Request for feedback: /.well-known/recover-account proposal

[felipecpaiva]

Hello WebAppSec maintainers,

I am requesting early implementation feedback on a proposal to standardize account-recovery discovery using /.well-known/recover-account.

This proposal is in active pre-Internet-Draft preparation, with reference implementations and tests available.

Request for feedback:

1. Are the endpoint and redirect semantics specific enough for interoperable client behavior?
2. Are security requirements (anti-enumeration, rate limiting, same-origin constraints) adequate and practical?
3. What adoption blockers do you foresee for browsers, identity providers, and password managers?

Primary discussion and response template:

• https://github.com/felipecpaiva/well-known-account-management/issues/5

Spec source:

• https://github.com/felipecpaiva/well-known-account-management/blob/main/specification/draft-spec.md

Thank you for any review or directional guidance.

[miketaylr]

Both of these links 404 - is this a private repo?

[felipecpaiva]

Yes it is, for now cay i send a private invite?

[miketaylr]

My recommendation would be to request a review once the thing can be reviewed by anyone publicly. No need to send me an invite.