Re: Utah State-Endorsed Digital Identity (SEDI) legislation

Hi Steffen,

I won’t disagree about the law and articles you displayed here and in the
brief thread.

Brain twister: they are meaningless... (for the physical reality of trust)

The issue is that in the EU, no one seems to understand how the trust model
of cryptography works.

Wallets, for example, have nothing to do with the trust aspect; they are
just a place for storing and presenting the actual trust values.

Of course, storing sensitive credentials needs best practices, but W3C, for
example, is a far more appropriate entity for standardizing those best
practices than legislation.

Legislation is a security liability, if anything, unless the directive is
that it must follow an open and flexible entity that adapts quickly to
zero-day threats, and doesn’t need years of bureaucracy to change or extend.

But here is something everyone might want to consider:

Why does it matter what the EU does? Let them do whatever they want—just
scope it to government services and I won’t care.

Free markets don’t have to compete against authenticating users to
government services. What I want is that legally binding signatures (e.g.,
for signing private-sector contracts digitally), or compliance disclosure
like age or nationality, etc., is not gatekept by certified bodies instead
of trusted algorithms...

At a minimum, a third party must not be actively needed. (Q)TSPs should
issue capabilities to other values that can be reused without the need for
(Q)TSP re-issuance—straight to verification of a claim issued before by the
(Q)TSP—and replay protection comes from holder-binding: real-time proof of
having access to the private-key material of the claim’s subject.

Go ahead with an authentication framework between EU states and the public
sector—just don’t gatekeep private-sector dependencies behind certified
bodies with legal power, because, as said, that is not what creates trust,
not even in the public sector, no matter what anyone thinks.

It makes no difference where the signature came from when the government
service verifies something.

If the algorithm or key is wrong, access is denied...

That is the beauty of cryptography.

I, as a verifier, set the trust requirement, and the ones that want access
to my service (or alter my state or anything that requires trust...) need
to sign with the right key and algorithm...

algorithms > actors

Regards,
Jori
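
The flow sketched above (a claim issued once by a (Q)TSP, presented later and verified offline against the relying party's own key and algorithm policy, with replay protection coming from a live proof of possession of the subject's private key), as an added Go example that is not part of the original message or of any EUDI or SEDI implementation. The claim layout, the attribute name "age_over_18", the issuer and audience names, the nonce format and the domain-separation string are all assumptions for illustration; signing uses Ed25519 from the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is what a (Q)TSP issues once. The subject's public key is embedded so
// every later presentation can be holder-bound without contacting the issuer.
// Field names and the "age_over_18" attribute are assumptions for this example.
type Claim struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Attribute string `json:"attr"`       // e.g. "age_over_18"
	HolderKey []byte `json:"holder_key"` // Ed25519 public key of the subject
	IssuedAt  int64  `json:"iat"`
	Alg       string `json:"alg"`        // algorithm the issuer signed with
}

// SignedClaim is what the wallet stores: the exact bytes the issuer signed, plus the signature.
type SignedClaim struct {
	Payload   []byte
	Signature []byte
}

// IssueClaim is the only step that needs the (Q)TSP. Struct field order keeps
// json.Marshal output canonical, so the verifier later checks the same bytes.
func IssueClaim(issuerPriv ed25519.PrivateKey, c Claim) (SignedClaim, error) {
	c.Alg = "Ed25519"
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedClaim{}, err
	}
	return SignedClaim{Payload: payload, Signature: ed25519.Sign(issuerPriv, payload)}, nil
}

// Verifier is the relying party's own trust requirement: accepted issuer keys,
// accepted algorithms, its audience name, and the challenge nonces still open.
type Verifier struct {
	Audience       string
	TrustedIssuers map[string]ed25519.PublicKey
	AllowedAlgs    map[string]bool
	outstanding    map[string]bool // nonces issued but not yet consumed
}

func NewVerifier(audience string) *Verifier {
	return &Verifier{Audience: audience, TrustedIssuers: map[string]ed25519.PublicKey{},
		AllowedAlgs: map[string]bool{"Ed25519": true}, outstanding: map[string]bool{}}
}

// NewChallenge mints a fresh 32-byte nonce; each one is accepted exactly once.
func (v *Verifier) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.outstanding[string(nonce)] = true
	return nonce, nil
}

// bindingMessage is what the holder signs: domain tag, audience, nonce, claim bytes.
// Tying in the audience and the claim stops a proof being forwarded to another
// verifier or reused with a different credential.
func bindingMessage(audience string, nonce, payload []byte) []byte {
	msg := append([]byte("holder-binding/v1\x00"+audience+"\x00"), nonce...)
	return append(append(msg, 0), payload...)
}

// HolderProve is the wallet-side step: live proof of control of the bound key.
func HolderProve(holderPriv ed25519.PrivateKey, audience string, nonce []byte, sc SignedClaim) []byte {
	return ed25519.Sign(holderPriv, bindingMessage(audience, nonce, sc.Payload))
}

// Verify runs entirely offline: policy, issuer signature, one-time nonce, holder proof.
func (v *Verifier) Verify(sc SignedClaim, nonce, proof []byte) (Claim, error) {
	var c Claim
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Claim{}, fmt.Errorf("malformed claim: %w", err)
	}
	if !v.AllowedAlgs[c.Alg] {
		return Claim{}, fmt.Errorf("algorithm %q not accepted", c.Alg)
	}
	issuerKey, ok := v.TrustedIssuers[c.Issuer]
	if !ok {
		return Claim{}, fmt.Errorf("issuer %q not trusted", c.Issuer)
	}
	if !ed25519.Verify(issuerKey, sc.Payload, sc.Signature) {
		return Claim{}, errors.New("issuer signature invalid")
	}
	if !v.outstanding[string(nonce)] {
		return Claim{}, errors.New("unknown or already used nonce (replay)")
	}
	delete(v.outstanding, string(nonce)) // consume first: one attempt per challenge
	if len(c.HolderKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(c.HolderKey), bindingMessage(v.Audience, nonce, sc.Payload), proof) {
		return Claim{}, errors.New("holder-binding proof invalid")
	}
	return c, nil
}

// MustKey generates an Ed25519 key pair for the example; panics only on RNG failure.
func MustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
```

The nonce is deleted from the outstanding set before the holder proof is checked, so a single challenge allows exactly one attempt and a captured presentation cannot be replayed; a second presentation needs a new challenge and therefore a fresh signature from the holder's key. Nothing in Verify talks to the issuer: the trust decision is the verifier's key list and algorithm list, which is the "algorithms > actors" point in the message above.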

On 14.2.2026 at 2:00 pm, Steffen Schwalm <Steffen.Schwalm@msg.group>
wrote:

> Hi all,
>
> Thanks for the assessment, which seems a bit of a misunderstanding of EUDI:
>
>
> "the most likely outcome are multiple walled gardens that serve government
> and big tech interests more than
> they serve the citizens."
>
> Where should the multiple walled gardens come from if for all EUDI Wallets
> the same technical requirements and issuance conditions apply? Where
> exactly do big tech interests go beyond citizens, especially since EUDI
> Wallets are endorsed by MS and certified by an independent CAB, which means there won't be
> any EUDI without endorsement by MS and certification by a CAB, which focuses
> on exactly privacy by design as defined in Art. 5a eIDAS and its
> Implementing Acts?
>
> @Christopher Allen <ChristopherA@lifewithalacrity.com>: May you please
> explain alongside the Implementing Acts 2024/2979, 2024/2982, 2024/2980,
> 2024/2977 and the referenced technical standards where exactly the
> regulation and underpinning technical framework serve big tech interest?
>
>
> "Second, the Duty of Loyalty. SB275 requires wallet providers, verifiers,
> and relying parties to act in the "best interests of an individual." That's
> agency law applied to digital identity — the holder is the principal,
> everyone else works for them. Compare that to EUDI's architecture, where
> the wallet vendors and governments end up serving their own interests
> first."
>
> Sorry, but that's wrong, see Art. 5a (4) and (5) eIDAS. There are no wallet
> vendors without endorsement, and Member States depend on CABs which are
> independent but certify the wallet (Art. 5c). Where do I find similar in
> SEDI?
>
> As any RP needs to be registered and proven, it is also ensured that the verifier
> follows the law and the interest of the user. As the user has the chance to submit a
> complaint to a privacy officer against a flawed RP, there's additional control. Same for
> any issuer, as they are RPs by design
> (see Art. 5b ff.)
>
> As the source code of EUDIW is open source by definition (see Art. 5a (3)
> eIDAS), it's easily provable by anybody. Where do I find similar in SEDI?
>
> "SEDI's "personal digital identifier" — created by the individual,
> mathematically provable, transportable to infrastructure of their choosing
> — embeds that principle in law. EUDI has nothing comparable."
>
> Who defines, based on which criteria, that the identifier is mathematically
> provable, and against which standards it is to be accepted? Free wish by the user?
>
> EUDI just brings this to practical ground: defining transparent
> certification requirements for all EUDI and certification by an independent
> CAB. You can trust math only if the math is trustable, which won't be the case
> when an outdated algorithm is used, for example.
>
> "The real decisions seem to be made behind closed doors masquerading as
> open forums" - decisions are made in standardization bodies and communities open
> to everybody. Any IA is to be discussed openly.
>
> What do you concretely miss?
>
> Basically the difference between SEDI & EUDI seems to be that in SEDI the
> identity gains legal trust not from the beginning but through approval of the
> created ID by a 3rd party, while in EUDI the PID is created from the beginning
> based on proven technical schemes from a 3rd party.
>
> Best
> Steffen
>
>
>
> ------------------------------
> *From:* Christopher Allen <ChristopherA@lifewithalacrity.com>
> *Sent:* Friday, 13 February 2026 22:18
> *To:* Manu Sporny <msporny@digitalbazaar.com>
> *Cc:* public-credentials@w3.org <public-credentials@w3.org>
> *Subject:* Re: Utah State-Endorsed Digital Identity (SEDI) legislation
>
> On Fri, Feb 13, 2026 at 6:53 AM Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>
> On Thu, Feb 12, 2026 at 5:01 PM Joe Andrieu <joe@legreq.com> wrote:
> > What's happening in the EU is the opposite of open innovation and
> > I expect it will need to be reengineered within the decade.
>
> Yes, exactly.
>
> For those of you that haven't read Joe's response, it is excellent and
> conveys much of my disappointment in the EUDI work. It's a mistake to
> say that SEDI is more similar to EUDI than not.
>
> I'm deeply concerned that EUDI has been captured by centralized
> government and big tech interests. The real decisions seem to be made
> behind closed doors masquerading as open forums. Legislators have been
> tricked into thinking they're building something that is going to
> protect their citizens when the most likely outcome are multiple
> walled gardens that serve government and big tech interests more than
> they serve the citizens.
>
>
> I've been warning about this for some time, see:
>
>     * https://www.lifewithalacrity.com/article/musings-gdc25/ (TLDR: platform
> capture at global identity standards)
>     * https://www.lifewithalacrity.com/article/ssi-bankruptcy/ (TLDR: how
> SSI's own community lost the plot)
>     * https://www.lifewithalacrity.com/article/eidas/ (TLDR: good
> intentions, bad architecture)
>     * https://www.blockchaincommons.com/articles/echoes-history/
>
> Manu, your four anti-patterns from direct experience with governments are
> devastating — and they seem to be exactly what SEDI was written to prevent.
> I've done an initial analysis of SB275, and plan to go through it
> line-by-line.
>
>     * https://www.lifewithalacrity.com/article/Musings-SEDI/ (TLDR: what
> Utah got right)
>
> Two things struck me that haven't received enough attention yet.
>
> First, the bill of rights. The very first entry declares that identity is
> "innate to the individual's existence and independent of the state." I've
> been doing this work for a decade, and seeing a state legislature
> independently arrive at something so close to the Existence principle from
> my original SSI work — that was a moment. It means the ideas are spreading
> beyond our community, which was always the point.
>
> Second, the Duty of Loyalty. SB275 requires wallet providers, verifiers,
> and relying parties to act in the "best interests of an individual." That's
> agency law applied to digital identity — the holder is the principal,
> everyone else works for them. Compare that to EUDI's architecture, where
> the wallet vendors and governments end up serving their own interests first.
>
> But here's what worries me. The Duty of Loyalty appears to be a statutory
> minimum — not something a user can sign away in a clickwrap. That's
> powerful. It's also a target. Every one of Manu's four anti-patterns
> represents an interest that would love to carve out an exemption. We need
> to watch for platform lobbyists asking Utah for "reasonable" exceptions
> that hollow out these protections. Regulatory capture is how good
> legislation dies — not through repeal, but through amendment.
>
> I also agree with Joe's framing that you trust the math, not the client.
> SEDI's "personal digital identifier" — created by the individual,
> mathematically provable, transportable to infrastructure of their choosing
> — embeds that principle in law. EUDI has nothing comparable.
>
> For those interested in how other jurisdictions compare, I wrote about
> what Switzerland's e-ID needs to get right:
>
>     * https://www.lifewithalacrity.com/article/musings-swiss-eid/ (TLDR:
> better than the EU, but not good enough)
>
> SEDI is the best legislative expression of our community's principles I've
> seen. Let's make sure it stays that way.
>
> — Christopher Allen
>

Received on Saturday, 14 February 2026 13:19:31 UTC