When Witness Pools Are Used

Witness pools are employed in KERI's indirect mode operations, which contrast with direct mode peer-to-peer exchanges. According to Document 2, indirect mode is used when:

• Enhanced availability is required beyond direct controller-to-controller communication
• Scalability demands exceed what direct exchange can provide
• Security guarantees need distributed verification rather than bilateral trust
• Asynchronous communication is necessary between parties who may not be simultaneously online

The vLEI ecosystem extensively uses witness pools, as documented in Document 6, which mandates "minimum 5 witnesses using KAACE sufficient majority threshold" for production deployments.

Key Participants

The witness pool ecosystem involves several participant types:

Controllers: AID controllers who select witnesses from the pool and configure threshold requirements through establishment events. Controllers maintain ultimate authority over their witness configuration and can rotate witnesses as needed.

Witnesses: Independent entities that provide witnessing services, each controlling their own self-referential identifier. Witnesses may be self-hosted by controllers, provided by third-party services, or operated by trusted organizations. As Document 19 clarifies, "each witness controls its own self-referential identifier, which may or may not be the same as the identifier it witnesses for."

Validators: Entities that verify key events by checking witness receipts and applying their own validation policies. Validators may maintain their own watcher networks to independently monitor witness behavior.

Pool Operators: Organizations or communities that maintain witness infrastructure and make it available for controller selection. The KERI ecosystem includes both public witness pools (like the demo witness network) and private pools operated by enterprises or consortia.

Process Flow

Witness Pool Selection and Configuration

The process of utilizing a witness pool begins with controller selection and configuration:

Step 1: Pool Discovery

Controllers discover available witnesses through multiple mechanisms, as specified in Document 14:

• Well-Known URIs: Witnesses publish their identifiers and endpoints at standardized web locations following IETF RFC-8615
• OOBI (Out-Of-Band Introduction): Controllers receive witness OOBIs through trusted channels, enabling bootstrapping of witness relationships
• DHT (Distributed Hash Table): Witnesses may be discoverable through KERI's distributed hash table infrastructure
• DID Resolvers: Witnesses can be discovered through DID resolution mechanisms for did:keri and did:webs identifiers

The tutorial in Document 12 demonstrates practical pool discovery using a pre-configured demo network with three witnesses (Wan, Wes, and Wil), each with known prefixes and HTTP endpoints.

Step 2: Witness Selection

Controllers select specific witnesses from the available pool based on:

• Trust relationships: Existing relationships with witness operators
• Geographic distribution: Selecting witnesses in different jurisdictions for resilience
• Security requirements: Matching witness security guarantees to identifier risk profile
• Threshold requirements: Selecting sufficient witnesses to meet desired TOAD (Threshold of Accountable Duplicity) values

As Document 17 explains, the number of witnesses must satisfy the ample constraint to ensure supermajority consensus: (n+f+1)/2 <= m <= n-f, where n is total witnesses, f is potentially faulty witnesses, and m is the minimum required for agreement.

Step 3: Inception Configuration

During AID inception, the controller specifies witness configuration in the inception event:

{
  "v": "KERI10JSON00011c_",
  "t": "icp",
  "d": "EXq5YqaL6L48pf0fu7IUhL0JRaU2_RxFP0AL43wYn148",
  "i": "EXq5YqaL6L48pf0fu7IUhL0JRaU2_RxFP0AL43wYn148",
  "s": "0",
  "kt": "1",
  "k": ["DaU6JR2nmwyZ-i0d8JZAoTNZH3ULvYAfSVPzhzS6b5CM"],
  "nt": "1",
  "n": ["EZ-i0d8JZAoTNZH3ULvaU6JR2nmwyYAfSVPzhzS6b5CM"],
  "bt": "2",
  "b": [
    "BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha",
    "BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM",
    "BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX"
  ],
  "c": [],
  "a": []
}

Key fields:

• bt (backer threshold): Minimum witness receipts required (TOAD value)
• b (backers): Array of witness AIDs selected from the pool

Witness Agreement Process

Once configured, witnesses participate in the KAACE (KERI's Agreement Algorithm for Control Establishment) consensus process:

Step 4: Event Promulgation

When a controller creates a new key event:

1. Controller signs the event with current authoritative keys
2. Controller sends the signed event to all designated witnesses
3. Each witness independently receives and queues the event

Step 5: Independent Verification

Each witness performs cryptographic verification:

