Cryptographic Verifiability: Identity assertions are backed by cryptographic proofs rather than trust in intermediary authorities. This enables end-to-end verifiable identity without requiring trusted third parties.

Portability: Identities and credentials can move between systems and platforms without loss of security properties, enabling genuine self-sovereignty where controllers maintain complete autonomy.

Scope and Boundaries

SSI is explicitly defined as having "many different interpretations" across the identity community. The concept encompasses:

• Concepts and ideas about identity sovereignty and user control
• Architectures for decentralized identity systems
• Processes for credential issuance, presentation, and verification
• Technologies enabling cryptographic identity management

What SSI is not:

• SSI does not use the term "identity provider" - this term is fundamental to federated identity architectures that SSI explicitly aims to replace
• SSI is not about centralized identity verification - while identity assurance may be provided by trusted parties, the core identifier and credential management remains decentralized
• SSI is not a single standard or protocol - it represents a family of approaches sharing common principles

Historical Context

The evolution of digital identity systems provides essential context for understanding SSI:

Traditional Identity Models

Administrative Trust Basis (DNS/CA): Traditional systems rely on external administrators and hierarchical certificate authorities. Users must trust centralized identity providers to maintain and validate their identity information. This creates:

• Single points of failure
• Privacy concerns through centralized data aggregation
• Vendor lock-in and lack of portability
• Dependency on intermediary business models

Federated Identity: Systems like SAML and OAuth enable identity federation across domains, but still require:

• Central identity providers that users must trust
• Permission-based access control
• Trust in intermediary authorities
• Shared governance over identity infrastructure

The SSI Movement

The SSI movement emerged from recognition that existing identity systems concentrate too much power in centralized authorities. Key drivers included:

Privacy Concerns: Big data collectors and social media platforms accumulate knowledge about individuals that exceeds self-knowledge, enabling surveillance and manipulation.

Security Vulnerabilities: Centralized identity databases create attractive targets for attackers, with breaches affecting millions of users.

User Disempowerment: Individuals lack control over their own identity data, unable to move credentials between platforms or revoke access without provider cooperation.

Democratic Threats: Elections have been influenced and individuals impersonated through digital manipulation, undermining trust in digital interactions.

Conceptual Foundations

SSI builds on several foundational concepts:

Self-Certifying Identifiers: Cryptographically derived identifiers that can be verified without external authorities, providing a decentralized root of trust.

Verifiable Credentials: Digitally signed credentials that are tamper-evident and cryptographically verifiable, enabling trust without intermediaries.

Decentralized Key Management: Cryptographic key management that doesn't rely on centralized infrastructure, enabling true user sovereignty.

KERI's Approach

KERI (Key Event Receipt Infrastructure) implements SSI principles through a specific technical architecture that addresses core challenges in decentralized identity:

Autonomic Identifiers (AIDs)

KERI's Autonomic Identifiers embody SSI principles through:

Self-Certifying: AIDs are cryptographically derived from public keys, enabling verification without external authorities. The identifier itself proves its binding to the controlling key pair.

Self-Governing: AIDs operate independently without requiring permission from centralized registries or identity providers.

Self-Sovereign: Controllers maintain complete authority over their identifiers through cryptographic key control.

Self-Managing: Key rotation and delegation operations are managed by controllers without intermediary involvement.

Self-Administering: The identifier namespace is autonomic, requiring no external administration.

Cryptographic Root of Trust

KERI provides what it calls an autonomic trust basis - a cryptographic root of trust that doesn't depend on external authorities:

Primary Root of Trust: KERI establishes trust through cryptographically verifiable key event logs (KELs) that can be verified all the way to the current controlling key pair. This is fundamentally different from:

• Administrative trust (DNS/CA) that relies on external administrators
• Algorithmic trust (blockchain) that depends on shared distributed ledgers

End-Verifiability: Anyone can verify any KEL, anywhere, at any time - a property KERI calls "ambient verifiability." This eliminates dependency on intervening infrastructure.

Zero-Trust Architecture: KERI requires no trust in intermediary infrastructure. All verification is performed cryptographically by the verifier.

