Explore comprehensive explanations of key concepts in the KERI protocol and vLEI ecosystem
Levels of Assurance (LoA) represent graduated confidence levels in identity verification and trust decisions, acknowledging that security judgments are often not binary but exist on a spectrum of certainty appropriate to different risk contexts.
An issuer is a role performed by an entity that creates and cryptographically signs an ACDC (Authentic Chained Data Container) credential, asserting claims about a subject and transmitting the credential to a holder, with the issuer's AID appearing at the top level of the ACDC structure.
In KERI, 'authoritative' refers to cryptographically verified control authority over an identifier that has been attested to its root-of-trust, making the identifier accurate, renowned, and respectable. This term also applies to PKI key pairs that possess this verified control property.
A receipt in KERI is a cryptographically signed message that acknowledges observation of a key event, consisting of a reference to the event (via identifier, sequence number, and digest) along with one or more witness signatures, serving as proof that designated witnesses have validated and recorded the event.
Self-sovereign identity (SSI) is a decentralized identity architecture that places the identity controller—whether a natural person or organization—in direct control of the identifiers and credentials they use to assert their digital identity, without requiring permission from or reliance on centralized identity providers.
A protocol is a defined set of rules and procedures that govern how data is transmitted, processed, or verified between systems or entities. In KERI/ACDC, protocols define the standardized mechanisms for key event processing, credential exchange, and cryptographic verification.
A presentation exchange is a protocol-defined process by which authenticatable information is exchanged between a Discloser (who presents one or more ACDCs) and a Disclosee (who receives them), forming a directed acyclic graph (DAG) of chained credentials that enables verifiable disclosure of claims while maintaining cryptographic integrity.
A verifiable identifier (VID) is a cryptographically verifiable, authentic decentralized identifier that enables a controller to provide cryptographic proof of control authority without relying on centralized registries or trusted third parties.
A digest is a fixed-size cryptographic hash output that serves as a verifiable commitment to data content, providing collision-resistant, one-way cryptographic binding between the digest value and the original data.
A message in KERI is a serialized data structure consisting of a body (the core content) and a set of attachments (including signatures and other cryptographic material), forming the fundamental communication unit for key events, receipts, and protocol interactions.
Binding is the cryptographic association of two data elements, such as linking an identifier to a key pair, or connecting data to its cryptographic commitment, thereby establishing verifiable relationships that enable authentication, integrity verification, and control authority.
A controller is an entity (person, organization, or autonomous software) that possesses the cryptographic private keys necessary to prove control authority over an Autonomic Identifier (AID) and make changes to its associated Key Event Log (KEL). In multi-sig configurations, a controller may consist of multiple controlling entities operating under threshold signature schemes.
An Official Organizational Role (OOR) is a person who represents a Legal Entity in an official organizational capacity and is issued an OOR vLEI Credential to cryptographically verify their formal position within the organization's governance structure.
A witness is an entity designated by an AID controller to verify, sign, and store key events, providing distributed consensus and duplicity detection through the KERI Agreement Algorithm for Control Establishment (KAACE) without requiring blockchain infrastructure.
A verifiable Legal Entity Identifier (vLEI) is a cryptographically secure digital credential issued by Qualified vLEI Issuers (QVIs) under GLEIF governance that provides non-repudiable, machine-verifiable proof of a legal entity's identity, linking its ISO 17442 LEI to a KERI-based Autonomic Identifier (AID) through ACDC credential technology.
Control authority in KERI determines who has the power to perform operations on an identifier, including creation, key rotation, revocation, and delegation. It is established through cryptographic proof of key possession and maintained through verifiable event logs (KELs).
A verifier is an entity or agent that cryptographically validates signatures and digests on event messages, and more broadly, determines whether signed statements attributed to an identifier are valid at the time of issuance by applying use-case-specific trust criteria beyond basic cryptographic verification.
A top-level field map within an ACDC that provides directed connections to other ACDCs, forming a labeled property graph (LPG) where each edge represents a cryptographically verifiable relationship with optional operators, weights, and semantic properties.
An Engagement Context Role (ECR) is a person who represents a Legal Entity in a functional or engagement-specific context (rather than an official organizational position) and is issued an ECR vLEI Credential to cryptographically verify their authorization for that specific engagement.
A validator is an entity or agent that evaluates whether a given signed statement attributed to an identifier is valid at the time of its issuance by determining the current authoritative key set from at least one key event receipt log (KERL), applying duplicity detection, and assessing whether the statement meets specific use-case requirements beyond cryptographic verification.
A rotation event is an establishment event in KERI that transfers control authority from the current set of authoritative keypairs to a new set that was cryptographically pre-committed in the prior establishment event, enabling secure key rotation while maintaining identifier continuity and providing forward security through the pre-rotation mechanism.
A key event receipt is a cryptographic message structure in KERI consisting of a body that references a key event and attachments containing one or more witness signatures, providing distributed attestation that designated witnesses have observed and validated the referenced key event.
A virtual credential is a digital credential that exists exclusively in electronic form, without a physical counterpart, and is issued, stored, and shared electronically. In the KERI/ACDC ecosystem, virtual credentials are implemented as ACDCs (Authentic Chained Data Containers) that provide cryptographically verifiable, chainable credentials with graduated disclosure capabilities.