Key Participants

The PID process involves several participant types:

1. Initial Discoverer: The entity that first obtains discovery information through an OOBI
2. Subsequent Discoverers: Entities that receive discovery information from previous discoverers in the percolation chain
3. Information Sources: Witnesses, watchers, and other KERI infrastructure components that provide verifiable information
4. Verifiers: Any entity that validates discovered information using KERI's end-verifiable mechanisms

Process Flow

Step 1: Bootstrap via OOBI

The PID process begins with an OOBI bootstrap. An OOBI provides the initial association between a URL and an AID or SAID (Self-Addressing Identifier). This bootstrap can occur through various out-of-band channels:

• QR codes scanned by mobile devices
• URLs shared via email or messaging
• Configuration files
• Social media posts
• DNS records
• Physical documents with embedded identifiers

The OOBI itself is not trusted—it merely provides a starting point for discovery. The critical security property is that all information obtained via the OOBI must be verified through KERI's cryptographic mechanisms.

Step 2: Initial Information Retrieval

Once the OOBI is processed, the discoverer retrieves initial information from the specified endpoint. This typically includes:

• Key Event Logs (KELs) for the referenced AID
• Witness configuration and endpoints
• Registry information for credential verification
• Additional service endpoints

This information is retrieved but not yet trusted—it must undergo cryptographic verification.

Step 3: Cryptographic Verification

The discoverer performs end-verifiable validation of all retrieved information:

1. KEL Verification: Validates the key event log structure, including:

   • Inception event integrity
   • Rotation event chain validity
   • Pre-rotation commitments
   • Digital signatures on all events

2. Witness Receipt Validation: Verifies witness receipts to ensure events have been properly witnessed according to the threshold of accountable duplicity (TOAD)

3. Duplicity Detection: Checks for any duplicitous events that would indicate compromise or malicious behavior

Because all information is end-verifiable, the discoverer can cryptographically confirm authenticity without trusting the OOBI source or any intermediaries.

Step 4: Percolation (Information Sharing)

Once information is verified, the discoverer becomes a potential percolation source for subsequent discoverers. This is where the "percolation" aspect becomes critical:

• The discoverer can share what they discovered with others
• Shared information includes verified KELs, witness endpoints, and service URLs
• Recipients can independently verify the shared information
• No trust in the sharing party is required due to end-verifiability

This creates a cascading discovery pattern where information "percolates" through the network along paths of least resistance.

Step 5: Invasion Percolation Dynamics

The percolation follows principles from Invasion Percolation Theory:

1. Least Resistance Principle: Information flows preferentially through paths with lower "resistance" (easier discovery routes, more accessible endpoints, better network connectivity)

2. Selective Infiltration: Discovery naturally gravitates toward nodes with lower barriers to access

3. Cluster Formation: A connected cluster of discoverers forms, all possessing verified information about the same identifiers

4. Incremental Growth: The discovery cluster grows by adding new nodes through neighboring nodes with lowest resistance

This mathematical model ensures efficient propagation without requiring centralized coordination.

Step 6: Non-Interactive Authorization

After the initial bootstrap and verification, subsequent operations become non-interactive:

• No challenge-response handshakes required
• No ongoing coordination with discovery sources
• Cached verified information can be used directly
• Updates propagate through the same percolation mechanism

This non-interactive property is critical for achieving high scalability in distributed identity systems.

Technical Requirements

Cryptographic Requirements

PID relies on several cryptographic foundations:

1. Self-Certifying Identifiers: All AIDs must be self-certifying, enabling verification without external trust anchors

2. CESR Encoding: All cryptographic primitives must use CESR (Composable Event Streaming Representation) for consistent encoding across text and binary domains

3. Digital Signatures: All key events must be signed using non-repudiable digital signatures, typically Ed25519

4. Hash Chain Integrity: KELs must maintain cryptographic hash chains linking events through digests

5. Pre-Rotation Commitments: Establishment events must include pre-rotation commitments to future keys

Timing Considerations

PID operates with specific timing characteristics:

1. Asynchronous Operation: Discovery is fully asynchronous—discoverers operate independently without synchronization requirements

2. First-Seen Policy: Witnesses and watchers apply first-seen policies to establish event ordering

3. Eventual Consistency: The discovery network achieves eventual consistency as information percolates

4. Microsecond Propagation: Within a witness network, consensus on first-seen events propagates within microseconds

5. No Timeout Requirements: Unlike traditional discovery protocols, PID does not require timeout-based coordination

Error Handling

PID includes robust error handling mechanisms:

