Explore comprehensive explanations of key concepts in the KERI protocol and vLEI ecosystem
A security architecture principle where overall system security exceeds the security of any individual component because an adversary must compromise multiple independent components simultaneously, so that weaker individual elements collectively provide stronger protection than a single hardened component.
A high-entropy cryptographic value (≥128 bits) used in KERI's Blindable State TELs to hide credential state information from unauthorized verifiers while maintaining verifiability for authorized parties who possess the shared secret.
Access-controlled interaction is a KERI protocol pattern for managing actions that require authorization (such as report submission). Infrastructure components such as load balancers must implement deduplication mechanisms that drop repeated requests for resources that already exist in the system, primarily to prevent DDoS attacks through resubmission rather than to defend against traditional replay attacks.
The first character in a CESR text stream that determines which code table the parser should use for interpreting subsequent characters, serving dual purpose as both a table selector (for default vs. alternate code tables) and as a type code for the most popular primitives with pad size of 1 in the default table.
An IETF protocol (and working group) in development as of mid-2022 for enabling secure asset transfers between different blockchain systems, addressing cross-blockchain interoperability challenges.
A credential issuance workflow in the vLEI ecosystem where Legal Entity vLEI Credentials, OOR vLEI Credentials, and ECR vLEI Credentials are issued by a QVI Authorized Representative (QAR) upon receipt of a fully signed issuance request from the Legal Entity's Authorized vLEI Representative(s) (AVR).
Key transparency is a cryptographic system that provides a publicly auditable, tamper-proof log of all key-to-identifier associations while maintaining selective privacy by only revealing individual records in response to queries for specific identifiers.
A category of authentication mechanisms requiring bidirectional communication through multiple request-response cycles, typically using challenge-response patterns where one party issues a challenge that the other must correctly respond to, providing enhanced security through dynamic verification.
A context-specific CESR encoding scheme that uses a two-character text code to compactly represent signatures in thresholded multi-signature schemes, where the first character identifies the signature type and the second character encodes a Base64 integer index pointing to the corresponding public key in an ordered set.
A proem is a prepended derivation code that qualifies a cryptographic primitive by indicating the cryptographic algorithm or suite used for its derivation, making the primitive self-describing and enabling simplified, compactified representation in CESR encoding.
A kever (key event verifier) is a component in KERI implementations that cryptographically verifies the integrity, authenticity, and consistency of key events within a Key Event Log (KEL).
A setup process in KERI that establishes a new [AID](/concept/aid) (Autonomic Identifier) and configures authorization mechanisms for access control, typically involving the presentation of a [vLEI](/concept/vlei) credential with scope-limited delegatable authority to prevent credential capture and misuse.
keri-ox is the Rust programming language implementation of the KERI (Key Event Receipt Infrastructure) protocol, providing a memory-safe, high-performance implementation foundation for KERI-based applications and infrastructure.
A verification mechanism that can assess data integrity independently without requiring access to previous instances or reference versions of the information for comparison, achieved through public key cryptography from the data controller.
A vLEI credential issuance process where a QVI Authorized Representative (QAR) issues a Legal Entity vLEI Credential after notifying the Legal Entity's Authorized vLEI Representatives (AVRs) that a credential has been solicited on the entity's behalf, rather than in response to a direct request from the AVRs.
The security overlay properties trilemma is a fundamental constraint in identifier system design stating that any system can achieve varying degrees of authenticity, privacy, and confidentiality, but cannot simultaneously maximize all three properties completely due to inherent cryptographic limitations.
The current state of all temporary storage locations in a KERI implementation that track events awaiting additional information before they can be successfully processed, enabling the protocol to handle fully asynchronous event arrival where events may arrive out of order or with missing dependencies.
The default encrypted state of a KERI data store after creation with a passcode, requiring authentication to access the keystore containing cryptographic material.
A cryptographic primitive that allows one party to commit to a chosen value or statement while keeping it hidden, with the ability to reveal it later, ensuring the commitment cannot be changed (binding property) and remains concealed until disclosure (hiding property).
An entity in a validating role that launches an inquiry at a KERI witness to verify key event information and validate the authenticity of identifier state.
Transfer-off-ledger is the process of migrating control authority over an identifier from a blockchain or distributed ledger to KERI's native verifiable data structure (KEL), enabling portable, ledger-independent identifiers while maintaining cryptographic verifiability and identifier continuity.
The fundamental tension in key management infrastructure design where increasing security typically requires higher costs and reduces performance, particularly evident in the asymmetry between infrequent but security-critical key generation operations and frequent high-performance signing operations.
An encrypted or secure virtual space where information can be deposited or retrieved anonymously, with the presenter maintaining control over disclosure to prevent re-identification of data subjects across different verification contexts.
A hierarchical delegation pattern in KERI where both delegator and delegate must cryptographically commit to the delegation relationship through mutual seals in their respective key events, enabling recursive application of superseding recovery rules across multiple delegation levels to protect lower-level keys through higher-level security.