Exactly, Nikos!
________________________________
From: NIKOLAOS FOTIOY <fotiou@aueb.gr>
Sent: Monday, 16 February 2026 08:39
To: Joe Andrieu <joe@legreq.com>
Cc: Kyle Den Hartog <kyle@pryvit.tech>; Adrian Gropper <agropper@healthurl.com>; Manu Sporny <msporny@digitalbazaar.com>; Steffen Schwalm <Steffen.Schwalm@msg.group>; Filip Kolarik <filip26@gmail.com>; public-credentials <public-credentials@w3.org>
Subject: Re: Utah State-Endorsed Digital Identity (SEDI) legislation
>
> More dangerous is the fact that your advocacy creates a false sense of security, literally telling people something is secure when it is not. Seriously, your email here is a dangerous recommendation. For anyone reading, please DO NOT think that approved browser lists actually prevent "unapproved" browser access.
>
> The truism that you can't trust the client is not just a web phenomenon or my opinion; it's a deep cybersecurity principle. You might want to argue with me, but I suggest you do some research before arguing against the combined wisdom of 50+ years of cybersecurity experience.
>
> Seriously, search for "cybersecurity can't trust the client" and you'll see a wealth of diverse opinions explaining in various terms why you actually can't trust the client in cyberspace.
>
>
All boils down to who you want to protect. EUDI tries to protect the user. Lists of trusted software are fundamental when you are trying to protect the user. Government officials are recommended to use the Signal app and not any app claiming to use the OTR protocol. The Tor project recommends that users use the Tor Browser and explicitly states "Using Tor with other browsers is dangerous and not recommended".
The EUDI DOES NOT try to protect the verifiers. Verifiers do not learn which wallet the user is using, and the EUDI ARF explicitly prohibits this (see Annex 2 of the ARF: "A Wallet Unit SHALL present a WUA only to a PID Provider or Attestation Provider, as part of the issuance process of a PID or a key-bound attestation, and not to a Relying Party or any other entity.").
Best,
Nikos