Relationship to Protocol Specifications

Keep is not a protocol specification but rather a reference implementation of a KERI client application. It demonstrates how to:

• Interact with KERI agents through standardized APIs
• Implement user workflows for AID (Autonomic Identifier) management
• Handle credential issuance and presentation
• Manage multi-signature operations

Key Features & Capabilities

1. Local AID Management

Keep enables users to establish and manage individual self-certifying identifiers:

• AID Inception: Create new autonomic identifiers with configurable key management policies
• Key Rotation: Securely rotate controlling keys using KERI's pre-rotation mechanism
• Witness Configuration: Select and manage witness pools for identifier validation
• Delegation: Create hierarchical identifier structures through delegation

2. Distributed Multi-Signature AIDs

A core capability is managing group identifiers controlled by multiple parties:

• Multi-Sig Inception: Create identifiers requiring threshold signatures from multiple controllers
• Group Participation: Join existing multi-signature groups as a signing member
• Threshold Configuration: Define signing thresholds (e.g., 3-of-5 signatures required)
• Delegated Multi-Sig: Support for multi-signature identifiers with optional delegation to parent identifiers
• Cooperative Operations: Coordinate signing operations across distributed controllers

This functionality is critical for organizational use cases where multiple parties must collectively control an identifier, such as:

• Corporate identities requiring board approval
• Joint ventures with shared governance
• Custodial arrangements with split authority

3. Credential Operations

Keep provides comprehensive verifiable credential management:

Issuance:

• Issue ACDC credentials to other identifiers
• Support for various credential types within defined ecosystems
• Schema validation and compliance checking
• Registry-backed credential tracking via TEL (Transaction Event Log)

Revocation:

• Revoke previously issued credentials
• Update credential status in registries
• Maintain audit trails of credential lifecycle events

Presentation:

• Present credentials to verifiers
• Support for graduated disclosure patterns
• Selective disclosure of credential attributes

4. vLEI Ecosystem Integration

Keep is specifically designed to support the vLEI (verifiable Legal Entity Identifier) Ecosystem developed by GLEIF (Global Legal Entity Identifier Foundation):

• QVI Operations: Support for Qualified vLEI Issuer workflows
• Legal Entity Credentials: Issuance and management of organizational identity credentials
• Role Credentials: Support for OOR (Official Organizational Role) and ECR (Engagement Context Role) credentials
• Governance Compliance: Adherence to vLEI Ecosystem Governance Framework requirements

5. Keystore Management

While Keep itself doesn't store keys, it provides interfaces for managing the underlying keystore:

• Passcode Protection: Encrypted keystores secured by user-provided passcodes
• Key Derivation: Support for hierarchical deterministic key generation
• Backup and Recovery: Interfaces for keystore backup and restoration
• Multiple Keystores: Management of multiple isolated keystores for different contexts

Installation & Setup

The source documents provide limited installation details, but the general setup process involves:

Prerequisites

1. Running keripy agent: Keep requires a keripy agent instance to be running and accessible
2. Witness network: For production use, a configured witness network is necessary
3. Network connectivity: Keep must be able to reach the keripy agent's REST API endpoints

Configuration

Keep configuration typically involves:

• Agent URL: Specifying the keripy agent's API endpoint
• Witness OOBIs: Configuring Out-Of-Band Introductions for witness discovery
• Schema servers: Connecting to credential schema repositories
• Registry endpoints: Configuring TEL registry access for credential status

Deployment Models

Keep supports multiple deployment scenarios:

1. Local Development: Keep connecting to a local keripy agent for testing
2. Private Cloud: Keep as a web application connecting to organization-hosted agents
3. Hybrid: Keep running locally while connecting to remote infrastructure components

Usage & API

REST API Integration

Keep consumes the keripy agent REST API, which provides endpoints for:

Identity Operations:

• POST /identifiers - Create new AIDs
• GET /identifiers/{aid} - Retrieve AID information
• POST /identifiers/{aid}/rotate - Perform key rotation
• POST /identifiers/{aid}/interact - Create interaction events

Credential Operations:

• POST /credentials - Issue new credentials
• GET /credentials/{said} - Retrieve credential details
• POST /credentials/{said}/revoke - Revoke credentials
• GET /registries/{registry}/credentials/{said} - Check credential status

Multi-Signature Operations:

• POST /multisig/inception - Initiate multi-sig AID creation
• POST /multisig/join - Join existing multi-sig group
• POST /multisig/rotate - Coordinate multi-sig rotation

Workflow Patterns

Single-Signature AID Creation:

1. User initiates AID creation in Keep UI
2. Keep sends inception request to keripy agent
3. Agent generates keys, creates inception event
4. Agent coordinates with witnesses for receipts
5. Keep displays new AID to user

Multi-Signature AID Creation:

1. First participant initiates multi-sig inception
2. Keep generates OOBI for other participants
3. Other participants resolve OOBI and join
4. Each participant signs inception event
5. Once threshold met, AID becomes active

Credential Issuance:

1. Issuer selects credential schema in Keep
2. Issuer fills credential attributes
3. Keep sends issuance request to agent
4. Agent creates credential, anchors to KEL
5. Agent updates TEL registry
6. Keep presents credential to holder via IPEX

