Key Features & Capabilities

Core Protocol Implementation

KERIpy provides complete implementation of KERI's foundational features:

Autonomic Identifier Management:

• Inception events for creating self-certifying identifiers
• Rotation events with pre-rotation security
• Interaction events for anchoring external data
• Support for transferable and non-transferable identifiers
• Delegated identifiers with cooperative delegation

Key Event Log Architecture:

• KEL construction and validation
• KERL (Key Event Receipt Log) with witness receipts
• Hash-chained event structure with forward and backward chaining
• Duplicity detection through event comparison
• Escrow mechanisms for out-of-order event handling

Multi-Signature Support:

• Weighted thresholds for flexible signing policies
• Group multi-sig AIDs with distributed control
• Partial rotation for custodial key management
• Threshold satisfaction validation

Witness Infrastructure

KERIpy includes complete witness implementation:

Witness Operations:

• Event receipting and KERL maintenance
• KAACE (KERI's Agreement Algorithm for Control Establishment)
• Threshold of Accountable Duplicity enforcement
• Witness pool management and rotation

Watcher Services:

• Promiscuous mode event monitoring
• Duplicity detection across witness networks
• Juror functionality for event validation

ACDC Credential System

KERIpy implements the complete ACDC specification:

Credential Issuance:

• SAID-based credential identifiers
• Schema validation and enforcement
• Compact, partial, and selective disclosure
• Graduated disclosure workflows

Registry Management:

• TEL (Transaction Event Log) for credential state
• Management TEL for registry configuration
• Issuance and revocation tracking
• Backers for TEL witnessing

IPEX Protocol:

• Issuance and Presentation Exchange message flows
• Credential offer, apply, issue, and present operations
• Chain-link confidentiality support

CESR Encoding System

KERIpy provides the reference CESR implementation:

Primitive Types:

• Cryptographic primitives with derivation codes
• Qualified encoding for self-describing data
• Composability across text and binary domains
• Self-framing for stream parsing

Stream Processing:

• Cold start parsing for stream recovery
• Count codes for grouping primitives
• Indexed signatures for multi-sig operations
• Pipelining support for high-throughput scenarios

Database and Storage

KERIpy uses LMDB (Lightning Memory-Mapped Database) for persistent storage:

Storage Architecture:

• Hab (Habitat) - keystore for single identifier
• Habery - collection manager for multiple Habs
• Encrypted keystore with passcode protection
• Separate databases for KELs, credentials, and configuration

Key Management:

• Salter for deterministic key generation
• Signer for private key operations
• Verfer for public key verification
• Diger for digest computation

Command Line Interface (KLI)

The KLI provides comprehensive command-line access:

Identifier Operations:

• kli incept - Create new identifiers
• kli rotate - Rotate keys
• kli interact - Create interaction events
• kli status - Query identifier state

Witness Management:

• kli witness demo - Run demonstration witness pool
• kli witness add - Add witnesses to identifier
• kli witness rotate - Rotate witness configuration

Credential Operations:

• kli vc create - Issue credentials
• kli vc present - Present credentials
• kli vc revoke - Revoke credentials
• kli vc verify - Verify credential validity

OOBI Resolution:

• kli oobi resolve - Resolve Out-Of-Band Introductions
• kli oobi generate - Generate OOBIs for identifiers

Installation & Setup

System Requirements

Python Version: 3.12.1 or higher (3.12.x recommended)

System Dependencies:

• libsodium 1.0.18+ - Cryptographic library for Ed25519, X25519 operations
• LMDB - Database backend (typically installed via Python package)

macOS libsodium Setup:

# Install via Homebrew
brew install libsodium

# Create symlink for Python ctypes discovery
sudo ln -s /opt/homebrew/lib /usr/local/lib

Installation Methods

From PyPI (stable releases):

pip install keri

From Source (development):

git clone https://github.com/WebOfTrust/keripy.git
cd keripy
python3 -m pip install -e ./

Docker Installation:

# Build image
make build-keri

# Run container
docker run --pull=never -it --entrypoint /bin/bash weboftrust/keri:1.1.10

Python Dependencies

KERIpy requires several specialized packages:

Core Dependencies:

• lmdb>=0.98 - Database backend
• pysodium>=0.7.5 - Cryptographic operations
• blake3>=0.1.5 - BLAKE3 hashing
• msgpack>=1.0.0 - MessagePack serialization
• simplejson>=3.17.0 - JSON encoding
• cbor2>=5.1.0 - CBOR encoding

Installation:

pip install -U lmdb pysodium blake3 msgpack simplejson cbor2

Development Environment Setup

Virtual Environment:

# Create environment
python3 -m venv keripy-env

# Activate
source keripy-env/bin/activate  # Unix/macOS
keripy-env\Scripts\activate     # Windows

# Install dependencies
pip install -r requirements.txt

Testing:

# Install pytest
pip install pytest

# Run core tests
pytest tests/ --ignore tests/demo/

# Run demo tests
pytest tests/demo/

Configuration

KERIpy uses configuration files for witness and agent setup:

Witness Configuration (witness-config.json):

