KERI's Unified Approach to Revocation

KERI deliberately simplifies revocation semantics by treating it as a special case of rotation rather than a separate operation. In traditional PKI systems, revocation and key replacement are distinct operations, creating complexity and potential for confusion. KERI resolves this through a unified model:

Key Rotation = Key Revocation + Key Replacement

A standard rotation operation in KERI functionally combines:

1. Revoking the current authoritative keys
2. Replacing them with new authoritative keys

For scenarios requiring bare revocation without replacement, KERI uses a special case: rotation to a null key. This approach maintains protocol consistency while providing explicit support for permanent revocation.

Version History and Evolution

The revocation event concept has been part of KERI since its initial design. The protocol's approach to revocation through rotation-to-null has remained stable across versions, reflecting the fundamental design principle of minimizing protocol complexity while maintaining security properties.

Protocol Architecture

Layering and Component Organization

Revocation events operate within KERI's layered architecture:

Layer 1: Cryptographic Primitives

• Key generation and management
• Digital signature operations
• Digest computation

Layer 2: Key Event Structure

• Event serialization using CESR
• Event chaining through digest links
• Revocation events as specialized establishment events

Layer 3: Key Event Log (KEL)

• Append-only log maintaining event ordering
• Forward and backward chaining
• Duplicity detection mechanisms

Layer 4: Witness Infrastructure

• Witness validation and receipting
• KAACE consensus for event acceptance
• Watcher networks for ambient verification

Data Flow and Control Flow

Revocation Event Creation Flow:

1. Controller Decision: The identifier controller decides to permanently revoke control authority
2. Event Construction: A rotation event is constructed with a null key as the next key set
3. Event Signing: The event is signed using current authoritative keys
4. Event Publication: The signed event is published to witnesses
5. Witness Validation: Witnesses verify the event's validity and provide receipts
6. KEL Appending: The event is appended to the KEL
7. State Update: The identifier's key state is updated to reflect revoked status

Verification Flow:

1. Event Retrieval: A validator retrieves the KEL for an identifier
2. Chain Verification: The validator verifies the cryptographic chain from inception to current state
3. Revocation Detection: The validator identifies the revocation event (rotation to null)
4. State Determination: The validator determines that no valid authoritative keys exist post-revocation
5. Rejection of Subsequent Events: Any events after the revocation event are rejected as invalid

State Management Approach

KERI's state management for revocation follows the protocol's general principles:

Append-Only Immutability: Once a revocation event is recorded in the KEL, it cannot be removed or altered. The KEL's cryptographic chaining ensures that any attempt to modify history is detectable.

Event Ordering as Security Foundation: The temporal relationship between events is determined by their position in the KEL, not by timestamps. This design choice is critical for revocation security—an attacker cannot manipulate timestamps to reorder events and bypass revocation.

No Suspension State: KERI explicitly does not support temporary revocation or suspension. Revocation is permanent and irreversible. This design decision eliminates ambiguity and simplifies the protocol's state model.

Message Formats & Encoding

Revocation Event Structure

Revocation events in KERI are encoded as rotation events with specific characteristics that signal permanent termination of control authority. The event follows the standard KERI event structure encoded in CESR.

Core Event Fields:

{
  "v": "KERI10JSON00011c_",
  "t": "rot",
  "d": "ELvaU6Z-i0d8JJR2nmwyYAZAoTNZH3UfSVPzhzS6b5CM",
  "i": "EaU6JR2nmwyZ-i0d8JZAoTNZH3ULvaUfSVPzhzS6b5CM",
  "s": "3",
  "p": "EULvaU6JR2nmwyZ-i0d8JZAoTNZH3fSVPzhzS6b5CMaU",
  "kt": "0",
  "k": [],
  "nt": "0",
  "n": [],
  "bt": "0",
  "b": [],
  "c": [],
  "a": []
}

Field Semantics for Revocation:

• v (version): CESR version string specifying encoding format
• t (type): "rot" indicating a rotation event
• d (SAID): Self-addressing identifier of this event
• i (identifier): The AID being revoked
• s (sequence number): Position in the KEL
• p (prior): Digest of the previous event, creating backward chaining
• kt (key threshold): Set to "0" for revocation
• k (keys): Empty array indicating no current keys
• nt (next threshold): Set to "0" for revocation
• n (next keys): Empty array indicating no pre-rotated keys
• bt (witness threshold): Set to "0" for revocation
• b (witnesses): Empty array indicating no witnesses
• c (configuration): Empty array
• a (anchors): Empty array

Critical Revocation Indicators:

The combination of kt: "0", k: [], nt: "0", and n: [] signals that this is a revocation event. The zero thresholds and empty key arrays indicate that no keys are authorized to sign subsequent events, effectively terminating control authority.

CESR Encoding

Revocation events are encoded using CESR's composable event streaming representation, which provides:

• Self-framing: Each primitive includes type and size information
• Dual encoding: Support for both text (Base64) and binary domains
• Composability: Primitives can be concatenated and parsed as groups

Example CESR-encoded Revocation Event:

{"v":"KERI10JSON00011c_","t":"rot","d":"ELvaU6Z-i0d8JJR2nmwyYAZAoTNZH3UfSVPzhzS6b5CM","i":"EaU6JR2nmwyZ-i0d8JZAoTNZH3ULvaUfSVPzhzS6b5CM","s":"3","p":"EULvaU6JR2nmwyZ-i0d8JZAoTNZH3fSVPzhzS6b5CMaU","kt":"0","k":[],"nt":"0","n":[],"bt":"0","b":[],"c":[],"a":[]}-AABAADaguFmWb-l1SFHK-1TrEt6Rc0jiscDVjHB0eHukfMKJTmyLsvzlZfqNZFHd_KjJDPkMzBqJBHjGVHDqH_5ECDg

The signature attachment (-AAB...) follows the event body, providing cryptographic proof that the controller authorized the revocation.

Witness Receipts

After a revocation event is published, witnesses provide receipts confirming they have observed and validated the event. These receipts are encoded as indexed signatures attached to the event.

Receipt Structure:

-FAB
EaU6JR2nmwyZ-i0d8JZAoTNZH3ULvaUfSVPzhzS6b5CM
-AABAABqNZFHd_KjJDPkMzBqJBHjGVHDqH_5ECDgaguFmWb-l1SFHK-1TrEt6Rc0jiscDVjHB0eHukfMKJTmyLsvzlZf

The -FAB prefix is a CESR group code indicating a witness receipt attachment. Multiple witnesses provide independent receipts, creating a distributed consensus on the revocation event's validity.

Protocol Mechanics

Message Exchange Patterns

Revocation Event Publication:

1. Controller → Witnesses: The controller publishes the signed revocation event to its designated witnesses
2. Witnesses → Controller: Witnesses return signed receipts confirming event acceptance
3. Controller → Watchers: The controller may publish the event to watcher networks for broader distribution
4. Watchers → Validators: Watchers make the event available to validators through OOBI discovery mechanisms

Revocation Event Verification:

1. Validator → Witnesses/Watchers: Validator requests the KEL for an identifier
2. Witnesses/Watchers → Validator: KEL is provided with witness receipts
3. Validator → Validator: Local verification of event chain and signatures
4. Validator → Application: Revocation status is communicated to the application layer

State Transitions

The identifier undergoes a definitive state transition upon revocation:

Pre-Revocation State:

• Authoritative keys: [key1, key2, ...]
• Key threshold: n (where n ≥ 1)
• Next keys: [digest1, digest2, ...]
• Next threshold: m (where m ≥ 1)
• Status: Active

Post-Revocation State:

• Authoritative keys: [] (empty)
• Key threshold: 0
• Next keys: [] (empty)
• Next threshold: 0
• Status: Revoked

Irreversibility: Once an identifier enters the revoked state, it cannot transition back to an active state. No subsequent events can be validly signed because no authoritative keys exist.