• Validates event signatures against current key state
• Verifies hash chain integrity (backward chaining to previous event)
• Checks sequence number progression
• Validates pre-rotation commitments (forward chaining)
• Ensures event structure conforms to KERI protocol

Step 6: Receipt Generation

Upon successful verification, each witness:

1. Creates a receipt message containing:
   • The event's SAID (Self-Addressing Identifier)
   • The witness's own AID
   • The witness's signature over the event
2. Stores the event in its local KEL copy
3. Broadcasts the receipt to other witnesses in the pool

Step 7: Receipt Exchange and Agreement

Witnesses exchange receipts to achieve consensus:

• Each witness collects receipts from other witnesses
• Witnesses verify receipt signatures from peer witnesses
• Agreement is reached when threshold number of witnesses have receipted the event
• The KERL (Key Event Receipt Log) is formed by combining the KEL with all consistent receipts

Document 18 explains that "agreement on an event in a key event log (KEL) means each witness has observed the exact version of the event and each witness' receipt has been received by every other witness."

Witness Pool Rotation

Step 8: Witness Configuration Changes

Controllers can modify their witness pool selection through rotation events:

1. Controller creates a rotation event specifying:
   • New witness set (may add, remove, or replace witnesses)
   • New TOAD threshold
   • Current key rotation (if keys are also being rotated)
2. Controller sends rotation event to both old and new witnesses
3. Old witnesses verify and receipt the rotation
4. New witnesses verify and receipt the rotation
5. Agreement must be reached across both old and new witness sets

This process enables witness portability, allowing controllers to migrate between witness providers without changing their identifier.

Technical Requirements

Cryptographic Requirements

Witness Identifier Security

As specified in Document 14, witnesses typically use non-transferable AIDs for their own identifiers. This design choice reflects that:

• Witness identifiers are ephemeral and can be replaced if compromised
• Non-transferable AIDs are simpler and more efficient
• Security comes from pool redundancy rather than individual witness key rotation
• Controllers can remove compromised witnesses through rotation

Signature Strength

Document 6 mandates:

• Approximately 128 bits of cryptographic strength for all key generation
• Compliant algorithms include Ed25519 and EcDSASecp256k1
• CESR (Composable Event Streaming Representation) encoding for all cryptographic primitives

Receipt Verification

Validators verifying witness receipts must:

• Verify witness signatures using witness public keys
• Confirm witness AIDs are in the controller's designated witness set
• Check that sufficient witnesses (meeting TOAD threshold) have receipted
• Validate receipt timestamps for freshness (if time-sensitive)

Timing Considerations

Asynchronous Operation

Witness pools operate asynchronously, as emphasized in Document 2:

• Witnesses may receive events at different times
• Receipt exchange happens independently of controller operations
• Agreement may take variable time depending on network conditions
• Controllers can proceed once TOAD threshold is met, not requiring all witnesses

First-Seen Policy

The first-seen policy is critical for duplicity detection:

• Each witness records the first version of an event it observes
• This first-seen version is immutable and cannot be changed
• If a controller attempts to send different versions to different witnesses, this creates detectable duplicity
• Validators can query multiple witnesses to detect inconsistencies

Escrow Mechanisms

Witnesses implement escrow for out-of-order events:

• Events may arrive before their predecessors due to network delays
• Witnesses temporarily store (escrow) events until dependencies are satisfied
• Once the event chain is complete, escrowed events are processed
• This enables reliable operation despite unreliable network delivery

Error Handling

Witness Unavailability

The pool architecture handles witness failures gracefully:

• If some witnesses are offline, operations continue if TOAD threshold can still be met
• Controllers should configure witness pools with sufficient redundancy (typically n >= 3*f+1 where f is expected failures)
• Validators can accept events with partial witness coverage if their own validation policies allow

Duplicity Detection and Response

When duplicity is detected:

1. Witnesses maintain both versions of conflicting events
2. Witnesses mark the identifier as duplicitous in their records
3. Validators are alerted to the duplicity through DEL (Duplicitous Event Log) mechanisms
4. The controller's reputation is damaged, as duplicity is evidence of malicious behavior or key compromise
5. Recovery requires the controller to issue a rotation event using pre-rotated keys

Witness Misbehavior

If a witness behaves maliciously:

• Other witnesses detect inconsistent receipts
• Validators can independently verify witness behavior
• Controllers can rotate to remove misbehaving witnesses
• The distributed nature of the pool prevents single witness compromise from breaking the system

