Explore comprehensive explanations of key concepts in the KERI protocol and vLEI ecosystem
A keystore in KERI is an encrypted data store that securely holds the private keys for a collection of AIDs (Autonomic Identifiers), providing the foundational cryptographic key management layer for KERI-based identity systems.
An electronic signature (e-signature) is data in electronic form that is logically associated with other electronic data and used by a signatory to sign documents or transactions. It has the same legal standing as a handwritten signature when compliant with jurisdiction-specific regulations (eIDAS in the EU, NIST-DSS in the USA, ZertES in Switzerland).
In CESR encoding, a pad character is used to fill empty space in fixed-length fields, while 'lead bytes' specifically refers to bytes added during pre-padding (before Base64 conversion) that are not replaced later, distinguishing this from post-conversion padding characters.
A neural network-based language model with billions of parameters trained on large text corpora using self-supervised learning, capable of generating human-like text and performing various natural language tasks.
In technical specifications, 'normative' designates content that establishes mandatory requirements, procedures, or behaviors that implementations MUST follow for compliance, as opposed to informative or explanatory content.
A QVI Authorized Representative (QAR) is a designated representative of a Qualified vLEI Issuer (QVI) who is specifically authorized to conduct QVI operations with GLEIF, interact with Legal Entities on behalf of the QVI, and manage credential issuance and related governance processes within the vLEI ecosystem.
A field-map is the KERI/ACDC term for a key-value pair in data structures, deliberately renamed to avoid confusion with cryptographic keys. It consists of a field label (traditionally 'key') and field value (traditionally 'value'), represented as a tuple (label, value).
A numerical label (IPv4 or IPv6) assigned to devices on a network using Internet Protocol, serving to identify network interfaces and provide location addressing for routing. In KERI, IP addresses are used for service endpoints (witnesses, watchers) but are not trusted as part of the cryptographic root-of-trust.
A distributed hash table (DHT) is a decentralized distributed system that provides a lookup service similar to a hash table, where key-value pairs are stored across participating nodes, and any node can efficiently retrieve values associated with given keys. DHTs enable nodes to be added or removed with minimal redistribution overhead, making them well-suited for scalable, fault-tolerant network architectures.
Identity assurance is the process by which a trusted third-party organization verifies and establishes confidence in the identity of an entity (individual or organization) through rigorous verification procedures, providing reputational trust that complements KERI's cryptographic attributional trust.
An Authorized vLEI Representative (AVR) is a representative of a Legal Entity who is formally authorized by the entity's Designated Authorized Representative (DAR) to request the issuance and revocation of vLEI credentials on behalf of that Legal Entity within the GLEIF vLEI Ecosystem Governance Framework.
A convenience class in KERI implementations that provides stream parsing support for CESR (Composable Event Streaming Representation) streams, including nested, tunneled, and encrypted stream structures, enabling efficient extraction and processing of concatenated cryptographic primitives.
KAPI (KERI Application Programming Interface) is the comprehensive set of standardized APIs designed for KERI ecosystem components (Controllers, Agents, Witnesses, Watchers, Registrars) that preserve KERI's unique protocol properties including self-certifying identifiers, key event log verifiability, witness agreement mechanisms, end-to-end verifiability, and duplicity detection capabilities.
A judge is an entity or component in KERI that examines Key Event Receipt Logs (KERLs) and Duplicitous Event Logs (DELs) to determine the current authoritative key set for an identifier by validating that the event history originates from a non-duplicitous controller and has been witnessed by sufficient non-duplicitous witnesses, thereby enabling validators to make trust decisions.
An authentic provenance chain (APC) is a cryptographically verifiable sequence of linked presentations that traces data back to its origin through objectively verifiable evidence, establishing both proof-of-authorship (who created the data) and proof-of-authority (who has rights over the data) through chained data structures.
MessagePack (MGPK) is a binary serialization format that encodes data structures (arrays and associative arrays) in a compact binary representation, prioritizing efficiency over human readability while maintaining cross-language compatibility.
BLAKE3 is a cryptographic hash function (2020) that produces fixed-size digests from arbitrary input data, serving as KERI's primary digest algorithm for SAIDs, content addressing, and integrity verification through its high performance, parallelizable architecture, and cryptographic strength.
Agency is the service provided by an agent—a representative entity (human, software, or hardware) that acts on behalf of an identifier controller to perform operations such as key management, credential issuance, transaction signing, and delegation within the KERI/ACDC ecosystem.
Escrow in KERI is a temporary storage mechanism for events that arrive out-of-order or lack prerequisite information, holding them until dependencies are satisfied before processing. The escrow state tracks all pending events and their required conditions across the fully asynchronous KERI protocol.
A justified software design choice that addresses a functional or non-functional requirement that is architecturally significant, documented to provide rationale and context for future maintainers.
Direct mode is a KERI operational mode where an identifier controller establishes control authority through verified signatures of the controlling key-pair via direct, intermittent network communication with validators, without relying on witnesses or Key Event Receipt Logs (KERLs).
A Cryptographically Secure Pseudorandom Number Generator (CSPRNG) is a deterministic algorithm that produces a sequence of numbers from an unknown internal state, where the output is computationally indistinguishable from true randomness even when the algorithm is known, providing the cryptographic strength necessary for secure key generation, seed creation, and nonce generation in KERI systems.
An indexed signature (also called 'siger') is a CESR-encoded cryptographic signature attachment that includes an index value indicating which specific public key from a multi-key autonomic identifier's key set was used to generate the signature, enabling deterministic verification in multi-signature schemes.
A pseudo-random number is a value or sequence of values that appears statistically random but is deterministically generated from a known starting point (seed) using an algorithm, making the sequence reproducible and repeatable rather than truly random.