27. SEDI: Distributed, not Decentralized
State-Endorsed Digital Identity is new and shiny. In this newsletter I dive into SEDI in more detail and consider where it fits...
Identity architecture decisions are and will continue to be crucial decision points in the evolution of identity services. My previous newsletter 26. Enhance, Duplicate or Replace? presented three choices with examples. In his excellent response Enhance, Duplicate, or Replace? None of the Above Phil Windley:
challenges my definition of State-Endorsed Digital Identity (SEDI) as a pure decentralized system
supports my ‘reframing’ of identity architecture choices
Phil’s first criticism was entirely correct: I had mis-categorized SEDI as a decentralized architecture. I address my error in this newsletter by taking a much more in-depth view of what SEDI really is.
Re his second point, I appreciate his support for the identity architectural choices framework that I have developed. But Phil’s comments also show a flaw in my framework which I have corrected in this newsletter. My second architectural approach should be, and is now, Distributed. Credential/Wallet solutions are one example and SEDI is a second.
I start this article by reframing my framework and then move onto SEDI in more detail.
So What Is the Distributed Architectural Approach?
At its core, Distributed identity duplicates identity information and moves part of the identity function from institutional infrastructure onto personal devices. Practically, this has many challenges, as all of the environmental controls and processes around the identity information need to be replicated.
I should have used this term, Distributed Identity, from the beginning.
Clearly the EUDI Credential/Wallet approach is Distributed. Identity information is duplicated to users’ devices and various central infrastructures, yet to be fully defined, enable devices, apps, and profiles to be authenticated and/or revoked.
Similarly, SEDI is Distributed as Phil declares. There is a centre and there is a copy of identity information.
State-Endorsed Digital Identity (SEDI)
By reading many of Phil’s articles, I have traced SEDI’s relationship with Self-Sovereignty, its distributed design, and the key security question.
Self-Sovereignty = First Person = SEDI
In Phil’s response to my newsletter he points us to his article entitled First Person Identity. This article makes it clear that First Person identity is another name, and a more appropriate name, for Self-Sovereign identity. I totally agree that self-sovereignty seems to be rather odd – who wants an identity solution that makes you the sovereign of yourself, that is, the sovereign of a realm of one person who happens to be you?
The aim is, of course, for identity to focus on the First Person by delivering identity solutions that, as Phil defines, deliver “individual control over consent, disclosure, and the terms of the relationship”. These objectives are fine but they are also what any Identity solution should aim to deliver.
SEDI Is Distributed
Phil rightly challenges my assertion that SEDI is a pure decentralized approach. It is not. Phil is right and I was wrong. I aimed to find a pure decentralized identity approach and, as SEDI did not fit into my ‘traditional’ Credential/Wallet category, I concluded that SEDI was decentralized.
Now, in my defence, I could claim that Self-Sovereign Identity has always been associated with decentralization. I could also claim that the official Utah Department of Government Operations document State Endorsed Digital Identity, 17 Oct 2025, states that “Above all, SEDI is a rights-first, decentralized identity model” (my bolding). A later Utah budget presentation states that “It is the first decentralized approach to official digital identity founded on the belief that identity is innate to the individual, not created by government or corporations” (my bolding).
However, I won’t claim that defence – I should have read further. If I had, it would have become clear that SEDI is not a pure decentralized architecture.
In Phil’s article A Legal Identity Foundation Isn’t Optional promoting State-Endorsed Digital Identity, he states that “SEDI is often described as a credentialing initiative, but its real significance is architectural. It provides a publicly governed foundation for first-person digital trust”. Clearly, with a central foundation for first person identity, SEDI is not a pure decentralized solution. Rather, it distributes credentials and, as Phil states in his response to my newsletter: “SEDI is not trying to eliminate institutional trust; it is state-endorsed, rights-first digital identity reuse that keeps institutional authority where it belongs while moving presentation and consent closer to the individual”.
That is, SEDI has central infrastructure that asserts institutional authority.
The SEDI Question – How to make it secure?
The challenge is to understand how the state endorses credentials. Phil states that “SEDI’s most important innovation, and … [most] distinguishing move is law before technology” and “[SEDI] is an attempt to join cryptographic trust and legal trust into a public identity foundation”. So SEDI is an innovative approach to combining cryptographic trust and legal trust.
Going further, Phil in SEDI and Client-Side Identity reveals that this trust is based upon client-side certificates. These were available in the 90s but did not take off as the economics did not stack up. Now they do, so SEDI can utilize this security technique. But is this a plausible explanation, or are there challenges both in securing client-side certificates on personal devices and in managing client-side certificates at a population scale?
We need to know the answer to these broader questions. Like all identity solutions, it comes down to how security is achieved at a population level.
Conclusions
Phil’s response drove me to update my architecture framework. This has been very useful and I have updated three of my previous Substack newsletters (22. Seven Challenges for Distributed Identity, 25. The State of Identity Planetwise, and 26. Enhance, Duplicate or Replace?). I now use the term Distributed architecture, and SEDI is definitely Distributed.
SEDI is different and deserves to be considered. It is refreshing to see a different approach when so many identity projects simply follow the standards bodies and the EU.
SEDI will have many similar challenges to other solutions such as credential/wallet solutions. One that clearly stands out is how client-side certificates are handled. There are bound to be many more questions, but these must wait until we see a design.
Corollary – Blockchain?
One slide in Blockchain Technology: Current Trends, 16 Sep 2025 presented by the Utah Blockchain Coalition to the Utah State Government shows:
Clearly the Blockchain Coalition see SEDI as part of the broader blockchain programme. And in the final slide, below, it becomes apparent that Utah, like other states such as Wyoming and Texas, is rolling the red carpet out for IT companies to make Utah their home (and where they employ people and pay taxes).
Final Question
So is SEDI a coherent Identity design or is it part of Utah’s broader strategy to attract blockchain, Web3 and digital trust industries? Or could it be both?






Great to see you taking an interest in SEDI. I'm glad my framing could help. These things are always tough to categorize.