Re: [apps-discuss] Aggregated service discovery

Alessandro Vesely <> Fri, 25 May 2012 08:15 UTC

List-Id: General discussion of application-layer protocols <>

On Thu 24/May/2012 16:30:03 +0200 Michiel de Jong wrote:

> but the main objection people would have to doing this is i think
> privacy/security. you don't want to announce the exact details of all
> your services publicly, because:
> 1) it makes it easier for an attacker to know where to attack your systems
> 2) it may reveal non-public information about your users unnecessarily.

Requiring authentication in order to discover the services would seem
to be a relevant functional difference w.r.t. SRV records.  I, for
one, don't use SRV records because of those two reasons.

Of course, directing all mass, blind dictionary attacks toward a
single entry point will call for some savvy implementation advice.
For example, centralized discovery could count failed attempts and
block a user when that number becomes comparable to her password's
entropy.  She won't be able to install new client devices for a while,
but that is much less disruptive than blocking IMAP access.
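
A sketch of the failed-attempt budget described in the message above, as an added example that is not part of the original message or of any discovery implementation. The class and method names, the 2^-10 guess fraction, the 24-hour window and the caller-supplied entropy estimate are assumptions; reading "comparable to her password's entropy" as a fixed fraction of the 2^bits guess space is one interpretation.

```python
import time


class DiscoveryThrottle:
    """Per-user failed-attempt budget for a central discovery endpoint.

    Hypothetical helper: only discovery is refused once the budget is
    spent; already-configured clients (e.g. IMAP) are not touched.
    """

    def __init__(self, max_guess_fraction=2 ** -10, window=24 * 3600,
                 clock=time.time):
        self.max_guess_fraction = max_guess_fraction  # assumed risk bound
        self.window = window                          # seconds (assumed)
        self.clock = clock
        self.failures = {}  # user -> timestamps of failed attempts

    def budget(self, entropy_bits):
        # Failures tolerated before guesses cover more than the allowed
        # fraction of a 2**entropy_bits password space; never below 1.
        return max(1, int(2 ** entropy_bits * self.max_guess_fraction))

    def _recent(self, user):
        # Drop failures older than the window and keep the pruned list.
        cutoff = self.clock() - self.window
        recent = [t for t in self.failures.get(user, []) if t > cutoff]
        self.failures[user] = recent
        return recent

    def discovery_allowed(self, user, entropy_bits):
        return len(self._recent(user)) < self.budget(entropy_bits)

    def attempt(self, user, entropy_bits, password_ok):
        # Check the budget first, so a blocked account reveals nothing
        # about whether the supplied password was right.
        if not self.discovery_allowed(user, entropy_bits):
            return "blocked"
        if password_ok:
            # A success does not reset the count: the legitimate user
            # logging in must not refill an attacker's budget.
            return "ok"
        self._recent(user).append(self.clock())
        return "denied"
```

Because refused attempts are not recorded, the per-user list never grows beyond the budget, and the block lifts on its own once the failures age out of the window.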