Key Participants

The issuance-exchange involves specific role relationships:

Issuer/Discloser: The entity that both issued the origin ACDC and is now disclosing it. This role unification is the defining characteristic of issuance-exchange. The Issuer's AID (Autonomic Identifier) appears at the top level of the ACDC structure and controls the KEL (Key Event Log) that establishes cryptographic authority.

Disclosee: The entity receiving the disclosed ACDC. In issuance-exchange, when the origin ACDC includes an Issuee field (the subject of the credential claims), the Disclosee MAY also serve as that origin ACDC's Issuee, creating a direct issuance-to-holder pattern.

Verifiers: Third parties who may later verify the disclosed credentials by validating the cryptographic chain from the Issuer's AID through the KERL (Key Event Receipt Log) and associated witness receipts.

Process Flow

Sequence of Operations

The issuance-exchange follows a structured sequence within the IPEX protocol framework:

1. Credential Preparation Phase

ACDC Construction: The Issuer constructs an ACDC with required top-level fields:

• v (version string): Specifies ACDC protocol version and serialization format
• d (SAID): Self-addressing identifier providing cryptographic binding
• i (Issuer AID): The Issuer's autonomic identifier
• s (schema): JSON Schema defining credential structure
• a (attributes): Credential claims and data payload
• Optional u (UUID): High-entropy nonce for private ACDCs
• Optional ri (registry identifier): Link to TEL (Transaction Event Log) for revocation tracking

Schema Validation: The ACDC must conform to its declared JSON Schema, ensuring structural integrity and type safety through the "type-is-schema" principle.

Cryptographic Signing: The Issuer signs the ACDC using CESR (Composable Event Streaming Representation) proof signatures, creating non-repudiable cryptographic commitment to the credential content.

2. Disclosure Initiation

IPEX Message Construction: The Issuer (acting as Discloser) constructs an IPEX exchange message containing:

• The ACDC to be disclosed (in compact, partial, or full disclosure form)
• Associated CESR proof signatures
• Optional chained ACDCs forming the DAG structure
• Edge references to related credentials

Graduated Disclosure Selection: The Issuer determines the appropriate disclosure level:

• Compact Disclosure: Only SAIDs of major sections disclosed
• Partial Disclosure: Selected field maps disclosed with cryptographic commitments to undisclosed content
• Selective Disclosure: Unbundled attributes with individual blinding
• Full Disclosure: Complete credential content revealed

3. Secure Transmission

OOBI Resolution: If the Disclosee's endpoint is not known, the Issuer may use OOBI (Out-Of-Band Introduction) to discover the Disclosee's service endpoints and witness configuration.

Message Delivery: The IPEX exchange message is transmitted to the Disclosee through:

• Direct peer-to-peer communication
• KERIA (KERI Agent) infrastructure
• Mailbox services for asynchronous delivery

Receipt Confirmation: The Disclosee may provide cryptographic receipts acknowledging message reception, though this is not mandatory for issuance-exchange completion.

4. Verification and Acceptance

KEL Validation: The Disclosee verifies the Issuer's AID by:

• Retrieving the Issuer's KEL from witnesses
• Validating the key event sequence and witness receipts
• Confirming current key state matches the signing keys
• Checking for duplicity through watchers

ACDC Verification: The Disclosee validates:

• SAID integrity (recomputing digest matches declared SAID)
• Signature validity against Issuer's current authoritative keys
• Schema compliance of credential structure
• Edge references to chained ACDCs if present

Registry Checking: If the ACDC includes a registry identifier (ri), the Disclosee queries the TEL to verify:

• Credential issuance status
• Current revocation state
• Transfer history if applicable

5. Storage and Management

Credential Storage: The Disclosee stores the received ACDC in their keystore or credential wallet, maintaining:

• The ACDC structure (in received disclosure form)
• Associated CESR proof signatures
• Issuer KEL snapshots for offline verification
• Metadata about the exchange transaction

Subsequent Presentation: The Disclosee may later present the credential to third-party verifiers, transitioning from issuance-exchange to standard presentation-exchange where the Disclosee becomes the Discloser.

