- From: Steffen Schwalm <Steffen.Schwalm@msg.group>
- Date: Sat, 14 Feb 2026 12:08:47 +0000
- To: Jori Lehtinen <lehtinenjori03@gmail.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <AM8P191MB129977FDB8BE0761BBFADE8AFA6EA@AM8P191MB1299.EURP191.PROD.OUTLOOK.COM>
Hi Jori,
Thanks for the great comparison. Just some remarks:
* Please differentiate EUDI from eIDAS, as EUDI is only one part of the regulation
* eIDAS does not forbid DID, and in CEN we work on a European standard to integrate DID in the eIDAS framework
"SEDI says identity is separate from the state. The state only verifies or endorses that identity as a trust anchor for something controlled by the individual. That makes a lot of sense to me: the individual’s identity and endorsements of that identity move with the individual, instead of residing in the state.
EUDI, by contrast, keeps the identity more coupled to the state (via state-recognized schemes / anchor credentials), instead of “only endorsing” an identity controlled by the user. That may be because EUDI originally grew out of making national eID systems interoperable at the EU level, and those national eID systems often carry that power imbalance where the individual’s identity depends on the state."
* Exactly in SEDI it's the other way round - the state binds/endorses a self-created ID acc. to defined requirements
* In eIDAS the government defines what the ID scheme looks like and issues PID based on this scheme
* In both cases a certain endorsement is needed - from the beginning (eIDAS) or in a 2nd step (SEDI). In both cases there seems to be no ID without certain approval (or control) by government - because without endorsement there seems to be no legal ID in SEDI either
* Anti-tracking / “phone home” risk
This matters because identity presentation is an obvious place to build silent telemetry if we don’t prevent it by design.
* SEDI: explicitly prohibits mechanisms that allow the state to monitor, surveil, or track identity presentations.
* EUDI: privacy goals exist, but critics worry about structural “phone home” surfaces and gatekeeper risk."
* The evidence of "phone home" on EUDI still remains open; critics alone do not seem convincing. Gatekeeper risk exists in SEDI IMHO as well due to "identity is inherent to the individual; the state endorses/attests"
* In EUDI, unlinkability & non-tracking are requested by law and are the basis for any endorsement & certification of any EUDI (see Art. 5a (16) eIDAS)
"EUDI: is a heavily regulated ecosystem (certification, trust lists, relying-party obligations), and some worry that mandatory OS/platform integration shifts gatekeeping power to platforms"
* Which "mandatory OS/platform integration" of what and where, acc. to which source, do you have in mind?
"A possible convergence point: an individual-controlled identifier (e.g., DID), with states issuing VCs as attestations (personhood, residency, etc.), without the wallet becoming a tracking or gatekeeper surface."
* In EUDI the tracking is excluded by design, see ARF + Art. 5a (16) and related IA
Best
Steffen
________________________________
From: Jori Lehtinen <lehtinenjori03@gmail.com>
Sent: Thursday, 12 February 2026 10:02
To: W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Brief on EUDI vs SEDI
I was left somewhat confused by the conversation earlier and did some research. I quickly noticed that the EU is making real efforts toward VCs and DIDs, so I was wondering: what is the actual problem here?
I think part of it is that “EU work” is not one single thing. EBSI is clearly doing DID/VC work, but the EUDI Wallet / eIDAS track seems to be evolving somewhat separately, and the EUDI Wallet ARF does not appear to be explicitly DID-centric today (there is an open discussion/request to include DIDs). So technical alignment might happen over time, but the disagreement on this list seems to be about more than just formats.
I think the philosophical difference that people react to is essentially this:
SEDI says identity is separate from the state. The state only verifies or endorses that identity as a trust anchor for something controlled by the individual. That makes a lot of sense to me: the individual’s identity and endorsements of that identity move with the individual, instead of residing in the state.
EUDI, by contrast, keeps the identity more coupled to the state (via state-recognized schemes / anchor credentials), instead of “only endorsing” an identity controlled by the user. That may be because EUDI originally grew out of making national eID systems interoperable at the EU level, and those national eID systems often carry that power imbalance where the individual’s identity depends on the state.
So the question is: is EUDI’s imbalanced model really necessary, and why? And if it is not necessary, what is the model everyone could agree on, for example, a DID controlled by the individual, as the subject for state-issued Verifiable Credentials, where the state’s role is to issue verifiable trust anchors for the entities that want state-backed verification?
I hope this can clarify the current situation for everyone and result in a productive conversation.
Anyways, here is the brief:
________________________________
Brief on EUDI vs SEDI
What they share (surface similarities)
* Wallet-based delivery
* Support (at least in principle) for selective disclosure
* Interest in cross-border / cross-domain interoperability
What differs (and why it matters to people)
* Root of identity / trust anchor
  This matters because it sets the power model: does the individual carry identity and get endorsements, or does the individual’s identity depend on a state-issued anchor?
  * SEDI: identity is inherent to the individual; the state endorses/attests.
  * EUDI: identity is primarily anchored in state-issued identity and regulated national schemes.
* Anti-tracking / “phone home” risk
  This matters because identity presentation is an obvious place to build silent telemetry if we don’t prevent it by design.
  * SEDI: explicitly prohibits mechanisms that allow the state to monitor, surveil, or track identity presentations.
  * EUDI: privacy goals exist, but critics worry about structural “phone home” surfaces and gatekeeper risk.
* Ecosystem control / platform capture risk
  Decentralized identity does not care whether resolution happens in OS code, application-layer code, or elsewhere; the concern is whether any layer becomes a mandatory gatekeeper.
  * SEDI: has stronger ecosystem duties (e.g., Duty of Loyalty).
  * EUDI: is a heavily regulated ecosystem (certification, trust lists, relying-party obligations), and some worry that mandatory OS/platform integration shifts gatekeeping power to platforms.
Interoperability framing
* Technical convergence (VC formats, crypto suites, presentation/verification protocols) can help a lot, but only if the governance model does not require weakening the stronger protections.
* A possible convergence point: an individual-controlled identifier (e.g., DID), with states issuing VCs as attestations (personhood, residency, etc.), without the wallet becoming a tracking or gatekeeper surface.
________________________________
Regards,
Jori Lehtinen
Received on Saturday, 14 February 2026 12:08:56 UTC