- From: Steffen Schwalm <Steffen.Schwalm@msg.group>
- Date: Thu, 12 Feb 2026 13:19:13 +0000
- To: Jori Lehtinen <lehtinenjori03@gmail.com>, Anders Rundgren <anders.rundgren.net@gmail.com>
- CC: Christopher Allen <ChristopherA@lifewithalacrity.com>, Detlef Hühnlein (ecsec GmbH) <detlef.huehnlein@ecsec.de>, "public-credentials@w3.org" <public-credentials@w3.org>
- Message-ID: <AM8P191MB1299EADAABD3006CEA47591BFA60A@AM8P191MB1299.EURP191.PROD.OUTLOOK.COM>
Hi Jori,

"Later, the person moves to the EU. To interact with local services, they register with an EU country's wallet implementation" --> if the person does not become an EU citizen, they would not get any EUDI wallet. To interact with services there's not necessarily a need to register with an EU country's wallet implementation, as EUDIW is voluntary; any service needs to comply with other wallets as well. Means a (Q)TSP may issue QEAA to a certain DID or the US wallet with the EU wallet implementation. Only question: Will you find a (Q)TSP doing this?

From: Jori Lehtinen <lehtinenjori03@gmail.com>
Sent: Thursday, 12 February 2026 13:06
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Christopher Allen <ChristopherA@lifewithalacrity.com>; Detlef Hühnlein (ecsec GmbH) <detlef.huehnlein@ecsec.de>; public-credentials@w3.org
Subject: Re: Utah State-Endorsed Digital Identity (SEDI) legislation

For example:

Someone starts in the United States with a DID they control on their own device. U.S. institutions issue Verifiable Credentials to that identifier (e.g., identity, residency, banking-related attestations). Those credentials are stored in some wallet relevant in the US, but the wallet is just storage and presentation infrastructure, not the trust anchor.

Later, the person moves to the EU. To interact with local services, they register with an EU country's wallet implementation. They present their DID and relevant U.S.-issued credentials. The EU system can verify those credentials against U.S. issuers and apply its own policy to determine what is acceptable and what additional attestations are required. The EU may then issue its own Verifiable Credential to the same DID.

From that point forward, the individual may need to use that EU wallet implementation to interact with local banks or authorities. That is fine; interaction with a system can require system-specific tooling.

Crucially, their identity does not depend on that wallet. Their DID and previously issued credentials remain under their control. If they later move to Asia, they can register with an Asian country's wallet system using the same DID, present both U.S. and EU credentials, and receive new attestations there.

Throughout this lifecycle:

* The individual's identifier remains portable and under their control.
* Issuers (U.S., EU, Asia) act as trust anchors through their signatures and legal accountability.
* Wallets act as storage, backup, and presentation tools tied to jurisdictions when needed.
* Leaving one system does not destroy the individual's digital existence or prior attestations.

On Thu, 12 Feb 2026 at 13:49, Jori Lehtinen (lehtinenjori03@gmail.com) wrote:

I think we largely agree on the structural realities you're describing. Wallets under eIDAS2 look like regulated infrastructure with high and sustained costs. Relying parties will only integrate a limited number of implementations. Payments are already mature and competitive. All of that makes sense.

Where I want to slightly reframe the discussion is on what that actually implies for identity architecture.

It is not a problem if an individual has to enter a system in order to interact with a bank, a government, or to sign agreements. That is normal. Interaction dependency is fine.

The problem only appears if the individual's digital existence depends on that system. If leaving the system equals destruction of identity, or if system failure equals destruction of identity, then we have created structural dependency. That is the issue.

So even if:

* Wallets are few.
* Member states operate certified implementations.
* Relying parties only accept certain flows.

This is completely fine, as long as the individual's identifier and credentials are portable and survivable outside any single wallet or platform.

In that framing:

* The trust anchor remains the issuer's signature and legal accountability.
* The wallet is a storage/backup/presentation tool.
* The individual controls a portable identifier.
* Credentials can move between compliant wallets without "re-identitying."
* System participation does not equal identity ownership.

In other words, dependency for interaction is acceptable. Dependency for existence is not. That distinction is what matters, and how these systems can become globally interoperable.

Regards,
Jori

On Thu, 12 Feb 2026 at 12:15, Anders Rundgren (anders.rundgren.net@gmail.com) wrote:

On 2026-02-12 08:08, Jori Lehtinen wrote:
[...]
> > If both frameworks keep the idea of "choose the wallet you want" and portability across wallets, that's a strong base.

Unfortunately (for the EU) it doesn't work like this for several reasons:

- There is no money in building wallets, only [high and sustained] costs.
- Banks and VLOPs (Very Large Online Providers) are unlikely to accept more than a handful of wallets. In fact, GSDV in Germany has already begun integrating EUDIW functionality in their mobile banking app. Fragmentation is a European specialty.
- Last but not least: the payment part of the EUDIW is way below the competition and will [rightfully] be rejected. The competition is both fierce and more focused. The EUDIW folks talk about SCA (Strong Customer Authentication). However, EU banks have had SCA in production for years.

Regards,
Anders

Received on Thursday, 12 February 2026 16:59:58 UTC