Explore comprehensive explanations of key concepts in the KERI protocol and vLEI ecosystem
Pathing is a KERI/CESR mechanism using SAD (Self-Addressing Data) path language to specify cryptographic signatures on specific portions of nested data structures, enabling granular signing of embedded credentials and message forwarding while maintaining signature transposability across envelope boundaries.
A serialization technique where CESR-encoded cryptographic primitives are combined with other serialization formats (JSON, CBOR, MessagePack) within a single stream using special count codes that enable parsers to distinguish between different encoding types while maintaining composability and self-framing properties.
Post-padding is the action of extending a string with trailing pad characters (typically '=') to align the encoded data to a specific length in bits or bytes, ensuring proper boundary alignment for encoding schemes.
An [ACDC](/concept/acdc) that does not contain an Issuee field in either its attribute section or attribute aggregate section, meaning the credential is not explicitly issued to a specific entity and functions as a bearer credential or public assertion.
A browser extension and bookmarklet implementation that provides contextual access to KERI/SSI terminology definitions by parsing web page content and displaying interactive glossary lookups from the KERISSE unified dictionary.
SKWA (Simple KERI for Web Auth) is a usability-focused implementation of the KERI protocol designed for private cloud deployments that deliberately sacrifices performance and feature completeness for ease of integration while maintaining full security guarantees for all supported features.
A peer-to-peer network attack where malicious actors isolate a target node from the honest network by controlling all of its incoming and outgoing connections, preventing it from receiving legitimate information. In KERI, eclipse attacks represent the primary threat vector that must be mitigated through watcher network expansion.
The sniffer is a format detection component within KERI's Parside parser that automatically identifies serialization formats (CESR binary, CESR text, JSON, CBOR, MessagePack) in streaming data by examining initial codes and markers, enabling proper parsing dispatch without prior configuration.
An operational mode in which a [watcher](/concept/watcher) runs, characterized by indiscriminate acceptance and monitoring of key events without selective filtering or formal designation by identifier controllers, using the same protocol and codebase as [witnesses](/concept/witness) but serving a different functional role.
An end-role is an authorization mechanism in KERI that grants one AID (Autonomic Identifier) permission to serve in a specific role for another AID, establishing a cryptographically verifiable relationship between identifiers with defined permissions and responsibilities.
A sufficient majority threshold that is immune from certain kinds of attacks or faults, guaranteeing that at most one valid agreement occurs (or none at all) despite the presence of faulty or malicious participants.
Reserve rotation is a key management pattern in KERI that enables pre-rotated keypairs designated in an establishment event to be held in reserve (unexposed) rather than revealed at the immediately subsequent establishment event, providing enhanced security through selective key exposure while maintaining cryptographic commitments to future rotation keys.
A XIP (exchange) message is a KERI protocol mechanism that transforms a transaction set into a mini peer-to-peer exchange functioning as a verifiable data structure, making transactions duplicity evident through cryptographic verification.
A cryptographic protocol pattern using Public Key Infrastructure (PKI) where the sender encrypts a message and then signs the ciphertext, enabling the receiver to verify authenticity before decryption, thereby providing both confidentiality and authenticity guarantees.
A mechanism that can unambiguously assess whether information is and continues to be whole, sound, and unimpaired through cryptographic verification, without requiring comparison to previous versions or reference data.
NI2I (Not-Issuer-To-Issuee) is an ACDC edge operator that permits any identifier to chain a child credential to a parent credential without requiring the child's issuer to be the parent's issuee, enabling referential linking for context or supporting information without implying delegated authority.
Semantic Versioning (semver) is a versioning scheme following the MAJOR.MINOR.PATCH format that provides a standardized way to communicate backward compatibility and breaking changes in software releases, adopted by KERI/ACDC specifications for schema and protocol versioning.
A stale event is an outdated or irrelevant key event in a KERI Key Event Log (KEL) that involves an expired or rotated-out encryption key, representing a potential security risk if processed as authoritative.
A governance document within the GLEIF vLEI Ecosystem that establishes requirements, policies, and procedures for issuing verifiable credentials to individuals serving in official organizational roles within Legal Entities, enabling cryptographically verifiable proof of their authority and identity.
A governance document published by GLEIF that establishes the requirements, policies, and procedures for issuing vLEI Role Credentials to individuals representing Legal Entities in functional or engagement-specific contexts (rather than official organizational roles), enabling cryptographically verifiable authorization for context-specific activities.
Naive conversion refers to traditional Base64 encoding/decoding that uses standard padding ('=') without pre-padding or alignment strategies, lacking the composability, concatenation support, and self-framing properties required for efficient stream processing in CESR.
A cryptographic commitment to content achieved by digitally signing a digest (cryptographic hash) of that content, providing both content integrity verification and non-repudiable authentication of the signer.
KERIMask is a planned browser extension wallet for the KERI ecosystem, conceptually similar to MetaMask, that will enable users to manage and control their Autonomic Identifiers (AIDs) directly from their web browser by connecting to KERIA agent servers.
The top-level section of an [ACDC](/concept/acdc) consists of the fields in a [compact variant](/concept/compact-variant) whose values are either the [SAD](/concept/sad) (Self-Addressing Data) or the [SAID](/concept/said) (Self-Addressing Identifier) of the associated section, creating a cryptographic commitment that is shared across all variants of that ACDC.