• A private Internet? (was: Re: Venting about forums.debian.net)

    From rhkramer@3:633/10 to All on Tuesday, January 20, 2026 20:50:01
    This is sort of a followup to the "Venting about forums.debian.net", but somewhat different and different enough that I thought I should start a new thread.
    I'll ask my question, then give some background afterwards:
    I wonder if a new more private Internet could be created on top of the existing Internet maybe where all participants communicate by VPN (or maybe all sites are encrypted (or have encrypted sections after an unencrypted portal).
    I thought about (and quickly discarded) the idea that a new Internet could be created, with all necessary physical and non-physical infrastructure from which bad actors could simply be excluded. (Or kicked out if they are found to be bad actors.)
    I'm wondering if, as an alternative to that, some sort of private encrypted network could be created?
    Maybe some hosting providers would have to adapt by encrypting most of their content (with some sort of unencrypted "portals" would be available to sign up to access the encrypted content).
    On further thinking (not much :-( , I guess such a thing would quickly run into the same problems (of bad actors doing various things).
    Just wanted to put this out there -- maybe somebody has a similar (or not so similar) idea that might help.
    Aside: I don't know much about the dark web (other than that it exists) -- is that in any way similar to this or a possible aid to solving the problem?


    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Jeffrey Walton@3:633/10 to All on Wednesday, January 21, 2026 00:00:01
    On Tue, Jan 20, 2026 at 5:46 PM <rhkramer@gmail.com> wrote:

    > This is sort of a followup to the "Venting about forums.debian.net", but
    > somewhat different and different enough that I thought I should start a new
    > thread.
    >
    > I'll ask my question, then give some background afterwards:
    >
    > I wonder if a new more private Internet could be created on top of the
    > existing Internet maybe where all participants communicate by VPN (or maybe
    > all sites are encrypted (or have encrypted sections after an unencrypted
    > portal).
    >
    > I thought about (and quickly discarded) the idea that a new Internet could
    > be created, with all necessary physical and non-physical infrastructure
    > from which bad actors could simply be excluded. (Or kicked out if they are
    > found to be bad actors.)
    >
    > I'm wondering if, as an alternative to that, some sort of private
    > encrypted network could be created?
    >
    > Maybe some hosting providers would have to adapt by encrypting most of
    > their content (with some sort of unencrypted "portals" would be available
    > to sign up to access the encrypted content).
    >
    > On further thinking (not much :-( , I guess such a thing would quickly
    > run into the same problems (of bad actors doing various things).
    >
    > Just wanted to put this out there -- maybe somebody has a similar (or not
    > so similar) idea that might help.
    >
    > Aside: I don't know much about the dark web (other than that it exists) --
    > is that in any way similar to this or a possible aid to solving the
    > problem?

    Tor onion services,
    <https://community.torproject.org/onion-services/>. Formerly known as
    Tor Hidden Services.

    Jeff

  • From Dan Ritter@3:633/10 to All on Wednesday, January 21, 2026 00:10:01
    rhkramer@gmail.com wrote:
    > I wonder if a new more private Internet could be created on top of the existing Internet maybe where all participants communicate by VPN (or maybe all sites are encrypted (or have encrypted sections after an unencrypted portal).

    Certainly. The technology exists and is performant on even not-so-state-of-the-art hardware - Wireguard, already in the
    Debian kernel.

    You will run into the following first-order problems:

    * Convincing other people you like to join you.

    * Governing the ensuing organization.

    * Looking exactly like a revolutionary cabal.


    > I thought about (and quickly discarded) the idea that a new Internet could be
    > created, with all necessary physical and non-physical infrastructure from which bad actors could simply be excluded. (Or kicked out if they are found to be bad actors.)

    If all the participants are close by each other, yes. See
    "meshnet" and variants. Radio-frequency networks.

    This also runs into the above three problems.

    Social problems have social solutions, aided by technology, not
    technical solutions.

    -dsr-

  • From Andy Smith@3:633/10 to All on Wednesday, January 21, 2026 01:40:01
    Hi,

    On Tue, Jan 20, 2026 at 02:41:29PM -0500, rhkramer@gmail.com wrote:
    > I wonder if a new more private Internet could be created on top of the existing Internet maybe where all participants communicate by VPN (or maybe all sites are encrypted (or have encrypted sections after an unencrypted portal).
    >
    > I thought about (and quickly discarded) the idea that a new Internet could be
    > created, with all necessary physical and non-physical infrastructure from which bad actors could simply be excluded. (Or kicked out if they are found to be bad actors.)
    >
    > I'm wondering if, as an alternative to that, some sort of private encrypted network could be created?

    Can you expand upon this idea as it related to, say, forums.debian.net?

    It's already on HTTPS so it's already encrypted.

    It could easily refuse to display any content whatsoever unless you
    were logged in as a registered user. There are fairly obvious reasons
    why they do not choose to run it that way.

    Instead of usernames and passwords it could authenticate via client certificates that it issued on registration. The downsides of that sort
    of approach are well known.

    At the heart of the problem is that people running services like
    forums.debian.net[1] do not want to make it difficult for reasonable
    clients to access their data. What we lack are good ways to separate
    reasonable and unreasonable clients without making access too difficult.

    You could choose to expand this notion beyond the individual site, so
    instead of it being forums.debian.net working out its own authentication
    scheme there were some central service managing the identities of the
    users. The benefit here would be that it would be easier to enrol users
    since they would need to do so for multiple services. Once enrolled they
    have easy access to everything using that scheme. The nasty down side is
    that this provides an attractive target for personal information leakage
    and it's still pretty annoying to use. In the real world the only setups
    like this are either single sign on for workplaces or other institutions
    where it's a requirement to use it, or they are mandated by law like the
    recent crackdown on access to sexually explicit content. Which is not
    going well.

    Decentralized identity providers exist that can be self-hosted, like
    OAuth. These are highly obscure and probably a dead end: anything that
    can be self-hosted can be abused to create infinite identities.
    Important services won't want to trust an identity provider that they
    don't control, again unless mandated to by law,

    In a walled garden where the state issues you an electronic ID and
    provides the services to authenticate that ID, it ought to be possible
    to create even third party services that could reason about their users
    without necessarily having to know exactly who they were. e.g. "This
    HTTP client is providing an access token that belongs to a citizen of
    Elbonia as attested by the Elbonian government, so I'll let them view my
    whole site. Oh, they are now being abusive, so please revoke that token
    and don't issue any more to that citizen for the next 30 days."

    That technology exists, but the governance doesn't, as far as I am
    aware. Maybe the current unpleasantness will force it to come into
    existence, though I suspect that no government will be visionary enough
    to do a good job of it, preferring to take easier solutions that they
    understand better, like passing laws that make it other peoples'
    problem.

    Thanks,
    Andy

    [1] This is just my opinion as a generalisation. I don't have any insight
    into the actual thoughts of the operators of forums.debian.net. I
    don't even know who they are and I'm not a user of it myself.

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

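The attested-token flow described in the post above (a site sees "citizen of Elbonia" without learning who, reports abuse, and the issuer revokes and refuses re-issue for 30 days), as an added example that is not part of any post in this thread or of any real eID system. The `Issuer` class, its method names, the `forum.example` site name and the per-site pseudonym step are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(days=30)  # the 30-day re-issue ban from the post


class Issuer:
    """Hypothetical state ID service; only it can map a token to a citizen."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._tokens = {}        # token -> (citizen_id, site)
        self._banned_until = {}  # citizen_id -> datetime

    def _pseudonym(self, citizen_id, site):
        # Pairwise subject: stable for one site, unlinkable across sites.
        msg = f"{citizen_id}|{site}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, citizen_id, site, now):
        if now < self._banned_until.get(citizen_id, now):
            return None  # still inside the cooldown
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (citizen_id, site)
        return token

    def introspect(self, token, site):
        # The site learns an attested attribute and a pseudonym, never the ID.
        entry = self._tokens.get(token)
        if entry is None or entry[1] != site:
            return {"active": False}
        return {"active": True, "attested": "citizen of Elbonia",
                "subject": self._pseudonym(*entry)}

    def report_abuse(self, token, site, now):
        if not self.introspect(token, site)["active"]:
            return False
        citizen = self._tokens[token][0]
        # Revoke every live token of that citizen and block re-issue.
        self._tokens = {t: e for t, e in self._tokens.items() if e[0] != citizen}
        self._banned_until[citizen] = now + COOLDOWN
        return True


def demo():
    t0 = datetime(2026, 1, 21, tzinfo=timezone.utc)  # constructed sample data
    idp, site = Issuer(), "forum.example"
    token = idp.issue("citizen-0001", site, t0)
    before = idp.introspect(token, site)
    idp.report_abuse(token, site, t0)
    after = idp.introspect(token, site)
    early = idp.issue("citizen-0001", site, t0 + timedelta(days=29))
    late = idp.issue("citizen-0001", site, t0 + COOLDOWN)
    return before, after, early, late
```

The relying site never stores anything that identifies the citizen; the linkage, and therefore the privacy and governance risk the thread discusses, sits entirely with the issuer.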
  • From Bigsy Bohr@3:633/10 to All on Wednesday, January 21, 2026 16:50:01
    On 2026-01-21, Andy Smith <andy@strugglers.net> wrote:

    > Decentralized identity providers exist that can be self-hosted, like
    > OAuth. These are highly obscure and probably a dead end: anything that
    > can be self-hosted can be abused to create infinite identities.
    > Important services won't want to trust an identity provider that they
    > don't control, again unless mandated to by law,

    If you want decentralized identity, the correct stack is:

    DID + Wallet + Verifiable Credentials + Blockchain anchoring

    Not OAuth.
    Not Google.
    Not a central provider.

  • From Nicolas George@3:633/10 to All on Wednesday, January 21, 2026 17:00:01
    Bigsy Bohr (HE12026-01-21):
    > If you want decentralized identity, the correct stack is:
    >
    > DID + Wallet + Verifiable Credentials + Blockchain anchoring

    Looks complicated when ssh-keygen is very simple.

    Do not give solutions before clearly defining the problem.

    Regards,

    --
    Nicolas George

  • From Bigsy Bohr@3:633/10 to All on Wednesday, January 21, 2026 17:00:01
    On 2026-01-21, Nicolas George <george@nsup.org> wrote:
    > Bigsy Bohr (HE12026-01-21):
    > > If you want decentralized identity, the correct stack is:
    > >
    > > DID + Wallet + Verifiable Credentials + Blockchain anchoring
    >
    > Looks complicated when ssh-keygen is very simple.
    >
    > Do not give solutions before clearly defining the problem.

    DID = SSH for the Internet

    global
    interoperable
    discoverable
    verifiable across domains
    not tied to a single serv

    Regards,


  • From Nicolas George@3:633/10 to All on Wednesday, January 21, 2026 17:30:01
    Bigsy Bohr (HE12026-01-21):
    > DID = SSH for the Internet
    >
    > global
    > interoperable
    > discoverable
    > verifiable across domains
    > not tied to a single serv

    I do not understand what you are trying to say. But have you considered
    that an authentication scheme that accepts any source of authority is
    the same thing as no authentication at all?

    This is what you get when you give the solution first and try to devise
    a problem that matches it afterward: you get something complicated that
    does something useless.

    Regards,

    --
    Nicolas George

  • From tomas@3:633/10 to All on Wednesday, January 21, 2026 18:50:02
    On Wed, Jan 21, 2026 at 03:55:12PM -0000, Bigsy Bohr wrote:
    > On 2026-01-21, Nicolas George <george@nsup.org> wrote:
    > > Bigsy Bohr (HE12026-01-21):
    > > > If you want decentralized identity, the correct stack is:
    > > >
    > > > DID + Wallet + Verifiable Credentials + Blockchain anchoring
    > >
    > > Looks complicated when ssh-keygen is very simple.
    > >
    > > Do not give solutions before clearly defining the problem.
    >
    > DID = SSH for the Internet
    I'll take SSH over Internet any time
    ;-D
    (Now more seriously: what does "DID + Wallet + ..." bring to the table?
    Do I care?)
    Cheers
    --
    t


  • From Jeffrey Walton@3:633/10 to All on Wednesday, January 21, 2026 21:10:01
    On Wed, Jan 21, 2026 at 10:42 AM Bigsy Bohr <curtyshoo@gmail.com> wrote:

    > On 2026-01-21, Andy Smith <andy@strugglers.net> wrote:
    >
    > > Decentralized identity providers exist that can be self-hosted, like
    > > OAuth. These are highly obscure and probably a dead end: anything that
    > > can be self-hosted can be abused to create infinite identities.
    > > Important services won't want to trust an identity provider that they
    > > don't control, again unless mandated to by law,
    >
    > If you want decentralized identity, the correct stack is:
    >
    > DID + Wallet + Verifiable Credentials + Blockchain anchoring
    >
    > Not OAuth.
    > Not Google.
    > Not a central provider.

    Also see Self-Sovereign Identity, <https://en.wikipedia.org/wiki/Self-sovereign_identity>.

    Jeff

  • From Andy Smith@3:633/10 to All on Thursday, January 22, 2026 14:50:01
    Hi,

    On Thu, Jan 22, 2026 at 11:00:52AM +0800, Maytham Alsudany wrote:
    > On Wed, 2026-01-21 at 00:30 +0000, Andy Smith wrote:
    > > [...] You could choose to expand this notion beyond the individual site, so instead of it being forums.debian.net working out its own authentication scheme there were some central service managing the identities of the users. [...] Decentralized identity providers exist that can be self-hosted, like OAuth.
    >
    > FYI salsa.debian.org already serves this purpose. It doubles as Debian's GitLab instance as well as an oAuth2 provider for many Debian sites such
    > as nm.debian.org.

    This is nice but it only really goes to emphasise my point: An
    organisation (Debian) made an identity provider for its own services,
    but is it something that's simple enough and pleasant enough to use that
    a service like forums.debian.net would realistically want to use it for authentication?

    > > These are highly obscure and probably a dead end: anything that
    > > can be self-hosted can be abused to create infinite identities.
    >
    > Salsa registrations require manual approval from the admins to protect against spam / bot accounts.

    ...which is great for internal Debian services for a total population of a
    few thousand experts who know they have to work through some initial inconvenience if they want to participate in Debian. I don't think it
    would suit something like a forum for novice Debian users that wants to
    attract new users with lowest friction possible.

    I can't really imagine that Salsa admins would want to be manually
    approving new signups for people who want to write posts on
    forums.debian.net, and that is assuming that only write access needs to
    be authenticated - this thread did start with a question about even
    abusive scraping being stopped by authentication.

    What I was saying here in this thread is that the technology exists, in multiple implementations, it's just that it's too inconvenient and
    fragmented. Due to that, users often have to be forced to use them and
    their use remains niche, not a silver bullet that all popular services
    could use.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

  • From Jeffrey Walton@3:633/10 to All on Thursday, January 22, 2026 21:20:01
    On Thu, Jan 22, 2026 at 11:46 AM Andy Smith <andy@strugglers.net> wrote:

    > On Thu, Jan 22, 2026 at 11:00:52AM +0800, Maytham Alsudany wrote:
    > > On Wed, 2026-01-21 at 00:30 +0000, Andy Smith wrote:
    > > > [...] You could choose to expand this notion beyond the individual site, so
    > > > instead of it being forums.debian.net working out its own authentication
    > > > scheme there were some central service managing the identities of the users. [...] Decentralized identity providers exist that can be self-hosted, like OAuth.
    > >
    > > FYI salsa.debian.org already serves this purpose. It doubles as Debian's
    > > GitLab instance as well as an oAuth2 provider for many Debian sites such
    > > as nm.debian.org.
    >
    > This is nice but it only really goes to emphasise my point: An
    > organisation (Debian) made an identity provider for its own services,
    > but is it something that's simple enough and pleasant enough to use that
    > a service like forums.debian.net would realistically want to use it for authentication?
    >
    > > > These are highly obscure and probably a dead end: anything that
    > > > can be self-hosted can be abused to create infinite identities.
    > >
    > > Salsa registrations require manual approval from the admins to protect against spam / bot accounts.
    >
    > ...which is great for internal Debian services for a total population of a
    > few thousand experts who know they have to work through some initial inconvenience if they want to participate in Debian. I don't think it
    > would suit something like a forum for novice Debian users that wants to attract new users with lowest friction possible.
    >
    > I can't really imagine that Salsa admins would want to be manually
    > approving new signups for people who want to write posts on forums.debian.net, and that is assuming that only write access needs to
    > be authenticated - this thread did start with a question about even
    > abusive scraping being stopped by authentication.
    >
    > What I was saying here in this thread is that the technology exists, in multiple implementations, it's just that it's too inconvenient and fragmented. Due to that, users often have to be forced to use them and
    > their use remains niche, not a silver bullet that all popular services
    > could use.

    My observation has been, just about everyone wants to be the Identity
    Provider (IdP), and most people don't want to be a Relying Party (RP)
    who confers trust to the IdP.

    Jeff
