Explore comprehensive explanations of key concepts in the KERI protocol and vLEI ecosystem
In CESR (Composable Event Streaming Representation), variable-length refers to primitives whose size is not fixed but determined by count codes or framing codes that specify the number of characters (text domain) or bytes (binary domain) to extract from a stream.
A dual text-binary encoding format is an encoding scheme that supports both human-readable text representation and compact binary representation of the same data, with full bidirectional composability—meaning concatenated primitives can be converted en masse between text and binary domains without loss while maintaining individual primitive separability.
The threshold of accountable duplicity (TOAD) is a controller-declared parameter specifying the minimum number M of witness confirmations (from N total witnesses) required before accepting accountability for a key event, calculated as M >= N - F where F represents potentially faulty witnesses, enabling fault-tolerant witness consensus while maintaining clear duplicity detection boundaries.
KERI Improvement Documents (KIDs) are modular documentation artifacts that provide implementation guidance ('how we do it') for KERI protocol components, with separate commentary explaining design rationale ('why'), enabling independent team contributions through pull requests while keeping technical specifications distinct from explanatory context.
A threshold signature scheme (TSS) is a cryptographic protocol that enables a group of participants to collectively produce a valid digital signature, where only a threshold number (t-of-n) of participants must cooperate to generate the signature, without any single party having access to the complete private key.
Cryptocurrency is a digital asset designed to work as a medium of exchange, with ownership records stored in a digital ledger using strong cryptography to secure transactions and control coin creation. KERI explicitly does not require cryptocurrency's total global ordering, as its idempotent key event operations eliminate the need for double-spend protection.
A secondary root-of-trust is a verifiable data structure that depends on a primary root-of-trust for its secure attribution, achieving trustability through cryptographic anchoring via seals to the primary root, while maintaining automatic verifiability despite its derivative nature.
Contractually-protected-disclosure is a disclosure mechanism for ACDCs that combines schema-based mechanical controls with contract-based legal controls to minimize information leakage through graduated revelation, where the discloser progressively reveals credential information only after the disclosee agrees to contractual terms at each stage.
CESR Proof Signatures is a protocol extension to [CESR](/concept/cesr) that provides transposable cryptographic signature attachments on [self-addressing data](/concept/self-addressing-data) (SAD), enabling signed SADs like [ACDC](/concept/acdc) credentials to be streamed inline with other CESR content and embedded within other SADs while maintaining cryptographic integrity across envelope boundaries.
A vLEI role credential is a verifiable credential issued within the GLEIF vLEI ecosystem that cryptographically attests to an individual's or entity's authorized role within a legal entity, enabling them to act in that capacity on behalf of the organization with cryptographic proof of authority.
The Internet Assigned Numbers Authority (IANA) is the organization responsible for coordinating global internet protocol resources, including IP address allocation, domain name system management, and the standardization and registration of media types (MIME types) used to identify file formats and content types in internet communications.
Rotation authority is the exclusive right to rotate the authoritative key pairs of an AID and establish changed control authority, distinct from signing authority. This separation enables custodial arrangements where signing operations can be delegated while the original controller retains ultimate control through the ability to rotate keys.
A KERI message type code indicating a 'reply' message, used in query-response patterns and inter-agent communications to return requested data or acknowledgments within the KERI protocol's event streaming architecture.
An append-only event log is a verifiable data structure where new events can be appended to the end but existing events are immutable, providing a tamper-evident chronological record. In KERI, this structure forms the foundation of Key Event Logs (KELs) that record cryptographically signed key management events in an ordered, verifiable sequence.
PII (Personally Identifiable Information) refers to any data that can identify a specific individual, including attributes like name, address, date of birth, and citizenship that require privacy protection mechanisms in credential systems.
A group-framing-code (also called count-code or group-code) is a special CESR framing code that delineates groups of primitives by specifying the count of elements, enabling self-framing grouping, pipelined stream processing, and hierarchical composition of cryptographic primitives in both text and binary domains.
Configuration files in KERI are JSON or YAML files that define initialization parameters and operational settings for KERI components such as keystores, AIDs, witnesses, and agents, enabling reproducible and automated setup of KERI infrastructure.
A standardized two-part identifier (type/subtype) that indicates the nature and format of file or data content transmitted over the internet, registered and maintained by IANA (Internet Assigned Numbers Authority).
A revocation event is a key event that permanently terminates control authority over an identifier by invalidating its authoritative key-pairs. In KERI, revocation is achieved through rotation to a null key, and security relies on event ordering in the KEL rather than timestamps.
A data anchor is a cryptographic digest of digital data that serves dual purposes: uniquely identifying the data and providing a verifiable pointer to that data. In KERI/ACDC systems, data anchors enable cryptographic commitments to arbitrary data through content-addressable references.
Partial rotation is a KERI key management mechanism that enables rotation events where only a threshold-satisfying subset of pre-rotated keys participates, allowing controllers to expose some keys while keeping others in reserve, thereby supporting flexible delegation patterns and enhanced security through selective key exposure.
Chain-of-custody is the chronological documentation of the sequence of custody, control, transfer, analysis, and disposition of materials or data, providing verifiable provenance through cryptographically-linked records that establish authenticity and integrity from origin to current state.
CRUD (Create, Read, Update, Delete) is the traditional client-server database update policy where a centralized server has authority to create, read, update, and delete records on behalf of clients, contrasted with KERI's decentralized RUN (Read, Update, Nullify) model.
cesride is a Rust implementation of CESR (Composable Event Streaming Representation) cryptographic primitives, providing six core primitive types (Diger, Verfer, Signer, Siger, Cigar, Salter) with methods for generating and parsing qualified base64 and binary representations of cryptographic material used in KERI protocol operations.