Explore comprehensive explanations of key concepts in the KERI protocol and vLEI ecosystem
A representative of GLEIF (Global Legal Entity Identifier Foundation) authorized to perform identity verification requirements needed to issue QVI (Qualified vLEI Issuer) vLEI Credentials within the vLEI ecosystem governance framework.
A cloud agent is software installed on cloud server instances that provides security, monitoring, and analysis solutions for cloud infrastructure, enabling information gathering and control over cloud entities without requiring direct active management by the user.
In KERI, verifiable refers to a Key Event Log (KEL) that is internally consistent through cryptographic digest chains and authenticated through non-repudiable signatures, enabling any party to independently verify the log's integrity and authenticity without relying on trusted intermediaries.
A credential is evidence of authority, status, rights, or entitlement to privileges, consisting of a set of claims about a subject that can be cryptographically verified. In the KERI/ACDC ecosystem, credentials are implemented as Authentic Chained Data Containers (ACDCs) that provide verifiable proof-of-authorship and can be chained together to form directed acyclic graphs of trust relationships.
A claim is an assertion of truth about a subject, typically expressed as an attribute or property, made by an issuer and requiring verification by a verifier to determine validity.
SPAC (Secure Private Authentic Confidentiality) is a comprehensive security framework for KERI-based systems that addresses the fundamental trade-offs between privacy, authenticity, and confidentiality through the PAC Theorem, establishing that systems can achieve any two of these three properties at the highest level but not all three simultaneously.
An entity who participates or is concerned in an action, proceeding, plan, or transaction. In KERI/ACDC contexts, parties are typically categorized as first party (initiator), second party (direct counterparty), or third party (external entity providing services or verification).
In CESR (Composable Event Streaming Representation), a domain refers to one of three representation formats for cryptographic primitives: Raw (R) - unencoded binary, Text (T) - Base64 URL-safe encoding, or Binary (B) - compact binary encoding, enabling composable conversion between human-readable and efficient machine formats.
A decentralized identifier (DID) is a globally unique persistent identifier that does not require a centralized registration authority and is often generated and/or registered cryptographically, enabling verifiable, decentralized digital identity as standardized by the W3C DID specification.
A registry in KERI/ACDC is a verifiable data structure that tracks the lifecycle state (issuance, revocation, status) of credentials or other data objects, implemented through Transaction Event Logs (TELs) that are cryptographically anchored to Key Event Logs (KELs) to provide end-verifiable proof of registry state without requiring trusted intermediaries.
Key management encompasses the complete lifecycle of cryptographic keys in KERI systems, including generation, exchange, storage, usage, rotation, and destruction of key pairs that control autonomic identifiers (AIDs). It represents the foundational security infrastructure that enables self-certifying identifiers and verifiable control authority.
Authenticity is the quality of having an objectively verifiable origin, established through cryptographic proofs that demonstrate who created or authorized data, distinct from veracity (truthfulness of content). In KERI, authenticity is achieved through self-certifying identifiers, digital signatures, and verifiable key event logs that enable end-to-end verification without trusted intermediaries.
In computing, input/output (I/O) refers to the communication between an information processing system (such as a computer) and the outside world, where inputs are signals or data received by the system and outputs are signals or data sent from it.
An SSI (Self-Sovereign Identity) system is a decentralized identity infrastructure that enables autonomous parties to negotiate and execute electronic transactions by providing, requesting, and obtaining verifiable data without relying on centralized identity providers or intermediaries.
Inception is the foundational operation in KERI that creates an Autonomic Identifier (AID) by cryptographically binding it to an initial set of authoritative keypairs and configuration parameters, producing a verifiable and duplicity-evident inception event that serves as the first entry in the identifier's Key Event Log (KEL).
An issuance event is the initial transaction event log (TEL) event that represents the creation and issuance of an ACDC credential, cryptographically anchored to the issuing AID's key event log (KEL) to establish verifiable provenance and lifecycle tracking.
An identifier system is a systematic framework for uniquely identifying entities through identifiers, their assignment mechanisms, and associated data management. KERI represents a thin-layered identifier system generator that creates autonomic identifier systems with cryptographic roots-of-trust, enabling globally portable, self-certifying identifiers without centralized registries.
ndigs (next key digests) is a list of qualified base64-encoded cryptographic digests of public rotation keys in KERI, used to implement pre-rotation by cryptographically committing to future rotation keys without exposing them, enabling post-quantum secure key management and recovery from key compromise.
A key-pair is a mathematically related pair of cryptographic keys consisting of a private key (kept secret by the controller) and its corresponding public key (shared publicly), generated through a one-way cryptographic function and used with asymmetric-key algorithms in Public Key Infrastructure (PKI) systems.
Revocation is the process by which a credential issuer formally withdraws their attestation to the validity of a previously issued credential, making it cryptographically verifiable that the credential should no longer be trusted, typically implemented in KERI through Transaction Event Logs (TELs) that track credential state changes.
End-to-end (E2E) in KERI refers to cryptographic security and provenance properties that span from data origination to final verification without requiring trust in intermediary infrastructure, encompassing both E2E security (signed/encrypted data in motion and at rest) and E2E provenance (verifiable tracking of all data transformations).
Composability in CESR is the property that enables any set of self-framing concatenated primitives expressed in either the Text domain or Binary domain to be converted as a group to the other domain and back again without loss, while maintaining the separability of individual primitives.
An identifier is a unique reference that points to and distinguishes a specific entity, resource, or identity within a given scope, enabling unambiguous identification without necessarily being human-meaningful or requiring centralized registration.