Description
In section 3:
Servers must not locate the actual change password page at the change password url, per RFC8615 §1.1 Appropriate Use of Well-Known URIs.
In PR #17, the reference was updated from the obsolete RFC 5785 to the current RFC 8615, leaving the section reference unchanged. However, 8615 does not contain a section 1.1, nor does it contain any section directly addressing the appropriate use of well-known URIs.
The best reference I can find in 8615 to support this spec prohibiting servers from locating the resource itself at the well-known URI is section 1, in which the RFC implies that well-known URIs are for metadata (only?): the penultimate paragraph includes "Future specifications that need to define a resource for such metadata [...]".
See also issue #9.