# Spec-Up-T Demo

ADC

authentic-data-container

architectural-decision-record

ADR

AID

autonomic-identifier

authentic-provenance-chain

APC

application-programming-interface

API

authorized-vlei-representative

AVR

best-available-data-acceptance-mechanism

BADA

byzantine-fault-tolerance

BFT

broken-object-level-authorization

BOLA

concise-binary-object-representation

CBOR

CESR-version

the CESR Version is provided by a special Count Code that specifies the Version of all the CESR code tables in a given Stream or Stream section.

Source: Dr. S. Smith

composable-event-streaming-representation

CESR

chain-link-confidentiality

CLC

CRUD

Is acronym for the traditional client-server database update policy is CRUD (Create, Read, Update, Delete).

CRUD as opposed to RUN which is the acronym for the new peer-to-peer end-verifiable monotonic update policy.

(Source: https://crypto.stackexchange.com/questions/12436/what-is-the-difference-between-csprng-and-prng)

CSPRNG

means “Cryptographically Secure Pseudorandom Number Generator,” which means that a sequence of numbers (bits, bytes…) that is produced from an algorithm that is deterministic (the sequence is generated from some unknown internal state), hence pseudorandom is also cryptographically secure, or not.

CT

certificate-transparency

DAG

directed-acyclic-graph

designated-authorized-representative

DAR

DEL

duplicitous-event-log

DHT

distributed-hash-table

DID

Decentralized Identifier

decentralized-key-management-infrastructure

DKMI

decentralized-key-management-infrastructure

DPKI

E2E

end-to-end

ECR

engagement-context-role

Encrypt‐Sender‐Sign‐Receiver

ESSR

foreign-function-interface

FFI

gleif-authorized-representative

GAR

GLEIF

Global Legal Entity Identifier Foundation

GLEIS

Global Legal Entity Identifier System

GPG

gnu-privacy-guard

HSM

hardware-security-module

I-O

input-output

internet-assigned-numbers-authority

IANA

issuance-and-presentation-exchange-protocol

IPEX

information-theoretic-security

ITPS

javascript-object-signing-and-encryption

JOSE

javascript-object-notation

JSON

keri-agreement-algorithm-for-control-establishment

KA2CE

keri-agreement-algorithm-for-control-establishment

KAACE

KAPI

Application programmer interfaces (APIs) for the various components in the KERI ecosystem such as Controllers, Agents, Witnesses, Watchers, Registrars etc need by which they can share information. The unique properties of the KERI protocol require APIs that preserve those properties. We call the set of APIs the KERI API.

Source Kapi Repo

keri’s-algorithm-for-witness-agreement

KAWA

KEL

A Key Event Log.

key-event-log

key-event-receipt-infrastructure

KERI

KERIA-agent

An agent in keria terms, is an instance of a keystore (hab) that runs in a given instance of the KERIA agent server.

KERIA

KERI Agent in the cloud. The KERIA service will expose 3 separate HTTP endpoints on 3 separate network interfaces.

Boot Interface - Exposes one endpoint for Agent Worker initialization.

Admin Interface - The REST API for command and control operations from the Signify Client.

KERI Protocol Interface - CESR over HTTP endpoint for KERI protocol interactions with the rest of the world.

More at Source Github repo

KERIMask

A wallet similar to MetaMask, the manifestation will be a browser extension and it will connect to KERIA servers in order for a person to control AIDs from their browser.

KERISSE

keri-suite-search-engine

KERL

key-event-receipt-log

KID

keri-improvement-doc

keri-request-authentication-method

KRAM

LEI

Legal Entity Identifier

legitimized-human-meaningful-identifier

LID

LLM

large-language-model

LoA

levels-of-assurance

LoC

loci-of-control

multi-factor-authentication

MFA

MIME-type

media-type

NFT

non-fungible-token

OOBI

out-of-band-introduction

official-organizational-role

OOR

P2P

peer-to-peer

PGP

pretty-good-privacy

percolated-information-discovery

PID

public-key-infrastructure

PKI

(Source: https://crypto.stackexchange.com/questions/12436/what-is-the-difference-between-csprng-and-prng)

PRNG

means “Pseudorandom Number Generator” which means that a sequence of numbers (bits, bytes…) is produced from an algorithm which looks random, but is in fact deterministic (the sequence is generated from some unknown internal state), hence pseudorandom.

Such pseudorandomness can be cryptographically secure, or not. It is cryptographically secure if nobody can reliably distinguish the output from true randomness, even if the PRNG algorithm is perfectly known (but not its internal state). A non-cryptographically secure PRNG would fool basic statistical tests but can be distinguished from true randomness by an intelligent attacker.

public-transaction-event-log

PTEL

qvi-authorized-representative

QAR

QVI

qualified-vlei-issuer

root-autonomic-identifier

RID

RUN

The acronym for the new peer-to-peer end-verifiable monotonic update policy is RUN (Read, Update, Nullify).

RUN as opposed to CRUD which is the traditional client-server database update policy.

SAD

self-addressing-data

self-addressing-identifier

SAID

secure-asset-transfer-protocol

SATP

self-certifying-identifier

SCID

signify-keria-request-authentication-protocol

SKRAP

SKWA

simple-keri-for-web-auth

secure-private-authentic-confidentiality

SPAC

SSI

self-sovereign-identity

transmission-control-protocol

TCP

trusted-execution-environment

TEE

TEL

transaction-event-log

threshold-of-accountable-duplicity

TOAD

TPM

trusted-platform-module

TSP

trust-spanning-protocol

UI

user-interface

URL

uniform-resource-locator

VC

verifiable-credential

virtual-credential-transaction-event-log

VCTEL

verifiable-data-structure

VDS

VID

verifiable-identifier

extensible-business-reporting-language

XBRL

abandoned-identifier

An AID is abandoned when either the inception-event or a subsequent rotation-event rotates to an empty next key digest list (which means the next threshold must also be 0).

access-controlled-interaction

Access controlled actions like submitting a report. If you already have that report then load balancer needs a mechanism to drop repeated requests.

Source: Samuel Smith / Daniel Hardman / Lance Byrd - Zoom meeting KERI Suite Jan 16 2024; discussion minute 30-60 min

agency

Agents can be people, edge computers and the functionality within wallets. The service an agent offers is agency.

agent

A representative for an identity. MAY require the use of a wallet. MAY support transfer.

ambient-verifiability

Verifiable by anyone, anywhere, at anytime. Although this seems a general term, it was first used in the context of KERI by Sam Smith.

Ambient Duplicity Detection is an example of ambient verifiability that describes the possibility of detecting duplicity by anyone, anywhere, anytime.

ample

The minimum required number of participants in an event to have a supermajority so that one and only one agreement or consensus on an event may be reached. This is a critical part of the KAACE agreement algorithm (consensus) in KERI for establishing consensus between witnesses on the key state of a KERI identifier.

append-only-event-logs

Append-only is a property of computer data storage such that new data can be appended to the storage, but where existing data is immutable.

A blockchain is an example of an append-only log. The events can be transactions. Bitcoin is a well-known Append only log where the events are totally ordered and signed transfers of control over unspent transaction output.

More on Wikipedia

application-programming-interface

An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software.

architectural-decision-record

Is a justified software design choice that addresses a functional or non-functional requirement that is architecturally significant.

Source adr.github.io

attribute

a top-level field-map within an ACDC that provides a property of an entity that is inherent or assigned to the entity.

Source: Dr. S. Smith

attributional-trust

KERI offers cryptographic root-of-trust to establish attributional trust. In the real world you’d also need reputational-trust. You can’t have reputation without attributional trust.

Read more in source Universal Identifier Theory

authentic-chained-data-container

a directed acyclic graph with properties to provide a verifiable chain of proof-of-authorship. See the full specification

Source: Dr. S.Smith, 2024

Explained briefly, an ACDC or authentic-data-container proves digital data consistency and authenticity in one go. An ACDC cryptographically secures commitment to the data contained, and its identifiers are self-addressing, which means they point to themselves and are also contained in the data.

authentic-data-container

A mechanism for conveying data that allows the authenticity of its content to be proved.

Instance

A Verifiable Credential is an authentic-chained-data-container.

authentic-data

integrity and provenance data.

Source: Timothy Ruff, #IIW37

authentic-provenance-chain

Interlinked presentation-exchange of evidence that allow data to be tracked back to its origin in an objectively verifiable way.

authentic-web

The authentic web is the internet as a whole giant verifiable data structure. Also called Web5. The web will be one big graph. That’s the mental model of the ‘authentic web’.

authenticity

The quality of having an objectively verifiable origin ; contrast veracity. When a newspaper publishes a story about an event, every faithful reproduction of that story may be authentic — but that does not mean the story was true (has veracity).

Authenticity is strongly related to digital security. Ideally it should be verifiable (to a root-of-trust). The future picture therein is the authentic-web.

authoritative

Established control authority over an identifier, that has received attestations to it, e.g. control over the identifier has been verified to its root-of-trust. So the (control over the) identifier is ‘authoritative’ because it can be considered accurate, renowned, honourable and / or respected.

Also used to describe PKI key pairs that have this feature.

https://glossary.trustoverip.org/#term:authority

authority

authorization

Is the function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular.

More formally, “to authorize” is to define an access policy.

authorized-vlei-representative

Also ‘AVR’. This a representative of a Legal Entity that are authorized by the DAR of a Legal Entity to request issuance and revocation of:

vLEI Legal Entity Credentials

Legal Entity Official Organizational Role vLEI Credentials (official-organizational-role vLEI Credentials)

Legal Entity Engagement Context Role vLEI Credentials (engagement-context-role vLEI Credentials).

Paraphrased by @henkvancann from source Draft vLEI Ecosystem Governance Framework Glossary.

autonomic-computing-systems

Self managing computing systems using algorithmic governance, from the 90’s way way way before DAOs. KERI creator Sam Smith worked at funded Navy research in the 90’s on autonomic survivable systems as in “self-healing” systems: “We called them autonomic way back then”.

autonomic-identifier

a self-managing cryptonymous identifier that must be self-certifying (self-authenticating) and must be encoded in CESR as a qualified Cryptographic primitive.

Source: Dr. S.Smith, 2024

An identifier that is self-certifying-identifier and self-sovereign-identity (or self-managing).

autonomic-identity-system

an identity system that includes a primary root-of-trust in self-certifying identifiers that are strongly bound at issuance to a cryptographic signing (public, private) key pair. An AIS enables any entity to establish control over an AN in an independent, interoperable, and portable way.

