GLEIF's implementation of the RID concept demonstrates the practical application of root autonomic identifiers in a production governance framework:

GLEIF Root AID: The apex identifier that delegates authority to:

• GLEIF Internal Delegated AID (GIDA): For internal GLEIF operations
• GLEIF External Delegated AID (GEDA): For external ecosystem interactions, particularly with Qualified vLEI Issuers

This hierarchical structure enables GLEIF to maintain extreme protection for the root identifier while supporting more performant key management for operational activities through delegation.

Related Governance Entities

The RID concept relates to several key governance entities:

• Qualified vLEI Issuers (QVIs): Receive delegated authority from GLEIF's root through GEDA
• Legal Entities: Receive credentials issued by QVIs, forming the next level in the trust hierarchy
• Authorized Representatives: Individuals who receive role credentials, representing the operational leaves of the trust tree

Roles & Responsibilities

Primary Responsibilities

A RID serves several critical functions within a KERI-based ecosystem:

Trust Anchor: The RID provides the ultimate cryptographic root-of-trust for all identifiers and credentials within its ecosystem. Any entity verifying credentials can trace the chain of trust back to this root identifier.

Delegation Authority: The RID controller has the authority to create delegated identifiers that inherit trust from the root. This enables:

• Horizontal scalability: Multiple delegates can operate in parallel
• Vertical scalability: Delegates can themselves become delegators, creating nested hierarchies
• Separation of concerns: Different operational domains can be managed by different delegated identifiers

Security Foundation: The RID establishes the security baseline for the entire ecosystem. Compromise of the RID would undermine trust in all dependent identifiers, making its protection paramount.

Authority and Permissions

The RID controller possesses several critical authorities:

Establishment Authority: The ability to create the initial root identifier through an inception event, establishing the cryptographic foundation for the ecosystem.

Delegation Authority: The power to create delegated identifiers by:

• Including delegated event seals in the RID's KEL
• Cryptographically committing to the delegate's inception event
• Enabling the delegate to prove its authorization through the verifiable delegation chain

Rotation Authority: The exclusive right to rotate the RID's keys through pre-rotation mechanisms, maintaining control authority despite key compromise.

Revocation Authority: The ability to revoke delegated identifiers by rotating to a state that no longer recognizes the delegation, effectively terminating the delegate's authority.

Limitations

Despite its foundational role, the RID has important limitations:

No Retroactive Authority: The RID cannot retroactively authorize events that occurred before delegation was established. The delegation relationship must be cryptographically committed before the delegate can issue valid events.

Cooperative Delegation Requirement: KERI's delegation model is cooperative, meaning both the delegator (RID) and delegate must contribute cryptographic commitments. The RID cannot unilaterally assert delegation without the delegate's participation.

Key Management Burden: The requirement for highest level security in key management creates operational constraints:

• More complex key generation procedures
• Stricter access controls
• Potentially slower operational response times
• Higher infrastructure costs

Technical Architecture

Multi-Valent Key Management

The RID concept is closely tied to multi-valent key management infrastructure, which enables the critical balance between security and performance:

Bivalent Architecture: A nested set of layered delegations wraps each layer with compromise recovery protection from the next higher layer. This maintains the security of the root layer for compromise recovery all the way to the leaves, even when leaves use less secure key management methods.

Security Gradient: The architecture allows:

• Root layer: Maximum security with potentially slower operations
• Intermediate layers: Balanced security and performance
• Leaf layers: Optimized performance with adequate security for operational needs

Cryptographic Requirements

For a RID to fulfill its role, it must meet stringent cryptographic requirements:

Entropy: The RID must be generated from a random number seed with at least 128 bits of cryptographic strength, providing adequate security against brute-force attacks.

Key Pairs: The RID requires two sets of asymmetric signing key pairs:

• Current signing keys: For immediate operations
• Pre-rotated keys: For future rotations, providing post-quantum security through cryptographic hiding

Derivation: The RID prefix is derived from cryptographic digests of:

• Serialized public keys from the first key pair set
• Cryptographic digest of the second key pair set
• Associated identifiers and configuration parameters

Delegation Mechanics

The RID enables delegation through a specific cryptographic protocol:

Delegated Inception: When creating a delegated identifier, the delegate creates a delegated inception event (dip) that includes:

• The delegator's AID (the RID) in the di field
• The delegate's initial key state
• Configuration parameters

Delegator Commitment: The RID controller must create an interaction event or rotation event containing a seal that commits to:

• The delegate's AID prefix (i)
• The sequence number of the delegated event (s)
• The digest of the delegated event (d)

Verification: Any verifier can confirm the delegation by:

1. Retrieving the delegate's KEL
2. Extracting the delegator AID from the inception event
3. Retrieving the delegator's (RID's) KEL
4. Locating the seal that commits to the delegate's inception
5. Verifying the cryptographic binding between the seal and the delegated event

Security Considerations

Threat Model

The RID faces unique security threats due to its foundational role:

High-Value Target: Compromise of the RID undermines trust in the entire ecosystem, making it an attractive target for sophisticated attackers.

