1. Raw Domain (R): Raw binary representation used by cryptographic libraries
2. Text Domain (T): Base64 URL-safe text encoding
3. Binary Domain (B): Compact binary representation

The version-code enables parsers to correctly interpret primitives across these domains by specifying which encoding rules and derivation codes are active for a given stream section.

Protocol Architecture

Code Table Management

CESR employs a sophisticated code table architecture where different versions of the protocol may define different sets of:

• Derivation codes: Prefixes indicating cryptographic operations (hash functions, signature schemes, key types)
• Count codes: Framing codes that specify the number of following primitives
• Group codes: Codes that enable hierarchical grouping of primitives

Document 4 explains that the version-code determines "which CESR table to load for subsequent parsing." This table-switching mechanism enables:

• Protocol evolution: New cryptographic algorithms can be added in new table versions
• Backward compatibility: Old streams can be parsed using their original table versions
• Forward compatibility: Parsers can reject streams using unknown future versions

Parser Architecture

The version-code integrates with the Parside parser component, which is responsible for extracting and parsing CESR streams. According to Document 4, Parside operates with a default CESR version at initialization, but when encountering a version count code:

1. The parser switches to the specified version
2. Processing elevates to the top level (version count codes must appear at top level)
3. The version count code determines which CESR table to load
4. Subsequent primitives are interpreted according to the loaded table

Cold Start Behavior

Document 4 describes cold start scenarios where a stream does not begin with an explicit version code. In these cases, the parser maintains a default version count code to handle:

• Streams without explicit version declarations
• Processing resumption after a cold restart
• Count code interpretation without explicit version context

This default version mechanism ensures robust parsing even when version information is implicit rather than explicit.

Message Formats & Encoding

Version Count Code Structure

While the provided documents do not specify the exact binary or text encoding of version count codes, Document 4 establishes that version count codes are a special type of count code that appears at the top level of CESR streams.

Count codes in CESR are framing codes that delineate the number of characters (text domain) or bytes (binary domain) that can be extracted atomically from a stream. Document 15 explains that count codes enable self-framing grouping, which is "one of the primary advantages of composable encoding."

The version count code likely follows the general CESR count code pattern:

• Text domain: Multi-character Base64 code indicating version
• Binary domain: Equivalent binary representation
• Composability: Maintains 24-bit alignment for round-trip conversion

Integration with Version Strings

In non-CESR serialization formats (JSON, CBOR, MGPK), the version-code concept is implemented through version strings. Document 4 describes how the sniffer component detects these formats:

1. The sniffer identifies the serialization format (JSON/CBOR/MGPK)
2. It uses regex to locate the version string within the serialized data
3. The version string contains length information (characters for text, bytes for binary)
4. The parser extracts the bounded section and resumes sniffing afterward

This mechanism enables CESR streams to contain embedded JSON, CBOR, or MGPK sections with their own version information, while maintaining overall stream composability.

CESR Format Detection

When the sniffer identifies CESR format at the top level (Document 5):

• The parser searches for the CESR version count code
• It also looks for other count codes defining primitive groups
• These codes enable proper decoding of self-framing primitives

The version count code thus serves as a format selector that determines how subsequent stream content should be interpreted.

Protocol Mechanics

Version Switching

The version-code enables dynamic version switching within a single CESR stream. Document 4 describes the operational workflow:

Initial State:

• Parser initializes with a default CESR version
• This default handles streams without explicit version codes

Version Code Encounter:

• Parser encounters a version count code in the stream
• Parser switches to the specified version
• Processing elevates to top level (version codes must be top-level)
• New version's code tables are loaded

Subsequent Processing:

• All following primitives are interpreted using the new version's tables
• Count codes are interpreted according to the active version
• Nested structures inherit the active version context

Hierarchical Parsing

Document 4 describes how version context interacts with hierarchical parsing:

1. When the sniffer identifies CESR format, the parser looks for version count codes or other count codes at the top level
2. Upon encountering a group count code, the parser may descend into nested group parsing
3. This recursive descent can nest arbitrarily deep, following the hierarchical structure
4. The active version context is maintained throughout the descent

This hierarchical approach enables complex nested structures while maintaining consistent version interpretation.

Count Code Interpretation

Document 4 explicitly states that "count code interpretation depends on the active version code context." This means:

• The same count code byte sequence may have different meanings in different versions
• Parsers must track the active version to correctly interpret count codes
• Version changes affect all subsequent count code processing

This version-dependent interpretation enables protocol evolution without requiring new count code namespaces for each version.

Security Properties

Version Integrity

The version-code mechanism provides several security properties:

Explicit Version Declaration: By requiring version codes at the top level, CESR ensures that parsers cannot be tricked into using incorrect table versions through nested or malformed structures.

Version Isolation: Each version's code tables are isolated, preventing cross-version confusion attacks where primitives from one version are misinterpreted using another version's tables.

Default Version Safety: The default version mechanism ensures that parsers have a well-defined fallback behavior, preventing undefined states when version information is missing.

Attack Resistance

Version Confusion Attacks: The requirement that version count codes appear at the top level prevents attackers from embedding version switches deep in nested structures to confuse parsers.

Table Substitution Attacks: By cryptographically binding version codes to specific table definitions, CESR prevents attackers from substituting malicious code tables.

Downgrade Attacks: Parsers can implement minimum version requirements, rejecting streams that attempt to use obsolete versions with known vulnerabilities.

