Cryptographic Verifiability: Authoritative status is not asserted but proven through cryptographic verification chains. Any party can independently verify the authoritative nature of an identifier by examining its key event log (KEL) and validating signatures back to the inception event.

Root-of-Trust Anchoring: The verification must trace to a cryptographic root-of-trust, typically the inception event of an AID where the identifier is first bound to its controlling key pairs. This root provides the foundation for all subsequent authoritative statements.

Temporal Validity: Authoritative key pairs are those that were valid at the time a statement was made. KERI's key event logs enable validators to determine which keys were authoritative at any point in the identifier's history, even after key rotations.

Historical Context

Traditional identity systems rely on administrative authority where trusted third parties (certificate authorities, identity providers, registrars) assert the authoritative nature of identifiers. This creates several problems:

Centralization: Authority is concentrated in organizations that must be universally trusted

Revocation Challenges: When authority is compromised, revocation mechanisms are complex and often ineffective

Portability Issues: Identifiers are locked to specific administrative domains and cannot be transferred

Trust Assumptions: Validators must trust the administrative processes of the authority rather than being able to verify independently

In traditional PKI systems, a certificate authority's signature makes a public key "authoritative" for a domain. However, this authority is only as strong as the CA's security practices and the trust placed in it by validators. The 2011 DigiNotar breach demonstrated how compromised CAs can issue fraudulent but technically "authoritative" certificates.

KERI's Approach

Self-Certifying Identifiers as Authoritative Roots

KERI establishes authoritative control through self-certifying identifiers (SCIDs) that are cryptographically derived from their controlling key pairs. The identifier itself proves its binding to specific keys through one-way cryptographic functions, eliminating the need for external authorities to assert this relationship.

Inception Event: The inception event creates the authoritative binding between an AID and its initial key pairs. This event is self-contained and self-verifying—anyone with the inception event can verify that the identifier was correctly derived from the specified keys.

Key Event Log: The KEL maintains a complete, verifiable history of all authoritative key state changes. Each event is signed by the currently authoritative keys and includes commitments to future keys through pre-rotation, creating an unbroken chain of authoritative control.

Authoritative Key Pairs

In KERI, authoritative key pairs are those that have current signing authority over an identifier. The KEL explicitly tracks which keys are authoritative at any point in time:

Current Keys: The keys listed in the most recent establishment event (inception or rotation) that have signing authority for non-establishment events

Pre-rotated Keys: The next keys committed to via cryptographic digests in the current establishment event, which will become authoritative upon the next rotation

Historical Keys: Previous keys that were authoritative but have been rotated out, which remain important for verifying historical statements

Authoritative Statements

When an identifier makes a statement (issues a credential, signs a message, anchors data), that statement is authoritative if:

1. It is signed by keys that were authoritative at the time of signing
2. The signature can be cryptographically verified
3. The key state can be verified through the KEL back to the root-of-trust

This creates non-repudiable authoritative statements where the controller cannot deny having made the statement, and validators can independently verify the statement's authority.

Witness Attestation

KERI extends the concept of authoritative through witness attestation. Witnesses observe and sign key events, providing additional evidence of the authoritative key state. When a sufficient threshold of witnesses attest to an event, it strengthens the authoritative nature of that event by providing distributed consensus.

The threshold of accountable duplicity (TOAD) defines how many witness attestations are required for an event to be considered authoritatively witnessed. This creates a graduated model where authority increases with witness participation.

Duplicity Detection

A critical aspect of KERI's authoritative model is duplicity detection. If a controller attempts to create conflicting authoritative statements (by signing different events with the same keys), this duplicity becomes evident to validators. The detection of duplicity undermines the authoritative nature of the identifier, as it demonstrates the controller is not acting in good faith.

Practical Implications

Credential Issuance

When a QVI (Qualified vLEI Issuer) issues a Legal Entity credential, the credential is authoritative because:

1. The QVI's AID is authoritative (verified through GLEIF's delegation chain)
2. The credential is signed with the QVI's authoritative keys
3. The signature can be verified against the QVI's KEL
4. The credential's SAID binds it cryptographically to its content

Validators can independently verify this authority chain without contacting GLEIF or the QVI.

Key Rotation and Authority Transfer

When keys are rotated, authority transfers from the old keys to the new keys. The rotation event itself must be signed by the currently authoritative keys, and it establishes the new keys as authoritative going forward. Pre-rotation ensures this transfer is secure even if the old keys are compromised.

Multi-Signature Authority

For multi-signature AIDs, authority is distributed among multiple key holders. The signing threshold defines how many authoritative signatures are required for a statement to be authoritative. This enables organizational governance where multiple parties must cooperate to make authoritative statements.

Delegation Hierarchies

KERI's cooperative delegation creates hierarchies of authoritative identifiers. A delegated AID derives its authority from its delegator, creating a chain of authority. The GLEIF vLEI ecosystem demonstrates this with:

• GLEIF Root AID (self-authoritative)
• GLEIF External Delegated AID (GEDA) (authority delegated from root)
• QVI AIDs (authority delegated from GEDA)
• Legal Entity AIDs (authority delegated from QVI)

Each level's authority can be verified by tracing the delegation chain back to the root.

Temporal Authority Verification

Because KELs maintain complete history, validators can verify whether keys were authoritative at any point in time. This is crucial for:

• Verifying historical signatures on documents
• Auditing past transactions
• Resolving disputes about when statements were made
• Ensuring credentials were issued by authoritative keys

Authority and Reputation

While KERI provides cryptographic authority, the "renowned, honorable, and respected" aspects come from governance frameworks and reputation systems built on top of KERI. The vLEI ecosystem combines:

• Cryptographic authority (KERI's domain)
• Governance authority (GLEIF's qualification processes)
• Legal authority (LEI system's regulatory backing)

This creates a comprehensive authoritative system where technical, governance, and legal authority reinforce each other.

Implementation Considerations

Key Management: Maintaining authoritative control requires secure key management. Compromised keys can be rotated out, but any statements made while they were authoritative remain valid.

Witness Selection: Choosing reliable witnesses strengthens the authoritative nature of an identifier by providing distributed attestation.

Escrow Handling: Out-of-order events must be properly escrowed and processed to maintain the authoritative event sequence.

Duplicity Monitoring: Watchers and validators must actively monitor for duplicity to detect when authority is being abused.

The concept of authoritative in KERI represents a fundamental reimagining of how digital authority is established and verified, moving from trust in institutions to trust in cryptographic verification while maintaining the governance and reputation aspects that make authority meaningful in real-world contexts.