Timing and Ordering Requirements

Event Ordering Semantics:

KERI's security model for revocation relies on event ordering within the KEL rather than wall-clock timestamps. This design choice addresses a critical security vulnerability:

Why Timestamps Are Not Used for Security:

Timestamps can be manipulated by attackers. An attacker who compromises keys could:

1. Create backdated events with false timestamps
2. Attempt to insert events before a legitimate revocation
3. Claim that their malicious events occurred before revocation

By using KEL ordering instead of timestamps, KERI ensures that:

• Events are ordered by their position in the append-only log
• The cryptographic chain prevents insertion of events
• Revocation is definitive based on log position, not time claims

Sequence Number Monotonicity:

Each event in the KEL has a sequence number s that must be strictly monotonically increasing. For a revocation event at sequence n, all events with sequence n+1 or higher are invalid because no authoritative keys exist to sign them.

Witness Agreement:

The KAACE algorithm ensures that witnesses reach agreement on the revocation event before it is considered stable. The threshold of accountable duplicity (TOAD) determines how many witness confirmations are required.

Security Properties

Threat Model

Revocation events must provide security against several threat scenarios:

Threat 1: Compromised Key Exploitation

An attacker who compromises the current signing keys attempts to continue using the identifier after the legitimate controller has revoked it.

Mitigation: The revocation event is signed with the current keys before they are considered compromised. Once the revocation is recorded in the KEL and witnessed, the compromised keys cannot be used to create valid subsequent events because the key state shows zero authoritative keys.

Threat 2: Timestamp Manipulation

An attacker attempts to create backdated events with false timestamps to make malicious events appear to occur before revocation.

Mitigation: KERI does not use timestamps for security decisions. Event ordering is determined by position in the KEL, which is cryptographically chained and cannot be reordered without breaking the chain.

Threat 3: Witness Collusion

Malicious witnesses attempt to accept conflicting versions of the KEL, one with revocation and one without.

Mitigation: The duplicity detection mechanisms in KERI ensure that any witness providing conflicting receipts is detectable. Watchers operating in promiscuous mode provide ambient verification that exposes duplicitous behavior.

Threat 4: Revocation Denial

An attacker attempts to prevent the revocation event from being distributed to validators.

Mitigation: The distributed witness and watcher infrastructure ensures that revocation events are widely propagated. Validators can query multiple sources to obtain the authoritative KEL state.

Security Guarantees

Guarantee 1: Finality

Once a revocation event is accepted by the required threshold of witnesses and recorded in the KEL, it is final and irreversible. No mechanism exists to "undo" a revocation.

Guarantee 2: Non-Repudiation

The revocation event is signed by the controller's authoritative keys, providing cryptographic proof that the controller authorized the revocation. The controller cannot later deny having revoked the identifier.

Guarantee 3: Verifiability

Any validator can independently verify the revocation by:

1. Retrieving the KEL from witnesses or watchers
2. Verifying the cryptographic chain from inception to revocation
3. Confirming that the revocation event has valid signatures and witness receipts
4. Determining that no valid authoritative keys exist post-revocation

Guarantee 4: Duplicity Evidence

If a controller attempts to create conflicting versions of the KEL (one with revocation, one without), this duplicity is detectable and provides evidence of malicious behavior.

Attack Resistance

Resistance to Key Compromise:

Revocation events provide a mechanism to terminate control authority even after key compromise. The pre-rotation mechanism in KERI enhances this by allowing controllers to pre-commit to rotation keys that are not exposed until needed.

Resistance to Replay Attacks:

Each event includes a sequence number and digest of the previous event, preventing replay of old events. A revocation event cannot be replayed to revoke an identifier multiple times because the sequence number would conflict with the existing KEL.

Resistance to Reordering Attacks:

The cryptographic chaining of events prevents reordering. An attacker cannot move a revocation event to a different position in the KEL without breaking the chain of digests.

Post-Quantum Considerations:

KERI's design supports post-quantum cryptographic algorithms. Revocation events can use quantum-resistant signature schemes, ensuring that revocation remains secure even against future quantum computing threats.

