What KERI Does NOT Provide:

• Content verification—determining if claims are factually accurate
• Semantic truth assessment—evaluating whether statements correspond to reality
• Automatic trust—attribution does not equal truthfulness

The Key Event Log as Source-of-Truth

In KERI, the Key Event Log (KEL) serves as the source-of-truth for an identifier's control authority. The KEL is an append-only, cryptographically chained data structure that records:

• Inception events: Initial identifier establishment
• Rotation events: Changes to authoritative key pairs
• Interaction events: Anchoring of external data

The ordering of these events and their cryptographic dependencies form the authoritative record of control authority operations. This record is:

• Cryptographically verifiable: Each event is signed and hash-chained
• Duplicity-evident: Conflicting versions can be detected
• End-verifiable: Any party can verify without trusting intermediaries
• Portable: Not locked to specific infrastructure

Transaction Event Logs for Credential State

Transaction Event Logs (TELs) extend the source-of-truth concept to credential lifecycle management. A TEL provides the authoritative record of:

• Issuance events: When credentials are created
• Revocation events: When credentials are invalidated
• Registry state: Current status of credentials

TELs are anchored to KELs through cryptographic seals, creating a verifiable chain from credential state back to the controlling identifier's root-of-trust.

Decentralized Controller as Source-of-Truth

KERI implements a "RUN off the CRUD" model (RUN = Read, Update, Nullify vs. CRUD = Create, Read, Update, Delete). In this architecture:

• The decentralized controller peer is the source-of-truth for their identifier
• Traditional server-based record creation is replaced by controller-managed event logs
• Databases hosted by witnesses or watchers do not create records—they replicate and verify controller-created events

This inverts the traditional client-server model where servers act as the source-of-truth. In KERI, controllers maintain sovereignty over their identity data.

Philosophical Foundation

The KERI specifications ground their discussion in the philosophical definition of truth as "the property of being in accord with fact or reality." This acknowledges that truth aims to represent reality but must be ascertained through verification processes beyond cryptographic primitives.

KERI's design philosophy recognizes that:

1. Cryptography solves attribution: Who said something can be proven mathematically
2. Governance solves veracity: Whether something is true requires human/organizational judgment
3. Separation enables flexibility: Different trust frameworks can be built on the same cryptographic foundation

Practical Implications

For System Architects

Understanding KERI's source-of-truth model has critical architectural implications:

Separation of Concerns: The cryptographic identity layer (KERI) is separated from semantic truth evaluation. Systems must be designed with this boundary in mind—KERI provides the foundation for attributable statements, but additional layers handle truth determination.

Governance Requirements: Organizations need governance frameworks to establish truth criteria beyond cryptographic verification. This includes:

• Credential schemas defining what claims mean
• Issuance policies determining who can make claims
• Verification policies determining what evidence is sufficient

Infrastructure Independence: KERI's source-of-truth (the KEL) is portable and not locked to specific infrastructure. This enables:

• Migration between witness pools
• Backup and recovery strategies
• Multi-infrastructure redundancy

For Credential Issuers

Issuers must understand that KERI provides:

Attribution Infrastructure: The ability to cryptographically prove that a specific AID issued a credential, with non-repudiable signatures and verifiable key state.

Not Reputation Infrastructure: KERI does not automatically establish that an issuer is trustworthy or that their claims are accurate. Reputation must be built through:

• Governance frameworks (e.g., GLEIF for vLEI)
• Credential schemas with clear semantics
• Verification policies that assess issuer authority

For Verifiers

Verifiers must recognize the distinction:

Cryptographic Verification: KERI enables verification that:

• A credential was issued by a specific AID
• The issuing AID's key state is valid
• The credential has not been tampered with
• The credential has not been revoked (via TEL)

Trust Determination: Verifiers must separately assess:

• Whether the issuing AID is authorized to make the claim
• Whether the claim content is accurate
• Whether the credential meets their acceptance criteria

This separation prevents the misconception that cryptographic verification equals trust in content.

Use Cases

Supply Chain Provenance: KERI provides source-of-truth for who made statements about product origin, handling, and custody. Determining whether those statements are true requires additional verification (physical inspection, sensor data, third-party audits).

Educational Credentials: KERI establishes source-of-truth for which institution issued a degree credential. Verifying the institution's accreditation and the accuracy of the degree information requires consulting external governance frameworks.

Legal Entity Identity: The vLEI ecosystem uses KERI as source-of-truth for cryptographic control over Legal Entity Identifiers. GLEIF governance provides the trust framework for determining which entities are authorized to issue vLEI credentials.

Trade-offs and Limitations

Governance Dependency: While KERI eliminates cryptographic trust dependencies, it does not eliminate the need for governance. Truth determination requires human/organizational processes that KERI supports but does not replace.

Complexity: The separation between attribution and veracity adds conceptual complexity. Implementers must understand where KERI's guarantees end and where additional verification begins.

Veracity Gap: KERI deliberately does not solve the veracity problem. This is a feature (enabling flexible trust models) but requires additional infrastructure for complete identity systems.

Relationship to Traditional Systems

Traditional PKI systems often conflate source-of-truth with trust in content. A certificate from a trusted CA is treated as both:

• Proof of who controls a domain (attribution)
• Proof that the domain owner is trustworthy (reputation)

KERI separates these concerns, providing cryptographic source-of-truth for attribution while leaving reputation and trust assessment to governance layers. This enables more flexible and portable identity systems that don't depend on centralized trust authorities.

• Separate verification steps: First verify cryptographic properties (signatures, key state), then assess content trustworthiness
• Context-dependent trust: The same issuer may be trusted for some claims but not others
• Evidence requirements: Define what additional evidence is needed beyond cryptographic verification
• Reputation systems: Build or integrate reputation mechanisms for issuers and credential types