State Changes

The issuance-exchange process involves several critical state transitions:

Issuer State Changes:

• Pre-issuance: ACDC exists as unsigned data structure
• Signed: Issuer commits cryptographically via signature
• Anchored: If using TEL, issuance event is anchored to Issuer's KEL via seal
• Disclosed: ACDC transmitted to Disclosee
• Registered: TEL updated with issuance transaction (if registry-backed)

Disclosee State Changes:

• Unknown: No knowledge of credential existence
• Received: IPEX message delivered to Disclosee
• Validating: Cryptographic verification in progress
• Accepted: Credential verified and stored
• Rejected: Verification failed or credential declined

Registry State Changes (if applicable):

• Unissued: Credential identifier not yet in registry
• Issued: Issuance transaction recorded in TEL
• Active: Credential valid and not revoked
• Revoked: Revocation transaction recorded (future state)
• Transferred: Control transferred to new holder (for transferable credentials)

Decision Points

Several critical decision points occur during issuance-exchange:

Disclosure Level Selection: The Issuer must decide which graduated disclosure mechanism to employ based on:

• Privacy requirements of the credential content
• Regulatory compliance needs
• Relationship with the Disclosee
• Anticipated verification scenarios

Registry Backing Decision: The Issuer determines whether to:

• Use a public TEL for transparent revocation
• Employ a blinded revocation registry for privacy
• Issue without registry backing (non-revocable credentials)

Chaining Strategy: When constructing DAGs of ACDCs, the Issuer selects appropriate edge operators:

• I2I (Issuer-to-Issuee): Strict delegation chain
• DI2I (Delegated Issuer-to-Issuee): Allows delegated issuers
• NI2I (Not Issuer-to-Issuee): Reference without authority delegation

Acceptance Criteria: The Disclosee must decide whether to accept the credential based on:

• Trust in the Issuer's AID and KEL
• Validation of cryptographic proofs
• Compliance with expected schema
• Business logic and policy requirements

Technical Requirements

Cryptographic Requirements

Issuance-exchange mandates specific cryptographic standards:

Signature Algorithms: All vLEI credentials (a primary use case for issuance-exchange) must use:

• Ed25519 signatures with CESR Proof Format
• Signatures must be attached as CESR-encoded primitives
• Multi-signature support for group-controlled issuers

Digest Algorithms:

• BLAKE3-256 for all SAIDs in vLEI ecosystem
• Consistent digest algorithm across entire credential chain
• Qualified cryptographic primitives with derivation codes

Key Management:

• Issuer AID must be transferable (supports key rotation)
• Pre-rotation commitment for compromise recovery
• Minimum 128-bit cryptographic strength for key generation
• Hardware Security Module (HSM) recommended for high-value issuers

Entropy Requirements:

• Private ACDCs require high-entropy UUID (≥128 bits) to prevent rainbow table attacks
• Salty nonce for blinded selective disclosure
• CSPRNG (Cryptographically Secure Pseudorandom Number Generator) for all random values

Timing Considerations

Witness Confirmation Timing:

• Issuer should wait for witness receipts before disclosure to ensure KEL stability
• KAACE (KERI Agreement Algorithm for Control Establishment) consensus among witnesses
• Timeout handling for unresponsive witnesses

Registry Anchoring Timing:

• TEL issuance transaction must be anchored to Issuer's KEL
• Anchoring occurs via interaction event or rotation event
• Disclosee should verify anchoring before accepting credential

Verification Timing:

• First-seen policy for duplicity detection
• KEL validation may require querying multiple witnesses
• Asynchronous verification patterns for performance

Expiration Handling:

• Credentials may include temporal validity constraints in schema
• Issuance timestamp typically recorded in attributes
• Verification must check temporal validity at presentation time

Error Handling

Robust error handling is critical for issuance-exchange:

Cryptographic Verification Failures:

• Invalid Signature: Reject credential, log security event
• SAID Mismatch: Content has been tampered with, reject immediately
• Key State Mismatch: Signing keys don't match current KEL state, investigate duplicity

Network and Communication Errors:

• Witness Unavailability: Retry with exponential backoff, use watcher network as fallback
• OOBI Resolution Failure: Cannot discover Disclosee endpoints, use alternative discovery mechanisms
• Message Delivery Failure: Queue for retry, use mailbox services for asynchronous delivery

Schema and Structure Errors:

