KERI & vLEI Concepts

A discloser is the entity that discloses or presents an ACDC (Authentic Chained Data Container) credential to another party. The discloser may or may not be the original issuer of the ACDC being disclosed.

A **disclosee** is the entity or role that receives an [ACDC](/concept/acdc) (Authentic Chained Data Container) during a [presentation exchange](/concept/presentation-exchange). The disclosee is the recipient party in credential disclosure workflows, distinct from the [discloser](/concept/discloser) who presents the credential.

HIO (Hierarchical Asynchronous Coroutines and I/O) is a Python library providing weightless hierarchical asynchronous coroutines with structured concurrency and asynchronous I/O, serving as the foundational async infrastructure for KERIpy and related KERI implementations.

Multi-factor authentication (MFA) is an authentication mechanism that requires users to provide two or more independent verification factors from different categories (knowledge, possession, inherence) to prove identity before granting access to systems or resources.

A code table in CESR is a structured mapping of derivation codes to cryptographic primitive types, sizes, and encoding rules, enabling self-framing stream parsing by defining how the first character(s) of a primitive determine its type and length.

HIO (Hierarchical Asynchronous Coroutines and I/O) is a Python library providing weightless hierarchical asynchronous coroutines with structured concurrency and async I/O, serving as the foundational infrastructure for KERI implementations like KERIpy and KERIA.

Byzantine Agreement is a consensus mechanism that enables distributed systems to reach agreement on data values despite the presence of faulty or malicious nodes, making no assumptions about node behavior and providing Byzantine fault tolerance without requiring proof-of-work.

A root-of-trust that is cryptographically verifiable all the way to its current controlling key pair in a PKI, where the characteristic 'primary' refers to its one-to-one relationship with the entropy used for creating the seed of the private keys.

KAACE (KERI Agreement Algorithm for Control Establishment) is a Byzantine Fault Tolerant consensus algorithm that enables witnesses to reach agreement on key events by ensuring each witness observes identical event versions and all witness receipts are exchanged, thereby establishing verifiable control authority over an identifier through coordinated witness consensus.

A Hardware Security Module (HSM) is a physical computing device that safeguards and manages cryptographic secrets (primarily digital keys), performs encryption/decryption operations, generates digital signatures, and provides strong authentication through tamper-resistant hardware that isolates cryptographic operations from potentially compromised host systems.

Proof-of-authorship is cryptographic evidence establishing who originally created specific data or content, focusing on data inception rather than subsequent rights or permissions. In KERI/ACDC systems, it provides verifiable attribution through digital signatures and hash chains that bind data to its creator's autonomic identifier.

A list of specially defined strings representing configuration options for a Key Event Log (KEL), specified in the inception or rotation events to control identifier behavior and capabilities.

Veracity is the quality of being true or accurate—the actual truthfulness of information content itself. In KERI/ACDC systems, veracity is explicitly distinguished from authenticity: KERI provides cryptographic proof of who made a statement (authenticity), but determining whether that statement is true (veracity) requires additional governance frameworks, reputation systems, and verification processes beyond the cryptographic layer.

Inconsistency refers to a state where different parts of data, events, or logs do not agree with each other or with external references. In KERI, inconsistency is categorized as either internal (within a single data structure, making it unverifiable) or external (between different versions of the same data structure, indicating duplicity).

A Ricardian contract is a method invented by Ian Grigg (1996) for recording a document as a legally binding contract while securely linking it to other systems through cryptographic hash functions, readable legal prose, and markup language for automated processing. In KERI/ACDC systems, Ricardian contracts provide human-readable legal twins to binary cryptographic commitments (seals and signatures).

A registrar is an identifier that serves as a backer for transaction event logs (TELs), providing witnessing and verification services for credential lifecycle events. Registrars are analogous to witnesses in KERI KELs but operate specifically within the TEL infrastructure for tracking credential issuance and revocation states.

A method of identifying and retrieving data using a cryptographic hash of the content itself as the address, rather than a location-based identifier, providing inherent integrity verification and deduplication properties.

KERISSE (KERI Suite Search Engine) is a Docusaurus-based documentation platform with Typesense search capabilities, designed to provide comprehensive, searchable access to KERI ecosystem terminology, specifications, and educational resources for experienced SSI developers.

A privacy protection mechanism that chains together a sequence of disclosees where each recipient inherits and must maintain confidentiality constraints established by the original discloser, creating legally binding obligations that propagate through all subsequent disclosures of ACDC data.

An operational mode in KERI where validators rely on witnessed Key Event Receipt Logs (KERLs) as a secondary root-of-trust to verify identifier events, enabling high availability and one-to-many interactions even when the identifier controller is offline or not directly communicating with validators.

GNU Privacy Guard (GnuPG or GPG) is a free-software implementation of the OpenPGP standard (RFC 4880) that provides cryptographic privacy and authentication for data communication through public-key cryptography, digital signatures, and encryption capabilities.

A KERIA-agent is an instance of a keystore (Hab) that runs within the KERIA (KERI Agent in the cloud) server, providing cloud-based agent services for managing Autonomic Identifiers (AIDs) and their associated cryptographic operations while maintaining strict separation of private key material from the cloud infrastructure through edge-based signing.

A mathematical function that is computationally easy to compute in one direction (from input to output) but computationally infeasible to invert (from output back to input), forming the foundation of cryptographic security in KERI through hash functions, key derivation, and self-certifying identifiers.

The first-seen policy is a fundamental ordering rule in KERI where validators (witnesses/watchers) permanently accept the first valid event they receive for a given sequence position in a Key Event Log (KEL), establishing an immutable record under the principle 'first seen, always seen, never unseen' that enables duplicity detection across the distributed network.