Re: Utah State-Endorsed Digital Identity (SEDI) legislation

Venu, Manu,

Manu’s warning about "Walled Gardens" and "Anti-Patterns" provides the critical context here. The industry keeps building rigid compliance machines that inadvertently centralize power because they assume safety requires a single gatekeeper.

We designed the Open KYA (Know Your Agent) standard to solve Venu’s architectural requirements without falling into Manu’s anti-patterns. (We understand it is unlikely to be perfect, hence our engagement with the solid minds here).

Our core thesis is Flexibility. KYA is not a regulatory shackle; it is a reciprocal shared Reputation Protocol that allows trust to emerge organically based on merit or mandate.

Here is how KYA maps Venu’s requirements directly to our schema, emphasizing that almost every field is Optional-by-Design to support spontaneous, permissionless innovation:

1. Portable Accounts (Self-Sovereign)

Requirement: Portable ledgers/identifiers stored on personal devices.

KYA Solution: The KyaManifest is the portable account. It binds the abstract DID to concrete verificationMethod keys and serviceEndpoint arrays. Crucially, this works for a student with a mobile phone just as well as a bank with a server. There is no "minimum hardware requirement" to participate.

2. Assets & Tokens (Flexible Proofs)

Requirement: Pointers to assets without exposing raw ledgers.

KYA Solution: We support both Zero-Knowledge Proofs (e.g., Aztec/Noir) and Bank-Issued Proofs. The manifest’s challengeService defines the protocol:

ZK Mode: The agent locally proves it satisfies a safetyBound (e.g., that balance > $500k) without revealing the exact amount.

Bank Mode: The manifest authorizes a bank to issue a proof upon request.

This hybrid approach allows agents to "prove solvency" using whatever method the counterparty trusts—math or institutions—without locking them into one.

3. Participants (Regulation & Jurisdiction)

Requirement: Verifying qualifications and regulatory standing to participate in trade.

KYA Solution: We embed regulatory anchors directly into the manifest.

Mechanism: An agent can voluntarily attach a LegalEntityCredential containing its LEI (Legal Entity Identifier) and define its Operating Jurisdiction (e.g., permittedRegions: ["EU", "US-UT"]).

Result: This allows a counterparty to automatically verify if the agent is Regulated in a compatible jurisdiction before opening a channel. New entrants can start without it, but high-value agents can signal their compliance voluntarily.

4. Verifiably Authentic Issuers (Operator Policy)

Requirement: Certifying regulatory requirements of transactions.

KYA Solution: We replace "Active Gatekeeping" with "Signed Policy." The Agent Operator (Controller) signs a static signingPolicy block defining the rules (e.g., "Transactions > $10k require 2-of-3 signatures").

Mechanism: The enforcement is local and cryptographic. The Agent’s execution logic refuses to sign a transaction unless the policy constraints are met.

Role of Regulator: The Regulator does not need to be online. If high assurance is required, the policy can simply list the Regulator's public key as one of the required co-signers in the threshold group, but the orchestration remains fully decentralized.

5. Settlement (Emergent Assurance)

Requirement: Certifying settlement transactions.

KYA Solution: While we support Hardware Binding via the tee object (binding keys to a measurementHash or framework like nitro), this is strictly optional. We foresee this emerging organically as a premium signal for high-value settlement, rather than a barrier to entry for the rest of the network.

ref: https://github.com/open-kya/kya-standard/blob/main/schema/kya-manifest.schema.json


Manu,

This architecture directly addresses the "Anti-Patterns" you listed.

The "Walled Garden" exists because manual verification is expensive. By making verification computational (via ZK proofs and signed manifests), we lower the cost of trust to near zero.

This enables Spontaneous Trust:

Scenario A: I am paying $0.50 for a newsletter. My platform accepts any valid DID by default.

Scenario B: I am transferring $1M. My agent automatically demands a ZkSolvencyCircuit and a valid LEI from a G20 Jurisdiction before opening the channel.

We don't need a government whitelist. We need a standard protocol for Negotiation. Open KYA allows actors to "meet in the dark" and decide -- based on their own policy -- whether to trust each other.

That is how we maintain operational liberty without capture while achieving safety.

---

The best,

LKL

Engineering Excellence.

Creative Renaissance.

Hyper Optimization.
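A local negotiation policy in the spirit of Scenario A and Scenario B above, as an added example that is not Open KYA's own code: the manifest field layout, the G20 region list and the $1M threshold are assumptions, and the LEI check implements the ISO 17442 MOD 97-10 checksum so a malformed LEI is not accepted as a regulatory anchor.

```python
from __future__ import annotations

# Constructed sample manifest; the field layout is illustrative, not the real schema.
SAMPLE_MANIFEST = {
    "id": "did:example:agent-123",                            # constructed DID
    "verificationMethod": [{"id": "#key-1", "type": "Ed25519VerificationKey2020"}],
    "challengeService": {"supports": ["ZkSolvencyCircuit"]},  # ZK mode offered
    "credentials": [{"type": "LegalEntityCredential",
                     "lei": "TESTKYA0000000000072",            # constructed, checksum-valid
                     "permittedRegions": ["EU", "US-UT"]}],
}

# Abbreviated, constructed set of G20 region prefixes for the jurisdiction test.
G20_REGIONS = {"EU", "US", "GB", "DE", "FR", "JP", "CA", "IN", "BR"}

def lei_valid(lei: str) -> bool:
    """ISO 17442 LEI: 20 alphanumerics whose ISO 7064 MOD 97-10 remainder is 1."""
    if len(lei) != 20 or not lei.isalnum():
        return False
    as_digits = "".join(str(int(ch, 36)) for ch in lei.upper())  # A=10 .. Z=35
    return int(as_digits) % 97 == 1

def regulated_in_g20(manifest: dict) -> bool:
    """True iff a LegalEntityCredential carries a checksum-valid LEI and at least
    one permitted region sits inside the G20 set (country code before any '-')."""
    for cred in manifest.get("credentials", []):
        if cred.get("type") != "LegalEntityCredential":
            continue
        if not lei_valid(cred.get("lei", "")):
            continue  # a malformed or mistyped LEI is not a regulatory anchor
        regions = cred.get("permittedRegions", [])
        if any(r.split("-")[0] in G20_REGIONS for r in regions):
            return True
    return False

def admit(manifest: dict, amount_usd: float) -> tuple[bool, str]:
    """Local policy: any valid DID for small payments (Scenario A); a high-value
    channel also demands ZK solvency plus a G20 LEI (Scenario B, $1M is our choice)."""
    has_keys = bool(manifest.get("verificationMethod"))
    if not str(manifest.get("id", "")).startswith("did:") or not has_keys:
        return False, "manifest lacks a DID or verification keys"
    if amount_usd < 1_000_000:
        return True, "low value: any valid DID accepted"
    offered = manifest.get("challengeService", {}).get("supports", [])
    if "ZkSolvencyCircuit" not in offered:
        return False, "high value: ZkSolvencyCircuit proof not offered"
    if not regulated_in_g20(manifest):
        return False, "high value: no valid LEI in a G20 jurisdiction"
    return True, "high value: ZK solvency and G20 LEI present"
```

The decision is made entirely from the counterparty's own policy and the manifest contents, with no online gatekeeper consulted.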

From: Manu Sporny <msporny@digitalbazaar.com>
To: <public-credentials@w3.org>
Date: Fri, 13 Feb 2026 15:52:04 +0100
Subject: Re: Utah State-Endorsed Digital Identity (SEDI) legislation

On Thu, Feb 12, 2026 at 5:01 PM Joe Andrieu <joe@legreq.com> wrote:
> What's happening in the EU is the opposite of open innovation and
> I expect it will need to be reengineered within the decade.

Yes, exactly.

For those of you that haven't read Joe's response, it is excellent and
conveys much of my disappointment in the EUDI work. It's a mistake to
say that SEDI is more similar to EUDI than not.

I'm deeply concerned that EUDI has been captured by centralized
government and big tech interests. The real decisions seem to be made
behind closed doors masquerading as open forums. Legislators have been
tricked into thinking they're building something that is going to
protect their citizens when the most likely outcome is multiple
walled gardens that serve government and big tech interests more than
they serve the citizens.

Our (Digital Bazaar's) experience is not academic in this regard.
Remember that we actively build digital credential systems for some of
the largest governments in the world as well as large swaths of
private industry (retail, banking, etc.). We have direct experience
with being asked to align with EUDI by government agencies, and those
requests have gone something like this:

1. In order to protect our reputation, we need to support centralized,
government controlled trust lists like EUDI is planning to do for
issuers.
2. In order to protect our citizens, we need to protect people from
sharing data with the wrong verifiers, so we need to have all
verifiers register with the big wallet vendors and only support OpenID
HAIP.
3. In order to combat vendor lock-in, we need to ensure that our
citizens have an alternative to big tech wallets, so we're going to
launch a government wallet (but only allow government credentials into
that wallet).
4. In order to prevent fraud, we need a strong compliance regime for
digital wallets so we can trust the "holder binding" aspect of them;
we can't support more than the big tech wallets and the government
wallets until that is in place.

Every single one of those asks comes from a good place, but based on
what EUDI is doing, is an anti-pattern that the community has known
about for a very long time now. I can assure you that the decisions
made as a part of the EUDI program are driving multiple governments
around the world to push further into each anti-pattern... and every
SDO (through big tech participation), including W3C (via Web Payments
and DC API), is helping with some aspect of making those anti-patterns
a reality. This is not conspiratorial thinking; I can confirm that we
are regularly having these discussions with multiple governments and
vendors these days (and are doing our best to convince them that these
are anti-patterns that are going to harm citizens).

Now, compare that with SEDI, which seems to have been written by
people that were influenced by much of the hard won wisdom in this
community -- they were aware of the dangers and have written pretty
solid legislation that corrects many of the misguided language and
actions in EUDI. It's not perfect, and time will tell if the
implementations truly live up to the legislation. They'll need to
refine, but they're certainly off to a better start than where EUDI is
right now.

I do hope that EUDI gets its act together. Europe has shown the world
how it is capable of doing wonderful things -- they pushed Visa and
Mastercard back and did a great job with their payments systems and
reducing payment interchange fees. They are actively and aggressively
regulating both Google and Apple App Stores and devices and are
improving competition in Europe. These are things the US has failed to
do over the course of decades and is unlikely to succeed at in the
near term.

All that said, I think we have something new to point to, from a
legislation perspective, that exemplifies the principles that built
this community... and it's not EUDI. The response to each of the
anti-patterns above is not centralization, it's decentralization --
and that is in the best interests of governments, their citizens, and
all the people of the world that value liberty and democracy.

That's what is at the heart of SEDI, may we be so lucky to achieve the
vision therein.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Friday, 13 February 2026 15:48:31 UTC