NI2I (Not-Issuer-To-Issuee) is an ACDCedgeoperator that permits any identifier to chain a child credential to a parent credential without requiring the child's issuer to be the parent's issuee, enabling referential linking for context or supporting information without implying delegated authority.
Related Concepts
No related concepts available
Comprehensive Explanation
NI2I (Not-Issuer-To-Issuee)
Protocol Definition
Core Purpose and Objectives
The NI2I (Not-Issuer-To-Issuee) operator is one of three primary edge operators defined in the ACDC specification for establishing logical relationships between chained credentials within a directed acyclic graph (DAG) structure. Unlike the restrictive I2I operator that enforces strict issuer-issuee identity constraints, or the DI2I operator that permits delegated authority, NI2I represents the most permissive edge operator, allowing any AID to reference another ACDC regardless of the relationship between the issuer and the referenced credential's issuee.
The fundamental purpose of NI2I is to enable referential linking where one credential needs to cite, reference, or provide context from another credential without claiming or implying any delegated authority from the referenced credential. This operator is essential for use cases where credentials need to:
Reference external supporting documentation or evidence
Link to contextual information from third-party sources
Associate credentials for informational purposes without authority transfer
Create verifiable references to credentials issued by unrelated parties
According to Document 2, "NI2I allows any identifier to chain a child credential to a parent credential, regardless of whether the issuer has any relationship to the parent credential's issuee. This operator is used for referencing, associating, or linking to another ACDC for context or supporting information without implying delegated authority."
Implementation Notes
Critical Implementation Status
BLOCKING BUG: As of the documentation date, NI2I operator functionality is non-functional due to a bug in KERIpy (GitHub issue #1040). The kli vc create command hangs indefinitely when attempting to create credentials with NI2I edges. No workaround is currently available. Implementers should:
Monitor the GitHub issue for resolution status
Test with I2I operator first to validate basic edge functionality
Prepare NI2I test scenarios for when the bug is resolved
Design systems with fallback mechanisms that can function without NI2I
Schema Design Requirements
When creating ACDC schemas that support NI2I edges:
Edge Section Structure: Include an e field in the schema with nested field maps for each edge
Operator Field: Each edge must have an o field that can accept "NI2I" as a value
SAID References: Each edge must have an n field for the parent ACDC's SAID
Semantic Naming: Use meaningful edge names that clearly indicate the reference relationship
Variant Support: Use JSON Schema oneOf operators to support both compact and expanded forms
Verification Implementation
Verifiers must implement the following logic for NI2I edges:
Parse Edge Section: Extract edge definitions from the ACDC's e field
Identify NI2I Edges: Check the o field for "NI2I" operator value
Retrieve Parent ACDC: Use the SAID in the n field to fetch the referenced parent
Verify Parent Cryptographically: Validate parent's SAID, signature, and issuer key state
Skip Relationship Validation: Unlike I2I/DI2I, do NOT verify any relationship between child issuer and parent issuee
Apply Business Logic: Implement ecosystem-specific rules about what NI2I references mean
Performance Optimization
NI2I edges can create verification overhead. Optimize by:
Caching: Store verified parent ACDCs to avoid repeated retrieval and verification
The NI2I operator is formally defined within the ACDC specification maintained by the Trust Over IP Foundation's Technical Stack Working Group. As documented in Document 3 and Document 4, the ACDC specification is currently at version 0.9 Draft status and defines edge operators as part of the broader ACDC edge section specification.
The operator is implemented in the reference implementation KERIpy and is intended for use through the KERI Command Line Interface (KLI) and KERIA agent systems.
Critical Implementation Status
IMPORTANT: According to Document 13, there is a blocking bug affecting NI2I operator functionality:
"The command line interface hangs indefinitely during execution when attempting to create a chained credential that utilizes the NI2I (Not-Issuer-To-Issuee) operator. Log messages are displayed but the operation never completes. No workaround is currently available. The issue is tracked in GitHub issue #1040 in the keripy repository."
Document 1 explicitly states: "the NI2I operator does not work due to a bug" and advises "For now you can skip this notebook." This represents a critical limitation for production use cases requiring NI2I functionality as of the documentation date.