Key Management Innovation

KERI's approach to key management directly supports SSI principles:

Pre-Rotation: Controllers commit to next keys before rotation, providing post-quantum security and protection against key compromise. This enables:

• Secure key rotation without trusted third parties
• Recovery from key compromise
• Long-lived identifiers with rotating keys

Delegation: KERI supports cooperative delegation where both delegator and delegate must contribute, enabling:

• Hierarchical identifier management
• Scalable organizational identity
• Separation of concerns through delegation trees

Witness Networks: Instead of requiring blockchain consensus, KERI uses designated witnesses that provide duplicity detection without requiring shared governance.

Differences from Traditional SSI Approaches

KERI distinguishes itself from other SSI implementations:

No Blockchain Dependency: Unlike many SSI systems that anchor to blockchains, KERI provides decentralized trust without requiring:

• Shared consensus mechanisms
• Transaction fees
• Blockchain scalability limitations
• Governance over consensus node pools

Portability: KERI identifiers can be transferred off ledgers to native KERI infrastructure, providing true portability.

Security-First Design: KERI explicitly prioritizes:

1. Security first - Cryptographic verifiability and attack resistance
2. Confidentiality second - Protection of data content
3. Privacy third - Protection of correlation

This ordering reflects a deliberate architectural philosophy that security guarantees must precede privacy features.

Benefits of KERI's SSI Implementation

Scalability: KERI's witness-based approach scales better than blockchain-based SSI systems, supporting high-throughput credential issuance and verification.

Performance: Without blockchain transaction latency, KERI operations complete in milliseconds rather than minutes.

Cost: No transaction fees for identifier operations or credential issuance.

Simplicity: KERI uses well-established cryptographic primitives rather than complex zero-knowledge proofs or blockchain consensus.

Interoperability: KERI can integrate with existing standards like W3C DIDs through did:keri and did:webs methods.

Practical Implications

Use Cases

SSI principles implemented through KERI enable diverse applications:

Organizational Identity (vLEI): GLEIF's verifiable Legal Entity Identifier system uses KERI to provide cryptographically verifiable organizational credentials, enabling:

• Secure digital signing by legal entities
• Verifiable organizational role credentials
• Cross-border payment authentication
• Regulatory compliance with verifiable identity

Supply Chain: Authentic data supply chains track provenance through chained credentials, providing:

• Verifiable chain of custody
• Tamper-evident product tracking
• Automated compliance verification

Healthcare: Patient-controlled health records enable:

• Selective disclosure of medical information
• Verifiable provider credentials
• Portable health data across systems

Education: Verifiable academic credentials provide:

• Tamper-proof diplomas and transcripts
• Portable credentials across institutions
• Automated credential verification

Benefits

User Empowerment: Individuals and organizations control their own identity data, deciding what to share and with whom.

Privacy Protection: Selective disclosure and graduated revelation enable sharing only necessary information for each interaction.

Security: Cryptographic verification eliminates reliance on trusted intermediaries that could be compromised.

Portability: Identities and credentials work across platforms and jurisdictions without vendor lock-in.

Efficiency: Automated cryptographic verification reduces manual identity checks and paperwork.

Trust: End-to-end verifiable credentials establish trust without requiring reputation-based systems.

Trade-offs

SSI implementations face inherent challenges:

Complexity: Users must manage cryptographic keys, which requires education and appropriate tooling.

Recovery: Lost keys can mean lost identity, requiring careful backup and recovery mechanisms.

Adoption: Network effects favor existing centralized systems, making SSI adoption challenging.

Usability: Cryptographic operations must be abstracted behind user-friendly interfaces.

Governance: Decentralized systems require new governance models for schema registries, trust frameworks, and dispute resolution.

The PAC Trilemma: As KERI acknowledges, no system can simultaneously maximize all three of Privacy, Authenticity, and Confidentiality - design choices must prioritize among these properties.

Real-World Deployment

The vLEI ecosystem represents the most mature production deployment of KERI-based SSI:

• GLEIF issues verifiable credentials for legal entities globally
• Qualified vLEI Issuers provide credential services to organizations
• Legal entities use vLEI credentials for digital signing and authentication
• The system demonstrates SSI principles at enterprise scale

This deployment validates that SSI principles can work in high-stakes, regulated environments while maintaining the core properties of user control, decentralization, and cryptographic verifiability.

Availability: Witness networks and watchers ensure identifier availability, but systems should also implement:

• Redundant witness configurations
• Offline verification capabilities
• Caching strategies for credential verification