Re: Utah State-Endorsed Digital Identity (SEDI) legislation

+1 to what Kyle is saying here.

I also want to offer a counterpoint to Manu's comment:

> "[browsers] don't have to 'prove their code is secure' before engaging with a website during a regulated activity."

This is not true. Browsers have done this implicitly, and many web sites trust "well-known" browsers. If you try to access a web page with an "unknown" or old browser, you are denied access. Try, for example, "curl https://www.aa.com/".


However, I think the most important point is the following comment by Manu:

> “For example, do verifiers—such as all the underfunded public schools in my district—now have to pay to be put on some list somewhere for every type of credential they could ask for, just so that I can prove that I’m the parent of my kids or that I live in the school district?”

For the average EU citizen, I believe the answer to this is yes: they would strongly expect formal proof that such a system has taken all necessary measures to prevent anyone from falsely proving that they are someone else’s child’s parent.

Overall, I think this valuable discussion highlights the different ways of thinking that exist across regions. We can see such differences in our daily life, for example U.S. citizens often consider it normal to hand their credit card to a waiter and allow them to process the payment—something that would be considered very unusual in much of the EU. We could have endless debates about which approach is right or wrong, but the key point is that we think differently, and this is not necessarily a bad thing. Even if it is not immediately obvious, discussions like these are fruitful and productive, as they help surface assumptions and improve mutual understanding.

So thanks to all for their input.

Best,
Nkos


On 15 Feb 2026, at 9:03 PM, Kyle Den Hartog <kyle@pryvit.tech> wrote:

Everyone here seems to be arguing for points about how trust isn’t improved and this slows down EU adoption. I agree both of those are true but I see slow adoption as a feature not a bug.

This site certification process is a feature because it reduces the adoption of credentials and counters Jevons Paradox. Today we’re already seeing more and more sites pulling up their walls with paywalls and logins required to access most of their site. This is true on news sites, social media platforms, and even large content hosts like YouTube now. This has been referred to as the “deep web”.

The “deep web” is about to be turned into the “attributed deep web”, though, with the addition of digital credentials instead of just self-attested emails. No longer will I be able to make up fake emails with SimpleLogin to unlink myself and bypass these “deep web” gates. I’ll now be required to show my digital credentials everywhere because the sites don’t trust me self-attesting information, so they can track me on their site. I don’t trust the sites to be a good judge of making that decision either, given how much I’m required to hand over an email these days so they can spam me with marketing emails later.

On top of that, the last thing I want to do is provide my digital credential to prove I’m human so I can read a news article because some IDV promoted digital credentials as an antifraud tool. I’ll just stop visiting their sites in the same way I don’t check Instagram, TikTok, or Facebook anymore because I deleted my login and they don’t want me to view their content unless I’m signed in. YouTube is now doing the same thing to my IP address because I run an adblocker on my TV and they want me to be logged in so they can still track me.

There are many other such cases of the “deep web” occurring, which will get worse once digital credentials are prevalent. So yes, I want my browser restricting which sites can use these. That’s advantageous to me to slow adoption of this and reduce Jevons Paradox of attested information taking hold on the web and further reducing the Open Web principle. To me slow adoption is a feature, not a bug.

Some might ask, “but your wallet can do that”, and you’d be correct, but I’d counter that you’re not thinking about UX. If I have to agree to share the request in the browser UI first before it hits the wallet, then it both leaks information to the wallet (which site I visited) and requires me to click through at least once in the browser to realize this mistake, which is a bad UX. Instead I argue Jevons paradox should be solved at the browser layer, not the wallet layer, because of this.

-Kyle


-------- Original Message --------
On Monday, 02/16/26 at 07:09 Adrian Gropper <agropper@healthurl.com> wrote:
I appreciate Manu’s web browser perspective. They are a superb example of an important complex product with very low switching costs. Most also offer to manage my credentials across devices.

So how do we explain that only wallets have access to biometrics?

Adrian


On Sun, Feb 15, 2026 at 10:13 AM Manu Sporny <msporny@digitalbazaar.com> wrote:
On Sun, Feb 15, 2026 at 8:41 AM Steffen Schwalm
<Steffen.Schwalm@msg.group> wrote:
> I guess the key is the combination of legislation and math. Math without legal backing is interesting science but not useable in regulated environments; law without a technical basement (= math) is meaningless because its goals are not achievable.

Counterpoint: Web browsers, the World Wide Web, and the Internet. :)

Web browsers have no mandatory regulatory regime, yet they're used in
highly regulated activities (payments, banking, interaction with
government). They don't have to "prove their code is secure" before
engaging with a website during a regulated activity.

