Well, we'll have to agree to disagree there. "This scenario has three 
dependencies (DNS, Identity, Apex) instead of two (DNS, Identity)" is a 
technical problem. But frankly - I don't care if it's a technical or a business 
problem. Whatever way the problem is categorized, I'm still going to solve it, 
and I'd still like that solution to be well-formed from a technical 
perspective. The members of the W3C WebID working group agreed that this is a 
problem worth solving.

Do you have any technical feedback on the solutions that are under 
consideration?

Thanks,
Will

________________________________
From: John R Levine <[email protected]>
Sent: Wednesday, April 8, 2026 11:17 AM
To: Will Bartlett <[email protected]>; [email protected] <[email protected]>
Subject: [DNSOP] Re: [EXTERNAL] Re: Advice sought: DNS record type for FedCM 
well-known file delegation

> The core of the issue is that FedCM desires to mandate that
> implementations provide a single authoritative document for a
> "registrable domain" (also sometimes called an "eTLD+1").

So far so good, we all know about the PSL.

> Today, the FedCM spec says that to locate the single authoritative
> document for an origin like idp.foo.example, the browser should query
> https://foo.example/.well-known/web-identity - note particularly -
> foo.example, not idp.foo.example. Foo Inc. uses a CNAME to point
> idp.foo.example to its identity service in (as you say) an ordinary
> virtual host transaction. However, Foo Inc. cannot use a CNAME to point
> foo.example to the same identity service for multiple reasons. First,
> foo.example isn't the identity service - it's a marketing or storefront
> page. Second, DNS does not support CNAME for foo.example, because
> foo.example is an apex domain.

Ah, OK.  So your user goes to another department in the company and says
"we need the web server the company is paying you to run handle this URL
https://foo.example/.well-known/web-identity" and they say some
combination of "what?" and "no."

That still sounds like a business problem, not a technical one.

R's,
John

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
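As an added example, not part of the thread above, the following Python shows the lookup step the quoted FedCM spec text describes: the browser takes the IdP origin, reduces its host to the registrable domain (eTLD+1) using Public Suffix List rules, and fetches /.well-known/web-identity from that domain rather than from the IdP host itself. The PSL excerpt is a constructed subset (it is not the real list), the function names are mine, and the final helper encodes the thread's point that the registrable domain is normally a zone apex and so cannot carry a CNAME (RFC 1034 section 3.6.2: a CNAME owner may have no other records, and an apex must hold SOA and NS).

```python
"""Derive the FedCM well-known URL for an IdP origin (added example, not spec code)."""
from urllib.parse import urlsplit

# Constructed PSL excerpt, not the real list. '!' marks an exception rule,
# '*' a wildcard label; the ck pair is the classic wildcard/exception case.
PSL_EXCERPT = """
// comment lines are ignored
com
example
co.uk
uk
*.ck
!www.ck
"""

# Path quoted in the thread from the current FedCM spec text.
WELL_KNOWN_PATH = "/.well-known/web-identity"


def parse_psl(text):
    """Return the PSL rules as a list of lowercase strings, dropping comments/blank lines."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]


def _rule_matches(rule_labels, host_labels):
    """A rule matches when its labels equal the host's rightmost labels ('*' matches any one)."""
    if len(rule_labels) > len(host_labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(host_labels)))


def public_suffix(host, rules):
    """PSL algorithm: an exception rule wins (minus its leftmost label);
    otherwise the matching rule with the most labels; otherwise the default rule '*'."""
    labels = host.lower().rstrip(".").split(".")
    matched = []
    for rule in rules:
        is_exception = rule.startswith("!")
        rl = rule.lstrip("!").split(".")
        if _rule_matches(rl, labels):
            matched.append((is_exception, rl))
    for is_exception, rl in matched:
        if is_exception:
            return ".".join(labels[-(len(rl) - 1):])
    if not matched:
        return labels[-1]
    best = max((rl for _, rl in matched), key=len)
    return ".".join(labels[-len(best):])


def registrable_domain(host, rules):
    """eTLD+1: the public suffix plus one more label. None if host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def fedcm_well_known_url(origin, rules):
    """URL the browser fetches for an IdP origin under the quoted spec text."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("FedCM endpoints must be https origins")
    rd = registrable_domain(parts.hostname, rules)
    if rd is None:
        raise ValueError(f"{parts.hostname} has no registrable domain")
    return f"https://{rd}{WELL_KNOWN_PATH}"


def cname_redirect_possible(host, rules):
    """Can the operator point `host` at another server with a CNAME?
    Assumption (simplification): the registrable domain is the zone apex.
    An apex owns SOA/NS records, and a CNAME may not coexist with other
    records at the same owner, so the apex cannot be a CNAME."""
    return registrable_domain(host, rules) != host.lower().rstrip(".")


if __name__ == "__main__":
    rules = parse_psl(PSL_EXCERPT)
    for origin in ("https://idp.foo.example", "https://idp.foo.co.uk", "https://idp.foo.ck"):
        host = urlsplit(origin).hostname
        print(origin, "->", fedcm_well_known_url(origin, rules),
              "| idp host CNAME ok:", cname_redirect_possible(host, rules),
              "| apex CNAME ok:", cname_redirect_possible(registrable_domain(host, rules), rules))
```

Running it prints, for idp.foo.example, the well-known URL at foo.example, with a CNAME allowed for the idp host but not for the apex, which is exactly the gap the thread is about: the file lives on a host the identity service does not control and cannot be reached by DNS aliasing.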