The term "zero-trust" was popularized by Forrester Research analyst John Kindervag in 2010, though the underlying principles had been developing in security research for years. The NIST Special Publication 800-207 (2020) formalized zero-trust architecture principles, defining it as a security model that acknowledges threats exist both inside and outside traditional network boundaries.

In the context of identity systems, zero-trust emerged as a response to the Universal Secure Attribution Problem—the challenge of proving "who said what" in digital communications without relying on trusted infrastructure. Traditional federated identity systems using PKI-DNS/CA and OAuth were recognized as inadequate because they required trust in certificate authorities, DNS infrastructure, and identity providers.

KERI's Approach

KERI (Key Event Receipt Infrastructure) embodies zero-trust principles at the identity layer through several fundamental design choices:

Cryptographic Root-of-Trust

KERI establishes autonomic identifiers (AIDs) with a purely cryptographic root-of-trust, eliminating dependence on trusted infrastructure. The identifier is derived directly from the controller's key material through one-way cryptographic functions, creating what KERI calls an "autonomic trust basis." This contrasts with:

• Administrative trust basis (DNS/CA): Relies on trusted organizations and is vulnerable to organizational failures
• Algorithmic trust basis (blockchain): Depends on distributed consensus but locks identifiers to specific infrastructure

KERI's autonomic approach means "if the edges are secure, the security of the middle doesn't matter"—the cryptographic proof is sufficient regardless of the infrastructure used to transmit it.

End-to-End Verifiability

KERI implements ambient verifiability—the principle that any data can be verified anywhere, at any time, by anybody. This is achieved through:

• Key Event Logs (KELs): Append-only, cryptographically verifiable logs of all key state changes
• Self-certifying identifiers: Identifiers cryptographically bound to their controlling keys
• Pre-rotation: Cryptographic commitments to future keys that enable recovery from compromise
• Duplicity detection: Mechanisms that make conflicting key states evident rather than hidden

The KERI specification explicitly states: "It's much easier to protect one's private keys than to protect everyone else's internet infrastructure." This encapsulates the zero-trust philosophy—rather than trusting network security, DNS integrity, or certificate authorities, KERI requires only that controllers protect their own key material.

Witness and Watcher Networks

KERI's infrastructure components operate on zero-trust principles:

• Witnesses: Designated by controllers to provide signed receipts of key events, but witnesses themselves are not trusted—their role is to create evidence that can be verified
• Watchers: Operate in "promiscuous mode," collecting key event logs without being designated by controllers, enabling ambient duplicity detection
• First-seen policy: The first version of a key event seen by a witness or watcher is immutable, making any subsequent conflicting version evidence of duplicity

These components don't require trust because their outputs are cryptographically verifiable. A malicious witness or watcher can be detected through duplicity evidence.

Out-of-Band Introduction (OOBI)

KERI's discovery mechanism exemplifies zero-trust design. OOBI uses existing internet infrastructure (DNS, URLs, QR codes) for initial discovery but does not trust that infrastructure for authentication:

• The OOBI provides only a bootstrap—an association between a URL and an AID
• All subsequent verification uses KERI's cryptographic mechanisms
• The discovery path is untrusted; only the cryptographic proof matters
• This enables "safe internet use"—leveraging infrastructure convenience without security dependence

The OOBI specification explicitly states that "an OOBI itself is not trusted and must be verified" through subsequent in-band KERI mechanisms.

Zero-Trust Computing Principles

KERI documentation articulates seven core zero-trust principles for autonomic identifier systems:

1. Network hostility: Networks are always hostile, both internally and externally; locality cannot be trusted
2. End-to-end security: All inter-host communication must be end-to-end signed/encrypted; data must be secured in motion and at rest
3. End-to-end provenance: Data flow transformations must be provenanced using verifiable data structures
4. Continuous verification: Every network interaction must be authenticated and authorized using cryptography
5. Behavioral authorization: Policies must be dynamically modified based on behavior and reputation
6. Diffuse trust: Policies must be governed by distributed consensus, not single authorities
7. Locked-down hosts: Security-critical operations must occur in trusted execution environments

These principles extend beyond KERI itself to guide the design of KERI-enabled applications.

Practical Implications

Use Cases

Zero-trust architecture in KERI enables several critical use cases:

Healthcare Data Exchange: The RACK (Routing, Authentication and Confidentiality with KERI) system implements zero-trust for healthcare integration engines like Mirth Connect. Rather than relying on VPN credentials and perimeter security, RACK uses KERI AIDs to cryptographically verify every data exchange, implementing "Sign Everything" and "Keys at the Edge" paradigms.

Organizational Identity: GLEIF's vLEI (verifiable Legal Entity Identifier) system uses KERI's zero-trust architecture to create a global organizational identity infrastructure. Legal entities receive cryptographically verifiable credentials without depending on trusted certificate authorities or centralized registries.

Supply Chain Provenance: KERI's zero-trust model enables authentic data supply chains where every transformation is cryptographically signed and verifiable, creating end-to-end provenance without trusted intermediaries.

Decentralized Applications: Zero-trust enables truly decentralized applications where clients create their own identifiers, manage their own keys, and authenticate directly with peers, inverting traditional client-server architectures.

Benefits

The zero-trust approach in KERI provides several advantages:

Elimination of Single Points of Failure: By not depending on DNS, certificate authorities, or centralized identity providers, KERI removes single points of failure that plague traditional PKI systems. DNS hijacking and BGP attacks cannot compromise KERI identifiers because the cryptographic proof is independent of network infrastructure.

Post-Quantum Security: KERI's pre-rotation mechanism provides post-quantum security through cryptographic commitments to future keys. Even if quantum computers break current signature schemes, the one-way hash functions used in pre-rotation remain secure.

Portability: KERI identifiers are truly portable because they don't depend on specific infrastructure. Controllers can change witnesses, move between networks, or switch service providers without changing their identifiers or losing control.

Scalability: Zero-trust verification in KERI is highly scalable because verification is local and doesn't require global consensus. Each verifier can independently validate key event logs without coordinating with other parties.

Ambient Duplicity Detection: The zero-trust architecture enables detection of malicious behavior by anyone, anywhere, at any time. Conflicting key events become evidence of compromise or malicious intent, visible to all participants.

Trade-offs

Zero-trust architecture involves important trade-offs:

Complexity: Zero-trust systems are more complex than perimeter-based security. Implementing cryptographic verification for every interaction requires sophisticated key management, event logging, and verification infrastructure.

Key Management Burden: Zero-trust places responsibility for key security on controllers. While KERI provides mechanisms like pre-rotation and delegation to manage this burden, controllers must still protect their key material using appropriate security measures (HSMs, secure enclaves, etc.).

Initial Bootstrap: Zero-trust systems face a "cold start" problem—how to establish initial trust without trusted infrastructure. KERI addresses this through OOBI, but the initial introduction still requires some out-of-band mechanism (QR codes, secure channels, etc.).

Performance Overhead: Cryptographic verification adds computational overhead compared to simple network-based trust. However, modern cryptographic libraries and hardware acceleration make this overhead acceptable for most applications.

User Experience: Zero-trust can create friction in user experience if not carefully designed. KERI addresses this through delegation mechanisms that enable custodial agents to handle routine operations while controllers retain ultimate authority through rotation rights.

The fundamental trade-off is between security and convenience. Zero-trust prioritizes security by requiring cryptographic proof for every interaction, accepting some additional complexity in exchange for eliminating dependence on trusted infrastructure. KERI's design philosophy is "minimally sufficient means"—providing exactly what's necessary for security without unnecessary complexity.