- From: Jori Lehtinen <lehtinenjori03@gmail.com>
- Date: Mon, 16 Feb 2026 10:34:55 +0200
- To: Steffen Schwalm <Steffen.Schwalm@msg.group>
- Cc: NIKOLAOS FOTIOY <fotiou@aueb.gr>, Joe Andrieu <joe@legreq.com>, Kyle Den Hartog <kyle@pryvit.tech>, Adrian Gropper <agropper@healthurl.com>, Manu Sporny <msporny@digitalbazaar.com>, Filip Kolarik <filip26@gmail.com>, public-credentials <public-credentials@w3.org>
- Message-ID: <CAA6zkAts7ebRjggLxf0cgK3SyxdCB_sPWhZScKJ8gvsOhLm0rg@mail.gmail.com>
I was referencing this guy: https://martin.kleppmann.com/ 😊 Not YouTube.

On Mon 16 Feb 2026 at 10:32, Steffen Schwalm (Steffen.Schwalm@msg.group) wrote:

> Joris:
>
> YouTube is no trustworthy source so let's use ISO Terminology Portal:
>
> System comprising multiple application domains where the functionality of application domain management is distributed over related devices. The presence of application controllers as physical devices is optional in such a system.
>
> See ISO/IEC TR 14543
>
> Even for DLT no consensus required "system in which components located on networked computers communicate and coordinate their actions by interacting with each other"
>
> See ISO 22739:2024
>
> "Anyone that runs the protocol proves it. And EU law can mandate the tech. Saying there is auditing does not prove the audits always absolutely reveal misdemeanor. A well defined protocol on the other hand does."
>
> - Based on what you do the proof? Which standard in which procedure? What means well defined protocol defined by whom?
> - EU law mandates the tech via the Implementing Acts on eIDAS already. See https://ec.europa.eu/digital-building-blocks/sites/spaces/EUDIGITALIDENTITYWALLET/pages/915931811/The+European+Digital+Identity+Regulation?filters=adopted&all=1#sec-6-regulations
> - What concretely would you change and where?
>
> "This is you proving all the fears we have. There is no regard for individuals' rights or safety. You only care about state and legal system authority. (THAT IS HOW I'M INTERPRETING HOW YOU PRESENT THE LAW AND DENY TECHNICAL FACTS I CANNOT BE A JUDGE)"
>
> - No, I care about technology. The LOTL and TL is well-defined by proven. A consensus which is not clearly defined and audited keeps security remaining faith not proof.
>
> Best
> Steffen
>
> ------------------------------
> *From:* Jori Lehtinen <lehtinenjori03@gmail.com>
> *Sent:* Monday, 16 February 2026 09:22
> *To:* Steffen Schwalm <Steffen.Schwalm@msg.group>
> *Cc:* NIKOLAOS FOTIOY <fotiou@aueb.gr>; Joe Andrieu <joe@legreq.com>; Kyle Den Hartog <kyle@pryvit.tech>; Adrian Gropper <agropper@healthurl.com>; Manu Sporny <msporny@digitalbazaar.com>; Filip Kolarik <filip26@gmail.com>; public-credentials <public-credentials@w3.org>
> *Subject:* Re: Utah State-Endorsed Digital Identity (SEDI) legislation
>
> *Caution:* This email originated from outside of the organization. Despite an upstream security check of attachments and links by Microsoft Defender for Office, a residual risk always remains. Only open attachments and links from known and trusted senders.
>
> Steffen,
>
> @Joris: Where is defined that distributed system needs consensus (beside a DLT)?
>
> https://youtube.com/playlist?list=PLeKd45zvjcDFUEv_ohr_HdUFe97RItdiB&si=0jsDqdMYaHYZZGfb
> Of course we can change the definition of a distributed system any time we want same as we can change the law anytime we want, but for a system to be able to technically guarantee integrity there are some physical realities you cannot avoid. So if the legislation's goals are to guarantee an individual's legal safety, we should use the best tech available to guarantee that goal no?
> Anything can be a distributed system it is more about what invariants we want the system to guarantee.
>
> Nope as the QTSP do not share federated PKI
> What is the List of Lists then?
>
> - Who proves based on which standards accredited by whom and supervised by whom that the CRDT network works correctly?
> - That's why we defined even for DLT security & auditing standards in ISO resp. CEN-CENELEC
>
> Anyone that runs the protocol proves it. And EU law can mandate the tech. Saying there is auditing does not prove the audits always absolutely reveal misdemeanor. A well defined protocol on the other hand does.
>
> Wrong as provable via LOTL and EC may stop national list in case of failure. Protocol in case of consensus won't help - if whole consensus algorithm flawed no DLT will check this and no replication will help ;-)
>
> This is you proving all the fears we have. There is no regard for individuals' rights or safety. You only care about state and legal system authority. (THAT IS HOW I'M INTERPRETING HOW YOU PRESENT THE LAW AND DENY TECHNICAL FACTS I CANNOT BE A JUDGE)
>
> Regards,
> Jori
>
> On Mon 16 Feb 2026 at 9:54, Steffen Schwalm (Steffen.Schwalm@msg.group) wrote:
>
> Exactly Nikos!
> ------------------------------
> *From:* NIKOLAOS FOTIOY <fotiou@aueb.gr>
> *Sent:* Monday, 16 February 2026 08:39
> *To:* Joe Andrieu <joe@legreq.com>
> *Cc:* Kyle Den Hartog <kyle@pryvit.tech>; Adrian Gropper <agropper@healthurl.com>; Manu Sporny <msporny@digitalbazaar.com>; Steffen Schwalm <Steffen.Schwalm@msg.group>; Filip Kolarik <filip26@gmail.com>; public-credentials <public-credentials@w3.org>
> *Subject:* Re: Utah State-Endorsed Digital Identity (SEDI) legislation
>
> More dangerous is the fact that your advocacy creates a false sense of security, literally telling people something is secure when it is not. Seriously, your email here is a dangerous recommendation. For anyone reading, please DO NOT think that approved browser lists actually prevent "unapproved" browser access.
>
> The truism that you can't trust the client is not just a web phenomenon or my opinion; it's a deep cybersecurity principle. You might want to argue with me, but I suggest you do some research before arguing against the combined wisdom of 50+ years of cybersecurity experience.
>
> Seriously, search for "cybersecurity can't trust the client" and you'll see a wealth of diverse opinions explaining in various terms why you actually can't trust the client in cyberspace.
>
> All boils down to who you want to protect. EUDI tries to protect the user. Lists of trusted software are fundamental when you are trying to protect the user. Government officials are recommended to use the Signal App and not any app claiming to use the OTR protocol. The Tor project recommends users to use the Tor browser and explicitly states "Using Tor with other browsers is dangerous and not recommended".
>
> The EUDI DOES NOT try to protect the verifiers. Verifiers do not learn which wallet the user is using and the EUDI ARF explicitly prohibits this (see in Annex 2 of ARF "A Wallet Unit SHALL present a WUA only to a PID Provider or Attestation Provider, as part of the issuance process of a PID or a key-bound attestation, and not to a Relying Party or any other entity.")
>
> Best,
> Nikos
Received on Monday, 16 February 2026 08:35:11 UTC