Cryptographic Agility

The version-code mechanism is essential for cryptographic agility in KERI systems. Document 58 emphasizes that "truly secure protocols must be both cryptographically agile and cryptographically primitive-heavy."

Version codes enable:

• Algorithm Migration: New cryptographic algorithms can be introduced in new versions
• Deprecation Management: Old algorithms can be phased out by removing them from new table versions
• Post-Quantum Preparation: Future quantum-resistant algorithms can be added without breaking existing systems

Interoperability

KERI Protocol Integration

The version-code mechanism integrates deeply with the broader KERI protocol stack:

Key Event Logs (KELs): Document 12 describes KELs as "append-only, cryptographically verifiable data structures" that use CESR encoding. Version codes enable KELs to evolve their encoding schemes while maintaining verifiability of historical events.

Autonomic Identifiers (AIDs): AIDs use CESR-encoded prefixes that include derivation codes. Version codes ensure that these prefixes can be correctly interpreted across different CESR versions.

Witnesses and Watchers: Document 14 describes witness and watcher infrastructure that exchanges CESR-encoded messages. Version codes enable these components to negotiate compatible encoding versions.

ACDC Integration

Document 13 describes ACDCs as "ordered nested field maps" that can be serialized in multiple formats including CESR. The version-code mechanism enables:

• ACDC Version Evolution: New ACDC features can be introduced in new CESR versions
• Selective Disclosure: Version codes ensure that compact and expanded ACDC variants use consistent encoding
• Chained Credentials: Version codes enable credential chains to span multiple CESR versions

IPEX Protocol

Document 16 describes the Issuance and Presentation Exchange protocol for ACDC credentials. Version codes enable:

• Protocol Negotiation: IPEX participants can negotiate compatible CESR versions
• Message Compatibility: IPEX messages can specify required CESR versions
• Upgrade Coordination: IPEX workflows can coordinate version upgrades across participants

Transaction Event Logs (TELs)

Document 33 describes TELs as "hash-linked data structures that track issuance and revocation state." Version codes enable:

• TEL Evolution: New TEL event types can be introduced in new CESR versions
• Registry Compatibility: TEL registries can specify required CESR versions
• State Verification: Version codes ensure correct interpretation of historical TEL events

Implementation Considerations

Parser State Management

Implementers must carefully manage parser state related to version codes:

Default Version Initialization: Parsers should initialize with a well-defined default version that matches the expected stream format.

Version Stack Management: For nested structures, parsers may need to maintain a version stack to handle version changes at different nesting levels.

Version Validation: Parsers should validate that version codes reference known, supported table versions before attempting to load them.

Table Loading Strategy

Document 4 suggests that Parside could "load" the code tables it supports, potentially enabling dynamically loaded code tables. Implementers should consider:

Static Table Embedding: Embedding all supported table versions in the parser binary for maximum performance and security.

Dynamic Table Loading: Loading table definitions from external sources, enabling version support without recompilation (with appropriate security controls).

Lazy Table Loading: Loading table versions only when first encountered in a stream, reducing memory footprint.

Performance Optimization

Table Caching: Once a table version is loaded, it should be cached for reuse across multiple streams.

Version Prediction: For streams with predictable version patterns, parsers can pre-load expected table versions.

Fast Path for Default Version: The default version should have an optimized fast path since it will be used most frequently.

Error Handling

Unknown Version Codes: Parsers should have well-defined behavior when encountering unknown version codes (reject, skip, or request table definition).

Version Mismatch: When a stream's version requirements conflict with parser capabilities, clear error messages should guide resolution.

Partial Version Support: Parsers may support only a subset of primitives in a given version; this should be clearly documented.

Testing Strategies

Version Compatibility Testing: Test suites should verify correct parsing across all supported versions.

Version Switching Testing: Test streams that switch between versions to verify correct state management.

Backward Compatibility Testing: Verify that new parser versions can correctly process streams from older versions.

Specification Compliance

While the provided documents do not reference a formal IETF RFC or specification document specifically for version-codes, implementers should:

• Follow the CESR specification for count code structure
• Adhere to KERI protocol requirements for version management
• Participate in the WebOfTrust community to track version-code evolution
• Monitor the Trust over IP Foundation's CESR specification development

Conclusion

The version-code mechanism is a critical component of CESR's architecture, enabling protocol evolution while maintaining backward compatibility and security. By providing a well-defined mechanism for table version selection, version codes enable KERI-based systems to adapt to new cryptographic algorithms, encoding schemes, and protocol features without breaking existing implementations.

Implementers must carefully consider version management in their parser designs, ensuring robust handling of version switches, unknown versions, and nested structures. The version-code mechanism, combined with CESR's composability properties, provides a solid foundation for long-term protocol evolution in the KERI ecosystem.

Testing Requirements

Implementations should include:

• Version compatibility tests across all supported versions
• Version switching tests to verify correct state management
• Backward compatibility tests to ensure old streams parse correctly
• Unknown version tests to verify error handling

Performance Considerations

• Implement fast paths for the default version (most common case)
• Use table caching to avoid repeated table loads
• Consider lazy loading of table versions to reduce memory footprint
• Optimize version detection to minimize overhead

Security Considerations

• Validate version codes before loading tables to prevent malicious table substitution
• Implement minimum version requirements to prevent downgrade attacks
• Ensure version codes can only appear at top level to prevent confusion attacks
• Log version changes for security auditing