Re: Utah State-Endorsed Digital Identity (SEDI) legislation

I just want to note one disconnect in your framing, Anders.

On Thu, Feb 12, 2026 at 2:16 AM Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> [...]



> - Banks and VLOPs (Very Large Online Providers) are unlikely to accept
> more than a handful of wallets.  In fact, GSDV in Germany has already begun
> integrating EUDIW functionality in their mobile banking app.  Fragmentation
> is a European specialty.
>

How is this NOT just creating another wallet?

Instead of GSDV relying on open wallets chosen by individuals that can
handle both public and private sector interactions, they are creating their
own. Are they just hoping to be one of the "handful" of wallets that win
the wallet wars? This is the exact opposite of what we want: more
competition for becoming the "one" blessed wallet. What we want is
competition for becoming the *best* wallet. We don't do that by restricting
which wallets are even allowed to be "a wallet". We do it with a laser
focus on the minimum API that every wallet can use, regardless of format,
protocol, etc.

The fact is, you cannot actually tell if the wallet you're interacting with
is the kind of wallet you think it is. The idea of restricting to a
particular set of approved wallets is guaranteed to be compromised by
attackers who figure out how to spoof the blessed wallets. It's not a
matter of if, but a matter of how often.

This is a dominant idea in the European framework, and it will almost
certainly cause the current EUDI framework to fail in achieving its larger
goals. Yes, it will likely provide an interoperable way for each
nation-state's walled silos to selectively share state-issued credentials
with other states. That's worth celebrating. But the restrictions on that
wallet paradigm make it nearly useless, IMO, for most private sector use,
which requires features like different cryptosuites and data formats that
EUDI ignores. If EUDI wallets don't support arbitrary DIDs and arbitrary
digital credentials (VCs, mDocs, zCaps, etc.) then other wallets will
emerge to fill the gap in the marketplace, resulting in a dual wallet
architecture in Europe. One for state-sponsored credentials and those for
the rest of society. I've already seen discussion along these lines with
the advent of the EU Business Wallet (whatever that really is).

Any decent investigation into detecting the browser (when you are the
website) will show you the problem. It is a well-worn piece of advice in
cybersecurity that you NEVER trust the client. You literally can't discern
a legitimate client from one which has reverse engineered all of the
authentication mechanisms and appears legitimate.

The EU's attempt to control which client software is used is just going to
restrict adoption in the market. Innovation will move to those who aren't
slowing down to deal with the limitations of centralized designs and
instead support open standards for credentials and exchange.

The Web is the guiding star here. As long as CompuServe and AOL relied on
proprietary clients to restrict access to their proprietary server, the
social and economic opportunity for online services was necessarily
constrained by alignment with those companies' visions of how "online"
should be.

When TBL invented the Web, he created a way for anyone anywhere to publish
content that is seamlessly linkable from any other website that chooses
to. The wild ride of the late 90s was fueled by unfettered economic
opportunity that came from allowing individuals, startups, and established
players to innovate and provide services without requiring permission from those
who controlled the walled gardens. The freedom of open source and open
standards unleashed significant economic activity and wealth generation.
What the EUDI is doing is more likely a temporary technological advance
that the market will quickly outpace, just like France's Minitel, which was
once ahead of the game (launched in 1982), but couldn't compete with the
World Wide Web. It was shut down in 2012.
https://www.bbc.com/news/magazine-18610692

Dr. Pramod Varma, Chief Architect of Aadhaar, made this point at GDC last
year. In my words: Worrying about securing the wallet is a distraction.
Focus on APIs and protocols that enable anyone to reliably participate in
the emerging platform, and you will see untold innovation, far beyond what
central planning could champion.

What's happening in the EU is the opposite of open innovation and I expect
it will need to be reengineered within the decade.

-j


-- 
Joe Andrieu
President
joe@legreq.com
+1(805)705-8651
------------------------------
Legendary Requirements
https://legreq.com



Received on Thursday, 12 February 2026 21:59:19 UTC