Source: Dr. S.Smith, 2024

autonomic-namespace

a namespace that is self-certifying and hence self-administrating. An AN has a self-certifying prefix that provides cryptographic verification of root control authority over its namespace. All derived AIDs in the same AN share the same root-of-trust, source-of-truth, and locus-of-control (RSL). The governance of the namespace is, therefore, unified into one entity, that is, the controller who is/holds the root authority over the namespace.

Source: Dr. S.Smith, 2024

Namespaces are, therefore, portable and truly self-sovereign.

autonomic-trust-basis

When we use an AID as the root-of-trust we form a so-called autonomic trust basis. This is diagrammed as follows:

backer

an alternative to a traditional KERI based Witness commonly using Distributed Ledger Technology (DLT) to store the KEL for an identifier.

Source: Dr. S.Smith, 2024

base-media-type

credential plus ld plus json.

Other media types of credentials are allowed by must provide either unidirectional or bidirectional transformations. So, for example, we would create credential+acdc+json and provide a unidirectional transformation to credential+ld+json.

base64

In computer programming, Base64 is a group of binary-to-text encoding schemes that represent binary data (more specifically, a sequence of 8-bit bytes) in sequences of 24 bits that can be represented by four 6-bit Base64 digits.

More on source Wikipedia

bespoke-credential

It’s an issuance-event of the disclosure or presentation of other ACDCs. Bespoke means Custom or tailor made.

A bespoke credential serves as an on-the-fly contract with the issuee; it’s a self-referencing and self-contained contract between the issuer and the verifier. Mind you, here the issuer and issuee are merely the discloser and disclosee of another (set of) ACDC(s).

best-available-data-acceptance-mechanism

The BADA security model provides a degree of replay-attack protection. The attributate originator (issuer, author, source) is provided by an attached signature couple or quadruple. A single reply could have multiple originators. When used as an authorization the reply attributes may include the identifier of the authorizer and the logic for processing the associated route may require a matching attachment.

BADA is part of KERI's Zero Trust Computing Architecture for Data Management: How to support Secure Async Data Flow Routing in KERI enabled Applications.

bexter

The class variable length text that is used in CESR and preserves the round-trip transposability using Base64 URL safe-only encoding even though the text variable length.

binding

The technique of connecting two data elements together. In the context of key-event-receipt-infrastructure it’s the association of data or an identifier with another identifier or a subject (a person, organization or machine), thereby lifting the privacy of the subject through that connection, i.e. binding.

bis

bis = backed vc issue, registry-backed transaction event log credential issuance

bivalent

A nested set of layered delegations in a delegation tree, wraps each layer with compromise recovery protection of the next higher layer. This maintains the security of the root layer for compromise recovery all the way out to the leaves in spite of the leaves using less secure key management methods.

bivalent-key-management-infrastructure

blake3

BLAKE3 is a relatively young (2020) cryptographic hash function based on Bao and BLAKE2.

blind-oobi

A blind OOBI means that you have some mechanisms in place for verifying the AID instead of via the OOBI itself. A blind OOBI is essentially a URL. It’s called “blind” because the witness is not in the OOBI itself. You haves other ways of verifying the AID supplied.

blinded-revocation-registry

The current state of a transaction-event-log (TEL) may be hidden or blinded such that the only way for a potential verifier of the state to observe that state is when the controller of a designated AID discloses it at the time of presentation.

bran

A cryptographic string used as a primary input, a seed, for creating key material for and autonomic-identifier.

branch

In software development a ‘branch’ refers to the result of branching: the duplication of an object under version control for further separate modification.

broken-object-level-authorization

Refers to security flaws where users can access data they shouldn’t, due to inadequate permission checks on individual (sub)objects.

brv

brv = backed vc revoke, registry-backed transaction event log credential revocation

byzantine-agreement

(non PoW) Byzantine Agreement is byzantine-fault-tolerance of distributed computing systems that enable them to come to consensus despite arbitrary behavior from a fraction of the nodes in the network. BA consensus makes no assumptions about the behavior of nodes in the system. Practical Byzantine Fault Tolerance (pBFT) is the prototypical model for Byzantine agreement, and it can reach consensus fast and efficiently while concurrently decoupling consensus from resources (i.e., financial stake in PoS or electricity in PoW).

byzantine-fault-tolerance

A Byzantine fault (also interactive consistency, source congruency, error avalanche, byzantine-agreement problem, Byzantine generals problem, and Byzantine failure) is a condition of a computer system, particularly distributed computing systems, where components may fail and there is imperfect information on whether a component has failed.

canonicalization

In computer science, canonicalization (sometimes standardization or normalization) is a process for converting data that has more than one possible representation into a “standard,” “normal,” or canonical form.

This can be done to compare different representations for equivalence, to count the number of distinct data structures, to improve the efficiency of various algorithms by eliminating repeated calculations, or to make it possible to impose a meaningful sorting order.

More on source Wikipedia

certificate-transparency

Certificate Transparency (CT) is an Internet security standard and open source framework for monitoring and auditing digital certificates. The standard creates a system of public logs that seek to eventually record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates. As of 2021, Certificate Transparency is mandatory for all SSL/TLS certificates.

cesr-proof-signatures

CESR Proof Signatures is an extension to the Composable Event Streaming Representation [CESR] that provides transposable cryptographic signature attachments on self-addressing data SAD. Any SAD, such as an Authentic Chained Data Container (ACDC) Verifiable Credential [ACDC], for example, may be signed with a CESR Proof Signature and streamed along with any other CESR content. In addition, a signed SAD can be embedded inside another SAD, and the CESR proof signature attachment can be transposed across envelope boundaries and streamed without losing any cryptographic integrity.

(Philip Feairheller, IETF-cesr-proof)

cesride

is concerned with parsing CESR primitives.

Cesride is built from cryptographic primitives that are named clearly and concisely. There are:

diger

verfer

signer

siger

cigar

salter

Each primitive will have methods attached to it that permit one to generate and parse the qualified base2 or base64 representation.

chain-link-confidential-disclosure

contractual restrictions and liability imposed on a recipient of a disclosed ACDC that contractually link the obligations to protect the disclosure of the information contained within the ACDC to all subsequent recipients as the information moves downstream. The Chain-link Confidential Disclosure provides a mechanism for protecting against un-permissioned exploitation of the data disclosed via an ACDC.

Source: Dr. S.Smith

chain-link-confidentiality

Chains together a sequence of disclosee which may also include a set of constraints on data usage by both second and third parties expressed in legal language such that the constraints apply to all recipients of the disclosed data thus the phrase “chain link” confidentiality. Each Disclosee in the sequence in turn is the discloser to the next Disclosee.

This is the primary mechanism of granting digital data rights through binding information exchange to confidentiality laws. Confidentiality is dynamically negotiated on a per-event, per-data exchange basis according to the data that is being shared in a given exchange.

chain-of-custody

From Wikipedia (Source):

Chain of custody (CoC), in legal contexts, is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of materials, including physical or electronic evidence. Of particular importance in criminal cases, the concept is also applied in civil litigation and more broadly in drug testing of athletes and in supply chain management, e.g. to improve the traceability of food products, or to provide assurances that wood products originate from sustainably managed forests.

cigar

An unindexed-signature.

Source by Jason Colburne

claim

An assertion of the truth of something, typically one which is disputed or in doubt. A set of claims might convey personally identifying information: name, address, date of birth and citizenship, for example. (Source).

clone

A copy of a system that is - and works exactly as the original

cloud-agent

Cloud agent is software that is installed on the cloud server instances in order to provide security, monitoring, and analysis solutions for the cloud. They actually provide information and helps to provide control over cloud entities.

Paraphrased by @henkvancann based on source.

Also see agent.

code-table-selector

the first character in the text code of composable-event-streaming-representation that determines which code-table to use, either a default code table or a code table selector character when not the default code table. Thus the 1 character text code table must do double duty. It must provide selectors for the different text code tables and also provide type codes for the most popular primitives that have a pad size of 1 that appear is the default code table.

code-table

a code table is the Internet’s most comprehensive yet simple resource for browsing and searching for alt codes, ascii codes, entities in html, unicode characters, and unicode groups and categories.

cold-start-stream-parsing

After a reboot (or cold start), a stream processor looks for framing information to know how to parse groups of elements in the stream.

If that framing information is ambiguous then the parser may become confused and require yet another cold start. While processing a given stream a parser may become confused especially if a portion of the stream is malformed in some way. This usually requires flushing the stream and forcing a cold start to resynchronize the parser to subsequent stream elements.

collective-signature

a group signature scheme, that (i) is shared by a set of signing groups and (ii) combined collective signature shared by several signing groups and several individual signers. The protocol of the first type is constructed and described in detail. It is possible to modify the described protocol which allows transforming the protocol of the first type into the protocol of the second type. The proposed collective signature protocols have significant merits, one of which is connected with possibility of their practical using on the base of the existing public key infrastructures.

Collective signature have a variable length as a function of the number of signers.

collision

In cryptography and identity collision generally refers to something going wrong because an identical result has been produced but it refers to - or points to - different sources or assets backing this result.

E.g. two hashes collide, meaning two different digital sources produce the same hash.

Another example is name(space) collision.

compact-disclosure

a disclosure of an ACDC that discloses only the SAID(s) of some or all of its field maps. Both Partial and Selective Disclosure rely on Compact Disclosure.

Source: Dr. S. Smith

compact-variant

Either a most-compact version of an ACDC or the fully-compact version of an ACDC. An issuer commitment via a signature to any variant of ACDC (compact, full, etc) makes a cryptographic commitment to the top-level section fields shared by all variants of that ACDC because the value of a top-level-section is either the SAD or the SAID of the SAD of the associated section.

complementary-integrity-verification

A mechanism that can verify integrity independent of needing access to a previous instance or reference version of the information for comparison.

Source: Neil Thomson

composability

short for text-binary concatenation composability. An encoding has Composability when any set of Self-Framing concatenated Primitives expressed in either the Text domain or Binary domain may be converted as a group to the other Domain and back again without loss.

Source: Dr. S.Smith

composable-event-streaming-representation

Also called ‘CESR’. This compact encoding scheme fully supports both textual and binary streaming applications of attached crypto material of all types. This approach includes composability in both the textual and binary streaming domains. The primitive may be the minimum possible but still composable size.

