This binary choice has been a fundamental barrier to mainstream adoption. In traditional custodial models, users who want to change providers or reclaim direct control must rely on the custodian's cooperation, creating vendor lock-in and centralization of power.

In blockchain-based systems, custodial wallets became popular because they eliminated the need for users to manage seed phrases and private keys directly. However, these arrangements often meant users had no cryptographic proof of ownership independent of the custodian's systems—"not your keys, not your coins" became a warning about the risks of custodial arrangements.

KERI's Approach

KERI solves this dilemma through its partial rotation mechanism, which enables cryptographic separation of signing and rotation authorities. This is implemented through KERI's dual-key architecture:

Split Control Authority Implementation

KERI's establishment events support two distinct key sets:

1. Current keys: Used for signing authority in day-to-day operations
2. Pre-rotated keys: Cryptographically committed to in advance, reserved for rotation authority

By structuring the thresholds and key lists appropriately, a controller can:

• Grant signing keys to a custodial service provider
• Retain exclusive possession of pre-rotated keys needed for rotation events
• Cryptographically enforce this separation through the KEL structure

Unilateral Revocation Capability

The critical security property is that the identifier owner can exercise their rotation authority to:

• Create a rotation event that revokes the custodian's signing keys
• Establish new signing keys (either self-managed or with a different custodian)
• Anchor this rotation in the KEL without requiring any signature from the custodian

This is possible because rotation events are signed with the pre-rotated keys that only the owner possesses. The custodian's signing keys are explicitly excluded from the rotation authority threshold, preventing them from blocking or interfering with the owner's exercise of ultimate control.

Custodial Rotation Events

KERI defines custodial rotation as a specific type of rotation operation that:

• Changes the signing authority key set (potentially to a new custodian or back to self-custody)
• Maintains or updates the rotation authority key set (which remains under owner control)
• Preserves the identifier's continuity through the KEL chain

This enables flexible transitions between custodial arrangements, self-custody, and hybrid models without breaking the identifier's verifiable history.

Practical Implications

Mainstream Adoption Enablement

The source documents emphasize that 99% of people may not feel comfortable taking direct responsibility for managing cryptographic keys and agent software. Custodial agents address this reality by:

• Reducing technical barriers: Users don't need to understand key management, CESR encoding, or witness coordination
• Professional infrastructure: Custodians can provide enterprise-grade security, availability, and user interfaces
• Familiar service model: Users interact with hosted services similar to traditional web applications
• Preserved sovereignty: Despite the managed service model, users retain cryptographic proof of ownership and unilateral exit capability

Software-as-a-Service Business Model

Custodial agents enable a SaaS business model without centralizing control. Service providers can:

• Offer managed KERIA agent hosting
• Provide user-friendly interfaces for credential management
• Handle witness coordination and OOBI resolution
• Implement backup and recovery services
• Charge subscription fees for these services

All while users maintain the cryptographic capability to migrate to different providers or self-custody at will.

Security Model

The custodial agent security model provides important properties:

Compartmentalized Risk: Even if the custodian's signing keys are compromised, the attacker cannot:

• Rotate keys to lock out the legitimate owner
• Transfer the identifier to their own control
• Prevent the owner from revoking the compromised keys

The owner's pre-rotated keys remain the ultimate authority, enabling recovery from custodian compromise.

Operational Flexibility: Organizations can:

• Delegate signing operations to employees or departments
• Maintain executive control through rotation authority
• Implement separation of duties for compliance
• Revoke delegated authority without cooperation from the delegate

Trust Minimization: Users can benefit from custodial services without:

• Trusting the custodian not to impersonate them (signing authority is explicitly granted)
• Trusting the custodian to cooperate with service termination (rotation authority enables unilateral exit)
• Trusting the custodian's long-term viability (identifier portability is cryptographically guaranteed)

Use Cases

Custodial agents are particularly valuable for:

1. Individual Users: People who want decentralized identity benefits without technical complexity
2. Enterprise Deployments: Organizations that need professional key management with executive oversight
3. Regulated Environments: Scenarios requiring separation of operational and control authority for compliance
4. Transitional Adoption: Users who start with custodial services and later migrate to self-custody as they gain confidence
5. Hybrid Models: Sophisticated users who use custodial services for convenience while maintaining self-custody options for high-value operations

Trade-offs and Considerations

While custodial agents solve critical adoption challenges, they involve trade-offs:

Operational Dependence: Users depend on the custodian for day-to-day signing operations. If the custodian becomes unavailable, the user cannot sign transactions until they exercise rotation authority to establish new signing keys.

Privacy Considerations: The custodian can observe all signing operations, potentially learning about the user's activities and relationships. This is inherent to the custodial model but should be considered in privacy-sensitive applications.

Key Management Responsibility: While signing key management is delegated, users must still protect their rotation authority keys. Loss of these keys means loss of the ability to revoke the custodian or recover from custodian compromise.

Trust in Custodian Operations: While the custodian cannot lock out the owner, they can refuse to sign or perform operations incorrectly. Users must trust the custodian to operate honestly within their granted authority, though cryptographic accountability mechanisms can detect misbehavior.

Ecosystem Significance

Custodial agents are identified in the source documents as a key feature for KERI and ACDC adoption because they solve the fundamental tension between:

• Decentralization principles: Self-sovereign identity and cryptographic control
• Practical usability: Managed services and user-friendly experiences

This makes custodial agents essential infrastructure for scaling decentralized identity systems beyond early adopters to mainstream users who want the benefits of self-sovereign identity without the operational complexity of full self-custody. The ability to start with a custodial arrangement and later migrate to self-custody (or vice versa) provides a flexible adoption path that accommodates users at different points in their technical journey.

The custodial agent pattern exemplifies KERI's design philosophy of enabling real-world deployment scenarios while maintaining cryptographic verifiability and user sovereignty. By separating signing and rotation authorities through partial rotation, KERI provides the technical foundation for a new generation of identity services that are simultaneously user-friendly and truly self-sovereign.