- From: Steffen Schwalm <Steffen.Schwalm@msg.group>
- Date: Sun, 15 Feb 2026 13:41:24 +0000
- To: Manu Sporny <msporny@digitalbazaar.com>, NIKOLAOS FOTIOY <fotiou@aueb.gr>
- CC: Filip Kolarik <filip26@gmail.com>, public-credentials <public-credentials@w3.org>
- Message-ID: <AM8P191MB1299C20216133B4201A75D57FA6FA@AM8P191MB1299.EURP191.PROD.OUTLOOK.COM>
Hi all,

I guess the key is the combination of legislation and math. Math without legal backing is interesting science but not useable in regulated environments, law without technical basement = math is meaningless because its goals are not achievable.

"The issue is that the EU, in its effort to strengthen security and privacy, is putting legislation in place that is going to harm market competition because the regulatory environment is going to be so difficult to enter that only deeply monied interests will be able to engage. I will be thrilled if I'm wrong here, but this is right out of the big tech tackle box and it looks like the EU is falling for it hook, line, and sinker."

Basically we have no BigTech in the QTSP. The reason is the complexity in becoming and running a QTSP. So the QTSP regime seems more a key to keep BigTech out of regulated environments - so far the experiences from eIDAS 1. Only DocuSign was a bit successful, but by underlying EU rules.

Best
Steffen

________________________________
From: Manu Sporny <msporny@digitalbazaar.com>
Sent: Saturday, 14 February 2026 19:52
To: NIKOLAOS FOTIOY <fotiou@aueb.gr>
Cc: Filip Kolarik <filip26@gmail.com>; public-credentials <public-credentials@w3.org>
Subject: Re: Utah State-Endorsed Digital Identity (SEDI) legislation

On Sat, Feb 14, 2026 at 12:51 PM NIKOLAOS FOTIOY <fotiou@aueb.gr> wrote:
> (Expressing my own opinions) EU is trying to enforce security by design through legislation.

Legislation is among the weakest forms of security because it can be changed within a year by the whims of human emotion. You need not look further than the United States to see how fragile legislative systems are, though I admit that Europe seems to have stronger controls (for now).
Math is a stronger form of security, not susceptible to the whims of human emotion. That said, security is like an onion; it's layered. Legislation + math can be powerful if aligned... but you do need to plan for the legislative layer to rot from time to time, and know where the real security comes from (the math, not the legislation).

> I do not think that the goal of the EU is to support big companies.

Oh, of course not! I don't think anyone that's paying attention thinks the EU is trying to support big companies -- it's clear, even from across the ocean, that the EU has done the most to stand up to big corporations and try to ensure fair market competition!

As an open source developer and vendor of these very technologies, there is no way we'd be able to exist in the European market without a deep infusion of cash, which would then make us beholden to the same powers that the EU is attempting to protect its citizens from. These large organizations are very clever and the EU is inadvertently helping them achieve some of their goals with an overzealous regulatory environment that doesn't actually achieve the security and privacy guarantees they think they're achieving. "Wallet Attestations" and "Verifier Trust Lists" being just two of the anti-patterns now enshrined in EU legislation.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/
Received on Sunday, 15 February 2026 13:41:33 UTC