Making composability a guaranteed property allows future extensible support of new compositions of streaming formats based on pre-existing core primitives and compositions of core primitives. This enables optimized stream processing in both the binary and text domains.

composable

composability

concatenation

In formal language theory and computer programming, string concatenation is the operation of joining character strings end-to-end. For example, the concatenation of “snow” and “ball” is “snowball”.

concise-binary-object-representation

a binary serialization format, similar in concept to JSON but aiming for greater conciseness. Defined in [RFC7049].

Source: Dr. S.Smith, 2024

confidentiality

All statements in a conversation are only known by the parties to that conversation.

Source: Samuel Smith, at IIW-37, Oct 2023.

configuration-files

In computing, configuration files (commonly known simply as config files) are files used to configure the parameters and initial settings for some computer programs. They are used for user applications, server processes and operating system settings.

More on source Wikipedia

configuration-traits

a list of specially defined strings representing a configuration of a KEL. See (Configuration traits field)[#configuration-traits-field].

Source: Dr. S.Smith, 2024

consensus-mechanism

How groups of entitities come to decisions. In general to learn about consensus mechanisms read any textbook on decision making, automated reasoning, multi-objective decision making, operations research etc.

content-addressable-hash

Finding content by a hash of this content, generated by a one-way hash function applied to the content.

Content addressing is a way to find data in a network using its content rather than its location. The way we do is by taking the content of the content and hashing it. Try uploading an image to IPFS and get the hash using the below button.

contextual-linkability

Refers to the condition where vendors or other data capture points provide enough context at point of capture to be able to use statistical correlation with existing data sets to link any of a person’s disclosed attributes to a set of already known data points about a given person.

contingent-disclosure

Contingent disclosure is a privacy-preserving mechanism where only specific information or attributes are disclosed under defined conditions. It enables the selective sharing of data such that only the required information is revealed to a relying party, without exposing other unrelated or sensitive details. chain-link-confidentiality is a form of contingent disclosure.

contractually-protected-disclosure

a discloser of an ACDC that leverages a Graduated Disclosure so that contractual protections can be put into place to minimize the leakage of information that can be correlated. A Contractually Protected Disclosure partially or selectively reveals the information contained within the ACDC in the initial interaction with the recipient and discloses further information only after the recipient agrees to the terms established by the discloser. More information may be progressively revealed as the recipient agrees to additional terms.

Source: Dr. S. Smith

control-authority

In identity systems Control Authority is who controls what and that is the primary factor in determining the basis for trust in them. The entity with control authority takes action through operations that affect the

creation (inception)

updating

rotation

revocation

deletion

and delegation of the authentication factors and their relation to the identifier.

controller

an entity that can cryptographically prove the control authority over an AID and make changes on the associated KEL. A controller of a multi-sig AID may consist of multiple controlling entities.

Source: Dr. S.Smith, 2024

cooperative-delegation

The way KERI addresses the security-cost-performance-architecture-trade-off is via delegation of identifier prefixes. Delegation includes a delegator and a delegate. For this reason we may call this a cooperative delegation. This is a somewhat novel form of delegation.

coroutines

Computer programs that can be suspended and resumed at will.

correlation

In our scope this is an identifier used to indicate that external parties have observed how wallet contents are related.

count-code

group-framing-code

credential

Evidence of authority, status, rights, entitlement to privileges, or the like.

(source)

A credential has its current state and a history, which is captured in a doc or a graph.

crypto-libraries

Cryptography libraries deal with cryptography algorithms and have API function calls to each of the supported features.

cryptocurrency

A digital asset designed to work as a medium of exchange wherein individual coin ownership records are stored in a digital ledger or computerized database using strong cryptography to secure transaction record entries, to control the creation of additional digital coin records.

See more on source Wikipedia.

cryptographic-commitment-scheme

is a cryptographic primitive that allows one to commit to a chosen value (or chosen statement) while keeping it hidden to others, with the ability to reveal the committed value later.

Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding.

More on wikipedia

cryptographic-primitive

the serialization of a value associated with a cryptographic operation including but not limited to a digest (hash), a salt, a seed, a private key, a public key, or a signature.

Source: Dr. S.Smith, 2024

cryptographic-strength

The term “cryptographically strong” is often used to describe an encryption algorithm, and implies, in comparison to some other algorithm (which is thus cryptographically weak), greater resistance to attack. But it can also be used to describe hashing and unique identifier and filename creation algorithms.

More on Wikipedia

cryptonym

a cryptographic pseudonymous identifier represented by a string of characters derived from a random or pseudo-random secret seed or salt via a one-way cryptographic function with a sufficiently high degree of cryptographic strength (e.g., 128 bits, see appendix on cryptographic-strength. A cryptonym is a type of primitive.

current-threshold

represents the number or fractional weights of signatures from the given set of current keys required to be attached to a Message for the Message to be considered fully signed.

Source: Dr. S.Smith, 2024

custodial-agent

An agent owned by an individual who has granted signing-authority to a custodian who is usually also the host of the running agent software. Using partial-rotation to facilitate custodial key management the owner of the identifier retains rotation-authority and thus the ability to “fire” the custodian at any time without requiring the cooperation of the custodian.

custodial-rotation

Rotation is based on control authority that is split between two key sets. The first for signing authority and the second (pre-rotated) for rotation authority, the associated thresholds and key list can be structured so that a designated custodial agent can hold signing authority, while the original controller can hold exclusive rotation authority.

partial-rotation supports the vital use case of custodial key rotation to authorize a custodial-agent.

Paraphrased by @henkvancann based on the IETF-KERI draft 2022 by Samual Smith.

data-anchor

Data anchors are digest of digital data, that uniquely identify this data. The digest is the anchor and can be used to identify - and point to the data at the same time.

dead-attack

an attack on an establishment-event that occurs after the Key-state for that event has become stale because a later establishment event has rotated the sets of signing and pre-rotated keys to new sets.

dead-drop

In cybersecurity or digital privacy scenarios, the term “dead drop” refers to encrypted or secure virtual spaces where information can be deposited or retrieved anonymously. In the credentials field, the presenter controls the disclosure, so you can’t re-identify the data.

Discussed in tech meet KERI recording, date June 27 2023.

decentralized-identifier

Decentralized identifiers (DID) are a new type of identifier that enables verifiable, decentralized digital identity. A DID refers to any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) as determined by the controller of the DID.

Source W3C.org.

decentralized-identity

is a technology that uses cryptography to allow individuals to create and control their own unique identifiers. They can use these identifiers to obtain Verifiable Credentials from trusted organizations and, subsequently, present elements of these credentials as proof of claims about themselves. In this model, the individual takes ownership of their own identity and does not need to cede control to centralized service providers or companies.

decentralized-key-management-infrastructure

a key management infrastructure that does not rely on a single entity for the integrity and security of the system as a whole. Trust in a DKMI is decentralized through the use of technologies that make it possible for geographically and politically disparate entities to reach an agreement on the key state of an identifier DPKI.

Source: Dr. S.Smith, 2024

delegated-identifier

Matches the act of delegation with the appropriate digital twin. Consequently when applied recursively, delegation may be used to compose arbitrarily complex trees of hierarchical (delegative) key management event streams. This is a most powerful capability that may provide an essential building block for a generic universal decentralized key management infrastructure (DKMI) that is also compatible with the demand of generic event streaming applications.

delegation

A person or group of persons officially elected or appointed to represent another or others.

derivation-code

To properly extract and use the public-key-infrastructure embedded in a self-certifying-identifier we need to know the cryptographic signing scheme used by the key-pair. KERI includes this very compactly in the identifier, by replacing the pad character (a character used to fill a void to able to always end up with a fixed length public key) with a special character that encodes the derivation process. We call this the derivation code.

designated-aliases

An AID controller can designate aliases which are AID controlled identifiers such as a did:keri, did:webs, etc. The AID controller issues a designated aliases attestation (no issuee) that lists the identifiers and manages the status through a registry anchored to their KEL. See the designated aliases docs

designated-authorized-representative

Also ‘DAR’. These are representatives of a Legal Entity that are authorized by the Legal Entity to act officially on behalf of the Legal Entity. DARs can authorize:

vLEI Issuer Qualification Program Checklists

execute the vLEI Issuer Qualification Agreement

provide designate/replace Authorized vLEI Representatives (authorized-vlei-representatives).

Paraphrased by @henkvancann from source Draft vLEI Ecosystem Governance Framework Glossary.

diger

A primitive that represents a digest. It has the ability to verify that an input hashes to its raw value.

Source by Jason Colburne

digest

verifiable cryptographic commitment. It’s a collision-resistant hash of content.

digital-signature

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender (authentication), and that the message was not altered in transit (integrity).

dip

dip = delcept, delegated inception

direct-mode

Two primary trust modalities motivated the KERI design, One of these is the direct (one-to-one) mode, in which the identity controller establishes control via verified signatures of the controlling key-pair. The direct mode doesn’t use witnesses nor key-event-receipt-logs, but has direct (albeit intermittent) network contact with the validator.

directed-acyclic-graph

From Wikipedia (source):

In mathematics, particularly graph theory, and computer science, a directed acyclic graph (DAG /ˈdæɡ/ (listen)) is a directed graph with no directed cycles. That is, it consists of vertices and edges (also called arcs), with each edge directed from one vertex to another.

disclosee

a role of an entity that is a recipient to which an ACDC is disclosed. A Disclosee may or may not be the Issuee of the disclosed ACDC.

Source: Dr. S. Smith

discloser

a role of an entity that discloses an authentic-chained-data-container. A Discloser may or may not be the Issuer of the disclosed ACDC.

Source: Dr. S. Smith

discovery

A mechanism that helps systems or devices find each other automatically, often used in networks to identify services or resources. In decentralized identifier systems it helps to locate and verify digital identities without relying on a central authority.

distributed-hash-table

It is a distributed system that provides a lookup service similar to a hash table: key-value pairs are stored in a DHT, and any participating node can efficiently retrieve the value associated with a given key. The main advantage of a DHT is that nodes can be added or removed with minimum work around re-distributing keys.

dnd

Do Not Delegate is a flag/attribute for an AID, and this is default set to “you can delegate.”

domain-name

A domain name is a string that identifies a realm of administrative autonomy, authority or control within the Internet. Domain names are used in various networking contexts and for application-specific naming and addressing purposes.

domain

a representation of a primitive either Text (T), Binary (B) or Raw binary ®.

