KERI's Approach

Two Distinct Services

KERI implements loci-of-control through two architecturally separate services that operate from different perspectives:

Key Event Promulgation Service

This service operates from the controller's point of view and represents the controller's locus-of-control. The controller:

• Creates key events (inception, rotation, interaction)
• Signs events with current authoritative keys
• Publishes events to witnesses for distribution
• Maintains the authoritative Key Event Log (KEL)
• Ensures availability of events for validators

The controller has complete sovereignty over their identifier's key event history. No external party can force the controller to create, modify, or suppress events. This represents true autonomic control—the identifier is self-managing and self-governing.

Key Event Confirmation Service

This service operates from the validator's point of view and represents the validator's locus-of-control. The validator:

• Obtains key events on demand from controllers or witnesses
• Independently verifies cryptographic signatures
• Validates event structure and consistency
• Makes trust decisions based on verification results
• Maintains their own view of key state

Validators operate independently without requiring coordination with other validators. Each validator makes their own determination of whether to accept events, without participating in consensus mechanisms or governance structures.

Architectural Significance

The separation of promulgation and confirmation into two separate loci-of-control fundamentally simplifies the interaction space between controllers and validators. This design removes one of the major drawbacks of total ordered distributed consensus algorithms: the requirement for shared governance over the pool of nodes that provide the consensus algorithm.

In blockchain-based identity systems:

• Validators must participate in shared governance (mining pools, validator sets)
• Controllers depend on validator consensus for event acceptance
• Governance disputes can affect identifier operations
• Coordination overhead limits scalability

In KERI's separated loci-of-control model:

• Controllers maintain full authority over promulgation
• Validators independently confirm without coordination
• No shared governance structures required
• Each party operates autonomously within their sphere

KA2CE Algorithm Protection

The KERI Agreement Algorithm for Control Establishment (KA2CE) serves as the primary mechanism protecting the controller's locus-of-control. KA2CE's purpose is to protect the controller's ability to promulgate the authoritative copy of its key event history despite external attack.

Key protections include:

• Maintaining sufficient availability so any validator can obtain an authoritative copy on demand
• Ensuring the controller's promulgation authority cannot be compromised by malicious actors
• Providing resilience against attempts to subvert the authoritative key event history
• Enabling recovery from witness compromise through witness rotation

KA2CE does not require validators to participate in the algorithm—it operates entirely within the controller's locus-of-control to ensure promulgation integrity.

Practical Implications

Independence of Operation

The separated loci-of-control enables true operational independence:

Controllers can:

• Create and publish events without requiring validator approval
• Rotate keys on their own schedule
• Choose their own witness sets
• Delegate authority to other identifiers
• Operate offline and synchronize later

Validators can:

• Verify events independently without controller permission
• Make trust decisions based on their own policies
• Operate without coordination with other validators
• Choose which identifiers to track
• Implement custom verification logic

Security Through Separation

The architectural separation provides multiple security benefits:

Attack Resistance: Controllers maintain control over promulgation even under attack. An attacker cannot force a controller to create malicious events, and cannot prevent a controller from promulgating legitimate events (assuming sufficient witness availability).

Availability Guarantee: Validators can obtain authoritative copies on demand. The system is designed so that validators don't need to be online continuously—they can retrieve the current key state whenever needed.

No Single Point of Governance Failure: Unlike systems with shared governance, there is no governance structure that can be captured, corrupted, or disputed. Each party operates within their own sphere of authority.

Clear Accountability Boundaries: The separation creates clear lines of responsibility. Controllers are accountable for the events they promulgate. Validators are accountable for their verification decisions. There is no ambiguity about who controls what.

Contrast with Traditional Systems

Traditional identity systems conflate these loci-of-control:

Certificate Authority Systems:

• CA controls both issuance (promulgation) and revocation (confirmation)
• Relying parties must trust CA's governance
• No separation of concerns

Blockchain Systems:

• Validators collectively control transaction acceptance
• Users must participate in or accept validator governance
• Shared governance creates coordination overhead

Federated Systems:

• Identity provider controls authentication
• Relying parties delegate verification to provider
• Centralized control over both promulgation and confirmation

KERI's separation enables truly autonomic identifiers that operate independently of external coordination mechanisms or shared governance structures.

Scalability Implications

The loci-of-control separation has profound scalability implications:

No Global Consensus Required: Validators don't need to reach consensus with each other, eliminating the coordination bottleneck that limits blockchain throughput.

Parallel Verification: Multiple validators can verify the same identifier simultaneously without coordination, enabling horizontal scaling.

Independent Validator Networks: Different applications can use different validator networks without interoperability issues, as all are verifying the same authoritative KEL.

Asynchronous Operation: Controllers and validators don't need to be online simultaneously, enabling truly asynchronous identity operations.

Governance Implications

By eliminating shared governance requirements, KERI enables:

• Controller sovereignty over identifiers without validator permission
• Validator independence in verification without controller interference
• No governance disputes affecting identifier operations
• Flexible trust models where each validator implements their own policies

This represents a fundamental shift from "governance by committee" to "governance by cryptography," where the protocol itself enforces the separation of concerns rather than relying on organizational structures.

Relationship to Other KERI Concepts

Loci-of-control is intimately connected to KERI's other foundational concepts:

Root-of-Trust: The controller's locus-of-control is grounded in the cryptographic root-of-trust established by self-certifying identifiers. The validator's locus-of-control is grounded in their ability to independently verify this root-of-trust.

Source-of-Truth: The controller is the authoritative source-of-truth for their key event history. Validators independently verify this source-of-truth without requiring external confirmation.

Autonomic Identifiers: The separation of loci-of-control is what makes identifiers truly "autonomic"—self-managing and self-governing without external dependencies.

Together, these three concepts (root-of-trust, source-of-truth, loci-of-control) form what KERI documentation calls the RSL triad—the foundational principles that enable truly decentralized, self-sovereign identity.