Explore comprehensive explanations of key concepts in the KERI protocol and vLEI ecosystem
Rotation is the cryptographic operation that revokes the current set of authoritative key pairs for an AID and replaces them with a new set of pre-committed keys, creating a verifiable rotation event that is appended to the AID's KEL to maintain identifier persistence while updating cryptographic control authority.
Security in KERI refers to the property of being free from exploit or compromise through cryptographic proof of control authority over identifiers, achieved via self-certifying identifiers, key event logs, and duplicity detection mechanisms that eliminate reliance on trusted third parties.
A digital signature is a mathematical scheme using asymmetric cryptography that provides cryptographic proof of message authenticity (origin verification) and integrity (tamper detection), enabling non-repudiable attribution of digital messages to their signers through public key verification of private key-generated signatures.
The next-threshold (nsith) is a protocol parameter in KERI establishment events that specifies the minimum number or fractional weights of signatures required from the next (pre-rotated) key set to authorize the subsequent rotation event, enabling secure key rotation through cryptographic commitment to future signing requirements.
Interoperability is the characteristic of systems, products, or protocols to work together effectively, enabling information exchange and coordinated operation across different implementations, platforms, and trust domains without requiring centralized coordination or shared infrastructure.
An establishment event is a key event in KERI that creates or modifies the authoritative key state of an Autonomic Identifier (AID), including inception events (identifier creation) and rotation events (key rotation), which define the current controlling key pairs and witness configuration.
A legal entity is a unique party that is legally or financially responsible for the performance of financial transactions or has the legal right in their jurisdiction to enter independently into legal contracts, including corporations, non-incorporated entities, governmental organizations, and individuals acting in business capacity.
A URL (Uniform Resource Locator) is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it, commonly called a web address.
Privacy in KERI refers to the ability of entities to control disclosure of their identity metadata and communication patterns, operating within the PAC Theorem constraint that one can achieve any two of Privacy, Authenticity, and Confidentiality at the highest level, but not all three simultaneously.
A rotation event (rot) is a JSON field attribute in KERI that contains a hash pointer linking key rotation events to their predecessors, enabling cryptographic verification of key state changes and serving as the anchoring mechanism for Transaction Event Logs (TELs) to Key Event Logs (KELs).
The 'rules' section (field 'r') is a top-level field map within an ACDC that embeds legal language in the form of Ricardian Contracts, providing both human-readable and machine-readable contractual terms that govern credential usage, issuance, and disclosure policies.
A key event is a serialized data structure that represents an atomic state transition in a Key Event Log (KEL), establishing or modifying the authoritative key state for an Autonomic Identifier (AID). Each key event is cryptographically signed and chained to previous events, forming a verifiable, append-only history of control authority.
An application programming interface (API) is a standardized mechanism enabling two or more computer programs to communicate by defining a set of protocols, data formats, and interaction patterns. In the KERI ecosystem, APIs preserve the protocol's unique security properties while enabling component interoperability.
A verifiable credential (VC) is a cryptographically secured digital credential that contains claims about a subject, issued by an issuer, held by a holder, and verifiable by any verifier without requiring access to the issuer at verification time.
A Trusted Execution Environment (TEE) is a protected hardware/software/firmware security system that provides isolation and security guarantees for sensitive cryptographic operations. In KERI implementations, controllers may leverage TEE technology to protect key generation, key storage, and event signing infrastructure.
A novel delegation mechanism in KERI where both the delegator and delegate must actively participate through cryptographic commitments to establish and maintain the delegation relationship, enabling secure key management hierarchies with built-in compromise recovery.
Self-addressing data (SAD) is a data structure where a Self-Addressing Identifier (SAID) is cryptographically derived from and embedded within the data content itself, creating a mutually tamper-evident relationship where the identifier both addresses and verifies the integrity of its containing data.
Integrity means that information is whole, sound, and unimpaired—complete and in its intended good order. In KERI, integrity is achieved through cryptographic mechanisms that ensure data has not been altered, focusing on technical verifiability rather than semantic correctness (veracity).
A user interface (UI) is the space where interactions between humans and machines occur, enabling users to control and receive feedback from software systems through visual, auditory, or tactile elements.
A root-of-trust is a system component that is secure by design, whose security characteristics are inherently trusted by other components. In KERI, the cryptographic root-of-trust is established through self-certifying identifiers derived from key pairs, eliminating dependency on external authorities and enabling end-verifiable control authority.
An **exn** (exchange) message is a KERI protocol message type used for peer-to-peer communication and data exchange between KERI entities, enabling credential issuance, presentation, and general information exchange through cryptographically signed, self-framing messages.
JSON (JavaScript Object Notation) is an open standard, language-independent data interchange format that uses human-readable text to represent structured data through attribute-value pairs and arrays, serving as the primary serialization format for KERI event messages, ACDC credentials, and configuration files.
A root autonomic identifier (RID) is a specialized AID that serves as the foundational root-of-trust for an entire ecosystem through delegation mechanisms, requiring the highest level of security in its key management and enabling hierarchical trust structures through multi-valent key management infrastructure.
In KERI/CESR, a cryptographic primitive is 'qualified' when it includes a prepended derivation code (proem) that indicates the cryptographic algorithm or suite used for that derivation, enabling self-describing cryptographic material that can be parsed and verified without external context.