The evolution toward autonomic trust represents a paradigm shift where trust hierarchies are established purely through cryptographic proofs without requiring either administrative oversight or shared algorithmic consensus. This evolution recognizes that different trust layers serve different purposes and that not all trust anchors need to be primary—some can be derivative while maintaining verifiability.

KERI's Approach

KERI formalizes the distinction between primary and secondary roots-of-trust as a fundamental architectural principle. In KERI's trust architecture:

Primary Root-of-Trust: The KEL

The Key Event Log (KEL) serves as KERI's primary root-of-trust. It is:

• Self-certifying: Derives trust from cryptographic binding between identifiers and key pairs
• Irreplaceable: Forms the foundational layer that cannot be substituted
• Autonomic: Requires no external authority for verification
• Cryptographically verifiable: Every state transition is provable through hash chaining and digital signatures

The KEL provides what KERI terms a cryptographic root-of-trust rather than an administrative or algorithmic one, meaning trust is established through verifiable cryptographic operations alone.

Secondary Root-of-Trust: The TEL

The Transaction Event Log (TEL) exemplifies KERI's secondary root-of-trust. The TEL:

• Anchors to the KEL: Uses cryptographic seals to bind transaction events to key events
• Inherits security properties: Derives its trustability from the KEL's cryptographic guarantees
• Enables credential lifecycle management: Tracks issuance and revocation states for ACDCs
• Maintains verifiability: Despite being secondary, remains end-verifiable through its anchoring mechanism

Cryptographic Anchoring Mechanism

The connection between secondary and primary roots-of-trust is established through seals—cryptographic commitments in the form of digests or Merkle roots. When a TEL event is created:

1. The event data is hashed to create a cryptographic digest
2. This digest is included as a seal in a KEL event (typically an interaction event)
3. The KEL event is signed by the controller's authoritative keys
4. The signature creates a non-repudiable commitment binding the TEL event to the KEL's key state

This anchoring mechanism provides several critical properties:

• Immutability: Once sealed, the TEL event payload becomes immutable
• Provenance: The seal establishes cryptographic proof of when and by whom the event was committed
• Verifiability: Any party can verify the seal by recomputing the digest and checking the KEL signature
• Independence: The TEL can be stored, transmitted, and verified independently while maintaining its cryptographic binding

Advantages Over Traditional Approaches

KERI's approach to secondary roots-of-trust offers several advantages over traditional hierarchical trust systems:

No Administrative Overhead: Unlike PKI certificate chains that require administrative processes for intermediate CA management, KERI's secondary roots are purely cryptographic. There are no certificate signing requests, no manual verification procedures, and no administrative revocation lists.

No Shared Governance: Unlike blockchain-based systems where secondary layers (like smart contracts) depend on distributed consensus, KERI's secondary roots require no shared governance. Each AID controller independently manages their own TELs anchored to their own KELs.

Cryptographic Continuity: The seal mechanism ensures that even if infrastructure changes (witnesses are rotated, storage locations move, etc.), the cryptographic binding between secondary and primary roots remains verifiable. This enables true portability of trust.

Graduated Security: The architecture allows for different security levels at different layers. The KEL can use the highest security key management practices (HSMs, multi-sig, etc.) while TELs can use more practical approaches, knowing they inherit security from their anchoring.

Scalability: Secondary roots can be created, managed, and verified independently without requiring global coordination. This enables horizontal scaling where each entity manages its own trust structures.

Practical Implications

Use Cases

Credential Lifecycle Management: The most prominent use case for secondary roots-of-trust in KERI is managing verifiable credential lifecycles. A TEL tracks the issuance and revocation state of ACDCs, with each state change anchored to the issuer's KEL. This enables:

• Verifiable issuance: Proof that a credential was issued by a specific controller at a specific key state
• Verifiable revocation: Cryptographic proof of credential revocation without requiring global registries
• Privacy-preserving verification: Credentials can be verified without revealing unnecessary information to third parties

Delegation Hierarchies: In KERI's delegation model, delegated identifiers form secondary roots-of-trust anchored to their delegator's KEL. This enables:

• Organizational hierarchies: Enterprises can create delegated AIDs for departments, teams, or roles
• Recoverable delegation: If a delegated identifier is compromised, the delegator can revoke the delegation
• Scalable authority: Large organizations can distribute authority while maintaining cryptographic accountability

Multi-Signature Coordination: When multiple parties must coordinate on shared decisions, secondary roots can track the coordination state while each party maintains their own primary root (KEL). This enables:

• Threshold signatures: Tracking which parties have signed without requiring all parties to share key material
• Audit trails: Verifiable records of who authorized what and when
• Dispute resolution: Cryptographic evidence for resolving disagreements about authorization

Benefits

Separation of Concerns: Secondary roots-of-trust enable clean architectural separation between different trust layers. Key management (KEL) is separated from credential management (TEL), allowing each to be optimized independently.

Flexible Infrastructure: Because secondary roots are replaceable, infrastructure can evolve without breaking trust. TEL storage can move between systems, witness pools can be reconfigured, and verification infrastructure can be upgraded—all while maintaining cryptographic continuity.

Reduced Complexity: Not every trust decision requires the full security apparatus of a primary root. Secondary roots allow for graduated security where appropriate, reducing operational complexity and cost.

Enhanced Privacy: Secondary roots can be selectively disclosed. A controller might share a TEL proving credential revocation status without revealing their entire KEL history, enabling privacy-preserving verification.

Trade-offs

Dependency Risk: Secondary roots depend on the integrity of their primary roots. If a KEL is compromised, all anchored TELs inherit that compromise. This creates a single point of failure at the primary root level.

Verification Overhead: Verifying a secondary root requires also verifying its anchoring to the primary root. This adds computational overhead compared to verifying a self-contained data structure.

Complexity of Understanding: The hierarchical trust model requires understanding both the primary and secondary layers and their relationship. This conceptual complexity can be a barrier to adoption.

Anchoring Latency: Creating a secondary root event requires anchoring it to the primary root, which may introduce latency if the primary root is not immediately available for signing.

Despite these trade-offs, KERI's secondary root-of-trust architecture provides a powerful mechanism for building scalable, verifiable trust systems that maintain cryptographic integrity while enabling practical operational flexibility. The key insight is that not all trust must be primary—derivative trust can be equally verifiable when properly anchored through cryptographic commitments.

Lazy Verification: Implement verification strategies that defer secondary root verification until needed. Not every operation requires full verification of the anchoring chain.

Caching Strategies: Cache verified secondary root states to avoid repeated verification overhead. Invalidate caches when the primary root (KEL) changes state.