This comprehensive explanation has been generated from 16 GitHub source documents. All source documents are searchable here.
Last updated: October 7, 2025
Note: In rare cases it may contain LLM hallucinations.
For authoritative documentation, please consult the official GLEIF vLEI trainings and the ToIP Glossary.
A single-signature identifier (single-sig AID) is an Autonomic Identifier controlled by a one-of-one signing keypair, requiring exactly one signature from one private key to authorize key events and establish control authority.
A single-signature identifier (also called single-sig identifier or single-sig AID) is an Autonomic Identifier controlled by a one-of-one signing keypair. This represents the simplest control structure in KERI, where:
Single-sig AIDs form the foundational building block of KERI's identifier architecture. They are used in several critical contexts:
Individual Identity: Single-sig AIDs are ideal for individual users or entities that do not require the additional security or governance features of threshold signature schemes or multi-party control structures. Each person or device can maintain exclusive control over their identifier through possession of the private key.
Simplified Testing and Development: As demonstrated in the , single-sig identifiers are often used during development and testing phases to focus on core protocol operations like , , , and without the complexity of coordinating multiple signers.
Single-sig AIDs implement the simplest control authority model in KERI:
Single Point of Failure: The primary security consideration is that compromise of the single private key compromises the entire identifier. This contrasts with multi-sig configurations where an attacker must compromise multiple keys.
Key Protection: Single-sig implementations should employ robust key protection mechanisms:
Recovery Mechanisms: Single-sig AIDs rely entirely on pre-rotation for key compromise recovery. The pre-rotated next key digest must be securely stored separately from the current signing key.
Choose single-sig AIDs when:
Choose multi-sig AIDs when:
Building Blocks for Group Identifiers: Single-sig AIDs serve as the individual participant identifiers in multi-signature group AIDs. Each member of a group maintains their own single-sig AID, and these are combined to form a group multi-sig AID with configurable thresholds. This architecture enables distributed control authority while maintaining individual accountability.
Delegation Hierarchies: In delegated identifier structures, both delegators and delegates may use single-sig AIDs. The vLEI trust chain demonstrates this pattern, where entities like GLEIF, QVIs, and Legal Entities can use single-sig identifiers in simplified implementations, though production systems typically employ multi-sig configurations for enhanced security.
Key Management Simplicity: Single-sig AIDs avoid the coordination challenges inherent in multi-party signing. There are no requirements for:
This simplicity makes single-sig AIDs suitable for scenarios where the security model accepts single-point-of-control and where the operational overhead of multi-sig coordination is unwarranted.
Contrast with Multi-Sig: Single-sig AIDs contrast with multi-signature identifiers that require multiple signatures according to defined thresholds. Multi-sig provides enhanced security through distributed key management and is essential for organizational governance scenarios.
Key Event Structure: Single-sig AIDs still maintain the full KEL (Key Event Log) structure with inception events, rotation events, and interaction events. The difference lies solely in the threshold configuration and number of controlling keypairs.
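The pre-rotation recovery and one-of-one key event structure described above can be sketched as follows. This is an added example, not code from the source documents or from any KERI implementation. Assumptions: the event dictionaries keep only the KERI field labels `t`, `s`, `kt`, `k`, `nt` and `n` with integer sequence numbers, BLAKE2b hex stands in for the CESR-encoded digest, signature verification and interaction events are omitted, and all function names are hypothetical.

```python
import hashlib

def digest(pub: bytes) -> str:
    # Assumption: BLAKE2b hex stands in for KERI's CESR-encoded digest.
    return hashlib.blake2b(pub, digest_size=32).hexdigest()

def event(ilk: str, sn: int, cur_pub: bytes, next_pub: bytes) -> dict:
    # One-of-one: a single current key and a single next-key digest.
    return {"t": ilk, "s": sn, "kt": "1", "k": [cur_pub.hex()],
            "nt": "1", "n": [digest(next_pub)]}

def is_single_sig(ev: dict) -> bool:
    return (ev["kt"] == "1" and len(ev["k"]) == 1
            and ev["nt"] == "1" and len(ev["n"]) == 1)

def verify_kel(kel: list) -> tuple:
    """Check ordering, one-of-one thresholds and pre-rotation commitments."""
    if not kel or kel[0]["t"] != "icp" or kel[0]["s"] != 0:
        return False, "KEL must start with inception at sequence 0"
    prior = None
    for ev in kel:
        if not is_single_sig(ev):
            return False, f"event {ev['s']} is not one-of-one"
        if prior is not None:
            if ev["t"] != "rot" or ev["s"] != prior["s"] + 1:
                return False, f"event {ev['s']} is out of order"
            # The key revealed by a rotation must hash to the digest that
            # the previous establishment event committed to.
            revealed = bytes.fromhex(ev["k"][0])
            if digest(revealed) != prior["n"][0]:
                return False, f"event {ev['s']} key was not pre-committed"
        prior = ev
    return True, "ok"

# Constructed 32-byte stand-ins for public keys (not real key material).
K0, K1, K2, ROGUE = (bytes([b]) * 32 for b in (1, 2, 3, 9))
ICP = event("icp", 0, K0, K1)
GOOD_KEL = [ICP, event("rot", 1, K1, K2)]
# A rotation to a key that was never committed to is rejected, which is
# why the current signing key alone is not enough to take over the AID.
FORGED_KEL = [ICP, event("rot", 1, ROGUE, ROGUE)]

if __name__ == "__main__":
    print(verify_kel(GOOD_KEL))
    print(verify_kel(FORGED_KEL))
```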