Separable Authority Types: KERI distinguishes between signing authority (the right to sign non-establishment events) and rotation authority (the right to rotate keys). This separation enables sophisticated delegation patterns, such as custodial arrangements where an agent holds signing authority while the controller retains rotation authority.

Multi-Entity Control: A controller may consist of multiple entities in multi-signature configurations. The complete set of controlling entities collectively constitutes the controller, with threshold schemes determining how many signatures are required for operations.

Scope and Boundaries

The controller concept applies specifically to the management of AIDs and their KELs. Controllers do not necessarily control the data or credentials associated with an identifier—they control the identifier itself and its key state. For example, a controller of a Legal Entity vLEI credential controls the AID used to sign the credential, but the Legal Entity itself (the subject of the credential) may be a separate entity.

Controllers are distinguished from other roles in the KERI ecosystem:

• Witnesses: Designated by controllers but do not control the identifier
• Watchers: Observe KELs but have no control authority
• Validators: Verify key states but do not control identifiers
• Verifiers: Check signatures but do not control the signing keys

Historical Context

The concept of cryptographic control over identifiers has roots in public key cryptography and self-certifying identifiers. Traditional PKI systems established control through certificate authorities that vouched for the binding between identifiers and public keys. However, this administrative trust model created centralized points of failure and made identifiers non-portable.

The W3C DID specification introduced the concept of DID controllers as entities capable of making changes to DID documents. However, many DID methods still rely on ledgers or other shared infrastructure to establish control authority, creating dependencies on external systems.

KERI's controller concept evolved from earlier work on self-certifying identifiers and autonomic namespaces, where the goal was to create identifiers that could be controlled purely through cryptographic means without any dependency on external infrastructure or trusted third parties.

KERI's Approach

Self-Certifying Control

KERI controllers exercise authority through self-certifying identifiers where the identifier itself is cryptographically derived from the controlling keys. This creates a direct, verifiable binding between the identifier and its controller without requiring external registries or certificate authorities.

The inception event that creates an AID includes:

• The initial set of public keys (current keys)
• Cryptographic commitments to the next set of keys (pre-rotated keys)
• Configuration parameters including witness designations and thresholds

This inception event is signed by the controller using the initial private keys, establishing the cryptographic root of trust for the identifier.

Key Event Log as Control Record

The Key Event Log (KEL) serves as the authoritative record of all control authority changes. Every event in the KEL must be signed by the controller using the current authoritative keys at the time of the event. This creates an append-only, cryptographically verifiable history of control authority.

The KEL enables:

• Verification of current control: Any party can process the KEL to determine the current authoritative key set
• Duplicity detection: Conflicting versions of the KEL indicate duplicitous behavior by the controller
• Audit trail: The complete history of key rotations and delegations is preserved

Pre-Rotation and Rotation Authority

KERI's pre-rotation mechanism is fundamental to how controllers maintain persistent control. In each establishment event (inception or rotation), the controller makes a cryptographic commitment to the next set of rotation keys by including digests of those keys.

This creates a critical security property: even if the current signing keys are compromised, an attacker cannot rotate to their own keys because they don't possess the pre-rotated keys whose digests were committed in the previous event. Only the legitimate controller, who generated and stored the pre-rotated keys, can perform the next rotation.

This mechanism enables:

• Recovery from key compromise: Controllers can rotate to pre-rotated keys even after signing key compromise
• Post-quantum security: The digest-based commitment protects against future quantum attacks on the pre-rotated keys
• Unbroken chain of control: The cryptographic chain from inception through all rotations is verifiable

Multi-Signature Control

KERI supports sophisticated multi-signature control configurations where multiple entities collectively act as the controller. This is implemented through:

Threshold Schemes: The current threshold (kt) specifies how many signatures from the current key set are required for non-establishment events. The next threshold (nt) specifies requirements for the next rotation.

Weighted Thresholds: KERI supports fractionally-weighted thresholds where different keys have different weights, and the combined weight must exceed the threshold.