Long-Term Exposure: RIDs are typically long-lived identifiers, increasing cumulative exposure to attacks over time.

Cascading Impact: Compromise of the RID affects not just the root identifier but all delegated identifiers and credentials issued under its authority.

Protection Mechanisms

To address these threats, RID implementations should employ multiple protection layers:

Key Generation: Use cryptographically-secure pseudo-random number generators (CSPRNG) or true random number generators with at least 128 bits of entropy.

Key Storage: Implement highest level protection through:

• Hardware Security Modules (HSMs) for key material storage
• Trusted Execution Environments (TEEs) for cryptographic operations
• Multi-factor authentication for access to key management systems
• Air-gapped systems for the most sensitive operations

Operational Security:

• Minimal exposure: Limit the frequency of RID key usage
• Ceremony-based operations: Use formal procedures for critical operations like key rotation
• Multi-party control: Implement multi-signature schemes requiring multiple authorized parties
• Audit trails: Maintain comprehensive logs of all RID operations

Pre-Rotation for Recovery

The RID leverages KERI's pre-rotation mechanism to provide compromise recovery:

Forward Commitment: Each establishment event commits to the next set of rotation keys through cryptographic digests, hiding the actual keys until needed.

One-Time Use: Rotation keys are used exactly once, minimizing exposure windows.

Post-Quantum Security: The cryptographic hiding of pre-rotated keys provides protection against future quantum attacks, as the keys remain unexposed until rotation.

Recovery Process: If current signing keys are compromised, the RID controller can use the pre-rotated keys to perform a rotation, re-establishing control authority without requiring cooperation from the attacker.

Implementation Patterns

Ecosystem Initialization

Establishing a RID-based ecosystem follows a specific pattern:

1. Entropy Generation: Generate high-quality random entropy for the root seed
2. Key Derivation: Derive the initial key pairs and pre-rotated keys
3. Inception Event: Create the RID inception event with appropriate configuration
4. Witness Configuration: Establish a witness pool for the RID with appropriate thresholds
5. Publication: Make the RID's KEL available through appropriate discovery mechanisms

Delegation Workflow

Creating delegated identifiers from a RID involves coordination:

1. Delegate Preparation: The delegate generates its key pairs and prepares its inception event
2. Delegation Request: The delegate communicates its inception event to the RID controller
3. Verification: The RID controller verifies the delegate's identity and authorization
4. Seal Creation: The RID controller creates an event containing the delegation seal
5. Publication: Both the RID's sealing event and the delegate's inception event are published
6. Verification: Third parties can now verify the delegation relationship

Operational Considerations

Performance Trade-offs: The highest security requirements for RIDs create performance constraints. Organizations must balance:

• Security: Maximum protection for the root identifier
• Availability: Ensuring the RID can perform necessary operations
• Scalability: Supporting the ecosystem's growth through delegation

Governance: RID management requires clear governance:

• Access Control: Who can authorize RID operations?
• Procedures: What processes govern key rotation, delegation, and revocation?
• Audit: How are RID operations monitored and reviewed?
• Succession: What happens if RID controllers are unavailable?

Related Governance Documents

GLEIF vLEI Ecosystem Governance Framework

The vLEI Ecosystem Governance Framework provides the authoritative governance context for RID implementation in the GLEIF ecosystem:

Primary Document: vLEI Ecosystem Governance Framework v3.0 establishes GLEIF's role as both Governing and Administering Authority, with the GLEIF Root AID serving as the RID for the ecosystem.

GLEIF Identifier Governance Framework: Specifically addresses the creation, management, and lifecycle of the GLEIF Root AID and its delegated AIDs (GIDA and GEDA), establishing the highest duty of care requirements.

Technical Requirements Part 1: KERI Infrastructure: Defines the technical specifications for AID generation, key management, and delegation mechanisms that apply to the GLEIF Root AID.

KERI Protocol Specifications

KERI Specification: The foundational protocol specification maintained by the Trust over IP Foundation defines the technical mechanisms for autonomic identifiers, delegation, and key management.

Universal Identifier Theory: Samuel Smith's whitepaper provides the theoretical foundation for the RID concept, explaining how autonomic identifiers enable hierarchical trust structures.

Related Policy Documents

Trust Assurance Framework: Establishes the security requirements and compliance obligations for all participants in the vLEI ecosystem, including specific requirements for root identifier protection.

Qualified vLEI Issuer Qualification Program Manual: Defines how QVIs receive delegated authority from the GLEIF Root AID through GEDA, establishing the operational procedures for delegation.

Conclusion

The root autonomic identifier represents a critical architectural concept in KERI-based ecosystems, enabling the creation of hierarchical trust structures that balance security and operational efficiency. By serving as the ultimate cryptographic anchor for an ecosystem, the RID enables scalable, secure identity infrastructure while maintaining the self-sovereign properties that distinguish KERI from traditional PKI systems. The GLEIF vLEI ecosystem demonstrates the practical application of RID concepts in a production governance framework, providing a model for other ecosystems seeking to implement hierarchical trust structures based on KERI principles.