Source: Dr. S. Smith

Beware: outside of CESR but within the internet world, the term ‘domain’ mostly refers to the concept of a domain name.

double-spend-proof

Total global ordering of transactions so that value can’t be spent twice at the same time from the unit of value. Or in everyday language: you can’t spend your money twice.

drt

drt = deltate, delegated rotation

dual-indexed-codes

a context-specific coding scheme, for the common use case of thresholded multi-signature schemes in CESR.

dual-text-binary-encoding-format

An encoding format that allows for both text and binary encoding format, which is fully interchangeable. The composability property enables the round trip conversion en-masse of concatenated primitives between the text domain and binary domain while maintaining the separability of individual primitives.

duplicitous-event-log

This is a record of inconsistent event messages produced by a given controller or witness with respect to a given key-event-receipt-log. The duplicitous events are indexed to the corresponding event in a KERL.

duplicity-detection

A mechanism to detect duplicity in cryptographically secured event logs.

duplicity

the existence of more than one version of a Verifiable key-event-log for a given AID.

Source: Dr. S.Smith, 2024

eclipse-attack

An eclipse attack is a peer-to-peer network-based attack. Eclipse attack can only be performed on nodes that accept incoming connections from other nodes, and not all nodes accept incoming connections.

In a bitcoin network, by default, there are a maximum of 117 incoming TCP connections and 8 outgoing TCP connections.

edge

a top-level field map within an ACDC that provides edges that connect to other ACDCs, forming a labeled property graph (LPG).

Source: Dr. S. Smith

electronic-signature

An electronic signature, or e-signature, refers to data in electronic form, which is logically associated with other data in electronic form and which is used by the signatory to sign. This type of signature has the same legal standing as a handwritten signature as long as it adheres to the requirements of the specific regulation under which it was created (e.g., eIDAS in the European Union, NIST-DSS in the USA or ZertES in Switzerland).

encrypt-sender-sign-receiver

An authenticated encryption approach, using PKI. It covers authenticity and confidentiality.

end-role

An end role is an authorization for one AID to serve in a role for another AID.

For example, declaring that your agent AID is serving in the role of agent for your business AIDs.

Source: Phil Feairheller

end-to-end

Inter-host communication and data flow transformations, considered in motion and at rest.

E2E Security. Inter-host communication must be end-to-end signed/encrypted and data must be stored signed/encrypted. Data is signed/encrypted in motion and at rest.

E2E Provenance. Data flow transformations must be end-to-end provenanced using verifiable data items (verifiable data chains or VCs). Every change shall be provenanced.

Paraphrased from source Universal Identifier Theory by Samuel Smith

end-verifiability

a data item or statement may be cryptographically securely attributable to its source (party at the source end) by any recipient verifier (party at the destination end) without reliance on any infrastructure not under the verifier’s ultimate control.

Source: Dr. S.Smith, 2024

end-verifiable

end-verifiable

When a log is end verifiable, it means that the log may be verified by any end user that receives a copy. No trust in intervening infrastructure is needed to verify the log and validate the content.

engagement-context-role

A person that represents the legal-entity in a functional or in another context role and is issued an ECR vlei-credential.

entity

entity in the #essiflab glossary.

entropy

Unpredictable information. Often used as a secret or as input to a key generation algorithm.

ephemeral

Lasting for a markedly brief time. Having a short lifespan.

In the context of identifiers is often referred to as identifiers for one time use; or throw-away identifiers.

escrow-state

The current state of all the temporary storage locations (what events are waiting for what other information) that KERI protocol needs to keep track of, due to its fully asynchronous nature.

escrow

‘Escrow’ as a noun is a (legal) arrangement in which a third party temporarily holds money or property until a particular condition has been met.

‘Escrow’ as a verb: we use it in protocol design to handle out of order events. Store the event and wait for the other stuff to show up and then continue processing of the event. So escrowing is the process of storing this event. We root back to the event later.

establishment-event

a key-event that establishes or changes the key state which includes the current set of authoritative keypairs (key state) for an AID.

Source: dr. S.Smith

exn

exn = exchange

exp

exp = expose, sealed data exposition

extensible-business-reporting-language

XBRL is the open international standard for digital business reporting, managed by a global not for profit consortium, XBRL International.

field-map

A traditional key:value pair renamed to avoid confusing with the cryptographic use of the term ‘key’.

first-seen

refers to the first instance of a message received by any witness or watcher. The first-seen event is always seen, and can never be unseen. It forms the basis for duplicity detection in KERI-based systems.

Source: Dr. S.Smith

foreign-function-interface

Is a mechanism by which a program written in one, usually an interpreted (scripted), programming language that can call routines or make use of services written or compiled in another one.

More on Source: https://en.wikipedia.org/wiki/Foreign_function_interface

frame-code

framing-code

framing-code

a code that delineates a number of characters or bytes, as appropriate, that can be extracted atomically from a stream.

Source: Dr. S. Smith

full-disclosure

a disclosure of an ACDC that discloses the full details of some or all of its field maps. In the context of selective-disclosure, Full Disclosure means detailed disclosure of the selectively disclosed attributes, not the detailed disclosure of all selectively disclosable attributes. In the context of partial-disclosure, Full Disclosure means detailed disclosure of the field map that was so far only partially disclosed.

Source: Dr. S. Smith

fully-compact

The most compact form of an ACDC. This is the only signed variant of an ACDC and this signature is anchored in a transaction-event-log (TEL) for the ACDC.

This is one valid choice for an ACDC schema.

This form is part of the graduated-disclosure mechanism in ACDCs.

fully-expanded

The most user-friendly version of an ACDC credential. It doesn’t need to be signed and typically is not signed since the most compact version which is signed can be computed from this form and then the signature can be looked up in the TEL of the ACDC in question.

Regarding the graduated disclosure objective this form is the one with the highest amount of disclosure for a given node of an ACDC graph.

ghost-credential

Is a valid credential within in a 90 days grace period (the revocation transaction time frame before it’s booked to revocation registry).

gleif-authorized-representative

A representative of GLEIF authorized to perform the identity verifications requirements needed to issue the QVI vLEI Credential.

Source: GLEIF Ecosystem Governance Framework v1.0 Glossary

gnu-privacy-guard

also GnuPG; is a free-software replacement for Symantec’s PGP cryptographic software suite. It is compliant with RFC 4880, the IETF standards-track specification of OpenPGP. Modern versions of PGP are interoperable with GnuPG and other OpenPGP-compliant systems.

More on wikipedia

See more about the closely related and often-confusing term PGP.

governance-framework

Also called ‘Governance structure’. Governance frameworks are the structure of a government and reflect the interrelated relationships, factors, and other influences upon the institution. Governance frameworks structure and delineate power and the governing or management roles in an organization. They also set rules, procedures, and other informational guidelines.

graduated-disclosure

a disclosure of an ACDC that does not reveal its entire content in the initial interaction with the recipient and, instead, partially or selectively reveals only the information contained within the ACDC necessary to further a transaction with the recipient. A Graduated disclosure may involve multiple steps where more information is progressively revealed as the recipient satisfies the conditions set by the discloser. compact-disclosure, partial-disclosure, selective-disclosure, and full-disclosure are all Graduated disclosure mechanisms.

Source: Dr. S. Smith

graph-fragment

An ACDC is a verifiable data structure and part of a graph, consisting of a node property and one or two edge proporties.

group-code

group-framing-code

group-framing-code

special Framing Codes that can be specified to support groups of Primitives which make them pipelinable. Self-framing grouping using Count Codes is one of the primary advantages of composable encoding.

Source: Dr. S. Smith

hab

A Hab is a keystore for one identifier. The Python implementation in keripy, also used by keria uses LMDB to store key material and all other data.

Many Habs are included within and managed by a habery.

habery

‘Hab’ comes from ‘Habitat’. It’s a place where multi-sigs and AIDs are linked. Habery manages a collection of hab. A Hab is a data structure (a Python object).

hardware-security-module

A HSM is a physical computing device that safeguards and manages secrets (most importantly digital keys), performs encryption and decryption functions for digital signatures, strong authenticity and other cryptographic functions.

hierarchical-asynchronous-coroutines-and-input-output

HIO is an acronym which stands for ‘Weightless hierarchical asynchronous coroutines and I/O in Python’.

It’s Rich Flow Based Programming Hierarchical Structured Concurrency with Asynchronous IO. That mouthful of terms has been explained further on Github.

HIO builds on very early work on hierarchical structured concurrency with lifecycle contexts from ioflo, ioflo github, and ioflo manuals.

hierarchical-composition

Encoding protocol that is composable in a hierarchy and enables pipelining (multiplexing and de-multiplexing) of complex streams in either text or compact binary. This allows management at scale for high-bandwidth applications.

hierchical-deterministic-keys

An HDK type is a deterministic Bitcoin wallet derived from a known seed that allows child keys to be created from the parent key. Because the child key is generated from a known seed, a relationship between the child and parent keys is invisible to anyone without that seed.

hio

Weightless hierarchical asynchronous coroutines and I/O in Python.

Rich Flow Based Programming Hierarchical Structured Concurrency with Asynchronous IO.

icp

icp = incept, inception

identifier-system

a system for uniquely identifying (public) identities

identifier

Something to uniquely identify (public) identities; pointing to something or someone else.

identity-assurance

The heavy-lifting to be done by a trusted (middle-man) party to establish - and then offer reputational trust. An example of such a party is GLEIF. Instead, KERI is for attributional-trust. In the real world you need both.

Read more in source Universal Identifier Theory

identity

A unique entity. Typically represented by a unique identifier.

inception-event

an establishment-event that provides the incepting information needed to derive an AID and establish its initial Key state.

Source Sam Smith

inception

The operation of creating an AID by binding it to the initial set of authoritative keypairs and any other associated information. This operation is made verifiable and duplicity evident upon acceptance as the inception event that begins the AID’s KEL.

Source Sam Smith

inconsistency

If a reason, idea, opinion, etc. is inconsistent, different parts of it do not agree, or it does not agree with something else. Data inconsistency occurs when similar data is kept in different formats in more than one file. When this happens, it is important to match the data between files.

indexed-signature

Also called siger. An indexed signature attachment is used when signing anything with a multi-key autonomic identifier. The index is included as part of the attachment, so a verifier knows which of the multiple public keys was used to generate a specific signature.