{
  "dt": "2024-01-01T00:00:00.000000+00:00",
  "curls": [
    "http://127.0.0.1:5642/oobi/BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha",
    "http://127.0.0.1:5643/oobi/BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM",
    "http://127.0.0.1:5644/oobi/BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX"
  ]
}

Agent Configuration (keria-config.json):

{
  "dt": "2024-01-01T00:00:00.000000+00:00",
  "iurls": [
    "http://127.0.0.1:5642/oobi/BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha"
  ]
}

Usage & API

Basic Identifier Creation

Non-Transferable Identifier:

import keri.core.eventing as eventing
import keri.core.coring as coring
import keri.app.keeping as keeping
import keri.db.dbing as dbing

# Open database and keystore
with dbing.openLMDB(name="test") as db, keeping.openKS(name="test") as kpr:
    # Generate salt for key derivation
    salt = coring.Salter().qb64
    
    # Create key manager
    mgr = keeping.Manager(ks=kpr, salt=salt)
    
    # Generate keys (1 current, 0 next = non-transferable)
    verfers, _, _, _ = mgr.incept(icount=1, ncount=0)
    
    # Create inception event
    srdr = eventing.incept(
        keys=[verfers[0].qb64],
        code=coring.MtrDex.Ed25519
    )
    
    print(f"Identifier: {srdr.pre}")

Transferable Identifier with Pre-Rotation:

# Generate keys with pre-rotation
verfers, digers, _, _ = mgr.incept(icount=1, ncount=1)

# Create transferable inception
srdr = eventing.incept(
    keys=[verfers[0].qb64],
    nxt=coring.Nexter(digs=[digers[0].qb64]).qb64,
    code=coring.MtrDex.Ed25519
)

print(f"Transferable AID: {srdr.pre}")
print(f"Next key digest: {coring.Nexter(digs=[digers[0].qb64]).qb64}")

Key Rotation

Rotating Keys:

# Generate new keys
verfers, digers, _, _ = mgr.rotate(pre=srdr.pre, count=1)

# Create rotation event
rot_srdr = eventing.rotate(
    pre=srdr.pre,
    keys=[verfers[0].qb64],
    dig=srdr.said,  # Previous event digest
    nxt=coring.Nexter(digs=[digers[0].qb64]).qb64,
    sn=1  # Sequence number
)

print(f"Rotated to key: {verfers[0].qb64}")

Multi-Signature Identifiers

Creating Multi-Sig Group:

# Generate keys for multiple participants
verfers1, digers1, _, _ = mgr.incept(icount=1, ncount=1)
verfers2, digers2, _, _ = mgr.incept(icount=1, ncount=1)

# Create multi-sig inception with 2-of-2 threshold
srdr = eventing.incept(
    keys=[verfers1[0].qb64, verfers2[0].qb64],
    nxt=coring.Nexter(digs=[digers1[0].qb64, digers2[0].qb64]).qb64,
    code=coring.MtrDex.Ed25519,
    sith="2",  # Signing threshold
    nsith="2"  # Next threshold
)

print(f"Multi-sig AID: {srdr.pre}")

Witness Configuration

Adding Witnesses:

# Witness AIDs
wits = [
    "BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha",
    "BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM",
    "BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX"
]

# Create inception with witnesses
srdr = eventing.incept(
    keys=[verfers[0].qb64],
    nxt=coring.Nexter(digs=[digers[0].qb64]).qb64,
    wits=wits,
    toad=2  # Threshold of Accountable Duplicity
)

CESR Encoding

Creating Primitives:

from keri.core import coring

# Create digest
diger = coring.Diger(raw=b"some data", code=coring.MtrDex.Blake3_256)
print(f"Digest: {diger.qb64}")

# Create signature
signer = coring.Signer(raw=b"private_key_bytes")
sig = signer.sign(b"message")
print(f"Signature: {sig.qb64}")

# Create verifier
verfer = coring.Verfer(raw=b"public_key_bytes")
verified = verfer.verify(sig.raw, b"message")
print(f"Verified: {verified}")

ACDC Credential Issuance

Creating Credential:

import keri.core.scheming as scheming

# Define schema
schema = {
    "$id": "EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao",
    "$schema": "http://json-schema.org/draft-07/schema#",
    "type": "object",
    "properties": {
        "name": {"type": "string"},
        "role": {"type": "string"}
    }
}

# Create credential
cred = {
    "v": "ACDC10JSON000197_",
    "d": "",  # SAID computed
    "i": issuer_aid,
    "s": schema_said,
    "a": {
        "d": "",
        "i": issuee_aid,
        "name": "John Doe",
        "role": "Manager"
    }
}

Database Operations

Querying KEL:

from keri.core import eventing
from keri.db import dbing

with dbing.openLMDB(name="test") as db:
    # Get KEL for identifier
    kever = eventing.Kever(db=db, pre=aid)
    
    # Access key state
    print(f"Sequence: {kever.sn}")
    print(f"Keys: {kever.verfers}")
    print(f"Witnesses: {kever.wits}")
    print(f"Threshold: {kever.tholder.thold}")

Related Implementations

Alternative Language Implementations

KERI-ox (Rust):