Network Partitions

During network partitions:

• Different witness subsets may temporarily disagree
• The KAACE algorithm ensures at most one sufficient agreement occurs
• When the partition heals, witnesses reconcile and detect any duplicity
• The first-seen policy ensures consistent resolution

Usage Patterns

Typical Scenarios

Enterprise Deployment

Enterprises typically deploy witness pools with:

• 5-7 witnesses for production identifiers
• Geographic distribution across multiple data centers or cloud regions
• Mixed hosting: Combination of self-hosted and third-party witnesses
• TOAD threshold set to require supermajority (e.g., 4 of 5, 5 of 7)

Document 31 demonstrates enterprise patterns where multi-signature group AIDs use shared witness pools, with each participant in the multisig group relying on the same witness infrastructure.

vLEI Ecosystem

The GLEIF vLEI ecosystem, as documented in Document 45, uses witness pools for:

• GLEIF Root AID: Highest security witness pool with notarized witness identifiers
• QVI AIDs: Qualified vLEI Issuers use production-grade witness pools
• Legal Entity AIDs: Organizations receiving vLEI credentials configure witness pools based on their risk profile

Development and Testing

Development environments use simplified witness pools:

• Demo witness networks: Pre-configured pools like the one in Document 12 with three witnesses (Wan, Wes, Wil)
• Local witness pools: Developers can run witness pools locally using kli witness demo
• Reduced thresholds: Development may use lower TOAD values for faster iteration

Best Practices

Witness Selection Criteria

When selecting witnesses from a pool:

1. Independence: Choose witnesses operated by different organizations to prevent correlated failures
2. Reputation: Select witnesses with established track records and transparent operations
3. Geographic diversity: Distribute witnesses across jurisdictions to resist localized attacks or legal actions
4. Technical capability: Verify witnesses have appropriate infrastructure, monitoring, and incident response
5. Alignment: For sensitive identifiers, choose witnesses whose interests align with the controller's

Threshold Configuration

Best practices for TOAD configuration:

• Use the ample formula from Document 17 to determine minimum thresholds
• For n=5 witnesses, typical TOAD is 3 (tolerating 2 failures)
• For n=7 witnesses, typical TOAD is 5 (tolerating 2 failures)
• Higher-risk identifiers should use larger witness pools with higher thresholds

Witness Pool Maintenance

Ongoing maintenance practices:

• Regular monitoring: Track witness availability and response times
• Periodic rotation: Rotate witnesses periodically to test rotation procedures and maintain operational readiness
• Incident response: Have procedures for rapidly rotating witnesses if compromise is suspected
• Backup witnesses: Maintain relationships with backup witnesses that can be quickly added if needed

Mailbox Authorization

As demonstrated in Document 31, controllers should:

• Authorize witnesses to serve as mailboxes using the kli ends add command with --role mailbox
• This enables asynchronous message exchange necessary for multi-party operations
• Mailbox authorization is separate from witnessing authorization and must be explicitly granted

Integration Considerations

Client Library Integration

When integrating witness pools into applications:

• Use established client libraries like SignifyTS or KERIpy that handle witness communication
• Configure witness endpoints in application configuration files
• Implement retry logic for witness communication failures
• Cache witness receipts locally to avoid repeated queries

OOBI Resolution

Witness discovery through OOBI:

• Generate witness OOBIs using kli oobi generate as shown in Document 47
• Resolve witness OOBIs before attempting to use witnesses
• Use OOBI query parameters to enrich contact information (e.g., ?name=Wan&tag=witness)
• Store resolved witness information in local contact databases

Multi-Tenant Architectures

For systems managing multiple AIDs:

• Different AIDs can use different witness pools based on their security requirements
• Shared witness pools can serve multiple AIDs to reduce operational overhead
• Implement witness pool management interfaces for administrators
• Track witness pool performance metrics across all managed identifiers

Credential Issuance Integration

When issuing ACDCs (Authentic Chained Data Containers):

• Ensure issuer AID has sufficient witness coverage before issuing credentials
• Verify witness receipts are collected before considering issuance complete
• Include witness information in credential metadata for verifier reference
• Monitor witness availability during high-volume issuance operations

Blockchain Integration

Witness pools can work alongside blockchain backers:

• Some identifiers use both witnesses and ledger registrars for redundancy
• Witnesses provide fast, off-chain verification
• Ledger backers provide additional immutability guarantees
• The combination offers defense-in-depth for high-value identifiers

