- From: NIKOLAOS FOTIOY <fotiou@aueb.gr>
- Date: Fri, 13 Feb 2026 17:47:36 +0000
- To: Joe Andrieu <joe@legreq.com>
- CC: Lars Kæraa Lücke <lkl@cph.ai>, Anders Rundgren <anders.rundgren.net@gmail.com>, Jori Lehtinen <lehtinenjori03@gmail.com>, Christopher Allen <ChristopherA@lifewithalacrity.com>, Detlef Hühnlein <detlef.huehnlein@ecsec.de>, public-credentials <public-credentials@w3.org>
Hi all, I want to express my disagreement to what Joe says here. Real-world systems inevitably rely on client behavior. Business with online presence implicitly trust browsers to correctly implement the Web PKI, and services like Netflix explicitly rely on client platforms to enforce DRM and usage controls. The example of bitcoin is in my option a counterexample to what Joe says: although the protocol removes the need to trust clients in practice roughly 75% of transaction is linked to (centralized) exchanges. Having say that, it is in the best interest of governments to protect the identities they issue and make sure that they are accessed only by approved verifiers. I don’t want an internet where any web site has the ability to request your id (and deny access if you don’t provide it). Best, Nikos > On 13 Feb 2026, at 6:46 PM, Joe Andrieu <joe@legreq.com> wrote: > > > On Fri, Feb 13, 2026 at 2:27 AM Lars Kæraa Lücke <lkl@cph.ai> wrote: > We’ve been following this debate with great interest. The tension between the EUDI (State-Anchored) and SEDI (Individual-Anchored) models highlights a critical gap in our current architecture: How do we trust the Client without controlling it? > > This is brilliant. It clearly illustrates the disconnect between the EUDI approach and SEDI. Unfortunately, it also illustrates the fundamental error in the EUDI approach. > > You only need to trust those things you can't control. > > If you control something, trust is not in question. The question itself isn't well-formed. > > The point of SEDI is that the inspired leadership in Utah has found a way to ensure that neither the state nor corporations control the means of identification. Rather, they are defining trustworthy mechanisms that enable trust in the digital interactions we have, both in their authenticity (cryptography) and in their appropriateness (privacy). > > What we have learned from decentralized systems is that it is possible to build a framework of trustworthy data exchange that does not rely on a central entity controlling access or restricting clients. Rather than a topological protocol that defers to a central authority, like OAuth and any Phone Home system, Bitcoin showed how to manage state amongst adversarial collaborators through signed transactions. > > Apropos to this thread, bitcoin works not because someone has blessed some set of "approved wallets" but by embedding the protocol in cryptographic datagrams independent of the network. You can talk to ANY bitcoin node to get a transaction in, and, frankly, you can use any protocol that node supports. From there out its all datagram. (Yes, there is a gossip network, but it is essentially an unsecured, uncontrolled channel anyone can use and it has essentially no security guarantees.) > > In short, you don't trust the client, which would be a categorical cybersecurity error. > > You trust the math. > > -j > > > -- > Joe Andrieu > President > joe@legreq.com > +1(805)705-8651 > Legendary Requirements > https://legreq.com > > Virus-free.www.avg.com
Received on Friday, 13 February 2026 17:47:44 UTC