1. Invalid OOBI Handling: If an OOBI points to invalid or unreachable endpoints, the discovery simply fails without compromising security

2. Duplicity Detection: If discovered information contains duplicitous events, the duplicity is detected during verification and the information is rejected

3. Partial Information: If only partial information is available, discoverers can operate with what they have and obtain additional information through continued percolation

4. Stale Information: Stale information is detected through sequence number analysis and can be updated through fresh discovery

5. Malicious Sources: Because all information is end-verifiable, malicious sources cannot inject false information—they can only cause discovery failures

Usage Patterns

Typical Scenarios

Scenario 1: New Participant Onboarding

A new participant joins the KERI ecosystem:

1. Receives an OOBI (e.g., via QR code at a conference)
2. Retrieves KEL and witness information from the OOBI endpoint
3. Verifies the KEL cryptographically
4. Discovers additional participants through witness networks
5. Becomes a percolation source for future discoverers

Scenario 2: Credential Verification

A verifier needs to verify an ACDC credential:

1. Receives credential presentation including issuer AID
2. Uses PID to discover issuer's KEL and current key state
3. Discovers TEL (Transaction Event Log) registry for credential status
4. Verifies credential signature against current key state
5. Checks credential revocation status in TEL

Scenario 3: Witness Network Discovery

A controller needs to configure witnesses:

1. Obtains OOBIs for potential witnesses
2. Discovers witness capabilities and endpoints
3. Verifies witness KELs and operational history
4. Configures witnesses in inception or rotation events
5. Shares witness information with other participants

Best Practices

1. Multiple Discovery Paths: Obtain OOBIs from multiple independent sources to reduce dependency on any single discovery path

2. Verify Before Trust: Always perform full cryptographic verification before trusting discovered information

3. Cache Verified Information: Store verified KELs and endpoint information to reduce discovery overhead

4. Monitor for Updates: Implement mechanisms to detect when cached information becomes stale

5. Contribute to Percolation: Share verified discovery information with other participants to strengthen the network

6. Use Well-Known Endpoints: Leverage well-known OOBI paths (e.g., /.well-known/keri/oobi/) for standardized discovery

7. Implement Watcher Networks: Deploy watchers as super-nodes that aggregate discovery information for efficient percolation

Integration Considerations

Integration with KERI Infrastructure

PID integrates with core KERI components:

• Witnesses: Witnesses provide authoritative KEL information that percolates through the network
• Watchers: Watchers operate in promiscuous mode to observe and propagate discovery information
• Controllers: Controllers publish OOBIs to enable discovery of their identifiers
• Agents: Cloud agents use PID to discover and coordinate with witnesses

Integration with ACDC Credentials

PID enables ACDC credential verification:

• Discover issuer KELs for signature verification
• Locate TEL registries for revocation checking
• Find schema definitions referenced by SAIDs
• Discover edge connections in credential graphs

Integration with IPEX Protocol

The IPEX (Issuance and Presentation Exchange) protocol leverages PID:

• Discover presentation endpoints for credential exchange
• Locate issuance services for credential requests
• Find verification services for credential validation

Mathematical Foundation: Invasion Percolation Theory

Percolation Theory Basics

Percolation theory is a mathematical framework originally developed to study fluid flow through porous media. The theory models:

• Connected clusters in random systems
• Flow patterns through interconnected networks
• Emergence of connectivity as links are added to networks

While originating in physics, percolation theory has found applications across mathematics, computer science, epidemiology, and social sciences.

Invasion Percolation Model

Invasion percolation is a specific variant that models how fluids infiltrate porous media:

1. Principle of Least Resistance: The invading fluid seeks paths of minimum resistance through the network

2. Selective Infiltration: As invasion progresses, the fluid selectively infiltrates sites with lower resistance

3. Connected Cluster Formation: A connected cluster of invaded sites forms incrementally

4. Neighbor-Based Growth: New sites are added through neighboring dry sites with lowest resistance

Application to Information Discovery

The invasion percolation model maps naturally to information discovery:

• Fluid → Information: Discovery information "flows" through the network
• Porous Medium → Network: The KERI ecosystem forms the network structure
• Resistance → Discovery Barriers: Network latency, endpoint availability, and accessibility represent resistance
• Invaded Sites → Discoverers: Nodes that have obtained and verified information
• Dry Sites → Undiscovered Nodes: Nodes that have not yet discovered the information

