Enhance, Duplicate, or Replace? None of the Above.
Summary: Alan Mayo frames the digital identity design choice as enhance, duplicate, or replace, and places Utah’s SEDI in the “replace” bucket alongside purist decentralized identity. That badly misreads the architecture and the policy goal. SEDI is not trying to eliminate institutional trust; it is state-endorsed, rights-first digital identity reuse that keeps institutional authority where it belongs while moving presentation and consent closer to the individual.
Alan Mayo’s latest Identity 2.5 newsletter poses a useful strategic question: when we build digital identity reuse, are we enhancing existing infrastructure, duplicating it, or replacing it? He maps three approaches onto those choices: networked identity enhances, credential/wallet identity duplicates, and decentralized identity replaces. He then places Utah’s State-Endorsed Digital Identity (SEDI) squarely in the third category and concludes that networked identity is the obvious, lowest-risk path forward. The framework is a good lens. But his classification of SEDI is wrong.
What Mayo Gets Right
Mayo is right that societies already have digital identity. Government agencies, banks, and healthcare systems hold digital records of who we are; what they issue to us are physical documents and credentials that allow a basic form of identity reuse. The strategic question is not whether to create digital identity but how to let people reuse it effectively. That reframing is valuable because it cuts through a lot of the hype that treats digital identity as something we still need to invent.
He is also right that wallet-based credentials introduce real operational complexity. Lifecycle management, revocation, device binding, recovery, verifier trust, wallet trust, and credential freshness all matter. His critique of naive “just put credentials in a wallet” thinking is fair; a high-assurance identity ecosystem cannot rely on static credentials floating around indefinitely. Utah’s own mobile driver’s license work already recognizes these problems by emphasizing consent, selective disclosure, anti-tracking, and state-signed credentials under individual control.
And he is right that institutional trust does not disappear. SEDI still needs authoritative issuers, governance, endorsement rules, certification, relying-party accountability, revocation, and legal frameworks. Even the ACLU’s analysis of Utah’s legislation praises it as a legal and governance framework with important privacy protections, not as magic cryptography that makes institutions irrelevant. None of that goes away in a world with digital credentials. The question is how institutional trust gets expressed and who controls the presentation.
Where the Framework Breaks
Mayo’s big mistake is classifying SEDI as “Decentralized Identity” in the purist replacement sense. He characterizes that category as individual-held identity, cryptographic security, self-sovereignty, and no central control. That badly misrepresents first person identity in general and SEDI’s architecture in particular. SEDI is not trying to eliminate institutional trust or replace government identity infrastructure. It is a state-endorsed legal and governance framework for digital credentials. The state still verifies, endorses, regulates, and defines duties for participants. That is not anti-institutional decentralization; it is public trust infrastructure with individual control over consent, disclosure, and the terms of the relationship.
He also conflates credential identity and decentralized identity in a way that obscures what SEDI actually does. SEDI is closer to a hybrid: credential-based presentation with state endorsement, legal duties, privacy protections, and governance. It is not simply duplicating current identity infrastructure into wallets, and it is not replacing identity infrastructure with cryptographic self-sovereignty. It sits outside Mayo’s three-bucket taxonomy because it combines institutional authority with individual agency in ways his framework does not accommodate.
Mayo overstates the idea that credential systems make every phone wallet “a mini Identity Provider.” A wallet is never the authoritative source of identity. Even with self-issued credentials, the authority rests with the individual issuing the credential, not the container. The wallet is a presentation mechanism; the issuer remains authoritative for the claims it signs. The hard problems of binding, revocation, and recovery are real, but they do not turn the wallet into a source of truth. They turn it into a presentation layer, one the individual controls rather than the institution.
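The division of roles described above (issuer signs, wallet presents, verifier checks) can be made concrete in a small selective-disclosure credential. This is an added illustration, not SEDI's or Utah's actual design: it uses salted claim digests in the style of SD-JWT, a constructed issuer key, an HMAC as a stand-in for the state's signature (a real deployment would use an asymmetric signature so verifiers hold no secret), and a made-up credential id for the revocation check.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key (illustration only).
ISSUER_KEY = b"constructed-issuer-key"


def _digest(salt, name, value):
    # One salted digest per claim; the salt stops a verifier guessing undisclosed values.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue(claims, key=ISSUER_KEY):
    """Issuer: salt each claim and sign only the digests, never the raw values."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    body = {"iss": "example-state-issuer", "cred_id": "cred-001", "digests": digests}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(key, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential, disclosures, reveal):
    """Wallet: forward the signed payload plus only the disclosures the holder consents to."""
    return {"credential": credential, "disclosed": {n: disclosures[n] for n in reveal}}


def verify(presentation, revoked=frozenset(), key=ISSUER_KEY):
    """Verifier: check the issuer signature, revocation status, and that every
    revealed claim matches a digest the issuer signed. Returns the accepted
    claims, or None if anything fails."""
    cred = presentation["credential"]
    expected = hmac.new(key, cred["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    body = json.loads(cred["payload"])
    if body["cred_id"] in revoked:
        return None
    signed = set(body["digests"])
    accepted = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in signed:
            return None  # wallet altered or invented a claim
        accepted[name] = value
    return accepted
```

The wallet decides which claims to reveal, but any value it changes or invents fails the digest check, which is what "presentation layer, not source of truth" means in practice.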
He also misses SEDI’s most important innovation, and it is not a technical one. SEDI’s distinguishing move is law before technology. The point is not that new cryptographic techniques will solve identity. The point is that digital identity needs constitutional principles, fiduciary-like duties, voluntary adoption, non-tracking rules, selective disclosure, and enforceable accountability. As I wrote in A Legal Identity Foundation Isn’t Optional, SEDI provides a legal base layer for first person digital trust. The ACLU did not praise Utah’s legislation because of its cryptographic architecture; they praised it because it adds civil-liberties protections to digital identity. The duty of loyalty provision places a fiduciary obligation on institutions that rely on a state-endorsed digital identity. That is a governance innovation, not a technology choice.
Networked Identity Is Not the Obvious Answer
Mayo treats networked identity as the obviously practical path, but that model has its own structural weaknesses. A central switch creates a single point of dependency and failure. Online-only availability means the system breaks when the network does. Relying-party accreditation creates bottlenecks that limit who can participate. And a model where every identity transaction runs through a network switch creates inherent opportunities for surveillance, correlation, and gatekeeper control. SEDI is partly a response to exactly those risks.
The Scandinavian BankID systems that Mayo points to work well in small, high-trust societies with strong institutional foundations. They are real accomplishments. But they also concentrate identity infrastructure in banking consortiums, require online connectivity for every transaction, and give the network operator visibility into every authentication event. Those are acceptable tradeoffs in some contexts. They are not acceptable when the policy goal is individual control, minimized disclosure, and resistance to tracking.
Networked identity is also inherently national; each country’s BankID is a separate system tied to its own banking consortium. Cross-border use requires additional federation infrastructure that reintroduces much of the complexity Mayo attributes only to credential and decentralized systems. A networked model can be useful for some transactions, but it does not automatically win when the policy goals include individual control, minimal disclosure, offline capability, cross-border portability, and resistance to surveillance.
What SEDI Actually Is
None of this means SEDI is the clean best-of-all-worlds answer. It has its own hard problems: wallet ecosystem maturity, credential lifecycle management, adoption incentives, and the political challenge of getting other states and countries to recognize Utah’s framework. Mayo’s operational concerns about credential systems apply to SEDI too; they are not magically resolved by putting a legal framework around them.
But SEDI does not fit cleanly into any of Mayo’s three buckets, and that is the point. It is better described as state-endorsed, rights-first digital identity reuse. SEDI keeps institutional authority where it belongs: the state still verifies identity, endorses credentials, and defines legal duties for participants. It moves presentation and consent closer to the individual: the person controls what they disclose, to whom, and under what terms. And it wraps the whole system in public-law governance: constitutional principles, a duty of loyalty, voluntary adoption, and enforceable accountability.
That is not “replacing” identity infrastructure. It is not “no central control” or “all power rests with the individual.” It is an attempt to join cryptographic trust and legal trust into a public identity foundation. The state provides the endorsement and the legal framework; the individual provides the consent and controls the presentation; the technology provides the mechanism for doing both securely. As I explored in SEDI and Client-Side Identity, this resolves a problem that has plagued digital identity since the 1990s: people will not pay for identity proofing, but they already pay their state government for it without realizing it. SEDI routes around the economic bottleneck that killed client-side certificates.
Mayo’s useful contribution is the question itself. But the answer for SEDI is none of the above. SEDI enhances institutional trust by giving it a legal and cryptographic expression that the individual controls. It does not duplicate infrastructure into unsupervised wallets. It does not replace institutional authority with self-sovereign cryptography. It creates a new kind of public trust infrastructure in which the institution, the individual, and the law each carry weight. Getting SEDI’s category wrong makes it easy to dismiss. Getting it right means engaging with the harder, more interesting question: what does identity infrastructure look like when it starts from rights and relationships rather than from databases and documents?
Photo Credit: SEDI: None of the Above from ChatGPT (public domain)