• Schema Validation Failure: ACDC doesn't conform to declared schema, reject
• Missing Required Fields: Incomplete ACDC structure, reject
• Invalid Edge References: Chained ACDC SAIDs cannot be resolved, request full disclosure

Registry Errors:

• Registry Unavailable: Cannot verify issuance/revocation status, implement fallback policy
• Conflicting Registry State: Multiple registries show different states, investigate duplicity
• Unregistered Credential: ACDC claims registry backing but not found in TEL, reject

Duplicity Detection:

• Forked KEL: Issuer has published conflicting key events, enter duplicity resolution protocol
• Conflicting Credentials: Multiple ACDCs with same SAID but different content, reject all versions
• Witness Disagreement: Witnesses provide conflicting receipts, require supermajority consensus

Usage Patterns

Typical Scenarios

vLEI Credential Issuance:

The GLEIF vLEI ecosystem represents the primary production use case for issuance-exchange:

1. QVI to Legal Entity: A Qualified vLEI Issuer (QVI) issues a Legal Entity vLEI Credential to an organization that has obtained an LEI (Legal Entity Identifier)

2. Legal Entity to Representatives: The legal entity then issues OOR (Official Organizational Role) credentials to authorized representatives

3. Delegated Authority Chains: Representatives may issue ECR (Engagement Context Role) credentials for specific business contexts

Each step uses issuance-exchange where the issuer directly discloses credentials to the intended holder.

Supply Chain Provenance:

Issuance-exchange enables verifiable supply chain tracking:

1. Manufacturer Issues Origin Certificate: Product manufacturer issues ACDC certifying product origin and specifications

2. Distributor Receives and Extends: Distributor receives via issuance-exchange, then issues chained ACDC adding distribution information

3. Retailer Final Mile: Retailer receives chained credentials, verifies entire provenance chain back to manufacturer

The DAG structure of chained ACDCs creates an authentic provenance chain with cryptographic integrity.

Educational Credentials:

1. University Issues Degree: Educational institution issues degree credential directly to graduate

2. Graduate Presents to Employer: Graduate later presents credential (now presentation-exchange, not issuance-exchange)

3. Employer Verifies: Employer validates credential chain back to university's authoritative AID

Best Practices

Issuer Best Practices:

1. Maintain KEL Integrity: Ensure robust witness configuration with geographic and organizational diversity

2. Use Appropriate Disclosure Levels:

   • Public credentials: Full disclosure acceptable
   • Sensitive data: Employ selective or partial disclosure
   • PII-containing credentials: Use private ACDCs with UUIDs

3. Implement Registry Backing: For revocable credentials, anchor issuance to TEL for verifiable revocation status

4. Schema Versioning: Use immutable schemas with clear versioning strategy, support backward compatibility during transitions

5. Witness Pool Management: Maintain minimum 5 witnesses with TOAD (Threshold of Accountable Duplicity) configured for Byzantine fault tolerance

Disclosee Best Practices:

1. Comprehensive Verification: Always validate:

   • Issuer KEL integrity and current key state
   • ACDC SAID and signature validity
   • Schema compliance
   • Registry status if applicable
   • Temporal validity constraints

2. Duplicity Monitoring: Use watcher networks to detect potential KEL forks or conflicting credentials

3. Secure Storage: Protect received credentials with encryption at rest, implement access controls

4. Audit Logging: Maintain detailed logs of credential reception, verification results, and usage

5. Graceful Degradation: Implement fallback verification strategies when witnesses or registries are temporarily unavailable

Verifier Best Practices (for subsequent presentations):

1. Fresh KEL Validation: Don't rely solely on cached KEL data, periodically refresh from witnesses

2. Registry Checking: Always verify current revocation status, don't trust stale registry data

3. Chain Validation: For chained ACDCs, validate entire provenance chain, not just the presented credential

4. Policy Enforcement: Implement business logic to enforce organizational policies on credential acceptance

Integration Considerations

KERI Infrastructure Integration:

Issuance-exchange requires integration with core KERI components:

• KERIpy or KERIox: Core KERI protocol implementation
• KERIA: Cloud agent infrastructure for scalable operations
• Signify: Client-side signing and key management
• Witness Network: Configured witness pool with appropriate TOAD thresholds
• Watcher Network: Ambient duplicity detection infrastructure

