Explore comprehensive explanations of key concepts in the KERI protocol and vLEI ecosystem
A hierarchical delegation architecture in KERI where a single delegator can have multiple delegates, and each delegate can recursively act as a delegator for its own delegates, forming nested delegation trees that enable elastic horizontal scalability while maintaining cryptographic verifiability throughout the hierarchy.
A cigar is an unindexed signature primitive in CESR that represents a cryptographic signature without an index indicator, used in single-signature scenarios where no disambiguation between multiple keys is required.
Reconciliation is the process by which a [validator](/concept/validator) or [controller](/concept/controller) decides whether to accept a forked version of a [KEL](/concept/kel) (Key Event Log) when [duplicity](/concept/duplicity) is detected, enabling potential recovery from [key compromise](/concept/key-compromise) without abandoning the [AID](/concept/aid).
Unpermissioned correlation occurs when a disclosee (credential recipient) establishes linkages between two or more disclosed ACDCs without the discloser's authorization, enabling tracking or profiling that violates the discloser's privacy expectations and intended disclosure boundaries.
A race condition in KERI occurs when the system's behavior depends on the sequence or timing of uncontrollable events, particularly in distributed witness coordination, concurrent key event processing, or duplicity detection, where different orderings of the same events can lead to inconsistent or undesirable states.
A stale key is an outdated or expired cryptographic key that has been rotated out of active use through a KERI establishment event and should no longer be used for signing new events or securing data.
Coroutines are computer program components that generalize subroutines for non-preemptive multitasking by allowing execution to be suspended and resumed at will, enabling cooperative task scheduling without requiring preemptive operating system intervention.
A mechanism ensuring total global ordering of transactions so that a unit of value cannot be spent twice simultaneously. While critical for cryptocurrency systems, KERI's idempotent key event operations do not require double-spend proofing, enabling a greatly simplified distributed consensus architecture.
Stream processing instructions in CESR that provide more general and flexible operations than simple concatenation of primitives or primitive groups, designed to enable a future stack-based virtual machine for executing operations on CESR streams.
Keridemlia is a distributed hash table (DHT) implementation combining KERI with the Kademlia protocol to provide decentralized discovery of witness IP addresses and identifier-to-controller mappings, functioning as a DNS-like service specifically designed for the KERI ecosystem.
Cold-start stream parsing is the process by which a [CESR](/concept/cesr) stream parser initializes or recovers from errors by locating well-defined framing information to correctly parse groups of elements, using special count codes as synchronization points to avoid buffer flushing and data loss.
A privacy threat where vendors or data capture points provide sufficient contextual metadata at the point of disclosure to enable statistical correlation with existing datasets, thereby linking disclosed attributes to known profiles and defeating cryptographic privacy protections like selective disclosure and zero-knowledge proofs.
A [transaction event log](/concept/transaction-event-log) (TEL) that tracks the issued or revoked state of individual [verifiable credentials](/concept/verifiable-credential) (VCs) and contains a reference to its corresponding [management transaction event log](/concept/management-transaction-event-log), enabling cryptographically verifiable credential lifecycle management anchored to a [KEL](/concept/kel).
A privacy protection mechanism where contractual restrictions and liability imposed on a recipient of a disclosed ACDC are contractually linked to all subsequent recipients, creating a chain of confidentiality obligations that travels with the data downstream to prevent unpermissioned exploitation.
The jury is the collective set of entities or components that act as jurors, performing duplicity detection on events and event receipts to validate the integrity and consistency of Key Event Logs (KELs) and Duplicitous Event Logs (DELs) within the KERI infrastructure.
A group signature scheme where multiple signing groups (and optionally individual signers) collectively produce a single signature with variable length proportional to the number of participants, designed for practical deployment on existing PKI infrastructure.
Multicodec is a self-describing format specification that uses compact prefixes (a variable-length integer variant plus a format code) to unambiguously identify different data encodings, particularly for binary representations of cryptographic keys and content identifiers.
Broken Object Level Authorization (BOLA) refers to security flaws where users can access data they shouldn't, due to inadequate permission checks on individual objects or sub-objects.
brv (backed vc revoke) is a Transaction Event Log (TEL) operation that revokes a previously issued verifiable credential by anchoring a revocation event to the issuer's Key Event Log (KEL), creating a cryptographically verifiable state change in a registry-backed credential lifecycle.
A [targeted ACDC](/concept/acdc) is an Authentic Chained Data Container that contains an explicit `Issuee` field in either its attribute section or attribute aggregate section, binding the credential to a specific entity identifier and making it a directed credential rather than a bearer credential.
A collection manager in KERI's Python implementation (KERIpy/KERIA) that organizes and manages multiple Hab (Habitat) keystores, where each Hab stores the cryptographic key material and associated data for a single AID (Autonomic Identifier).
A single-signature identifier (single-sig AID) is an Autonomic Identifier controlled by a one-of-one signing keypair, requiring exactly one signature from one private key to authorize key events and establish control authority.
A blind OOBI is an Out-Of-Band Introduction where the AID verification mechanism exists independently of the OOBI itself, relying on pre-established trust relationships (such as witness lists or KEL verification) rather than embedded witness information, enabling indirect trust establishment through cryptographic commitments.
Key stretching is a cryptographic technique that transforms weak, low-entropy secrets (typically passwords or passphrases) into cryptographically strong keys by applying computationally intensive derivation functions, thereby increasing the time and resources required for brute-force attacks against each password candidate.