Performance Optimization

Parallel Witness Communication

Optimize witness pool operations by:

• Sending events to all witnesses in parallel rather than sequentially
• Using connection pooling to maintain persistent connections to frequently-used witnesses
• Implementing timeout mechanisms to avoid blocking on slow witnesses
• Collecting receipts asynchronously and proceeding once TOAD threshold is met

Witness Pool Sizing

Balance security and performance:

• Larger witness pools provide better security but slower consensus
• Smaller pools are faster but less resilient
• The "sweet spot" for most applications is 5-7 witnesses
• Critical infrastructure may use 9-11 witnesses despite performance impact

Caching Strategies

Implement caching to reduce witness queries:

• Cache witness receipts for recently verified events
• Cache witness public keys to avoid repeated OOBI resolution
• Implement TTL (time-to-live) policies for cached data
• Invalidate caches when witness rotations occur

The witness pool architecture represents a fundamental innovation in KERI's approach to decentralized trust, enabling secure, scalable, and portable identifier management without dependence on blockchains or centralized authorities. By carefully selecting witnesses, configuring appropriate thresholds, and following best practices, controllers can achieve high levels of security while maintaining operational flexibility and performance.

Graceful Migration: When rotating witnesses, implement graceful migration that maintains service continuity. New witnesses should be fully synchronized before old witnesses are removed.

Rollback Capability: Implement rollback mechanisms in case witness rotation fails. The system should be able to continue operating with the old witness set if the new configuration cannot be established.

Security Considerations

First-Seen Enforcement: Implement strict first-seen policies where witnesses record and never change the first version of an event they observe. This is critical for duplicity detection.

Duplicity Detection: Implement mechanisms to detect when different witnesses have different versions of the same event. This indicates controller duplicity and should trigger alerts.

Witness Authentication: Always verify witness signatures using the witness's public key. Validate that the witness AID is in the controller's designated witness set before accepting receipts.

Receipt Verification: Implement comprehensive receipt verification including signature validation, timestamp checking (if applicable), and confirmation that the receipt references the correct event SAID.

Performance Optimization

Caching Strategy: Cache witness public keys, recent receipts, and witness endpoint information to reduce repeated queries. Implement TTL policies and cache invalidation on witness rotation.

Batch Operations: When processing multiple events, batch witness communications to reduce network overhead. Send multiple events in a single request where the witness API supports it.

Witness Pool Sizing: Provide guidance to users on appropriate witness pool sizes. The typical range is 5-7 witnesses for production, with 3 witnesses acceptable for development. Critical infrastructure may use 9-11 witnesses.

Monitoring and Operations

Witness Health Monitoring: Implement monitoring of witness availability, response times, and receipt generation rates. Alert operators when witnesses become unavailable or slow.

Metrics Collection: Collect metrics on witness pool performance including average receipt collection time, witness availability percentages, and TOAD threshold achievement rates.

Incident Response: Implement procedures for rapidly rotating witnesses if compromise is suspected. This should be a well-tested operational procedure that can be executed quickly.

Testing Strategies

Demo Witness Networks: Provide demo witness networks for development and testing, similar to the three-witness demo pool (Wan, Wes, Wil) documented in the training materials.

Fault Injection: Test witness pool behavior under various failure scenarios including witness unavailability, network partitions, slow witnesses, and malicious witnesses.

Rotation Testing: Regularly test witness rotation procedures to ensure they work correctly. This should be part of operational readiness testing.

Integration Patterns

Client Library Integration: When building client libraries, abstract witness pool complexity behind simple APIs. Users should be able to configure witness pools without understanding KAACE internals.

Configuration Management: Support witness pool configuration through configuration files, environment variables, and programmatic APIs. The configuration should be easily auditable and version-controlled.

Multi-Tenant Support: For systems managing multiple AIDs, implement witness pool management that allows different AIDs to use different pools while sharing infrastructure where appropriate.

Compliance Considerations

vLEI Requirements: For vLEI ecosystem implementations, ensure compliance with governance framework requirements including minimum 5 witnesses, KAACE sufficient majority threshold, and appropriate discovery mechanisms.

Audit Logging: Implement comprehensive audit logging of witness pool operations including witness selection, rotation events, receipt collection, and duplicity detection events.

Key Management: Follow governance framework requirements for witness key management including cryptographic strength (128 bits minimum), approved algorithms (Ed25519, EcDSASecp256k1), and CESR encoding.