Loading vLEI.wiki
Fetching knowledge base...
Fetching knowledge base...
This comprehensive explanation has been generated from 186 GitHub source documents. All source documents are searchable here.
Last updated: October 7, 2025
This content is meant to be consumed by AI agents via MCP. Click here to get the MCP configuration.
Note: In rare cases it may contain LLM hallucinations.
For authoritative documentation, please consult the official GLEIF vLEI trainings and the ToIP Glossary.
An identifier system is a systematic framework for uniquely identifying entities through identifiers, their assignment mechanisms, and associated data management. KERI represents a thin-layered identifier system generator that creates autonomic identifier systems with cryptographic roots-of-trust, enabling globally portable, self-certifying identifiers without centralized registries.
An identifier system is a comprehensive framework for uniquely identifying entities (people, organizations, things, or digital objects) through structured mechanisms that assign, manage, and resolve identifiers. At its core, an identifier system must address three fundamental questions: how identifiers are created, how they map to entities, and how their authenticity and authority can be verified.
The concept extends beyond simple identifier assignment to encompass the entire ecosystem of policies, infrastructure, and processes that govern identifier lifecycles. This includes creation, binding to entities, resolution, verification, revocation, and the management of associated metadata and attributes.
Robust identifier systems exhibit twelve critical properties as documented in identifier system theory:
These properties establish evaluation criteria for comparing different identifier system architectures and implementations.
When implementing identifier systems using KERI:
Choose the appropriate trust basis for your use case:
Select between direct and indirect modes based on requirements:
For indirect mode, carefully consider:
Implement appropriate key management based on security requirements:
KERI provides secure attribution but requires governance frameworks for:
Ensure identifier system interoperability through:
Identifier systems operate at multiple layers:
The boundaries of an identifier system are defined by its trust domain—the ecosystem of interactions that rely on a specific trust basis binding controllers, identifiers, and key-pairs.
Historically, identifier systems have relied on administrative trust bases where centralized authorities maintain mappings between identifiers and entities. Examples include:
These systems share common characteristics:
The emergence of blockchain technology introduced algorithmic trust bases where distributed consensus mechanisms replace centralized authorities. Systems like Bitcoin addresses and Ethereum accounts demonstrated that identifiers could be created without permission from central authorities, though they remained locked to specific ledger infrastructures.
The W3C Decentralized Identifier (DID) specification attempted to create a universal identifier framework, but most DID methods still depend on either centralized registries or specific blockchain infrastructures, limiting true portability and self-sovereignty.
KERI is distinctively characterized as a thin-layered identifier system generator rather than simply an identifier system itself. This means KERI provides the foundational infrastructure and protocols that enable the creation of identifier systems with specific properties, rather than being a monolithic identifier system with fixed characteristics.
This generative approach allows KERI to support diverse identifier system implementations while maintaining core security properties:
KERI introduces a third trust basis model—the autonomic trust basis—distinct from both administrative and algorithmic approaches:
Administrative Trust Basis (Traditional PKI):
Algorithmic Trust Basis (Blockchain):
Autonomic Trust Basis (KERI):
The autonomic approach eliminates dependencies on both centralized authorities and blockchain consensus mechanisms, enabling truly self-sovereign identifier systems.
KERI identifier systems are built on Key Event Logs (KELs)—append-only, cryptographically chained data structures that record all key management events for an identifier. Each KEL:
This architecture solves the fundamental problem of persistent identifiers with rotating keys—a challenge that has plagued traditional PKI systems where key rotation breaks the chain of trust.
KERI identifiers are self-certifying—the identifier itself is cryptographically derived from the controlling public key, eliminating the need for external certificate authorities. The identifier prefix includes either:
This self-certification property means that anyone can verify the binding between an identifier and its controlling keys using only cryptography, without consulting external registries or authorities.
KERI's pre-rotation mechanism provides a novel solution to key compromise:
This mechanism enables persistent control authority despite key weakness or compromise, a critical property for long-lived identifier systems.
KERI identifier systems can operate in two modes:
Direct Mode: Controllers interact directly with validators, suitable for intermittent connectivity scenarios like mobile devices.
Indirect Mode: Controllers designate witnesses—entities that observe, receipt, and promulgate key events. Witnesses provide:
The witness architecture enables scalable, resilient identifier systems without requiring blockchain infrastructure.
Organizational Identity: The GLEIF vLEI (verifiable Legal Entity Identifier) system demonstrates KERI's application to organizational identity at global scale. Legal entities receive cryptographically verifiable credentials that prove their identity and the authority of their representatives, enabling automated verification in cross-border transactions.
Supply Chain Provenance: KERI identifier systems can track products, components, and materials through supply chains with verifiable chain-of-custody. Each entity in the supply chain maintains its own AID, and ACDCs create verifiable links between entities and assets.
IoT Device Identity: Devices can maintain persistent identities with rotating keys, enabling secure firmware updates and device-to-device authentication without centralized device registries.
Personal Identity: Individuals can create self-sovereign identifiers that work across platforms and jurisdictions, receiving verifiable credentials from multiple issuers without platform lock-in.
True Portability: KERI identifiers are not locked to any specific infrastructure. An identifier created with one set of witnesses can be rotated to use different witnesses, or even moved from witness-based infrastructure to ledger-anchored infrastructure and back.
Scalability: Each identifier has its own KEL—there is no global ledger requiring total ordering of all events. This enables horizontal scaling limited only by the number of identifiers, not by consensus bottlenecks.
Security Without Centralization: The autonomic trust basis provides cryptographic security guarantees without requiring trust in centralized authorities or participation in expensive consensus protocols.
Ambient Verifiability: Anyone can verify the authenticity and current key state of any identifier at any time using only the KEL and basic cryptographic operations. No special infrastructure access is required.
Post-Quantum Resistance: The pre-rotation mechanism provides protection against future quantum computing threats, as the next rotation keys remain cryptographically hidden even if current cryptographic algorithms are broken.
Complexity: KERI's sophisticated key management and event log architecture requires deeper understanding than simple username/password systems or even basic public key cryptography.
Key Management Burden: Controllers must properly manage their private keys and understand the implications of key rotation, delegation, and recovery mechanisms.
Witness Coordination: In indirect mode, controllers must select and coordinate with witnesses, though this provides benefits in availability and duplicity detection.
Adoption Barriers: As a relatively new protocol, KERI faces ecosystem adoption challenges compared to established systems like X.509 certificates or blockchain-based DIDs.
No Built-in Veracity: KERI provides secure attribution (proving who said what) but does not verify the truth of claims. Veracity determination requires additional governance frameworks and trust mechanisms.
KERI identifier systems occupy a unique position:
vs. Traditional PKI: KERI eliminates dependency on certificate authorities while providing stronger key rotation security through pre-rotation.
vs. Blockchain DIDs: KERI provides the same decentralization benefits without locking identifiers to specific ledgers or requiring participation in consensus protocols.
vs. Federated Identity: KERI enables true self-sovereignty where controllers maintain exclusive authority over their identifiers, rather than depending on identity providers.
vs. Centralized Platforms: KERI identifiers work across platforms and jurisdictions, preventing vendor lock-in and enabling true data portability.
The autonomic trust basis represents a fundamental architectural innovation that enables identifier systems with properties previously thought incompatible: strong security, complete decentralization, true portability, and scalability without consensus bottlenecks.