Wallet Integration:

Credential wallets must support:

• IPEX Protocol: Full implementation of issuance and presentation exchange
• ACDC Parsing: Support for all ACDC variants (compact, partial, selective, full)
• CESR Encoding: Ability to parse and generate CESR-encoded primitives
• Schema Validation: JSON Schema validation engine
• KEL Management: Local KEL caching and witness querying

Registry Integration:

For registry-backed credentials:

• TEL Querying: Ability to query public or private TELs
• Anchoring Verification: Validate TEL events are properly anchored to issuer KEL
• State Tracking: Monitor credential lifecycle (issued, active, revoked, transferred)
• Notification Services: Optional real-time notifications of registry state changes

Enterprise System Integration:

Integrating issuance-exchange into enterprise systems requires:

• API Gateways: RESTful APIs wrapping KERI/IPEX operations
• Identity Providers: Integration with existing IAM systems
• Workflow Engines: Orchestration of multi-step issuance processes
• Compliance Monitoring: Audit trails for regulatory requirements
• Backup and Recovery: Secure backup of issuer keys and KEL data

Interoperability Considerations:

• DID Method Compatibility: KERI AIDs can be expressed as did:keri or did:webs for broader ecosystem compatibility
• VC Data Model Alignment: ACDCs can be transformed to W3C Verifiable Credentials format for legacy system integration
• Schema Registries: Coordinate with centralized or decentralized schema registries for schema discovery
• Trust Frameworks: Align with governance frameworks like GLEIF vLEI Ecosystem Governance Framework

Conclusion

Issuance-exchange represents a fundamental pattern in the KERI/ACDC ecosystem, providing a secure, verifiable mechanism for credential issuance that maintains cryptographic integrity from issuer to holder. By unifying issuance and presentation under the IPEX protocol's disclosure model, the architecture achieves elegant simplicity while supporting sophisticated use cases ranging from vLEI credentials to supply chain provenance.

The process's reliance on KERI's autonomic identifier infrastructure, combined with ACDC's flexible disclosure mechanisms and CESR's efficient encoding, creates a powerful foundation for authentic data ecosystems. Proper implementation requires careful attention to cryptographic requirements, timing considerations, error handling, and integration patterns, but the result is a robust, scalable credential issuance system suitable for high-stakes regulatory and business applications.

Caching Strategy: Balance freshness requirements with performance by implementing intelligent caching of registry state. Critical verifications should always query live registry state.

Security Considerations

Key Protection: Issuer private keys must be protected with appropriate security measures. HSMs are recommended for high-value issuers. Implement key rotation schedules and pre-rotation commitments for compromise recovery.

Duplicity Detection: Integrate with watcher networks for ambient duplicity detection. Implement alerting mechanisms for detected KEL forks or conflicting credentials.

Audit Logging: Maintain comprehensive audit logs of all issuance and verification activities. Include timestamps, involved AIDs, verification results, and any errors encountered.

Performance Optimization

Witness Parallelization: Query multiple witnesses in parallel to reduce latency. Implement early termination when sufficient receipts are obtained.

KEL Caching: Cache validated KELs with appropriate TTL. Implement incremental KEL updates rather than full re-validation when possible.

Batch Processing: For high-volume issuance scenarios, implement batch processing of credentials with shared witness confirmation.

Interoperability

DID Method Support: Implement did:keri and did:webs resolution for broader ecosystem compatibility. Support transformation between KERI AIDs and DID representations.

Schema Registry Integration: Coordinate with centralized or decentralized schema registries for schema discovery and validation. Implement schema caching with version management.

Legacy System Bridges: For integration with W3C VC ecosystems, implement transformation layers that convert ACDCs to VC Data Model format while preserving cryptographic integrity.

Testing and Validation

Test Vectors: Implement comprehensive test suites covering:

• Valid issuance-exchange scenarios
• Invalid signature detection
• SAID tampering detection
• KEL fork handling
• Registry state conflicts
• Network failure scenarios

Interoperability Testing: Participate in interoperability testing events to validate compatibility with other KERI implementations (KERIpy, KERIox, Signify).

Load Testing: For production deployments, conduct load testing to validate performance under expected transaction volumes. Test witness pool capacity and registry query performance.