Explore comprehensive explanations of key concepts in the KERI protocol and vLEI ecosystem
A consensus mechanism is a protocol by which distributed entities coordinate to reach agreement on shared state or decisions. In KERI, consensus is achieved through witness agreement algorithms (KAACE/KAWA) that provide safety guarantees without requiring liveness or total ordering, enabling decentralized, portable, and permissionless identifier control.
Discovery in KERI is a mechanism that enables systems to automatically locate and verify service endpoints, witness networks, and cryptographic identifiers without relying on centralized authorities, primarily implemented through OOBI (Out-Of-Band Introduction) and percolated information discovery protocols.
Provenance is the documented history of the origin, custody, and transformations of data, establishing a verifiable chain from current state back to original creation. In KERI/ACDC systems, provenance is cryptographically verifiable through chained data structures that maintain integrity and authenticity without requiring trusted intermediaries.
Keep is the primary user interface application for the KERI protocol and ACDC ecosystem, serving as a task-oriented frontend that communicates with the keripy agent backend through a REST API to manage Autonomic Identifiers (AIDs), credentials, and multi-signature operations.
Internal inconsistency refers to contradictions or violations of protocol rules within a single Key Event Log (KEL) that make it cryptographically unverifiable, as opposed to external inconsistency (duplicity) where multiple verifiable but conflicting versions of a KEL exist.
KERIpy is the reference Python implementation of the KERI (Key Event Receipt Infrastructure) protocol, providing the canonical implementation of autonomic identifiers, key event logs, witnesses, and the complete KERI/ACDC/CESR protocol stack.
Public Key Infrastructure (PKI) is a comprehensive system of roles, policies, hardware, software, and procedures for creating, managing, distributing, using, storing, and revoking digital certificates and managing public-key encryption through hierarchical certificate authorities.
A service endpoint is a network-accessible URL (typically HTTP/HTTPS) that provides access to specific services or operations, serving as the addressable location where clients can interact with KERI infrastructure components such as witnesses, watchers, agents, or other protocol services.
A prefix is a qualified cryptographic primitive in CESR format that combines a derivation code with an encoded public key or digest, serving as the self-certifying identifier for an AID in KERI. The prefix cryptographically binds the identifier to its controlling key material through one-way functions, enabling self-certification without external trust.
A wallet in KERI/ACDC is a collection of data stores comprising a keystore (encrypted private key storage), local and remote key event log databases, and credential databases, providing both secure storage and agency (active functionality) for managing autonomic identifiers and verifiable credentials.
An inception event is the first establishment event in a KERI Key Event Log (KEL) that creates an Autonomic Identifier (AID) by cryptographically binding it to an initial set of authoritative keypairs, establishing the identifier's initial key state, configuration, and witness infrastructure.
A verifiable data structure (VDS) is a cryptographically secured data structure that incorporates cryptographic techniques (such as hash functions, digital signatures, and Merkle trees) to ensure the integrity and authenticity of its contents, allowing users to verify the correctness of stored data without relying on trusted third parties.
Non-repudiable refers to the property where a statement's author cannot successfully dispute its authorship or the validity of an associated signature or commitment. In KERI, non-repudiation is achieved through cryptographic digital signatures that create verifiable, tamper-evident proof of who made a statement, enabling secure attribution without relying on trusted intermediaries.
Verify-signature is the cryptographic process of applying an algorithm that takes a message, public key, and signature as inputs to determine whether the signature was validly created by the corresponding private key holder, thereby accepting or rejecting the message's claim to authenticity.
A watcher is an entity or component that maintains copies of Key Event Receipt Logs (KERLs) for identifiers but is not designated by the controller, operating in promiscuous mode to enable ambient duplicity detection across the KERI network.
Compact disclosure is a privacy-preserving mechanism in ACDCs where field maps are represented by their SAIDs (Self-Addressing Identifiers) rather than their full content, enabling cryptographic commitments to data without revealing it, forming the foundation for both partial and selective disclosure patterns.
Confidentiality in KERI refers to the protection of message content and data from unauthorized access through encryption and access control mechanisms, ensuring that only authorized parties can view disclosed information. It is the second priority in KERI's security model after authenticity, and is constrained by the PAC Theorem, which states that systems cannot simultaneously maximize privacy, authenticity, and confidentiality.
A non-establishment event is a key event in KERI that anchors external data to an AID's key event log without modifying the current key state, enabling verifiable commitments to data while maintaining the existing authoritative keypairs, thresholds, and witness configuration.
An interaction event is a non-establishment event in KERI that anchors external data to an AID's key event log without modifying the current key state, enabling controllers to make verifiable authoritative statements while maintaining the existing set of controlling keypairs.
A seed is a pseudorandomly generated number, typically expressed as a series of words (BIP-39 format), that serves as the primary entropy source for deterministically generating cryptographic key pairs in KERI. It is also called 'bran' in KERI terminology to avoid conflicts with existing uses of 'seed' and 'salt'.
A spanning layer is a single protocol layer in a network architecture that provides universal interoperability between diverse protocols above and below it, following the hourglass model where the spanning layer serves as the narrow waist enabling any upper-layer application to work with any lower-layer infrastructure.
Canonicalization is the process of converting data that has multiple possible representations into a single, deterministic "standard" or "canonical" form, enabling consistent cryptographic operations, equivalence comparison, and verifiable data structures across KERI/ACDC systems.
A secret string of characters (password) used to encrypt and protect a KERI keystore, providing the primary authentication mechanism for accessing private keys and cryptographic material stored within the keystore.
A framing code is a specialized CESR encoding element that delineates the number of characters (in text domain) or bytes (in binary domain) that can be extracted atomically from a stream, enabling self-framing primitives and groups to be parsed without external delimiters or schemas.