Partial Rotation: In multi-sig configurations, not all pre-rotated keys need to be exposed in each rotation. This enables reserve keys and graduated security models.

Multi-sig control is essential for organizational use cases where multiple parties must cooperatively authorize actions, such as:

• Corporate governance requiring multiple executives to approve key operations
• Custodial arrangements where both custodian and principal must authorize certain actions
• Distributed teams managing shared infrastructure

Delegation and Hierarchical Control

Controllers can delegate authority to other AIDs, creating hierarchical control structures. In a delegation:

Delegator: The controller of the delegating AID that authorizes the creation of a delegated AID Delegate: The controller of the delegated AID that receives delegated authority

Delegation is cooperative, meaning both delegator and delegate must participate in establishment events for the delegated identifier. The delegator anchors the delegate's establishment events in their own KEL, creating a verifiable chain of authority.

This enables:

• Scalable key management: Organizations can delegate signing authority to departments or agents while retaining ultimate control
• Revocable authority: Delegators can revoke delegated identifiers by refusing to anchor future events
• Hierarchical trust structures: Complex organizational hierarchies can be represented through delegation trees

Custodial Control Patterns

KERI's separation of signing and rotation authority enables custodial arrangements where:

Custodial Agent: Holds signing authority and can sign non-establishment events on behalf of the controller Principal Controller: Retains rotation authority and can "fire" the custodian by rotating keys

This is implemented through partial rotation where:

• The current signing keys are held by the custodial agent
• The pre-rotated keys are held by the principal controller
• The custodian can perform day-to-day signing operations
• The principal can rotate to new keys (potentially with a new custodian) at any time

This pattern is critical for:

• Cloud-based key management services
• Mobile wallet architectures where keys are split between device and cloud
• Enterprise scenarios where operational signing is delegated but ultimate control is retained

Controller vs. Subject Distinction

In credential systems, it's important to distinguish:

Controller of the Issuer AID: The entity that controls the cryptographic keys used to sign credentials Subject of the Credential: The entity about whom claims are made in the credential

These may be the same entity (self-issued credentials) or different entities (third-party issued credentials). For example:

• A Legal Entity may control its own AID and issue self-signed credentials
• A Qualified vLEI Issuer controls an AID and issues credentials about Legal Entities
• An individual may control an AID but receive credentials from employers or governments

Practical Implications

Use Cases

Individual Identity Management: Individuals control AIDs for their personal digital identity, maintaining control over their identifiers across different contexts and service providers. The controller can rotate keys if a device is lost or compromised, maintaining persistent identity.

Organizational Identity: Legal entities control AIDs representing their organizational identity. Multi-sig configurations ensure that multiple executives must authorize key operations, preventing single points of failure.

IoT Device Management: Autonomous devices can be controllers of their own AIDs, enabling machine-to-machine authentication and authorization without human intervention. Manufacturers can delegate authority to devices while retaining ultimate control.

Credential Issuance: Credential issuers control AIDs used to sign verifiable credentials. The KEL provides an auditable history of the issuer's key state, enabling verifiers to check that credentials were signed with authoritative keys.

Supply Chain Tracking: Each participant in a supply chain controls AIDs used to sign transfer-of-custody events. The chain of controllers creates a verifiable provenance trail for physical goods.

Benefits

Cryptographic Verifiability: Control authority can be verified purely through cryptographic operations on the KEL, without requiring trust in external infrastructure or authorities.

Portability: Controllers can move their identifiers between different systems and infrastructure providers without losing control. The KEL is the authoritative record, not any particular storage system.

Recovery from Compromise: The pre-rotation mechanism enables controllers to recover from key compromise by rotating to pre-rotated keys that were never exposed.

Flexible Delegation: Controllers can delegate authority in sophisticated ways, from simple custodial arrangements to complex organizational hierarchies, while maintaining ultimate control.

Duplicity Detection: The KEL structure makes duplicitous behavior by controllers evident. If a controller creates conflicting versions of their KEL, this can be detected by comparing logs from different sources.