Source:Philip Feairheller

indirect-mode

Two primary trust modalities motivated the KERI design, One of these is the indirect (one-to-many) mode, which depends on witnessed key event receipt logs (KERL) as a secondary root-of-trust for validating events. This gives rise to the acronym KERI for key event receipt infrastructure.

information-theoretic-security

the highest level of cryptographic security concerning a cryptographic secret (seed, salt, or private key).

Source: Dr. S. Smith

input-output

In computing, input/output (I/O, or informally io or IO) is the communication between an information processing system, such as a computer, and the outside world, possibly a human or another information processing system. Inputs are the signals or data received by the system and outputs are the signals or data sent from it. The term can also be used as part of an action; to “perform I/O” is to perform an input or output operation.

inquisitor

In the ACDC context it’s a general term for someone (in a validating role) that launches an inquiry at some KERI witness.

integrity

Integrity (of a message or data) means that the information is whole, sound, and unimpaired (not necessarily correct). It means nothing is missing from the information; it is complete and in intended good order.

Source: Neil Thomson

interaction-event

Non-establishment Event that anchors external data to the key-state as established by the most recent prior establishment event.

Source Sam Smith

interactive-authentication-design

A group of approaches having an interactive mechanism that requires a set of requests and responses or challenge responses with challenge response replies for secure authentication.

More in source Keri Request Authentication Mechanism (KRAM) by Samuel Smith

interceptor

a keria class that allows to push events that are happening inside the cloud agent to other backend processes.

It is similar to the notifier class but it is used to “notify” other web services.

interleaved-serialization

Serializations of different types interleaved in an overarching format

internal-inconsistency

Internal is used to describe things that exist or happen inside an entity. In our scope of digital identifier its (in)consistency is considered within the defining data structures and related data stores.

In key-event-receipt-infrastructure, you are protected against internal inconsistency by the hash chain data structure of the key-event-log because the only authority that can sign the log is the controller itself.

internet-assigned-numbers-authority

is the organization that oversees the allocation of IP addresses to internet service providers (ISPs).

interoperability

Interoperability is a characteristic of a product or system to work with other products or systems. While the term was initially defined for information technology or systems engineering services to allow for information exchange.

More on source Wikipedia

interoperable

interoperability

ip-address

An Internet Protocol address (IP address) is a numerical label such as ‘192.0.2.1’ that is connected to a computer network that uses the Internet Protocol for communication. An IP address serves two main functions: network interface identification and location addressing.

Much more on source Wikipedia

iss

iss = vc issue, verifiable credential issuance

issuance-and-presentation-exchange-protocol

provides a uniform mechanism for the issuance and presentation of ACDCs in a securely attributable manner.

issuance-event

The initial transaction event log event anchored to the issuing AID’s key event log that represents the issuance of an ACDC credential.

Source: Philip Feairheller.

It’s a sort of “inception-event” of a verifiable credential.

issuance-exchange

A special case of a presentation-exchange where the discloser is the issuer of the origin (Primary) ACDC of the directed-acyclic-graph formed by the set of chained authentic-chained-data-containers so disclosed.

In an issuance exchange, when the origin ACDC has an issuee, the disclosee MAY also be the origin ACDC’s Issuee.

issuee

a role of an entity to which the claims of an ACDC are asserted.

Source: Dr. S. Smith

issuer

a role of an entity that asserts claims and creates an ACDC from these claims.

Source: Dr. S. Smith

ixn

JSON field name (attribute) for Interaction Event; its content (value) contains a hash pointer. All transaction-event-log events are anchored in a key-event-log in either ixn (interaction-event) or rot (rotation-events). This is the foundation enabling a verifiable credential protocol to be built on top of KERI.

Source Kent Bull 2023

javascript-object-notation

JSON (JavaScript Object Notation, pronounced /ˈdʒeɪsən/; also /ˈdʒeɪˌsɒn/) is an open standard file format and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute–value pairs and arrays (or other serializable values). It is a common data format with diverse uses in electronic data interchange, including that of web applications with servers.

javascript-object-signing-and-encryption

is a framework intended to provide a method to securely transfer claims (such as authorization information) between parties. The JOSE framework provides a collection of specifications to serve this purpose.

judge

A judge is an entity or component that examines the entries of one or more key-event-receipt-log and DELs of a given identifier to validate that the event history is from a non-duplicity controller and has been witnessed by a sufficient number of non-duplicitous witness such that it may be trusted or conversely not-trusted by a validator.

juror

A juror has the basic task of performing duplicity detection on events and event receipts.

jury

The jury is the set of entities or components acting as juror.

keep

Is KERI’s and ACDC’s user interface that uses the keripy agent for its backend. It uses the REST API exposed from the keripy agent.

Source: Philip Feairheller

keri-agreement-algorithm-for-control-establishment

Agreement on an event in a key event log KEL means each witness has observed the exact version of the event and each witness’ receipt has been received by every other witness.

Control establishment means that the set of agreeing witnesses, along with the controller of the identifier and associated keypairs, create a verifiable way to establish control authority for an identifier by reading all of the events in the KEL that have been agreed upon by the witnesses and the controller.

keri-command-line-interface

Command line tool used to create identifiers, manage keys, query for KELs and participate in delegated identifiers or multi-signature group identifiers. It also includes operations for running witnesses, watchers and cloud agents to establish a cloud presence for any identifier.

Most commands require a “name” parameter which references a named Habitat (think wallet) for performing the operation.

keri-event-stream

A stream of verifiable KERI data, consisting of the key-event-log and other data such as a transaction-event-log. This data is a CESR event stream (TODO: link to IANA application/cesr media type) and may be serialized in a file using composable-event-streaming-representation encoding. We refer to these CESR stream resources as KERI event streams to simplify the vocabulary.

Source did:webs ToIP specification

keri-improvement-doc

These docs are modular so teams of contributors can independently work and create PRs of individual KIDs; KIDs answer the question “how we do it”. We add commentary to the indivudual KIDs that elaborate on the why. It has been split from the how to not bother implementors with the why.

keri-ox

The RUST programming-language implementation of the KERI protocol.

keri-request-authentication-method

All requests from a web client must use KRAM (KERI Request Authentication Method) for replay attack protection. The method is essentially based on each request body needing to include a date time string field in ISO-8601 format that must be within an acceptable time window relative to the server’s date time. See the KRAM Github repo

Source SKWA GitHub repo, more info in HackMD.io write-up

keri-suite-search-engine

KERISSE is the Docusaurus self-education site of Web-of-Trust GitHub repo with Typesense search facilities. Because of its focus on well-versed developers in the field of SSI and the support of their journey to understand the structure of the code and how things work in the keri-suite it’s more a search engine that drills down on documentation.

keri-suite

The KERI suite is the set of inter-related developments (KERI, ACDC, OOBI, CESR, IPEX, etc) under the Web-of -Trust user on Github

keride

is a Rust programming language library for key-event-receipt-infrastructure. Among its features

is CESR, signing, prefixing, pathing, and parsing.

keridemlia

It is a contraction of key-event-receipt-infrastructure and Kademlia. It’s the distributed database of Witness IP-addresses based on a distributed-hash-table. It also does the CNAME - stuff that domain-name Services (DNS) offers for KERI: the mapping between an identifier and it’s controller AID stored in the KEL to its current wittness AID and the wittness AID to the IP address.

(@henkvancann)

kerific

kerific is a front plugin or extension that currently only works for Chrome and Brave. It matches words in any text on the web that is parseable for kerific and offers buttons to various glossaries and definitions in the self-sovereign-identity field.

keripy

The Python programming-language implementation of the KERI protocol.

keri’s-algorithm-for-witness-agreement

a type of Byzantine Fault Tolerant (byzantine-fault-tolerance) algorithm.

Source: Dr. S.Smith

kever

Kever is a key event verifier.

key-compromise

Basically there are three infrastructures that are included in “key management” systems that must be protected:

Key pair creation and storage

Event signing

Event signature verification

So when we say “key compromise” we really mean compromise of one of those three things.

key-event-log

a Verifiable data structure that is a backward and forward chained, signed, append-only log of key events for an AID. The first entry in a KEL must be the one and only Inception event of that AID.

Source Sam Smith

key-event-message

Message whose body is a key event and whose attachments may include signatures on its body.

Source Sam Smith

key-event-receipt-infrastructure

or the KERI protocol, is an identity system-based secure overlay for the Internet.

Source: Dr. S.Smtih

key-event-receipt-log

a key event receipt log is a kel that also includes all the consistent key event receipt messages created by the associated set of witnesses. See annex key-event-receipt-log.

Source: Dr. S.Smith

key-event-receipt

message whose body references a Key event and whose attachments must include one or more signatures on that Key event.

Source Sam Smith

key-event

Concretely, it is the serialized data structure of an entry in the Key event log (KEL) for an AID. Abstractly, the data structure itself. Key events come in different types and are used primarily to establish or change the authoritative set of keypairs and/or anchor other data to the authoritative set of keypairs at the point in the KEL actualized by a particular entry.

Source Sam Smith

key-management

management of cryptographic keys in a crypto-system. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys (also #key-rotation). It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.

key-pair

is a private key and its corresponding public key resulting from a one-way crypto-graphical function; a key pair is used with an asymmetric-key (public-key) algorithm in a so called public-key-infrastructure (PKI).

key-state

a set of currently authoritative keypairs for an AID and any other information necessary to secure or establish control authority over an AID. This includes current keys, prior next key digests, current thresholds, prior next thresholds, witnesses, witness thresholds, and configurations.

key-stretching

In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources (time and possibly space) it takes to test each possible key.

key-transparency

provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.

key

In our digital scope it’s a mechanism for granting or restricting access to something. MAY be used to issue and prove, MAY be used to transfer and control over identity and cryptocurrency. More

keystore

A keystore in KERI is the encrypted data store that hold the private keys for a collection of AIDs.

Source: Philip Feairheller.

keri-command-line-interface

kli

ksn

ksn = state, key state notice

large-language-model

A large language model (LLM) is a language model consisting of a neural network with many parameters (typically billions of weights or more), trained on large quantities of unlabeled text using self-supervised learning or semi-supervised learning.

lead-bytes

In order to avoid confusion with the use of the term pad character, when pre-padding with bytes that are not replaced later, we use the term lead bytes. So lead-bytes are added “pre-conversion”.

ledger-backer

A witness in KERI that is ledger-registered. It’s a type of backer that proof its authenticity by a signing key anchored to the public key of a data item on a (public) blockchain.

legal-entity-engagement-context-role-vlei-credential-governance-framework

A document that details the requirements for vlei-role-credential issued to representatives of a Legal Entity in other than official roles but in functional or other context of engagement.

