This explanation has been generated from 76 GitHub source documents.
Last updated: October 7, 2025
Note: In rare cases it may contain LLM hallucinations.
For authoritative documentation, please consult the official GLEIF vLEI trainings and the ToIP Glossary.
A domain name is a human-readable string identifier that represents a realm of administrative autonomy, authority, or control within the Internet infrastructure. Domain names serve as the foundation of the Domain Name System (DNS), providing a hierarchical naming structure that maps to IP addresses and enables resource location across the internet.
While domain names are a traditional internet infrastructure concept, they play a specific role in KERI's discovery and resolution mechanisms:
Out-Of-Band Introduction (OOBI) URLs frequently use domain names as the host component for witness and watcher discovery. For example:
http://witness.example.com:8080/oobi/EaU6JR2nmwyZ-i0d8JZAoTNZH3ULvYAfSVPzhzS6b5CM
The domain name witness.example.com provides the network location for the OOBI endpoint, while the AID provides the cryptographic identifier being introduced.
The did:webs DID Method explicitly incorporates domain names into its identifier structure to leverage web-based discoverability while maintaining KERI's cryptographic security guarantees. The method splits the CRUD operations: Create, Update and Delete are performed on KERI's Key Event Log (KEL) by the controller's keys, while Read (resolution of the DID Document and the KERI event stream) uses standard web access via domain names.
Domain names are NOT trusted for authentication in KERI; they serve only for discovery.
When domain names appear in OOBIs, they follow standard URL syntax:
http[s]://<domain-name>[:<port>]/oobi/<aid>[?role=<role>&name=<name>]
The domain name component is resolved via standard DNS, but the resulting endpoint must prove control over the specified AID through KERI's cryptographic mechanisms: a verifier that has pinned the AID will only accept key state whose events are properly chained and signed under that AID's keys. A hijacked domain can therefore cause a failed lookup, but it cannot make the verifier accept a different identity under the same AID.
In did:webs DIDs, domain names appear in the method-specific identifier:
did:webs:<domain-name>[:<path-components>]:<aid>
The domain name enables web-based resolution of the DID Document and KERI event stream, while the AID, always the final component, provides the cryptographic root of trust. As in did:web, a port is percent-encoded (%3A) inside the domain segment because ":" is the DID separator.
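The following Python script is an added example (not code from the vLEI.wiki page, the KERI, keripy or did:webs projects) that puts the OOBI URL syntax and the did:webs identifier structure side by side. It parses both, derives the web locations a did:webs resolver would fetch, and then shows the trust split in practice: the host is only a discovery hint, and the client rejects anything the host serves that is not bound to the AID it already expected. Assumptions: the 44-character Base64url AID shape is used only as a syntax sanity check, the `/<aid>/did.json` and `/<aid>/keri.cesr` locations follow did:web-style path mapping as I recall the did:webs spec, and the sample DID documents and inception events are constructed minimal stand-ins (real KERI events carry more fields and must additionally be signature- and digest-verified, which is omitted here).

```python
"""Parse OOBI URLs and did:webs DIDs; show that the domain is only for discovery.

Added example, not part of the vLEI.wiki page or any KERI project's code.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: a CESR-qualified AID is one text-code character followed by 43
# Base64url characters (44 total), e.g. 'E...' for a Blake3-256 self-addressing
# prefix. Used here only to reject obviously malformed identifiers.
_AID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{43}$")


def is_aid(value):
    return bool(_AID_RE.match(value))


def parse_oobi(url):
    """Split http[s]://<host>[:<port>]/oobi/<aid>[?role=..&name=..] into the
    discovery part (host/port) and the cryptographic part (aid)."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https"):
        raise ValueError("OOBI must use http or https")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) < 2 or parts[0] != "oobi" or not is_aid(parts[1]):
        raise ValueError("OOBI path must be /oobi/<aid>")
    q = parse_qs(u.query)
    return {"host": u.hostname, "port": u.port, "aid": parts[1],
            "role": q.get("role", [None])[0], "name": q.get("name", [None])[0]}


def parse_did_webs(did):
    """did:webs:<host>[:<path>...]:<aid>; a port is %3A-encoded in the host
    segment (did:web convention, assumed here). The AID is always last."""
    segs = did.split(":")
    if len(segs) < 4 or segs[0] != "did" or segs[1] != "webs" or not is_aid(segs[-1]):
        raise ValueError("not a well-formed did:webs identifier")
    host, _, port = unquote(segs[2]).partition(":")
    return {"host": host, "port": int(port) if port else None,
            "path": segs[3:-1], "aid": segs[-1]}


def did_webs_to_urls(did):
    """Web locations a resolver fetches for the Read side of did:webs.
    Assumption: did:web-style path mapping with did.json and keri.cesr."""
    d = parse_did_webs(did)
    authority = d["host"] + (":%d" % d["port"] if d["port"] else "")
    base = "https://" + "/".join([authority] + d["path"] + [d["aid"]])
    return {"did.json": base + "/did.json", "keri.cesr": base + "/keri.cesr"}


def check_binding(expected_aid, did_doc, inception_event):
    """The host was only discovered; trust comes from the pinned AID.
    Reject the response unless both the DID document and the first KEL event
    are about expected_aid. (Signature/digest checks of the KEL are KERI's
    job and are omitted; this is the identifier-binding check only.)"""
    if did_doc.get("id", "").split(":")[-1] != expected_aid:
        return False, "DID document id is not the expected AID"
    if inception_event.get("t") != "icp":
        return False, "first KEL event is not an inception event"
    if inception_event.get("i") != expected_aid:
        return False, "KEL inception prefix differs from the expected AID"
    return True, "identifier binding ok"


# Constructed sample data: the AID from the page plus a second, made-up AID.
AID = "EaU6JR2nmwyZ-i0d8JZAoTNZH3ULvYAfSVPzhzS6b5CM"
OTHER_AID = "EBfxc4RiVY6saIFmUfEtETs1FcqmktZW88UkbnOg0Qen"
GOOD_ICP = {"v": "KERI10JSON0000fd_", "t": "icp", "d": AID, "i": AID, "s": "0"}
SPOOFED_ICP = {"v": "KERI10JSON0000fd_", "t": "icp", "d": OTHER_AID, "i": OTHER_AID, "s": "0"}


def demo():
    """Honest host vs. a hijacked host serving a different identity."""
    honest = check_binding(AID, {"id": "did:webs:example.com:" + AID}, GOOD_ICP)
    hijacked = check_binding(AID, {"id": "did:webs:example.com:" + AID}, SPOOFED_ICP)
    return honest[0], hijacked[0]


if __name__ == "__main__":
    print(parse_oobi("http://witness.example.com:8080/oobi/" + AID + "?role=witness&name=wan"))
    print(did_webs_to_urls("did:webs:example.com%3A8443:identifiers:" + AID))
    print(demo())
```

Note that `check_binding` never consults the host name: swapping `example.com` for an attacker-controlled domain changes where the client looks, not what it will accept, which is exactly the discovery/authentication split the text describes.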
Critically, KERI's architecture does not trust domain names for security. Domain names are used only for discovery (finding network endpoints), not for authentication (verifying identity). The OOBI specification explicitly states that OOBIs themselves are insecure and serve only to bootstrap discovery; the actual authentication is performed through KERI's cryptographic verification of the key event log obtained from the discovered endpoint.
This design allows KERI to leverage existing internet infrastructure (DNS, HTTP) for convenience while maintaining end-verifiable security that does not depend on DNS or the web CA system, so attacks such as DNS hijacking, BGP hijacking or a mis-issued TLS certificate can at most disrupt discovery; they cannot forge a controller's key state.
Keridemlia provides DNS-like mapping services specifically for KERI: it maps identifiers (controller AIDs, whose key state lives in their KELs) to the current witness AIDs and IP addresses that serve them. This creates a KERI-native alternative to traditional DNS for identifier resolution.