Re: Utah State-Endorsed Digital Identity (SEDI) legislation

Hi Nikolaos,

I know you did not disagree with me specifically, but I do not disagree
with Joe specifically, so either I am confused about something, or you are,
or both of us are.

> Real-world systems inevitably rely on client behavior. Businesses with an
> online presence implicitly trust browsers to correctly implement the Web
> PKI, and services like Netflix explicitly rely on client platforms to
> enforce DRM and usage controls.

For a system that includes multiple actors to work, the machines executing
role X need to behave according to role X for the system to function. But
other parties do not simply trust that they will behave a certain way; the
trust still comes from cryptography, not from the fact that a browser does
X.

If the verification from PKI fails, the server does not trust the client;
it ignores it instead. Likewise, the client ignores the server if the DNS
certificates are not valid.

Actors with capabilities assert proofs, verify others’ proofs voluntarily,
and sovereignly decide what to do based on those proofs.

> Having said that, it is in the best interest of governments to protect the
> identities they issue and ensure that they are accessed only by approved
> verifiers. I don’t want an internet where any website has the ability to
> request your id (and deny access if you don’t provide it).

Can you explain this a bit more? Specify what you mean by “id” exactly,
because I do not see anyone advocating for something like this, and it
would not be in a service’s interest to impose such heavy requirements. If
they can verify that you have paid for content or follow their terms of
service in general, that should be enough 😅

Who would use Netflix or anything if they required you to disclose Gov ID?
I know I would not.

Ideally, they would only require the minimum viable disclosure necessary to
provide a service, such as verifying that the same individual is not on
their 100th 30-day free trial. It would not really require anything more
than the website being able to verify that a TSP issued and signed a
pseudonym that is only coupled to that one service as a uniqueness hook.

IMO it is about a power balance between all different roles.

"Every actor keeps custody of capabilities that matter for their own
liabilities / responsibilities, and others trust those capabilities
according to their own policies only when they are presented verifiably."

Received on Friday, 13 February 2026 19:00:36 UTC
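
The uniqueness hook described in the message above, as an added example that is not part of the original post or of any SEDI specification: a TSP signs a pseudonym derived for one service, and that service verifies it and refuses a second free trial. The HMAC derivation, the Ed25519 signature, the token layout and the names `Issue`, `Verifier`, `StartTrial` and `video.example` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Token is a hypothetical TSP assertion (assumed layout): pseudonym plus signature.
type Token struct {
	Pseudonym string
	Sig       []byte
}

func payload(service, p string) []byte { return []byte("pairwise-v1\x00" + service + "\x00" + p) }

// Issue runs at the TSP: pseudonym = HMAC(per-user secret, service), stable per service.
func Issue(tspKey ed25519.PrivateKey, userSecret []byte, service string) Token {
	mac := hmac.New(sha256.New, userSecret)
	mac.Write([]byte(service))
	p := fmt.Sprintf("%x", mac.Sum(nil))
	return Token{p, ed25519.Sign(tspKey, payload(service, p))}
}

// Verifier is the service: it pins one TSP key and records pseudonyms already served.
type Verifier struct {
	Service string
	TSP     ed25519.PublicKey
	Seen    map[string]bool
}

// StartTrial rebuilds the signed payload with its own service name, so a token
// issued for any other service fails verification; repeats are then refused.
func (v *Verifier) StartTrial(t Token) error {
	if !ed25519.Verify(v.TSP, payload(v.Service, t.Pseudonym), t.Sig) {
		return fmt.Errorf("no valid TSP signature for %s", v.Service)
	}
	if v.Seen[t.Pseudonym] {
		return fmt.Errorf("trial already used")
	}
	v.Seen[t.Pseudonym] = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed throwaway TSP key
	v := &Verifier{"video.example", pub, map[string]bool{}}
	t := Issue(priv, []byte("constructed-user-secret"), "video.example")
	fmt.Println(v.StartTrial(t), v.StartTrial(t))
}
```

The service learns only the pseudonym and the fact that the pinned TSP signed it; the same user's pseudonym at a different service is a different value.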