Re: Utah State-Endorsed Digital Identity (SEDI) legislation

Which is no standard definition either.

Please provide a definition where consensus is required in a distributed system, when even DLT standards don't require consensus by definition.
________________________________
From: Jori Lehtinen <lehtinenjori03@gmail.com>
Sent: Monday, 16 February 2026 09:34
To: Steffen Schwalm <Steffen.Schwalm@msg.group>
Cc: NIKOLAOS FOTIOY <fotiou@aueb.gr>; Joe Andrieu <joe@legreq.com>; Kyle Den Hartog <kyle@pryvit.tech>; Adrian Gropper <agropper@healthurl.com>; Manu Sporny <msporny@digitalbazaar.com>; Filip Kolarik <filip26@gmail.com>; public-credentials <public-credentials@w3.org>
Subject: Re: Utah State-Endorsed Digital Identity (SEDI) legislation


Caution: This email originated from outside of the organization. Despite an upstream security check of attachments and links by Microsoft Defender for Office, a residual risk always remains. Only open attachments and links from known and trusted senders.

I was referencing this guy: https://martin.kleppmann.com/ 😊 Not YouTube.

On Mon 16.2.2026 at 10.32, Steffen Schwalm (Steffen.Schwalm@msg.group) wrote:
Joris:

YouTube is no trustworthy source, so let's use the ISO Terminology Portal:

System comprising multiple application domains where the functionality of application domain management is distributed over related devices. The presence of application controllers as physical devices is optional in such a system.

See ISO/IEC TR 14543

Even for DLT, no consensus is required: "system in which components located on networked computers communicate and coordinate their actions by interacting with each other"

See ISO 22739:2024

"Anyone that runs the protocol proves it. And EU law can mandate the tech. Saying there is auditing does not prove the audits always absolutely reveal misdemeanor. A well defined protocol on the other hand does."


  * Based on what do you do the proof? Which standard, in which procedure? What does "well defined protocol" mean, and defined by whom?
  * EU law mandates the tech via the Implementing Acts on eIDAS already. See https://ec.europa.eu/digital-building-blocks/sites/spaces/EUDIGITALIDENTITYWALLET/pages/915931811/The+European+Digital+Identity+Regulation?filters=adopted&all=1#sec-6-regulations
  * What concretely would you change, and where?

"This is you proving all the fears we have. There is no regard for individuals rights or safety. You only care about state and legal system authority. (THAT IS HOW IM INTERPRETING HOW YOU PRESENT THE LAW AND DENY TECHNICAL FACTS I CANNOT BE A JUDGE)"


  * No, I care about technology. The LOTL and TL are well-defined by proven. A consensus which is not clearly defined and audited keeps security remaining faith, not proof.

Best
Steffen


________________________________
From: Jori Lehtinen <lehtinenjori03@gmail.com>
Sent: Monday, 16 February 2026 09:22
To: Steffen Schwalm <Steffen.Schwalm@msg.group>
Cc: NIKOLAOS FOTIOY <fotiou@aueb.gr>; Joe Andrieu <joe@legreq.com>; Kyle Den Hartog <kyle@pryvit.tech>; Adrian Gropper <agropper@healthurl.com>; Manu Sporny <msporny@digitalbazaar.com>; Filip Kolarik <filip26@gmail.com>; public-credentials <public-credentials@w3.org>
Subject: Re: Utah State-Endorsed Digital Identity (SEDI) legislation



Steffen,
>  @Joris: Where is defined that distributed system needs consensus (beside a DLT)?
https://youtube.com/playlist?list=PLeKd45zvjcDFUEv_ohr_HdUFe97RItdiB&si=0jsDqdMYaHYZZGfb

Of course we can change the definition of a distributed system any time we want, same as we can change the law any time we want, but for a system to be able to technically guarantee integrity there are some physical realities you cannot avoid. So if the legislation's goals are to guarantee an individual's legal safety, we should use the best tech available to guarantee that goal, no?
Anything can be a distributed system; it is more about what invariants we want the system to guarantee.

> Nope as the QTSP do no share federated PKI
What is the List of Lists then?

>

>   * Who proves based on which standards accredited by whom and supervised by whom that the CRDT network works correctly?
>   * That's why we defined even for DLT security & auditing standards in ISO resp. CEN-CENELEC

Anyone that runs the protocol proves it. And EU law can mandate the tech. Saying there is auditing does not prove the audits always absolutely reveal misdemeanor. A well defined protocol on the other hand does.

> Wrong as provable via LOTL and EC may stop national list in case of failure. Protocol in case of consensus won`t help - if whole consensus algorithm flawed no DLT will check this and no replication will help ;-)

This is you proving all the fears we have. There is no regard for individuals' rights or safety. You only care about state and legal system authority. (THAT IS HOW I'M INTERPRETING HOW YOU PRESENT THE LAW AND DENY TECHNICAL FACTS. I CANNOT BE A JUDGE)

Regards,
Jori



On Mon 16.2.2026 at 9.54, Steffen Schwalm (Steffen.Schwalm@msg.group) wrote:
Exactly Nikos!
________________________________
From: NIKOLAOS FOTIOY <fotiou@aueb.gr>
Sent: Monday, 16 February 2026 08:39
To: Joe Andrieu <joe@legreq.com>
Cc: Kyle Den Hartog <kyle@pryvit.tech>; Adrian Gropper <agropper@healthurl.com>; Manu Sporny <msporny@digitalbazaar.com>; Steffen Schwalm <Steffen.Schwalm@msg.group>; Filip Kolarik <filip26@gmail.com>; public-credentials <public-credentials@w3.org>
Subject: Re: Utah State-Endorsed Digital Identity (SEDI) legislation


>
> More dangerous is the fact that your advocacy creates a false sense of security, literally telling people something is secure when it is not. Seriously, your email here is a dangerous recommendation. For anyone reading, please DO NOT think that approved browser lists actually prevent "unapproved" browser access.
>
> The truism that you can't trust the client is not just a web phenomenon or my opinion; it's a deep cybersecurity principle. You might want to argue with me, but I suggest you do some research before arguing against the combined wisdom of 50+ years of cybersecurity experience.
>
> Seriously, search for "cybersecurity can't trust the client" and you'll see a wealth of diverse opinions explaining in various terms why you actually can't trust the client in cyberspace.
>
>

It all boils down to who you want to protect. EUDI tries to protect the user. Lists of trusted software are fundamental when you are trying to protect the user. Government officials are recommended to use the Signal App and not any app claiming to use the OTR protocol. The Tor project recommends users to use the Tor browser and explicitly states "Using Tor with other browsers is dangerous and not recommended".

The EUDI DOES NOT try to protect the verifiers. Verifiers do not learn which wallet the user is using and the EUDI ARF explicitly prohibits this (see in Annex 2 of ARF "A Wallet Unit SHALL present a WUA only to a PID Provider or Attestation Provider, as part of the issuance process of a PID or a key-bound attestation, and not to a Relying Party or any other entity.").

Best,
Nikos

Received on Monday, 16 February 2026 08:36:46 UTC