Transport Layer Security (TLS) depends on math, not legislation, to
secure connections over the Web and Internet.

Web sites have no mandatory regulatory regime that is checked for by
the Web browser before requesting arbitrary information from the
individual and the Web browser has no mandatory regulatory regime that
it checks before sending arbitrary information from the individual to
the website.

There are 5.5 billion people on the planet that use this system to
engage in regulated environments... and it needs far less European
regulation to operate than what EUDI is attempting.

Now, that's not to say that there isn't regulation involved. The
Domain Name System (DNS) does have governance policies and there is
regulation in place to determine who gets to manage top-level domains
as well as certificate authorities. So, this isn't a "there should be
zero regulation" stance -- it's just that EUDI is overdoing it, by a
very wide margin.

> Basically we have no BigTech in the QTSP.

Why would BigTech want to become a QTSP? There is no money or control
in it... the money and control is in holding the most critical
identity documents of an individual in a digital wallet and then
charging the market for access to those identity documents.

For example, Apple and Google can charge a larger percentage of a
credit card transaction if they also have a PID in the same digital
wallet -- that's many tens of billions of dollars a year in revenue
without having to become a QTSP. Google can do more targeted
advertising with a PID in a wallet... and if the PID is in a wallet,
the fact that more credentials tied to that PID are likely to appear
gives them even more data for targeted advertising, which is many
hundreds of billions of dollars a year more. Banks will pay them to
put their cards in the wallet, give them basis point kickbacks (to the
tune of billions of dollars), because that's what people are using
(and they get visibility into consumer spending habits)... that
doesn't happen in the state-issued government wallet, which will never
hold the variety of credentials that BigTech wallets will hold.

All BigTech needs to do is make sure that the competitive landscape is
hobbled and the EU is doing a fine job of that by making the
regulations so complex and hard to meet that there will be very little
real competition when it comes to digital wallets in the EU.

> Reason is complexity in becoming and running a QTSP.

Yes, that's why small organizations can't become a QTSP in the EU. But
for Big Tech... no, that's not the reason. BigTech has no problem
throwing money at regulatory complexity if there is a profit motive
there. They could become a QTSP if they wanted to... it's just that
there's no need for them to do so in order to hit their profit motive
(yet)... and frankly, I don't think Google even asked the EU to
constrain competition in the way that has ended up happening... the EU
shot itself in the foot wrt. wallet competition all by itself. I
expect Apple is overjoyed with the current direction.

> So the QTSP regime seems more a key to keep BigTech out of regulated environments - so far the experience from eIDAS 1. Only DocuSign was a bit successful, but by underlying EU rules.

EU is not an attractive market to digital credential businesses
outside of the EU because the regulations are such that home-grown
systems built for the EU market are so complex and EU-centric that
they don't have a chance of surviving in other markets. It's one of
the reasons the EU does not have many tech companies that can compete
at a global scale. You're hobbling your own tech companies through
regulatory overreach, all in the name of "protecting the citizen",
which is largely security theatre.

Just take a look at what it takes to become a QTSP (checklist on pages 16-30):

https://www.enisa.europa.eu/sites/default/files/publications/ENISA%20Report%20-%20Conformity%20Assessment%20of%20Qualified%20Trust%20Service%20Providers.pdf


and the laundry list of European-centric standards that you have to
implement, that the rest of the world does not use, to become a QTSP
(on page 11):

https://www.enisa.europa.eu/sites/default/files/publications/ENISA%20Report%20-%20Recommendations%20for%20QTSPs%20based%20on%20Standards.pdf


Speaking as an entrepreneur, I do not envy European tech companies
that need to build to overcome those regulatory hurdles. I think it's
telling that your governments are the ones largely building and
funding digital wallets. I expect only the larger companies, that do
so at a loss, will be able to survive over the long term... and even
they will be overcome when a less Minitel-like system[1] is overtaken
by a more Web-like system.

... and to be thoroughly clear, I think that certain US state
governments allowing Big Tech to be the sole holder of state-issued
identity documents, with proprietary protocols run between the state
and the Big Tech digital wallet, is an even worse outcome... but at
least the US hasn't made the regulatory mistakes the EU has (yet).

Utah is the only state I've seen so far get the regulatory stuff
mostly right. Time will tell if they fumble the execution, or if they
do a good job there as well.

-- manu

[1] https://www.bbc.com/news/magazine-18610692


--
Manu Sporny - https://www.linkedin.com/in/manusporny/

Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Sunday, 15 February 2026 21:14:12 UTC