Most naming systems only know how to do discovery one way: public. That’s not always the setting you actually want.
Naming systems on the internet, and in most blockchain architectures, tend to work the same way: register a name, and it becomes resolvable to anyone who looks it up. That’s fine for a lot of things — a public website, an open API, a service that genuinely wants as much traffic as possible. It’s a much worse fit for anything handling sensitive workflows, restricted counterparties, or relationships that were never meant to be public in the first place.
The usual workaround is to make the service publicly resolvable and then handle access control after the fact — the request comes in, and only then does the service check whether it should actually respond. That works, but it also means every unauthorized party gets far enough to make the request in the first place. The service is doing security theater at the front door while quietly hoping nobody just tries the handle.
The better version of this doesn’t separate “findable” from “authorized to interact.” It treats them as the same decision, made at the same moment: a service either resolves for a given requester or it doesn’t, based on who that requester actually is — not a public listing that anyone can query and then get turned away from.
That’s only possible if discovery and identity aren’t two separate systems bolted together after the fact. DNNS on Lithosphere resolves names using the same identity context PPAL already establishes, so a resolution request already knows who’s asking. A service can be configured to resolve only for agents with a specific credential or relationship, and simply not resolve — not “resolve and then reject,” but not resolve at all — for anyone else.
The practical upside is less about convenience and more about reducing what’s exposed in the first place. A service nobody outside its intended circle can even find is a much smaller target than one that’s publicly listed and relying on a permission check to do all the work. Fewer parties reach the door, so fewer parties get a chance to test whether it’s locked.
“Public by default, restricted by exception” has been the assumption behind naming systems for a long time. It’s worth asking, at least for anything that isn’t supposed to be public, whether that assumption still makes sense — or whether discovery itself should just be part of the permission, not a separate step before it.