Source: Draft vLEI Ecosystem Governance Framework Glossary.

legal-entity-official-organizational-role-vlei-credential-governance-framework

A document that details the requirements for vlei-role-credential issued to official representatives of a Legal Entity.

Source: Draft vLEI Ecosystem Governance Framework Glossary.

legal-entity-vlei-credential-governance-framework

A document that details the requirements for vLEI Credential issued by a qualified-vlei-issuer to a legal-entity.

legal-entity

Unique parties that are legally or financially responsible for the performance of financial transactions or have the legal right in their jurisdiction to enter independently into legal contracts.

legitimized-human-meaningful-identifier

An AID and its associated self-certifying trust basis gives rise to a trust domain for associated cryptographically verifiable non-repudiable statements. Every other type of identifier including human meaningful identifiers may then be secured in this resultant trust domain via an end-verifiable authorization. This authorization legitimizes that human meaningful identifier as an LID through its association with an AID. The result is a secured trust domain specific identifier couplet of aid|lid.

levels-of-assurance

Identity and other trust decisions are often not binary. They are judgement calls. Any time that judgement is not a simple “Yes/No” answer, you have the option for levels of assurance. Also ‘LoA’.

listed-identifier

Is a list in an authentic-chained-data-container of authorised did:webs identifier + method; the list appears in the metadata of the did:webs DID-doc.

Source: paraphrased Samuel Smith, Zoom meeting KERI dev Thursday Nov 9 2023

live-attack

an attack that compromises either the current signing keys used to sign non-establishment events or the current pre-rotated keys needed to sign a subsequent establishment event. See (Security Properties of Prerotation)[#live-attacks].

Source: Dr. S.Smith

liveness

Liveness refers to a set of properties of concurrent systems, that require a system to make progress despite the fact that its concurrently executing components (“processes”) may have to “take turns” in critical sections, parts of the program that cannot be simultaneously run by multiple processes.

loci-of-control

Locus of control is the degree to which people believe that they, as opposed to external forces (beyond their influence), have control over the outcome of events in their lives. Also ‘LoC’.

More on wikipedia

locked-state

The default status a KERI data store is in once it has been created using a passcode; it is by default encrypted.

management-transaction-event-log

management-TEL

management-transaction-event-log

A ‘management transaction-event-log’ will signal the creation of the Virtual Credential Registry VCR and track the list of Registrars that will act as backer for the individual _ transaction event logs (TELs)_ for each virtual-credential (VC).

media-type

A Media type (formerly known as MIME type) is a standard way to indicate the nature and format of a file, in the same way as ‘image/jpeg’ for JPEG images, used on the internet.

It is a two-part identifier for file formats and format contents transmitted on the internet. Their purpose is somewhat similar to file extensions in that they identify the intended data format.

message

a serialized data structure that comprises its body and a set of serialized data structures that are its attachments. Attachments may include but are not limited to signatures on the body.

Source: Dr. S.Smith

messagepack

MessagePack is a computer data interchange format. It is a binary form for representing simple data structures like arrays and associative arrays. MessagePack aims to be as compact and simple as possible. The official implementation is available in a variety of languages

moobi

Multi OOBI would allow to share a bunch of different end-points (oobis) all at once. A way for a single store to share multiple endpoints for that store.

most-compact

An ACDC that, for a given level of disclosure, is as compact as it can be, which means

it has the SAIDs for each section that are not disclosed

it has expanded sections that are disclosed

multi-factor-authentication

Authentication by combining multiple security factors. Well-known factors are what you know, what you have and what you are.

multi-valent

A delegator may have multiple delegate, thereby enabling elastic horizontal scalability. Multiple delegates from a single delegator. Furthermore, each delegate may act as a delegator for its own delegates to form a nested delegation tree.

multicodec

Is a self-describing multi-format, it wraps other formats with a tiny bit of self-description. A multi-codec identifier is both a variant (variable length integer) and the code identifying data.

See more at GitHub Multi-codec

multiplexing

In telecommunications and computer networking, multiplexing (sometimes contracted to muxing) is a method by which multiple analog or digital signals are combined into one signal over a shared medium. The aim is to share a scarce resource - a physical transmission medium.

multisig

also multi-signature or multisignature; is a digital signature scheme which allows a group of users to sign a single piece of digital data.

Paraphrased by @henkvancann from Wikipedia source

naive-conversion

Non-CESR Base64 conversion. How people are used to using the Base64 encode and decode. Without pre-padding etc all the stuff CESR does to ensure aligns on 24 bit boundaries so CESR never uses the ‘=’ pad character. But naive base64 will pad if the length is not 24 bit aligned.

Source: Samuel Smith in issue 34

namespace

In an identity system, an identifier can be generalized to a namespace to provide a systematic way of organizing identifiers for related resources and their attributes. A namespace is a grouping of symbols or identifiers for a set of related objects.

ndigs

Digests of public keys, not keys themselves. The reason to use ndigs is to prove control over public keys or to hide keys. It’s used in Keripy and consists of a list of qualified base64 digests of public rotation key derivations.

nested-cooperative-delegated-identifiers

In KERI delegations are cooperative, this means that both the delegator and delegate must contribute to a delegation. The delegator creates a cryptographic commitment in either a rotation or interaction event via a seal in a delegated establishment event. The delegate creates a cryptographic commitment in its establishment event via a seal to the delegating event.

next-threshold

represents the number or fractional weights of signatures from the given set of next keys required to be attached to a Message for the Message to be considered fully signed.

non-establishment-event

a Key event that does not change the current Key state for an AID. Typically, the purpose of a Non-establishment event is to anchor external data to a given Key state as established by the most recent prior Establishment event for an AID.

Source: Dr. S. Smith

non-fungible-token

A non-fungible token (NFT) is a financial security consisting of digital data stored in a blockchain, a form of distributed ledger.

non-interactive-authentication-design

A group of approaches having non-interactive mechanisms that pose unique problems because they do not allow a challenge response reply handshake. A request is submitted that is self-authenticating without additional interaction.

non-normative

A theory is called non-normative if it does not do what has described under ‘normative’. In general, the purpose of non-normative theories is not to give answers, but rather to describe possibilities or predict what might happen as a result of certain actions.

Source.

non-repudiable

Non-repudiation refers to a situation where a statement’s author cannot successfully dispute its authorship or the validity of an associated contract, signature or commitment.

The term is often seen in a legal setting when the authenticity of a signature is being challenged. In such an instance, the authenticity is being “repudiated”.

non-transferable-identifier

Controlling keys over this identifier cannot be rotated and therefore this identifier is non-transferable to other control.

An identifier of this type has specific positive features like short-lived, peer to peer, one-time use, discardable, etc. that are very practical in certain use cases. Moreover non-transferable identifiers are much easier to govern than persistent identifiers that are transferable.

non-transferable

No transferable (the control over) a certain digital asset in an unobstructed or loss-less manner. As opposed to transferable.

For example not legally transferable to the ownership of another entity.

normative

a theory is “normative” if it, in some sense, tells you what you should do - what action you should take. If it includes a usable procedure for determining the optimal action in a given scenario.

Source.

official-organizational-role

Also ‘OOR’. A person that represents the Legal Entity in an official organizational role and is issued an OOR vLEI Credential.

Source Draft vLEI Ecosystem Governance Framework Glossary.

one-way-function

In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, “easy” and “hard” are to be understood in the sense of computational complexity theory, specifically the theory of polynomial time problems.

More on Wikipedia

opcode

Opcodes are meant to provide stream processing instructions that are more general and flexible than simply concatenated primitives or groups of primitives.

operator

an optional field map in the Edge section that enables expression of the edge logic on edge subgraph as either a unary operator on the edge itself or an m-ary operator on the edge group.

Source: Dr. S.Smith

out-of-band-introduction

Out-of-band Introductions (OOBIs) are discovery and validation of IP resources for key-event-receipt-infrastructure autonomic identifiers. Discovery via URI, trust via KERI.

The simplest form of a KERI OOBI is a namespaced string, a tuple, a mapping, a structured message, or structured attachment that contains both a KERI AID and a URL. The OOBI associates the URL with the AID.

owner

Owner in ToIP glossary

ownership

Ownership in ToIP glossary

pad

is a character used to fill empty space, because many applications have fields that must be a particular length.

parside

is a bunch of generators. Responsible for pulling out a stream of bits from a CESR stream and parse it.

Sam Smith suggested for Parside to not iterate stuff, only parse chunks delimited by the count-code. (Source Cesride: meeting Feb 2 2023)

partial-disclosure

a disclosure of an ACDC that partially discloses its field maps using Compact Disclosure. The Compact Disclosure provides a cryptographically equivalent commitment to the yet-to-be-disclosed content, and the later exchange of the uncompacted content is verifiable to an earlier Partial Disclosure. Unlike Selective disclosure, a partially disclosable field becomes correlatable to its encompassing block after its Full Disclosure.

Source: Dr. S. Smith

partial-pre-rotation

partial-rotation

partial-rotation

The pre-rotation mechanism supports partial pre-rotation or more exactly partial rotation of pre-rotated keypairs. It’s a rotation operation on a set of pre-rotated keys that may keep some keys in reserve (i.e unexposed) while exposing others as needed.

party

An entity who participates or is concerned in an action, proceeding, plan, etc.

Source: ToIP

passcode

A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user’s identity.

More on source Wikipedia

pathing

It was designed to sign portions of a credential aimed at complex cases like

a credential embedded in another credential

multiple signers, only signing portions of a credential (partial signing)

payload

The term ‘payload’ is used to distinguish between the ‘interesting’ information in a chunk of data or similar and the overhead to support it. The payload refers to the interesting part.

peer-to-peer

Peer-to-peer (P2P) computing or networking is a distributed application architecture that partitions tasks or workloads between peers. Peers are equally privileged, equipotent participants in the network. They are said to form a peer-to-peer network of nodes

More on source Wikipedia

percolated-information-discovery

percolated-discovery

a discovery mechanism for information associated with an AID or a SAID, which is based on Invasion Percolation Theory. Once an entity has discovered such information, it may in turn share what it discovers with other entities. Since the information so discovered is end-verifiable, the percolation mechanism and percolating intermediaries do not need to be trusted.