Related Implementations

Alternative KERI Clients

Signify:

• Web client focused on "signing at the edge"
• Minimizes KERI usage on client side
• Designed for public cloud deployments
• Complementary to Keep's private cloud focus

KERIA:

• Cloud agent service (backend for Keep)
• Multi-tenant architecture
• Provides REST API consumed by Keep
• Handles all cryptographic operations

KLI (KERI Command Line Interface):

• Command-line tool for KERI operations
• Useful for scripting and automation
• Provides similar functionality to Keep
• Better suited for developers and power users

Browser Extensions

Signify Browser Extension:

• Browser-based KERI client
• Integrates with web applications
• Provides signing capabilities in browser context
• Different use case than Keep's full application model

Integration Points

Keep integrates with the broader KERI ecosystem:

• Witness Networks: Connects to witness pools for event validation
• Schema Servers: Retrieves credential schemas for validation
• TEL Registries: Queries credential status
• OOBI Resolvers: Discovers and validates service endpoints
• vLEI Infrastructure: Integrates with GLEIF's vLEI ecosystem components

Implementation Notes

Security Considerations

Key Material Isolation:

• Keep never handles private keys directly
• All cryptographic operations occur in the keripy agent
• This architecture prevents key exposure to the browser environment
• Follows "keys at the edge" security model

Authentication:

• Keep authenticates to the keripy agent using passcodes
• Passcodes unlock encrypted keystores in the agent
• Session management maintains authenticated state
• KRAM (KERI Request Authentication Method) may be used for API authentication

Multi-Signature Coordination

Asynchronous Operations:

• Multi-sig operations are inherently asynchronous
• Participants may sign at different times
• Keep must handle partial signature states
• Escrow mechanisms manage incomplete operations

OOBI-Based Discovery:

• Participants discover each other via OOBIs
• OOBIs can be shared through various channels (QR codes, URLs, email)
• Keep provides OOBI generation and resolution interfaces

Credential Workflows

IPEX Protocol:

• Credential issuance and presentation use IPEX (Issuance and Presentation Exchange)
• IPEX provides negotiation protocols for credential exchange
• Keep implements IPEX message flows
• Supports both solicited and unsolicited issuance

Registry Integration:

• Credentials are tracked in TEL registries
• Keep queries registries for credential status
• Supports both public and blinded registries
• Handles registry state updates during issuance/revocation

vLEI Ecosystem Specifics

Governance Compliance:

• Keep implements workflows compliant with vLEI Governance Frameworks
• Supports required credential types (QVI, Legal Entity, OOR, ECR)
• Enforces credential chaining rules
• Validates against vLEI schemas

Identity Assurance:

• vLEI credentials require identity verification
• Keep provides interfaces for identity assurance workflows
• Integrates with QVI processes
• Supports authorized representative designations

Performance and Scalability

Agent Architecture:

• Keep's reliance on keripy agent enables horizontal scaling
• Multiple Keep instances can connect to the same agent
• Agent handles resource-intensive cryptographic operations
• Keep focuses on UI/UX concerns

Witness Coordination:

• Witness operations are asynchronous
• Keep must handle witness response delays
• Threshold satisfaction may take time
• UI provides feedback on witness receipt status

Prerequisites

To effectively use and understand Keep, users should be familiar with:

Core KERI Concepts:

• Autonomic Identifiers (AIDs)
• Key Event Logs (KELs)
• Self-certifying identifiers
• Pre-rotation mechanism
• Witnesses and witness pools

Credential Concepts:

• ACDC (Authentic Chained Data Containers)
• Verifiable credentials
• Selective disclosure
• Transaction Event Logs (TELs)

Advanced Features:

• Multi-signature operations
• Delegation hierarchies
• OOBI (Out-Of-Band Introduction) protocol
• IPEX (Issuance and Presentation Exchange)

vLEI Ecosystem (for vLEI use cases):

• GLEIF and LEI system
• QVI (Qualified vLEI Issuer) role
• vLEI credential types and governance

Conclusion

Keep represents the reference user interface implementation for KERI-based identity management, providing accessible tools for managing autonomic identifiers, credentials, and multi-signature operations. By leveraging the keripy agent backend, Keep maintains security while offering a user-friendly interface for complex cryptographic operations. Its specific focus on the vLEI ecosystem demonstrates KERI's applicability to real-world organizational identity use cases, while its architecture provides a model for building KERI client applications across various deployment scenarios.

Identity Assurance Integration: vLEI credentials require identity verification before issuance. Keep provides interfaces for identity assurance workflows, integrating with QVI (Qualified vLEI Issuer) processes and supporting the designation of authorized representatives who can request credential issuance on behalf of legal entities.

Performance Considerations

Agent-Based Scaling: Keep's reliance on the keripy agent backend enables horizontal scaling. Multiple Keep instances can connect to the same agent, and agents can be deployed in clustered configurations for high availability. The agent handles resource-intensive cryptographic operations, allowing Keep to focus on UI/UX concerns.

Witness Coordination: Witness operations are asynchronous, and Keep must handle potential delays in witness responses. The UI provides feedback on witness receipt status, showing users when threshold satisfaction is achieved. For multi-sig operations, this coordination becomes more complex as both participant signatures and witness receipts must be collected.