• Repository: WebOfTrust/keri-ox
• Status: Active development
• Focus: Performance-critical applications
• Compliance: ~90% KERI specification coverage

KERIgo (Go):

• Repository: decentralized-identity/kerigo
• Status: Archived (development moved to WebOfTrust)
• Historical: Early Go implementation

KERIml (Swift):

• Repository: decentralized-identity/keriml
• Status: Experimental
• Focus: iOS/macOS applications

Complementary Tools

KERIA (KERI Agent):

• Repository: WebOfTrust/keria
• Purpose: Cloud-based agent service
• Architecture: REST API for remote AID management
• Integration: Works with Signify clients

Signify (Client Libraries):

• SignifyPy: Python client for KERIA
• SignifyTS: TypeScript/JavaScript client
• Purpose: Edge-based signing with cloud agents
• Architecture: Minimal client-side key operations

Keep (Wallet UI):

• Repository: keri-foundation/wallet
• Purpose: Graphical wallet interface
• Backend: KERIpy agent API
• Platform: Cross-platform (Flet/Flutter)

Integration Points

Witness Networks:

• KERIpy witnesses interoperate with all KERI implementations
• Standard KERI protocol messages
• CESR-encoded event streams

OOBI Resolution:

• Universal discovery mechanism
• Works across implementations
• HTTP-based endpoint discovery

Credential Verification:

• ACDC format standardized
• CESR encoding ensures compatibility
• TEL state verification across implementations

Implementation Notes

Architecture Patterns

Asynchronous Design: KERIpy uses HIO (Hierarchical Asynchronous Coroutines and I/O) for all I/O operations. This enables:

• Non-blocking witness communication
• Concurrent event processing
• Scalable agent operations

Doer Pattern: The doing.DoDoer class provides hierarchical coroutine management:

class CustomDoer(doing.DoDoer):
    def recur(self, tyme):
        # Custom logic
        yield from super().recur(tyme)

Escrow System: Out-of-order events are escrowed until dependencies arrive:

• Partially signed events wait for threshold
• Delegated events wait for delegator approval
• Witness receipts wait for event acceptance

Security Considerations

Key Storage:

• LMDB databases should be encrypted at rest
• Passcodes protect keystore access
• Salt values enable deterministic key derivation

Witness Selection:

• Minimum 5 witnesses recommended for production
• TOAD threshold should be n - f where f is fault tolerance
• Witness rotation supported for compromised witnesses

Duplicity Detection:

• All events checked against existing KEL
• Conflicting events trigger duplicity alerts
• Watchers provide additional monitoring

Performance Optimization

Database Tuning:

• LMDB map size affects performance
• Separate databases for KELs, credentials, escrows
• Periodic compaction recommended

Stream Processing:

• CESR parsing optimized for cold-start recovery
• Pipelining enables high-throughput scenarios
• Count codes reduce parsing overhead

Caching:

• Key state cached in Kever objects
• Witness receipts cached for validation
• Schema validation results cached

Common Pitfalls

Witness Configuration:

• Forgetting to start witness network before identifier creation
• Incorrect OOBI URLs for witness discovery
• Insufficient TOAD threshold for security requirements

Key Rotation:

• Not preserving next key digests during rotation
• Rotating without witness receipts
• Threshold mismatches between current and next

Multi-Sig Coordination:

• Timeout issues in distributed signing
• Partial rotation without all participants
• Escrow timeouts in asynchronous scenarios

Version Compatibility

Breaking Changes:

• Version 1.2.0 introduced new rotation rules
• Witness protocol changes require coordinated upgrades
• CESR encoding updates affect stream compatibility

Migration Paths:

• Database migration scripts provided for major versions
• KEL replay enables state reconstruction
• Witness rotation allows infrastructure upgrades

Testing Strategies

Unit Tests:

• Core primitives (Diger, Signer, Verfer)
• Event creation and validation
• CESR encoding/decoding

Integration Tests:

• Witness network coordination
• Multi-sig workflows
• Credential issuance/verification

Demo Scripts:

• kli witness demo for local testing
• Docker compose for multi-node scenarios
• vLEI workflow demonstrations

Documentation Resources

Official Documentation:

• KERIpy ReadTheDocs
• KERI Specification
• ACDC Specification

Community Resources:

• KERI Slack
• WebOfTrust GitHub
• KERISSE Search

Training Materials:

• GLEIF vLEI Training
• KERI Tutorial Series
• Q&A Documentation

• KERIA provides REST API for remote AID management
• Signify clients enable edge-based signing with cloud agents
• Keep wallet provides GUI for end-user operations
• KLI suitable for automation and scripting

Testing Infrastructure

• kli witness demo provides six-witness network for local testing
• Docker Compose configurations available for multi-node scenarios
• Integration tests cover witness coordination and multi-sig workflows
• Demo scripts in scripts/demo/ directory demonstrate complete workflows

Version Compatibility

• KERIpy 1.2.x introduces breaking changes in rotation rules
• Witness protocol changes require coordinated upgrades across network
• CESR encoding updates may affect stream compatibility
• Migration scripts provided for database schema changes