Key Properties

1. Efficiency: Information naturally follows optimal discovery paths
2. Scalability: No centralized coordination required
3. Resilience: Multiple discovery paths provide redundancy
4. Organic Growth: Network topology emerges based on actual usage patterns

Security Properties

Zero-Trust Architecture

PID implements true zero-trust discovery:

• No Trusted Intermediaries: Discovery path does not affect information trustworthiness
• End-to-End Verification: All information verified cryptographically by end users
• Ambient Verifiability: Anyone, anywhere, anytime can verify discovered information

Attack Resistance

1. OOBI Poisoning: Malicious OOBIs cannot inject false information due to cryptographic verification
2. Man-in-the-Middle: MITM attacks cannot forge KEL events due to digital signatures
3. DNS Hijacking: Even if DNS is compromised, end-verifiability prevents false information acceptance
4. BGP Hijacking: Network-level attacks cannot compromise discovery security

Privacy Considerations

PID has specific privacy characteristics:

• Public Discovery: Discovery information is typically public (KELs, witness endpoints)
• Correlation Risk: Discovery patterns may reveal relationships between identifiers
• Blind OOBIs: Blind OOBIs enable private bootstrap scenarios
• Selective Disclosure: Discoverers can choose what information to share during percolation

Relationship to Other KERI Mechanisms

OOBI Protocol

PID is fundamentally enabled by OOBI:

• OOBI provides the bootstrap mechanism
• PID describes how information propagates after bootstrap
• Together they form a complete discovery solution

SPED (Speedy Percolated Endpoint Discovery)

SPED is a specific application of PID:

• Focuses on endpoint discovery for KERI infrastructure
• Leverages watcher networks as aggregation points
• Provides rapid discovery through optimized percolation paths

BADA (Best Available Data Acceptance)

PID works in conjunction with BADA policy:

• BADA determines which version of data to accept when multiple versions exist
• PID determines how data is discovered and propagated
• Together they enable eventually consistent distributed systems

Implementation Considerations

Performance Optimization

1. Caching: Implement aggressive caching of verified KELs and endpoint information
2. Parallel Discovery: Pursue multiple discovery paths simultaneously
3. Watcher Integration: Use watchers as high-performance discovery aggregators
4. Connection Pooling: Maintain persistent connections to frequently accessed endpoints

Scalability Factors

• Non-Interactive Operation: Eliminates request-response overhead
• Distributed Architecture: No central bottlenecks
• Organic Load Distribution: Popular endpoints naturally become discovery hubs
• Eventual Consistency: Relaxed consistency requirements improve scalability

Monitoring and Observability

1. Discovery Metrics: Track discovery success rates and latencies
2. Percolation Patterns: Monitor how information spreads through the network
3. Endpoint Health: Observe availability and performance of discovery sources
4. Verification Failures: Log and analyze cryptographic verification failures

Future Directions

PID continues to evolve:

• Enhanced Privacy: Research into privacy-preserving discovery mechanisms
• Optimized Algorithms: Improved percolation algorithms for specific network topologies
• Cross-Protocol Integration: Integration with other decentralized discovery protocols
• Machine Learning: Using ML to predict optimal discovery paths

Percolated Information Discovery represents a fundamental innovation in decentralized identity systems, enabling scalable, secure discovery without centralized infrastructure or trusted intermediaries. By grounding the approach in mathematical percolation theory and leveraging KERI's end-verifiable security properties, PID provides a robust foundation for the discovery needs of the KERI and ACDC ecosystems.

Security Considerations

1. Validate All Inputs: Never trust OOBI sources or percolation intermediaries, always perform full cryptographic verification, and implement defense against malformed data

2. Prevent Injection Attacks: Sanitize all URL inputs, validate JSON structure before parsing, and implement rate limiting to prevent DoS

3. Monitor for Attacks: Detect and log suspicious discovery patterns, implement anomaly detection for unusual percolation behavior, and alert on potential attack indicators

Integration Points

1. KERI Infrastructure: Integrate with witness networks for authoritative KEL retrieval, connect to watcher networks for aggregated discovery, and coordinate with cloud agents for identifier management

2. ACDC Credentials: Discover issuer KELs for credential verification, locate TEL registries for revocation checking, and resolve schema SAIDs for credential validation

3. IPEX Protocol: Discover presentation endpoints for credential exchange, locate issuance services for credential requests, and find verification services for credential validation