- From: Steffen Schwalm <Steffen.Schwalm@msg.group>
- Date: Sat, 14 Feb 2026 13:59:24 +0000
- To: Jori Lehtinen <lehtinenjori03@gmail.com>
- CC: Christopher Allen <ChristopherA@lifewithalacrity.com>, Manu Sporny <msporny@digitalbazaar.com>, "public-credentials@w3.org" <public-credentials@w3.org>
- Message-ID: <AM8P191MB1299BAD4625A1621B8A79995FA6EA@AM8P191MB1299.EURP191.PROD.OUTLOOK.COM>
Just as an addition: the reference to law matters as it's underpinned by IAs referencing concrete technical standards. This means eIDAS is not only a regulation but a regulatory and technical framework.
See: https://ec.europa.eu/digital-building-blocks/sites/spaces/EUDIGITALIDENTITYWALLET/pages/915931811/The+European+Digital+Identity+Regulation?filters=adopted&all=1#sec-6-regulations
This means that if we argue about something like gatekeeping or openness to Big Tech, it might be helpful to justify this alongside the Implementing Acts and the referenced standards. Not to forget Regulation 1025/2012, according to which any certification against European regulation must be done based on European Standards (ETSI/CEN-CENELEC), so in addition to the Implementing Acts on eIDAS the relevant European standards also apply. Any justification of certain claims according to EU regulation should in this case be done alongside the European standards as well.
Best
Steffen
________________________________
From: Jori Lehtinen <lehtinenjori03@gmail.com>
Sent: Saturday, 14 February 2026 14:19
To: Steffen Schwalm <Steffen.Schwalm@msg.group>
Cc: Christopher Allen <ChristopherA@lifewithalacrity.com>; Manu Sporny <msporny@digitalbazaar.com>; public-credentials@w3.org <public-credentials@w3.org>
Subject: Re: Utah State-Endorsed Digital Identity (SEDI) legislation
Hi Steffen,
I won’t disagree about the law and articles you displayed here and in the brief thread.
Brain twister: they are meaningless... (for the physical reality of trust)
The issue is that in the EU, no one seems to understand how the trust model of cryptography works.
Wallets, for example, have nothing to do with the trust aspect; they are just a place for storing and presenting the actual trust values.
Of course, storing sensitive credentials needs best practices, but W3C, for example, is a far more appropriate entity for standardizing those best practices than legislation.
Legislation is a security liability, if anything, unless the directive is that it must follow an open and flexible entity that adapts quickly to zero-day threats, and doesn’t need years of bureaucracy to change or extend.
But here is something everyone might want to consider:
Why does it matter what the EU does? Let them do whatever they want—just scope it to government services and I won’t care.
Free markets don’t have to compete against authenticating users to government services. What I want is that legally binding signatures (e.g., for signing private-sector contracts digitally), or compliance disclosure like age or nationality, etc., is not gatekept by certified bodies instead of trusted algorithms...
At a minimum, a third party must not be actively needed. (Q)TSPs should issue capabilities to other values that can be reused without the need for (Q)TSP re-issuance—straight to verification of a claim issued before by the (Q)TSP—and replay protection comes from holder-binding: real-time proof of having access to the private-key material of the claim’s subject.
Go ahead with an authentication framework between EU states and the public sector—just don’t gatekeep private-sector dependencies behind certified bodies with legal power, because, as said, that is not what creates trust, not even in the public sector, no matter what anyone thinks.
It makes no difference where the signature came from when the government service verifies something.
If the algorithm or key is wrong, access is denied...
That is the beauty of cryptography.
I, as a verifier, set the trust requirement, and the ones that want access to my service (or to alter my state or anything that requires trust...) need to sign with the right key and algorithm...
algorithms > actors
Regards,
Jori
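The holder-binding exchange Jori sketches above, as an added example that is not part of the thread: an issuer signs a claim once against the holder's public key, and afterwards the verifier applies only its own policy (one trusted issuer key, a fresh challenge, proof of possession of the key the claim names) with no further call to the issuer. Go with the standard-library Ed25519; the `Claim` shape, the `over18` attribute and the single-trusted-issuer policy are assumptions, not anything from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// Claim is a constructed attribute statement the issuer signs once; it names the
// holder's public key, which every later holder-binding check is tied to.
type Claim struct {
	HolderKey []byte `json:"holder_key"`
	Attribute string `json:"attribute"`
}

// Issue runs at the issuer exactly once; the holder then presents payload and
// signature as often as needed without contacting the issuer again.
func Issue(issuerPriv ed25519.PrivateKey, c Claim) (payload, sig []byte) {
	payload, _ = json.Marshal(c) // cannot fail for this struct
	return payload, ed25519.Sign(issuerPriv, payload)
}

// Verifier holds the verifier's own policy: the one issuer key it trusts and
// the challenge nonces it has already consumed (replay protection).
type Verifier struct {
	TrustedIssuer ed25519.PublicKey
	seen          map[string]bool
}

// Challenge mints a fresh nonce the holder must sign in real time.
func (v *Verifier) Challenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Accept grants only if the issuer signature verifies under the trusted key, the
// nonce is unused, and the holder signed that nonce with the key the claim names.
func (v *Verifier) Accept(payload, sig, nonce, proof []byte) (string, bool) {
	var c Claim
	if len(v.TrustedIssuer) != ed25519.PublicKeySize || !ed25519.Verify(v.TrustedIssuer, payload, sig) ||
		json.Unmarshal(payload, &c) != nil || len(c.HolderKey) != ed25519.PublicKeySize ||
		v.seen[string(nonce)] || !ed25519.Verify(ed25519.PublicKey(c.HolderKey), nonce, proof) {
		return "", false // wrong issuer, wrong key, or replayed challenge: denied
	}
	if v.seen == nil {
		v.seen = map[string]bool{}
	}
	v.seen[string(nonce)] = true
	return c.Attribute, true
}
```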
On Sat 14 Feb 2026 at 2:00 pm, Steffen Schwalm <Steffen.Schwalm@msg.group> wrote:
Hi all,
Thanks for the assessment, which seems to be a bit of a misunderstanding of EUDI:
"The most likely outcome are multiple walled gardens that serve government and big tech interests more than they serve the citizens."
Where should the multiple walled gardens come from if the same technical requirements and issuance conditions apply to all EUDI Wallets? Where exactly do big tech interests go beyond citizens' interests, especially since EUDI Wallets are endorsed by MS and certified by independent CABs (meaning there won't be any EUDI without endorsement by MS and certification by a CAB), which focus on exactly privacy by design as defined in Art. 5a eIDAS and its Implementing Acts?
@Christopher Allen <ChristopherA@lifewithalacrity.com>: May you please explain, alongside the Implementing Acts 2024/2979, 2024/2982, 2024/2980, 2024/2977 and the referenced technical standards, where exactly the regulation and underpinning technical framework serve big tech interests?
"Second, the Duty of Loyalty. SB275 requires wallet providers, verifiers, and relying parties to act in the "best interests of an individual." That's agency law applied to digital identity — the holder is the principal, everyone else works for them. Compare that to EUDI's architecture, where the wallet vendors and governments end up serving their own interests first."
Sorry, but that's wrong; see Art. 5a (4) and (5) eIDAS. There are no wallet vendors without endorsement, and Member States depend on CABs, which are independent but certify the wallet (Art. 5c). Where do I find something similar in SEDI?
As any RP needs to be registered and proven, it is also ensured that verifiers follow the law and the interest of the user. As the user has the chance to submit a complaint to the privacy officer against a flawed RP, there's additional control. The same applies to any issuer, as they are RPs by design.
(See Art. 5b ff.)
As the source code of the EUDIW is open source by definition (see Art. 5a (3) eIDAS), it's easily provable by anybody. Where do I find something similar in SEDI?
"SEDI's "personal digital identifier" — created by the individual, mathematically provable, transportable to infrastructure of their choosing — embeds that principle in law. EUDI has nothing comparable."
Who defines, based on which criteria and against which standards, that the identifier is mathematically provable and to be accepted? The free wish of the user?
EUDI just brings this to practical ground: defining transparent certification requirements for all EUDI and certification by independent CABs. You can trust math only if the math is trustworthy, which won't be the case when an outdated algorithm is used, for example.
"The real decisions seem to be made behind closed doors masquerading as open forum": decisions are made in standardization bodies and communities open to everybody. Any IA is discussed openly.
What do you concretely miss?
Basically, the difference between SEDI and EUDI seems to be that in SEDI the identity does not gain legal trust from the beginning but through approval of the created ID by a third party, while in EUDI the PID is created from the beginning based on proven technical schemes from a third party.
Best
Steffen
________________________________
From: Christopher Allen <ChristopherA@lifewithalacrity.com>
Sent: Friday, 13 February 2026 22:18
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: public-credentials@w3.org <public-credentials@w3.org>
Subject: Re: Utah State-Endorsed Digital Identity (SEDI) legislation
On Fri, Feb 13, 2026 at 6:53 AM Manu Sporny <msporny@digitalbazaar.com> wrote:
On Thu, Feb 12, 2026 at 5:01 PM Joe Andrieu <joe@legreq.com> wrote:
> What's happening in the EU is the opposite of open innovation and
> I expect it will need to be reengineered within the decade.
Yes, exactly.
For those of you that haven't read Joe's response, it is excellent and
conveys much of my disappointment in the EUDI work. It's a mistake to
say that SEDI is more similar to EUDI than not.
I'm deeply concerned that EUDI has been captured by centralized
government and big tech interests. The real decisions seem to be made
behind closed doors masquerading as open forums. Legislators have been
tricked into thinking they're building something that is going to
protect their citizens when the most likely outcome are multiple
walled gardens that serve government and big tech interests more than
they serve the citizens.
I've been warning about this for some time, see:
* https://www.lifewithalacrity.com/article/musings-gdc25/ (TLDR: platform capture at global identity standards)
* https://www.lifewithalacrity.com/article/ssi-bankruptcy/ (TLDR: how SSI's own community lost the plot)
* https://www.lifewithalacrity.com/article/eidas/ (TLDR: good intentions, bad architecture)
* https://www.blockchaincommons.com/articles/echoes-history/
Manu, your four anti-patterns from direct experience with governments are devastating — and they seem to be exactly what SEDI was written to prevent. I've done an initial analysis of SB275, and plan to go through it line-by-line.
* https://www.lifewithalacrity.com/article/Musings-SEDI/ (TLDR: what Utah got right)
Two things struck me that haven't received enough attention yet.
First, the bill of rights. The very first entry declares that identity is "innate to the individual's existence and independent of the state." I've been doing this work for a decade, and seeing a state legislature independently arrive at something so close to the Existence principle from my original SSI work — that was a moment. It means the ideas are spreading beyond our community, which was always the point.
Second, the Duty of Loyalty. SB275 requires wallet providers, verifiers, and relying parties to act in the "best interests of an individual." That's agency law applied to digital identity — the holder is the principal, everyone else works for them. Compare that to EUDI's architecture, where the wallet vendors and governments end up serving their own interests first.
But here's what worries me. The Duty of Loyalty appears to be a statutory minimum — not something a user can sign away in a clickwrap. That's powerful. It's also a target. Every one of Manu's four anti-patterns represents an interest that would love to carve out an exemption. We need to watch for platform lobbyists asking Utah for "reasonable" exceptions that hollow out these protections. Regulatory capture is how good legislation dies — not through repeal, but through amendment.
I also agree with Joe's framing that you trust the math, not the client. SEDI's "personal digital identifier" — created by the individual, mathematically provable, transportable to infrastructure of their choosing — embeds that principle in law. EUDI has nothing comparable.
For those interested in how other jurisdictions compare, I wrote about what Switzerland's e-ID needs to get right:
* https://www.lifewithalacrity.com/article/musings-swiss-eid/ (TLDR: better than the EU, but not good enough)
SEDI is the best legislative expression of our community's principles I've seen. Let's make sure it stays that way.
— Christopher Allen
Received on Saturday, 14 February 2026 13:59:34 UTC