- From: NIKOLAOS FOTIOY <fotiou@aueb.gr>
- Date: Mon, 16 Feb 2026 07:39:58 +0000
- To: Joe Andrieu <joe@legreq.com>
- CC: Kyle Den Hartog <kyle@pryvit.tech>, Adrian Gropper <agropper@healthurl.com>, Manu Sporny <msporny@digitalbazaar.com>, Steffen Schwalm <Steffen.Schwalm@msg.group>, Filip Kolarik <filip26@gmail.com>, public-credentials <public-credentials@w3.org>
> > More dangerous is the fact that your advocacy creates a false sense of security, literally telling people something is secure when it is not. Seriously, your email here is a dangerous recommendation. For anyone reading, please DO NOT think that approved browser lists actually prevent "unapproved" browser access.
> >
> > The truism that you can't trust the client is not just a web phenomenon or my opinion; it's a deep cybersecurity principle. You might want to argue with me, but I suggest you do some research before arguing against the combined wisdom of 50+ years of cybersecurity experience.
> >
> > Seriously, search for "cybersecurity can't trust the client" and you'll see a wealth of diverse opinions explaining in various terms why you actually can't trust the client in cyberspace.

All boils down to who you want to protect. EUDI tries to protect the user. Lists of trusted software are fundamental when you are trying to protect the user. Government officials are recommended to use the Signal App and not any app claiming to use the OTR protocol. The Tor project recommends users to use the Tor browser and explicitly states "Using Tor with other browsers is dangerous and not recommended". The EUDI DOES NOT try to protect the verifiers. Verifiers do not learn which wallet the user is using, and the EUDI ARF explicitly prohibits this (see Annex 2 of the ARF: "A Wallet Unit SHALL present a WUA only to a PID Provider or Attestation Provider, as part of the issuance process of a PID or a key-bound attestation, and not to a Relying Party or any other entity.").

Best,
Nikos
Received on Monday, 16 February 2026 07:40:07 UTC