Interoperability

Dependencies on KERI/ACDC Protocols

Core KERI Dependencies:

Revocation events depend on several foundational KERI components:

• KEL (Key Event Log): The append-only log structure that records revocation events
• CESR (Composable Event Streaming Representation): The encoding format for revocation events
• Witness Infrastructure: The distributed consensus mechanism for validating revocation
• OOBI (Out-Of-Band Introduction): The discovery mechanism for distributing revocation information

ACDC Integration:

Revocation events interact with the ACDC (Authentic Chained Data Container) credential system:

• Credential Revocation: When an identifier is revoked, all credentials issued by that identifier become invalid
• TEL (Transaction Event Log): Credential-specific revocation is managed through TELs, which are anchored to KELs
• Issuer Revocation: If a credential issuer's identifier is revoked, the issuer can no longer issue new credentials

Integration Points

Integration with Credential Registries:

Revocation events in KELs affect credential status in public verifiable credential registries:

1. Issuer Identifier Revocation: If an issuer's AID is revoked, validators must check the issuer's KEL to determine if credentials issued before revocation remain valid
2. Holder Identifier Revocation: If a credential holder's AID is revoked, presentations using that identifier become invalid
3. Verifier Identifier Revocation: If a verifier's AID is revoked, they can no longer request or verify credentials

Integration with vLEI Ecosystem:

In the vLEI (verifiable Legal Entity Identifier) ecosystem:

• QVI Revocation: If a Qualified vLEI Issuer (QVI) identifier is revoked, all credentials issued by that QVI may need to be re-evaluated
• Legal Entity Revocation: If a legal entity's identifier is revoked, all role credentials (OOR, ECR) associated with that entity become invalid
• Governance Framework Compliance: Revocation events must comply with the vLEI Ecosystem Governance Framework policies

Integration with DID Methods:

KERI-based DID methods (e.g., did:keri, did:webs) must handle revocation:

• DID Document Updates: Revocation of the underlying KERI identifier should be reflected in the DID document
• DID Resolution: DID resolvers must check the KEL to determine if the identifier has been revoked
• DID Deactivation: Revocation events provide a mechanism for permanent DID deactivation

Implementation Considerations

Common Challenges

Challenge 1: Revocation Detection Latency

Validators may not immediately learn about revocation events due to network delays or asynchronous propagation. Implementations should:

• Query multiple witnesses and watchers to obtain the most current KEL state
• Implement caching strategies that respect revocation event timestamps
• Provide mechanisms for validators to subscribe to KEL updates

Challenge 2: Partial KEL Availability

In some scenarios, validators may only have access to a partial KEL that does not include the revocation event. Implementations should:

• Implement KEL synchronization protocols to obtain complete logs
• Provide clear error messages when revocation status cannot be determined
• Support escrow mechanisms for out-of-order event processing

Challenge 3: Revocation vs. Rotation Disambiguation

Implementations must clearly distinguish between:

• Standard rotation: Transfers control to new keys (non-zero thresholds, non-empty key arrays)
• Revocation: Terminates control authority (zero thresholds, empty key arrays)

Parsing logic should explicitly check for the revocation indicators (kt: "0", k: [], nt: "0", n: []) rather than assuming any rotation with empty keys is a revocation.

Challenge 4: Credential Lifecycle Management

When an issuer identifier is revoked, implementations must determine the validity of previously issued credentials. Considerations include:

• Issuance Time: Credentials issued before revocation may remain valid
• Verification Time: Credentials verified after revocation may be rejected
• Grace Periods: Some governance frameworks (e.g., vLEI) define grace periods for credential transitions

Performance Considerations

KEL Verification Overhead:

Verifying a revocation event requires validating the entire KEL from inception to the revocation event. For identifiers with long KEL histories, this can be computationally expensive. Optimization strategies include:

• Caching: Cache verified KEL states and only verify new events
• Checkpointing: Use witness receipts as checkpoints to avoid re-verifying the entire chain
• Parallel Verification: Verify multiple KEL segments in parallel

Witness Query Optimization:

Querying multiple witnesses for KEL state can introduce latency. Implementations should:

• Use asynchronous queries to witnesses
• Implement timeout and retry logic
• Prioritize witnesses based on historical reliability

Watcher Network Efficiency:

Watcher networks provide ambient verification but can generate significant network traffic. Implementations should:

• Use efficient gossip protocols for KEL propagation
• Implement bloom filters or other probabilistic data structures to reduce redundant queries
• Support selective watching based on identifier prefixes or other criteria

Testing and Validation

Test Scenarios:

Implementations should include test cases for:

1. Basic Revocation: Create an identifier, perform operations, then revoke it
2. Post-Revocation Rejection: Attempt to create events after revocation and verify they are rejected
3. Revocation Detection: Verify that validators correctly detect revocation events in KELs
4. Duplicity Detection: Create conflicting KELs (one with revocation, one without) and verify duplicity is detected
5. Witness Agreement: Test revocation with various witness configurations and thresholds
6. Credential Invalidation: Issue credentials, revoke the issuer, and verify credentials are invalidated

Interoperability Testing:

Implementations should be tested against other KERI implementations to ensure:

• Revocation events are correctly encoded and decoded
• Witness receipts are compatible across implementations
• KEL synchronization works correctly
• Revocation status is consistently interpreted

Operational Best Practices

Revocation Planning:

Controllers should plan for revocation scenarios:

• Key Compromise Response: Have procedures for rapid revocation if keys are compromised
• Identifier Lifecycle: Define when identifiers should be revoked (e.g., end of organizational role, system decommissioning)
• Credential Migration: Plan for migrating credentials to new identifiers before revoking old ones

Witness Configuration:

Choose witness configurations that balance security and availability:

• Minimum Witnesses: Use at least 3 witnesses for production identifiers
• Geographic Distribution: Distribute witnesses across different geographic regions and network providers
• Witness Rotation: Periodically rotate witness sets to prevent long-term collusion

Monitoring and Alerting:

Implement monitoring for revocation-related events:

• Revocation Detection: Alert when identifiers are revoked
• Post-Revocation Activity: Alert if events are attempted after revocation
• Duplicity Detection: Alert if conflicting KELs are detected
• Witness Availability: Monitor witness availability and responsiveness

Governance and Policy

Revocation Policies:

Organizations should define policies for when revocation is appropriate:

• Mandatory Revocation: Key compromise, employee termination, system decommissioning
• Optional Revocation: Identifier migration, organizational restructuring
• Prohibited Revocation: Situations where revocation would violate legal or contractual obligations

Audit and Compliance:

Revocation events should be auditable:

• Revocation Logs: Maintain logs of all revocation events with justifications
• Compliance Verification: Verify that revocations comply with governance frameworks
• Forensic Analysis: Support forensic analysis of revocation events in case of disputes

Legal Considerations:

Revocation may have legal implications:

• Non-Repudiation: Revocation events provide non-repudiable proof of controller intent
• Liability: Controllers may be liable for damages if revocation is performed improperly
• Regulatory Compliance: Some regulations may require revocation under specific circumstances (e.g., GDPR right to erasure)

Conclusion

Revocation events in KERI provide a cryptographically secure, verifiable mechanism for permanently terminating control authority over identifiers. By treating revocation as a special case of rotation (rotation to null keys) and relying on event ordering rather than timestamps for security, KERI simplifies the revocation model while maintaining strong security properties. The protocol's design ensures that revocation is final, verifiable, and resistant to manipulation, making it suitable for high-assurance identity systems including the vLEI ecosystem and other enterprise applications.

Implementations should:

1. Query multiple sources: Query multiple witnesses and watchers to ensure revocation events are not being suppressed
2. Implement timeout logic: Set reasonable timeouts for witness queries to avoid blocking on unresponsive witnesses
3. Handle partial responses: If some witnesses are unavailable, determine if the available responses meet the TOAD threshold
4. Support asynchronous updates: Implement mechanisms for receiving asynchronous notifications of revocation events

Error Handling

Implementations should handle revocation-related errors gracefully:

• Revocation detection failure: If revocation status cannot be determined, fail closed (reject operations)
• Post-revocation event attempts: Provide clear error messages when operations are attempted on revoked identifiers
• Witness unavailability: Implement fallback mechanisms when witnesses are unavailable
• KEL synchronization failures: Provide mechanisms to retry KEL synchronization and alert operators to persistent failures