Trade-offs

Key Management Burden: Controllers bear full responsibility for protecting their private keys. Unlike systems with account recovery mechanisms, losing all copies of private keys means permanent loss of control over the identifier.

Operational Complexity: Multi-sig configurations and delegation hierarchies require careful coordination between multiple parties. Threshold schemes must be designed to balance security against operational availability.

Witness Coordination: Controllers must maintain relationships with witnesses to ensure their KEL is properly witnessed and available. Witness selection and management adds operational overhead.

Rotation Latency: Key rotations require coordination with witnesses and propagation through the ecosystem. This creates latency between initiating a rotation and having it universally recognized.

Custodial Trust: While custodial arrangements enable convenient key management, they require trusting the custodian not to abuse signing authority. The principal retains rotation authority but must monitor custodian behavior.

Implementation Considerations

Key Storage: Controllers must implement secure key storage appropriate to their security requirements. Options include:

• Hardware security modules (HSMs) for high-security applications
• Trusted execution environments (TEEs) for mobile devices
• Encrypted keystores with strong passphrases for personal use
• Multi-party computation (MPC) for distributed key management

Witness Selection: Controllers should select witnesses based on:

• Geographic and jurisdictional diversity to resist localized attacks
• Reputation and reliability for ensuring KEL availability
• Independence to prevent collusion
• Technical capability to properly implement witness protocols

Threshold Configuration: Multi-sig thresholds should be set considering:

• Security requirements (higher thresholds provide more security)
• Operational availability (higher thresholds make operations more difficult)
• Fault tolerance (threshold should allow for some key loss)
• The "ample" calculation to ensure immune agreement

Rotation Policies: Controllers should establish policies for:

• Routine key rotation schedules to limit key exposure
• Emergency rotation procedures for suspected compromise
• Pre-rotation key generation and secure storage
• Witness notification and coordination procedures

Delegation Strategies: When delegating authority, controllers should:

• Clearly define the scope of delegated authority
• Implement monitoring of delegate behavior
• Establish revocation procedures
• Document the delegation hierarchy for auditability

Partial Rotation: Consider using partial rotation to keep some keys in reserve, providing additional security layers and recovery options.

Delegation Management

When delegating authority:

Scope Definition: Clearly define what authority is being delegated. Document whether delegates can further delegate (recursive delegation) or only perform specific operations.

Monitoring: Implement monitoring of delegate behavior. The delegator should regularly review the delegate's KEL for unexpected events.

Revocation Procedures: Establish clear procedures for revoking delegated authority, including how to communicate revocation to relying parties.

Custodial Arrangements

For custodial control patterns:

Authority Separation: Ensure signing authority and rotation authority are properly separated. The custodian should never have access to pre-rotated keys.

Monitoring and Auditing: The principal controller should monitor the custodian's use of signing authority and be prepared to rotate keys if abuse is detected.

Recovery Procedures: Document procedures for the principal to recover control by rotating to new keys, potentially with a different custodian.

KERIA Agent Architecture

When using KERIA agents:

Client-Agent Relationship: The Signify client (edge) maintains the controller's private keys. The KERIA agent (cloud) manages KEL storage and witness coordination but never has access to private keys.

Delegated Agent AID: The KERIA agent has its own AID that is delegated from the client's AID. This enables the agent to perform operations on behalf of the controller while maintaining clear authority boundaries.

Passcode Security: The client's passcode (bran) is used to derive keys. This passcode must be protected and should never be transmitted to the agent.

Duplicity Detection

Controllers should be aware that their behavior is subject to duplicity detection:

Consistent KEL Publication: Controllers must ensure they publish consistent versions of their KEL to all witnesses and watchers. Publishing conflicting versions will be detected as duplicitous behavior.

Witness Coordination: All witnesses should receive the same events in the same order. Controllers should not attempt to present different event sequences to different witnesses.

Watcher Networks: Validators may use watcher networks to compare KEL versions from multiple sources. Controllers should assume their KEL will be widely observed and compared.