Explore comprehensive explanations of key concepts in the KERI protocol and vLEI ecosystem
KERI (Key Event Receipt Infrastructure) is a protocol specification that provides a decentralized key management infrastructure (DKMI) using self-certifying identifiers, cryptographically verifiable key event logs, and a novel pre-rotation mechanism to enable secure, portable, and end-verifiable control over digital identifiers without reliance on centralized authorities or blockchains.
ACDC (Authentic Chained Data Container) is a protocol specification for creating verifiable, chainable data containers that form directed acyclic graphs (DAGs) with cryptographically provable proof-of-authorship, enabling secure, privacy-preserving verifiable credentials built on KERI infrastructure.
An Autonomic Identifier (AID) is a self-managing cryptonymous identifier that must be self-certifying (self-authenticating) and encoded in CESR as a qualified cryptographic primitive, providing cryptographic proof of control authority through a verifiable Key Event Log (KEL).
A vLEI credential is a verifiable credential concerning a Legal Entity Identifier that resides in the Global LEI System (GLEIS) and complies with one or more GLEIF governance frameworks, providing cryptographically verifiable proof of legal entity information and organizational roles.
The Global Legal Entity Identifier Foundation (GLEIF) is a supra-national not-for-profit organization established by the G20 and Financial Stability Board that operates the Global Legal Entity Identifier System (GLEIS) and serves as the root of trust for the vLEI (verifiable Legal Entity Identifier) ecosystem.
The Global Legal Entity Identifier System (GLEIS) is the worldwide infrastructure system operated by GLEIF that manages the issuance, registration, and maintenance of Legal Entity Identifiers (LEIs), serving as the authoritative data source for verifiable Legal Entity Identifiers in the vLEI credential ecosystem.
A Key Event Log (KEL) is a verifiable, append-only, cryptographically-chained data structure that records all key management events for an Autonomic Identifier (AID), providing a complete, tamper-evident history of key state changes from inception through all rotations and interactions.
CESR (Composable Event Streaming Representation) is a dual text-binary encoding protocol that provides self-framing, composable representation of cryptographic primitives and structured data, enabling lossless round-trip conversion between human-readable text and compact binary formats while maintaining primitive separability.
A Qualified vLEI Issuer (QVI) is an organization that has been formally qualified by GLEIF through the vLEI Issuer Qualification Agreement to issue, verify, and revoke Legal Entity vLEI Credentials, Legal Entity Official Organizational Role (OOR) vLEI Credentials, and Legal Entity Engagement Context Role (ECR) vLEI Credentials within the vLEI ecosystem.
A Legal Entity Identifier (LEI) is a 20-character alphanumeric code (ISO 17442 standard) that uniquely identifies legally registered organizations globally, serving as the foundation for GLEIF's vLEI (verifiable LEI) credential ecosystem built on KERI infrastructure.
A Transaction Event Log (TEL) is a cryptographically verifiable, append-only log of transactions that tracks state changes (such as credential issuance and revocation) by anchoring to a controlling Key Event Log (KEL), enabling any validator to cryptographically verify the authoritative state of a registry.
Key state is the complete set of currently authoritative keypairs for an AID plus all information necessary to secure or establish control authority, including current keys, prior next key digests, current thresholds, prior next thresholds, witnesses, witness thresholds, and configurations.
Out-of-Band Introduction (OOBI) is a discovery mechanism that associates a URL with a KERI AID (Autonomic Identifier) or SAID (Self-Addressing Identifier), enabling bootstrap discovery of IP resources through the principle 'discovery via URI, trust via KERI'—where the OOBI itself is untrusted and all discovered information must be cryptographically verified through KERI protocols.
A Self-Addressing Identifier (SAID) is a cryptographic identifier that is deterministically generated from the content it identifies and then embedded within that content, creating a self-referential, content-addressable identifier with tamper-evident properties.
A self-certifying identifier (SCID) is a cryptographic identifier uniquely derived from the public key of an asymmetric signing keypair, enabling verification of the identifier-to-key binding through cryptography alone without requiring trusted third parties or external registries.
Pre-rotation is a cryptographic mechanism in KERI where a controller commits to the next set of rotation keys via cryptographic digest in the current establishment event, enabling secure key rotation even if current signing keys are compromised, providing post-quantum security through one-way hash functions.
The Trust over IP Foundation (ToIP) is a Linux Foundation project that defines a complete architecture for Internet-scale digital trust, combining cryptographic trust at the machine layer with human trust at business, legal, and social layers through a four-layer technology stack and governance framework.
A governance framework is a structured collection of governance documents published by a governing body that establishes rules, procedures, policies, and informational guidelines for a trust community, defining power structures and management roles within an organization or ecosystem.
A cryptographic primitive in KERI is the serialization of a value associated with a cryptographic operation (digest, salt, seed, private key, public key, or signature), which MUST be expressed in CESR format as a qualified, self-framing encoding that includes both type information (derivation code) and the cryptographic material itself.
Server-sent events (SSE) provide a streaming notification mechanism for KERI agents to receive real-time updates from the KERI system itself, functioning as a mailbox notification service that delivers system-generated events to agent user interfaces without requiring polling.
In KERI, a key is a cryptographic primitive representing either a private key (secret signing material) or public key (verification material) from an asymmetric key pair, encoded in CESR format with derivation codes indicating the cryptographic algorithm used.
Designated aliases are AID-controlled identifiers (such as did:keri or did:webs) that an AID controller formally designates through a self-attested ACDC with no issuee, managing their status via a registry anchored to the controller's KEL, enabling the aliases to populate the 'alsoKnownAs' field in DID documents.
Decentralized identity is a cryptographic technology that enables individuals and organizations to create and control their own unique identifiers, obtain verifiable credentials from trusted organizations, and present elements of these credentials as proof of claims without requiring centralized service providers or intermediaries.
A cloud agent is software installed on cloud server instances that provides security, monitoring, and analysis solutions for cloud infrastructure, enabling information gathering and control over cloud entities without requiring direct active management by the user.