Traditional identity systems establish authority through administrative hierarchies:

Certificate Authority (CA) Model: In PKI systems like X.509, authority flows from root CAs through intermediate CAs to end-entity certificates. The root CA's authority is administratively designated (often through browser/OS inclusion), and all downstream authority depends on this administrative trust.

Federated Identity: Systems like SAML and OAuth establish authority through federation agreements between identity providers and relying parties. Authority to authenticate users or issue tokens derives from contractual relationships and configuration, not cryptographic proof.

Blockchain Governance: Distributed ledger systems attempt to decentralize authority through consensus mechanisms, but authority over the consensus process itself often remains centralized (through foundation governance, mining pools, or validator sets).

These traditional approaches share common limitations:

• Dependency on External Trust: Authority requires trusting administrators, certificate authorities, or consensus participants
• Revocation Challenges: Revoking authority often requires coordination with the authority-granting entity
• Portability Issues: Authority is typically bound to specific infrastructure or domains

KERI's Approach

Control Authority Through Key Event Logs

KERI establishes authority through Key Event Logs (KELs)—cryptographically verifiable, append-only logs that record all key management events for an identifier. Control authority is proven by:

1. Self-Certifying Identifiers: The AID itself is derived from the controlling key pair, creating an intrinsic cryptographic binding
2. Pre-Rotation: Each establishment event commits to the next set of rotation keys via cryptographic digests, creating a verifiable chain of authority
3. Witness Consensus: Witnesses provide distributed verification of key events without requiring shared governance

This approach means authority is self-contained in the KEL—anyone can verify current control authority by processing the event log without consulting external registries or trusted parties.

Separation of Signing and Rotation Authority

KERI introduces a critical innovation: bifurcating control authority into two distinct types:

Signing Authority: The right to sign non-establishment events (interactions, credential issuances, etc.) using current keys. This enables day-to-day operations.

Rotation Authority: The right to rotate keys and change the authoritative key set through establishment events. This represents ultimate control.

This separation enables custodial rotation patterns where:

• A custodial agent holds signing authority for operational convenience
• The original controller retains rotation authority for ultimate control
• The controller can "fire" the custodian unilaterally by rotating keys

This is implemented through partial rotation, where different key sets control different aspects of the identifier.

Delegated Authority and Cooperative Delegation

KERI supports cooperative delegation where both delegator and delegate must participate in establishing the delegation relationship:

1. Delegator Commitment: The delegator creates a cryptographic commitment in their KEL (via a seal in a rotation or interaction event) to the delegate's inception event
2. Delegate Inception: The delegate creates an inception event that references the delegating event
3. Bidirectional Verification: Validators can verify the delegation by checking both KELs

This creates hierarchical authority structures (delegation trees) where:

• Each level maintains its own KEL and control authority
• Authority flows from delegator to delegate but can be revoked
• Compromise at lower levels doesn't compromise higher levels (with proper key management)

Proof-of-Authority Through ACDCs

While KELs establish control authority over identifiers, ACDCs (Authentic Chained Data Containers) convey proof-of-authority for specific rights, permissions, or entitlements:

Chained Proof-of-Authority: ACDCs can form chains where:

• A root ACDC establishes initial authority (e.g., GLEIF's authority to issue QVI credentials)
• Chained ACDCs delegate authority downstream (e.g., QVI's authority to issue Legal Entity credentials)
• Each link is cryptographically verifiable back to the root

Edge Operators: ACDCs use edge operators (I2I, DI2I, NI2I) to define authority relationships:

• I2I (Issuer-to-Issuee): Strict authority chain where child credential issuer must be the parent credential subject
• DI2I (Delegated Issuer-to-Issuee): Extends I2I to include formally delegated AIDs
• NI2I (Not Issuer-to-Issuee): Permits referencing without implying delegated authority

This enables verifiable delegation chains for credentials, where authority to issue specific credential types can be traced cryptographically to a root authority.

Authoritative Key State

KERI introduces the concept of authoritative key state—the set of keys that have received attestations verifying control to the root-of-trust. A key set is authoritative when:

1. It can be verified through the KEL back to the self-certifying identifier
2. It has been witnessed by the designated witness pool (meeting the TOAD threshold)
3. No duplicity has been detected in the key event history

This establishes a time-dependent authority model where the authoritative key set evolves through rotations, and validators can determine which keys had authority at any point in the identifier's history.

Practical Implications

Use Cases

Enterprise Key Management: Organizations can delegate signing authority to operational systems while retaining rotation authority in secure offline storage. This enables:

• Daily operations without exposing root keys
• Unilateral revocation of compromised operational keys
• Audit trails of all authority changes

Credential Ecosystems: The vLEI ecosystem demonstrates hierarchical authority:

• GLEIF holds root authority as the trust anchor
• QVIs receive delegated authority to issue Legal Entity credentials
• Legal Entities receive delegated authority to issue role credentials
• Each level can be cryptographically verified to the root

Multi-Signature Governance: Organizations can distribute authority across multiple parties:

• Threshold signatures for critical operations
• Weighted voting for governance decisions
• Separation of concerns through partial rotation

Benefits

Portability: Authority is not bound to specific infrastructure—the KEL can be hosted anywhere while maintaining verifiability.

Revocability: Authority can be revoked unilaterally through key rotation, without requiring cooperation from the delegate or any third party.

Auditability: All authority changes are recorded in the KEL, providing a complete, verifiable history.

Scalability: Hierarchical delegation enables authority to scale across large organizations without requiring all parties to directly interact with the root authority.

Security: Separation of signing and rotation authority enables defense-in-depth strategies where operational keys can be compromised without losing ultimate control.

Trade-offs

Complexity: Managing separate signing and rotation authority requires more sophisticated key management than traditional single-key approaches.

Recovery Challenges: If rotation authority is lost (e.g., pre-rotated keys are destroyed), the identifier cannot be recovered. This requires careful backup strategies.

Witness Dependency: While witnesses don't control authority, they provide availability and duplicity detection. Choosing and maintaining witness relationships requires operational overhead.

Legal vs. Cryptographic Authority: KERI establishes cryptographic authority, but this doesn't automatically confer legal authority. Organizations must still establish legal frameworks for how cryptographic authority maps to legal responsibility.

Delegation Overhead: Cooperative delegation requires coordination between delegator and delegate, which can add latency compared to unilateral delegation models.