Protocol Architecture
Edge Section Structure
The NI2I operator functions within the edge section (e field) of an ACDC, which is one of the top-level optional fields in the ACDC structure. According to Document 4, the edge section enables ACDCs to form labeled property graphs where:
Each ACDC represents a node (vertex) in the graph
The edge section defines directed edges connecting to other ACDC nodes
Edges are identified by cryptographic references using SAIDs
Edge operators define the logical constraints on these connections
The edge section can appear in multiple forms:
Compact form: The e field contains only the SAID of the edge section
Expanded form: The e field contains the full edge section as a nested field map
Operator Hierarchy and Composition
Edge operators in ACDC form a hierarchy of constraint levels:
I2I (Issuer-To-Issuee): Most restrictive - requires issuer of child to be issuee of parent
DI2I (Delegated-Issuer-To-Issuee): Moderate - permits delegated identifiers of the parent's issuee
NI2I (Not-Issuer-To-Issuee): Least restrictive - no relationship requirement
"NI2I is the most permissive operator. It allows any identifier to chain a child credential to a parent credential, regardless of whether the issuer has any relationship to the parent credential's issuee."
Edge operators can be combined using logical operators (AND, OR, NOT) to create complex authorization logic, though NI2I's permissive nature means it is typically used standalone for simple referential links.
Data Flow in NI2I Relationships
The data flow for NI2I-linked credentials follows this pattern:
Parent ACDC Creation: An issuer creates an ACDC (the "parent") with its own issuee
Parent ACDC Publication: The parent ACDC is published and its SAID becomes available
Child ACDC Creation: A different issuer creates a new ACDC (the "child") that includes an edge section
NI2I Edge Definition: The child's edge section references the parent's SAID with an NI2I operator
Verification: Verifiers can cryptographically verify both ACDCs independently and confirm the reference link
Critically, the child issuer has no authority relationship with the parent credential - they are simply creating a verifiable reference to it.
Message Formats & Encoding
Edge Section Field Structure
The edge section in an ACDC follows the standard ACDC field map structure with specific fields for defining edges. According to Document 4, the edge section is a top-level field map that can contain:
Edge definitions: Named edges pointing to other ACDCs
Operator specifications: The logical operator (NI2I, I2I, DI2I) governing the edge
Edge properties: Additional metadata about the relationship
NI2I Operator Encoding
The NI2I operator is encoded as a string value within the edge definition. Based on the tutorial examples in Document 1 and Document 2, the edge section structure for NI2I follows this pattern:
d: SAID of the edge section itself (for compact disclosure)
<edge_name>: A semantic label for the edge (e.g., "trainingCourse", "supportingEvidence")
n: The SAID of the parent ACDC being referenced
o: The operator field, set to the string "NI2I"
Complete ACDC Example with NI2I Edge
Document 1 provides a conceptual example of an ACDC using NI2I to reference an external training course credential:
{
"v": "ACDC10JSON00011c_",
"d": "<SAID of this ACDC>",
"i": "<Company AID>",
"ri": "<Registry SAID>",
"s": "<Schema SAID>",
"a": {
"d": "<SAID of attributes>",
"employeeId": "EMP-12345",
"skillName": "Advanced Data Analysis",
"certificationDate": "2024-01-15"
},
"e": {
"d": "<SAID of edge section>",
"trainingCourse": {
"n": "<SAID of Training Provider's Course Completion ACDC>",
"o": "NI2I"
}
},
"r": {
"d": "<SAID of rules section>",
"usagePolicy": "This certification is valid for internal company purposes only."
}
}
In this structure:
The Company issues a skill certification to an employee
The edge section references a course completion credential from an external Training Provider
The NI2I operator indicates this is a reference link only - the Company's authority to certify the skill does not derive from the Training Provider's credential
The Training Provider has no relationship with the Company or the employee's employment
CESR Encoding Considerations
All ACDC fields, including edge sections, must be expressible in CESR (Composable Event Streaming Representation) format. According to Document 5, CESR provides:
Text domain encoding: Base64 URL-safe encoding for human-readable formats
Binary domain encoding: Compact binary representation for efficient transmission
Composability: Ability to concatenate and parse primitives in streams
The NI2I operator string and associated SAIDs are encoded as CESR primitives, ensuring they can be transmitted in both text (JSON) and binary (CBOR, MessagePack) serializations while maintaining cryptographic verifiability.