Source: Dr. S. Smith

percolated-information-discovery

In the OOBI protocol, a discovery mechanism for the KERI and the ACDC protocols is provided by a bootstrap that enables Percolated Information Discovery (PID), which is based on Invasion Percolation Theory.

After related information for discovery and verification is bootstrapped from the OOBI, subsequent authorization is non-interactive, thus making it highly scalable. This provides what we call zero-trust percolated discovery or speedy percolated discovery.

perfect-security

a special case of Information theoretic security itps.

Source: Dr. S. Smith

persistent-data-structure

An append only verifiable data structure. What we sign may not change.

persistent-identifier

transferable-identifier

pii

personally identifiable information

pipelining

In computing, a pipeline, also known as a data pipeline, is a set of data processing elements connected in series, where the output of one element is the input of the next one. The elements of a pipeline are often executed in parallel or in time-sliced fashion. Some amount of buffer storage is often inserted between elements.

post-pad

the action and / or result of extending a string with trailing pad characters to align to a certain length in bits or bytes.

post-quantum

In cryptography, post-quantum cryptography (PQC) (sometimes referred to as quantum-proof, quantum-safe or quantum-resistant) refers to cryptographic algorithms (usually public-key algorithms) that are thought to be secure against a cryptanalytic attack by a quantum computer.

More on source Wikipedia

pre-pad

the action and / or result of prepending a string with leading pad characters to align to a certain length in bits or bytes.

pre-rotation

Cryptographic commitment to next rotated key set in previous rotation or inception-event.

prefix

A prefix that is composed of a basic Base-64 (URL safe) derivation code pre-pended to Base-64 encoding of a basic public digital signing key.

Including the derivation code in the prefix binds the derivation process along with the public key to the resultant identifier.

presentation-exchange

An exchange that provides disclosure of one or more authentic-chained-data-containers between a Discloser and a Disclosee.

A presentation exchange is the process by which authenticity information may be exchanged between two parties, namely, the discloser and disclosee.

pretty-good-privacy

Is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

More on wikipedia

So also the often confusing GPG term.

primary-root-of-trust

In KERI a root-of-trust that is cryptographically verifiable all the way to its current controlling key pair in a PKI.

The characteristic primary is one-on-one related to the entropy used for the creation of (the seed of) the private keys.

primitive

a serialization of a unitary value. All Primitives in KERI must be expressed in composable-event-streaming-representation.

Source: Dr. S.Smith

privacy-washing

De-identification so that it provides a personal data safe harbour and could be legally acceptable forwarded.

privacy

Privacy is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively.

The domain of privacy partially overlaps with security, which can include the concepts of appropriate use and protection of information. Privacy may also take the form of bodily integrity.

More on source Wikipedia

proem

A “proem” is an introductory statement, preamble, or preface. It sets the stage for the content that follows, often providing context, framing the discussion, or outlining the purpose and scope of the material.

promiscuous-mode

It is the mode a watcher runs in. A watcher uses the same code as a witness. However a watcher does so “lacking standards of selection; acting without careful judgment; indiscriminate”. Or “Showing little forethought or critical judgment; casual.”

proof-of-authority

Proof that somebody or something has certain rights or permissions. It’s about data. Whereas proof-of-authorship is about data and its original creator.

A proof-of-authority provides verifiable authorizations or permissions or rights or credentials.

proof-of-authorship

Proof that somebody or something has originally created certain content. It’s about data’s inception. Whereas proof-of-authority is about rights attached to this data.

protocol

Generic term to describe a code of correct conduct. Also called “etiquette”: a code of personal behavior.

provenance

From Wikipedia (Source):

Provenance (from the French provenir, ‘to come from/forth’) is the chronology of the ownership, custody or location of a historical object. The term was originally mostly used in relation to works of art but is now used in similar senses in a wide range of fields, including archaeology, paleontology, archives, manuscripts, printed books, the circular economy, and science and computing.

provenanced

The act of verifying authenticity or quality of documented history or origin of something.

pseudo-random-number

A (set of) value(s) or element(s) that is statistically random, but it is derived from a known starting point and is typically repeated over and over.

public-key-infrastructure

Is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.

More on Wikipedia

public-transaction-event-log

is a public hash-linked data structure of transactions that can be used to track state anchored to a key-event-log.

public-verifiable-credential-registry

is a form of a Verifiable Data Registry that tracks the issuance/revocation state of credentials issued by the controller of the key-event-log. Two types of TELs will be used for this purpose: management-transaction-event-log and virtual-credential-transaction-event-log.

qry

qry = query

quadlet

a group of 4 characters in the T domain and equivalently in triplets of 3 bytes each in the B domain used to define variable size.

Source: Dr. S. Smith

qualified-vlei-issuer-vlei-credential-governance-framework

A document that details the requirements to enable this Credential to be issued by GLEIF to qualified-vlei-issuer which allows the Qualified vLEI Issuers to issue, verify and revoke legal-entity-vlei-credential-governance-framework, legal-entity-official-organizational-role-vlei-credential-governance-framework, and legal-entity-engagement-context-role-vlei-credential-governance-framework.

qualified-vlei-issuer

The contracting party to the vLEI Issuer Qualification Agreement that has been qualified by GLEIF as a Qualified vLEI Issuer.

Source: Draft vLEI Ecosystem Governance Framework Glossary.

qualified

When qualified, a cryptographic primitive includes a prepended derivation code (as a proem), that indicates the cryptographic algorithm or suite used for that derivation.

qvi-authorized-representative

A designated representative of a QVI authorized, to conduct QVI operations with GLEIF and legal-entity. Also referring to a person in the role of a QAR.

Paraphrased by @henkvancann from source Draft vLEI Ecosystem Governance Framework Glossary.

race-condition

A race condition or race hazard is the condition of an electronics, software, or other system where the system’s substantive behavior is dependent on the sequence or timing of other uncontrollable events. It becomes a bug when one or more of the possible behaviors is undesirable.

Source.

rainbow-table-attack

A rainbow table attack is a password-cracking method that uses a special table (a “rainbow table”) to crack the password hashes in a database.

rct

rct = receipt

read-update-nullify

Read, update, nullify are a set of actions you (or a server) can take on data. “Read” means to view it, “update” means to change it, and “nullify” means to invalidate it, but not “Delete” it. Mind you, there’s also no “Create”.

receipt-log

ordered record of all key event receipts for a given set of witnesses.

receipt

event message or reference with one or more witness signatures.

reconciliation

Reconciliation is the process in which you decide to accept a fork of the key-event-log or not.

Source: Samuel Smith, Zoom meeting Jan 2 2024.

redundant-credential

Multiple credentials issued by the same issuer (e.g. a QVI). They do not have anything to do with each other. They are independently valid.

registrar

identifiers that serve as backers for each transaction-event-log (TEL) under its provenance. This list of Registrars can be rotated with events specific to a certain type of TEL. In this way, a Registrar is analogous to a Backer in KERI KELs and Registrar lists are analogous to Backer lists in KERI KELs.

registration-interaction

Setup/Registration interaction, new AID and authorization to establish access control. You present a (vLEI) credential. You don’t want that captured and misused. Narrowing the scope to a certain role (e.g. Document Submitter) is a pre-registration via delegation authority.

registry

In our digital mental model it’s an official digital record book. When people refer to a registry, they usually mean a specific instance, within a multi-tenant registry. E.g. Docker Hub is a multi-tenant registry, where there’s a set of official / public images.

replay-attack

A replay attack occurs when a cybercriminal eavesdrops on a secure network communication, intercepts it, and then fraudulently delays or resends it to misdirect the receiver into doing what the hacker wants.

repo

Software is our line of work. In this, ‘repo’ is the short hand for ‘Repository’, mostly referring to a software repo(sitory) on Github.com, Gitlab (https://gitlab.com) or other software repository hosting services.

reputation

Consistent behaviour over time on the basis of which anyone else makes near-future decisions.

Source: Samuel Smith at IIW37.

reputational-trust

Established by a trusted party offering identity-assurance.

reserve-rotation

One important use case for partial-rotation is to enable pre-rotated key pairs designated in one establishment-event to be held in reserve and not exposed at the next (immediately subsequent) establishment event.

Source IETF-KERI draft 2022 by Samual Smith.

rev

rev = vc revoke, verifiable credential revocation

revocation-event

An event that revokes control-authority over an identifier. From that point in time the authoritative key-pairs at hand are not valid anymore.

revocation

Revocation is the act of recall or annulment. It is the cancelling of an act, the recalling of a grant or privilege, or the making void of some deed previously existing.

More on source Wikipedia

ricardian-contract

The Ricardian contract, as invented by Ian Grigg in 1996, is a method of recording a document as a contract at law, and linking it securely to other systems, such as accounting, for the contract as an issuance of value.

root-autonomic-identifier

An entity may provide the root-of-trust for some ecosystem (with delegation )via its root AID. Let’s call this the RID for “root AID”. The RID must be protected using the highest level of security in its key-management.

root-of-trust

A root-of-trust is some component of a system that is security by design and its security characteristics may be inherently trusted or relied upon by other components of the system.

rot

JSON field name (attribute) for Rotation Event; its content (value) contains a hash pointer. All transaction-event-log events are anchored in a key-event-log in either ixn (interaction-event) or rot (rotation-events). This is the foundation enabling a verifiable credential protocol to be built on top of KERI.

Source Kent Bull 2023

rotation-authority

The (exclusive) right to rotate the authoritative key pair and establish changed control authority.

rotation-event

an Establishment Event that provides the information needed to change the Key state, which includes a change to the set of authoritative keypairs for an AID.

Source: Dr. S.Smith

rotation

The operation of revoking and replacing the set of authoritative key-pair for an AID. This operation is made verifiable and duplicity evident upon acceptance as a rotation event that is appended to the AID’s KEL.

Source Sam Smith

rpy

rpy = reply

rules

a top-level field map within an ACDC that provides a legal language as a Ricardian Contract, which is both human and machine-readable and referenceable by a cryptographic digest.