Protocol Mechanics
NI2I Edge Creation Process
The process of creating an ACDC with an NI2I edge involves several steps, as documented in Document 1:
Parent ACDC Availability: The referenced parent ACDC must already exist and its SAID must be known
Schema Definition: The child ACDC's schema must include an edge section that permits NI2I operators
Edge Section Construction: The issuer constructs the edge section with:
A semantic edge name
The parent ACDC's SAID in the n field
The operator value "NI2I" in the o field
SAID Computation: The edge section's SAID is computed and included in the d field
ACDC Assembly: The complete ACDC is assembled with all sections
Top-Level SAID Computation: The ACDC's top-level SAID is computed
"With NI2I, there is no requirement for the issuer of the child credential to have any relationship with the issuee of the parent credential. This makes NI2I suitable for scenarios where one party wants to reference or link to another credential for informational or contextual purposes, without claiming any authority derived from that credential."
State Management
NI2I edges are stateless references - they do not create or modify state in either the parent or child ACDC. The relationship is purely referential:
The parent ACDC is unaware of child ACDCs that reference it
The child ACDC maintains a cryptographic pointer to the parent
No bidirectional relationship is established
Revocation of the parent does not automatically affect the child (though verifiers may apply business logic based on parent status)
Timing and Ordering Requirements
The only temporal requirement for NI2I edges is that the parent ACDC must exist before the child ACDC is created, since the child needs the parent's SAID to construct the edge reference. However:
The parent need not be "active" or "valid" at child creation time
The parent's revocation status is independent of the child's validity
Verifiers may apply business logic about parent status, but the protocol itself imposes no constraints
Security Properties
Threat Model
The NI2I operator's permissive nature creates specific security considerations:
Unauthorized Reference Attacks
Since NI2I permits any issuer to reference any ACDC, malicious actors could:
Create misleading associations: Issue credentials that reference prestigious credentials to imply false endorsements
Reputation hijacking: Link to high-reputation credentials to transfer trust inappropriately
Context manipulation: Reference credentials out of context to misrepresent their meaning
Mitigation: These attacks are mitigated through:
Cryptographic independence: Each ACDC's validity is independently verifiable - the parent's signature does not extend to the child
Explicit operator semantics: The NI2I operator explicitly signals "no authority transfer"
Verifier business logic: Verifiers must implement appropriate business rules about what NI2I references mean in their context
Governance frameworks: Ecosystems like vLEI define acceptable use of edge operators
Reference Integrity
NI2I edges rely on SAID-based references, which provide:
Immutability: The SAID cryptographically binds to specific content - any modification changes the SAID
Verifiability: Verifiers can confirm the referenced ACDC matches the SAID
Tamper evidence: Any attempt to substitute a different ACDC will fail SAID verification
Security Guarantees
NI2I provides these security guarantees:
Cryptographic Binding: The edge reference is cryptographically bound to a specific parent ACDC via its SAID
Non-Repudiation: The child ACDC's issuer cannot deny creating the reference (their signature commits to the edge section)
Independent Verification: Both parent and child ACDCs can be verified independently
No Implicit Authority: The protocol explicitly does not grant authority from parent to child
Attack Resistance
NI2I edges resist several attack vectors:
SAID Collision Attacks
An attacker attempting to create a malicious ACDC with the same SAID as a legitimate parent would need to:
Find a collision in the cryptographic hash function (e.g., Blake3-256)
This is computationally infeasible with current cryptographic standards
KERI's use of post-quantum resistant algorithms further strengthens this
Replay Attacks
NI2I edges are not vulnerable to replay attacks because:
Each ACDC is uniquely identified by its SAID
The edge reference is part of the signed ACDC content
Timestamps and registry anchoring provide temporal context
Man-in-the-Middle Attacks
NI2I references are resistant to MITM attacks because:
The SAID provides content integrity - any modification is detectable
The issuer's signature provides authenticity
KERI's witness infrastructure provides availability and consistency
Privacy Considerations
NI2I edges have specific privacy implications:
Correlation Risk
NI2I edges create explicit correlation points between credentials:
The child ACDC publicly references the parent's SAID
This creates a verifiable link that can be used for correlation
"I2I enforces a strict constraint: the issuer of a child credential MUST be the issuee (subject) of the parent credential. This creates a direct chain of authority... NI2I, in contrast, allows any identifier to chain a child credential to a parent credential, regardless of whether the issuer has any relationship to the parent credential's issuee."
"DI2I extends the strict I2I constraint to include formally recognized delegates, enabling security, flexibility, and scalability through the single responsibility pattern and reduced exposure of parent AID signing keys."
NI2I, by contrast, imposes no delegation requirements whatsoever.
Use Cases and Applications
Referencing External Certifications
The primary use case demonstrated in Document 1 involves a company issuing skill certifications that reference external training courses:
Scenario:
A Training Provider issues a "Course Completion" credential to an employee
The employee's company issues an "Employee Skill Certified" credential
The skill certification uses NI2I to reference the course completion
The company's authority to certify the skill is independent of the training provider
This demonstrates NI2I's value for:
Acknowledging supporting evidence without claiming authority from it
Creating verifiable links to third-party credentials
Maintaining organizational independence while providing context
Supporting Documentation Links
NI2I enables credentials to reference supporting documentation:
This cross-ecosystem linking is particularly valuable in scenarios where different governance frameworks operate independently but need to reference each other's credentials.
Future Directions
The NI2I operator's development and adoption will likely evolve in several directions:
Bug Resolution
The immediate priority is resolving the blocking bug documented in Document 13. Once GitHub issue #1040 is resolved, NI2I will become practically usable in production systems.
Semantic Standardization
As NI2I usage grows, ecosystems will likely develop:
Standard edge names for common reference types
Conventions for when NI2I is appropriate vs. other operators
Best practices for privacy-preserving NI2I usage
Enhanced Privacy Features
Future developments may include:
Blinded NI2I edges using zero-knowledge proofs
Selective disclosure of edge sections
Privacy-preserving edge verification protocols
Tooling and Developer Experience
As the KERI ecosystem matures, expect:
Improved CLI commands for NI2I edge creation
Better error messages and debugging tools
Graphical tools for visualizing ACDC graphs with NI2I edges
Enhanced documentation and tutorials
Governance Framework Evolution
Governance frameworks like the vLEI EGF will likely:
Define more specific policies for NI2I usage
Establish audit requirements for NI2I references
Create liability frameworks for inappropriate NI2I usage
Develop dispute resolution mechanisms for NI2I-related issues
Lazy Evaluation: Only verify edges when required by business logic
Compact Disclosure: Present edge section SAIDs initially, expand on demand
Error Handling
Implement robust error handling for:
Missing Parent: Handle cases where the referenced SAID cannot be resolved
Invalid Parent: Detect when parent ACDC fails cryptographic verification
Revoked Parent: Check parent's registry status and apply appropriate business logic
Circular References: Detect and prevent infinite loops in edge chains
Operator Mismatch: Validate that edge operators match schema requirements
Security Considerations
No Implicit Trust: Never assume NI2I edges grant authority - they are references only
Independent Verification: Always verify both parent and child ACDCs independently
Business Logic Required: Implement ecosystem-specific rules for interpreting NI2I references
Correlation Awareness: Recognize that NI2I edges create explicit correlation points
Privacy Protection: Consider using compact disclosure or blinding for sensitive edges
Governance Framework Integration
When deploying NI2I in production ecosystems:
Define Acceptable Use: Document when NI2I references are appropriate
Establish Verification Policies: Specify how verifiers should interpret NI2I edges
Standardize Semantics: Create conventions for edge names and their meanings
Implement Auditing: Track NI2I usage for compliance monitoring
Provide Recourse: Establish mechanisms for addressing inappropriate NI2I usage
Testing Strategy
Given the current bug status:
Unit Tests: Create test cases for NI2I edge parsing and validation logic
Integration Tests: Prepare end-to-end tests for when bug is resolved
Fallback Testing: Verify system behavior when NI2I is unavailable
Edge Case Testing: Test circular references, missing parents, invalid operators
Performance Testing: Measure verification overhead with multiple NI2I edges