Source: Dr. S. Smith

run-off-the-crud

RUN off the CRUD is an alternative to the traditional CRUD approach to defining basic operations on resources in data management systems (e.g., databases, APIs). RUN stands for Read, Update, Nullify and bears a nuanced approach to deletion.

sally

is an implementation of a verification service and acting as a reporting server. It is purpose-built software for the vLEI ecosystem to allow participants in the vLEI ecosystem present credentials, so the GLEIF Reporting API can show what vLEI are; issued to legal-entity.

salt

random data fed as an additional input to a one-way function that hashes data.

Source: Dr. S. Smith

salter

A primitive that represents a seed. It has the ability to generate new signers.

Source by Jason Colburne

salty-nonce-blinding-factor

For ease of sharing a secret and hiding information with this secret of Blindable State TELs we use a Salty Nonce Blinding Factor. You’d like to hide the state of certain credentials to some verifiers in the future, while keeping the state verifiable for others.

schema-namespace-registry

a centrally managed schema-registry where corporations or individuals reserve schemas within a specific namespace in order to have an interoperable schema that is labeled with a corporation-specific or individual-specific namespace.

schema-registry

Central registry for credential schemas based on namespaces.

schema

the said of a JSON schema that is used to issue and verify an ACDC.

Source: Dr. S.Smith

seal

a seal is a cryptographic commitment in the form of a cryptographic digest or hash tree root (Merkle root) that anchors arbitrary data or a tree of hashes of arbitrary data to a particular event in the key event sequence.

Source: Dr. S. Smith

secondary-root-of-trust

In KERI its a root-of-trust that, for its secure attribution, depends on another verifiable data structure (VDS) which MUST be a primary-root-of-trust.

By its nature and cryptographic anchoring via seal to a primary root-of-trust, a secondary root-of-trust still has a high level of trustability and can be automatically verified.

secure-asset-transfer-protocol

An IETF protocol (and working group) in the making (as of mid 2022) for moving assets between blockchains.

secure-attribution

Secure attribution is strongly related to making and proving statements. A controller makes statements to the a validator or verifier, who in turn validates the statements issued. A controller “owns” the statement: content and attribution via digital signatures. Secure attribution is “whodunit?!” in cyberspace.

https://www.usenix.org/system/files/sec22-cohen.pdf

secure-private-authentic-confidentiality

ToIP Trust Spanning Layer Group realized we do have a secure authentication layer (KERI) but we don’t have a secure confidentiality and privacy mechanism. Sam Smith proposes SPAC paper to define this.

secure

security

security-cost-performance-architecture-trade-off

The degree of protection offered by a key management infrastructure usually forces a trade-off between security, cost, and performance.

Typically, key generation happens relatively infrequently compared to event signing. But highly secure key generation may not support highly performant signing. This creates an architecture trade-off problem.

Paraphrased from source Universal Identifier Theory by Samuel Smith

security-overlay-properties-trillema

An identifier system has some degree of any combination of the three properties authenticity, privacy and confidentiality, but not all three completely.

security

‘secure’ is free from or not exposed to danger or harm; safe. For identifiers security typically means secure from exploit or compromise. More specifically an identifier is secure with respect to an entity if there is a mechanism by which that entity may prove it has controller over the identifier.

seed

In cryptography a ‘seed’ is a pseudorandomly generated number, often expressed in representation of a series of words.

Paraphrased from wikipedia

selective-disclosure

a disclosure of an ACDC that selectively discloses its attributes using Compact Disclosure. The set of selectively disclosable attributes is provided as an array of blinded blocks where each attribute in the set has its own dedicated blinded block. Unlike Partial Disclosure, the selectively disclosed fields are not correlatable to the so far undisclosed but selectively disclosable fields in the same encompassing block.

Source: Dr. S. Smith

self-addressed-data

a representation of data content from which a SAID is derived. The SAID is both cryptographically bound to (content-addressable) and encapsulated by (self-referential) its SAD said.

Source: Dr. S.Smith

self-addressing-data

an identifier that is content-addressable and self-referential. A SAID is uniquely and cryptographically bound to a serialization of data that includes the SAID as a component in that serialization said.

Source: Dr. S. Smith

self-addressing-identifier

any identifier that is deterministically generated out of the content, or a digest of the content.

Source: Dr. S. Smtih

self-certifying-identifier

self-authenticating

self-certifying-identifier

a type of Cryptonym that is uniquely cryptographically derived from the public key of an asymmetric signing keypair (public, private).

Source: Dr. S. Smith

self-framing

a textual or binary encoding that begins with type, size, and value so that a parser knows how many characters (when textual) or bytes (when binary) to extract from the stream for a given element without parsing the rest of the characters or bytes in the element is Self-Framing.

self-sovereign-identity

Self-Sovereign Identity (SSI) is a term that has many different interpretations, and that we use to refer to concepts/ideas, architectures, processes and technologies that aim to support (autonomous) parties as they negotiate and execute electronic transactions with one another.

Paraphrased by @henkvancann, sources eSSIF-lab and ToIP.

self-sovereignty

Self sovereignty in Trust over IP wiki.

semver

Semantic Versioning Specification 2.0. See also (https://semver.org/)[https://semver.org/].

Source: Dr. S.Smith

server-sent-event

Mailbox notifications; a streaming service for the agent U/I, to get notifications from the KERI system itself.

service-endpoint

In our context we consider a web service endpoint which is a uniform-resource-locator at which clients of specific service can get access to the service.

siger

indexed-signature

signed-digest

commitment to content, by digitally signing a digest of this content.

signer

A primitive that represents a private key. It has the ability to create Sigers and Cigars (signatures).

Source by Jason Colburne

signify-keria-request-authentication-protocol

SKRAP is a client to the KERIA server. Mobile clients will be using SKRAP to connect to KERI AIDs via agents in the new, multi-tenant Mark II Agent server, keria.

signify

Signify is a web client key-event signing - and key pair creation app that minimizes the use of KERI on the client.

signing-authority

The authority to sign on behalf of the controller of the authoritative key pair. Often in situation where delegation has taken place, e.g. a custodial agent. These are limited rights because rotation-authority is not included.

signing-threshold

Is the minimum number of valid signatures to satisfy the requirement for successful verification in a threshold-signature-scheme.

simple-keri-for-web-auth

A KERI implementation that sacrifices performance or other non-security feature for usability. In general a narrow application of KERI may not require all the features of KERI but those features that it does support must still be secure.

single-signature-identifier

or single sig identifier; is an identifier controlled by a one-of-one signing key-pair

sniffable

A stream is sniffable as soon as it starts with a group code or field map; in fact this is how our parser (parside) works. and detects if the CESR stream contains a certain datablock.

The datablock of CESR binary, CESR Text, JSON, CBOR, MGPK have an Object code or the Group code (binary or text) and it’s always a recognizable and unique three bit combination.

sniffer

The sniffer is part of parside and detects if the CESR stream contains CESR binary, CESR Text, JSON, CBOR, MGPK.

solicited-issuance

The issuance of a Legal Entity vLEI Credentials, OOR vLEI Credentials and ECR vLEI Credentials upon receipt by the QAR of a Fully Signed issuance request from the AVR(s) of the legal-entity.

Source: Draft vLEI Ecosystem Governance Framework Glossary.

source-of-truth

The source of truth is a trusted data source that gives a complete picture of the data object as a whole.

Source: LinkedIN.

spanning-layer

An all encompassing layer horizontal layer in a software architecture. Each trust layer only spans platform specific applications. It bifurcates the internet trust map into domain silos (e.g. twitter.com), because there is no spanning trust layer.

spurn

To reject. In KERI, “spurn” refers to a cryptographic or protocol-based act of rejecting an invalid or untrusted event. This rejection is deliberate and purposeful, ensuring the system’s integrity by disregarding information that does not meet the necessary validation criteria. The verb ‘spurn’ is first used in the IPEX specification.

ssi-system

The SSI Infrastructure consists of the technological components that are deployed all over the world for the purpose of providing, requesting and obtaining data for the purpose of negotiating and/or executing electronic transactions.

Paraphrased by @henkvancann based on source eSSIF-lab

stable

Refers to the state of cryptographic verifiability across a network or system. It generally implies that a particular identifier, event, or data set is consistent, fully verified, and cannot be contested within KERI.

stale-event

A stale key event is an outdated or irrelevant (key) event involving an stale-key that may compromise security.

stale-key

A stale key is an outdated or expired encryption key that should no longer be used for securing data

stream

a CESR Stream is any set of concatenated Primitives, concatenated groups of Primitives, or hierarchically composed groups of primitives.

Source: Dr. S. Smith

streamer

A convenience class for supporting stream parsing, including nested (tunneled, encrypted) CESR streams. Streams can be a mixture/combination of different primitive, including other streams. A stream is a concatenation of primitives.

Source: Kent Bull in chat Zoom meeting KERI Aug 6, 2024.

strip-parameter

tells us what part of the CESR stream will be parsed by which code.

sub-shell

A subshell is basically a new shell just to run a desired program. A subshell can access the global variables set by the ‘parent shell’ but not the local variables. Any changes made by a subshell to a global variable is not passed to the parent shell.

supermajority

Sufficient majority that is labeled immune from certain kinds of attacks or faults.

targeted-acdc

an ACDC with the presence of the Issuee field in the attribute or attribute aggregate sections.

Source: Dr. S.Smith

untargeted-acdc

tcp-endpoint

This is a service-endpoint of the web transmission-control-protocol

text-binary-concatenation-composability

An encoding has composability when any set of self-framing concatenated primitives expressed in either the text domain or binary domain may be converted as a group to the other domain and back again without loss.

tholder

t-holder object that supports fractionally-weighted signing-threshold

threshold-of-accountable-duplicity

The threshold of accountable duplicity (TOAD) is a threshold number M that the controller declares to accept accountability for an event when any subset M of the N witnesses confirm that event. The threshold M indicates the minimum number of confirming witnesses the controller deems sufficient given some number F of potentially faulty witnesses, given that M >= N - F. This enables a controller to provide itself with any degree of protection it deems necessary given this accountability.

threshold-signature-scheme

or TSS; is a type of digital signature protocol used by Mutli-party Computation (MPC) wallets to authorize transactions or key state changes.

Source Cryptoapis

threshold-structure-security

A threshold structure for security allows for weaker key management or execution environment infrastructure individually, but achieve greater overall security by multiplying the number of attack surfaces that an attacker must overcome to compromise a system.

top-level-section

The fields of an ACDC in compact-variant. The value of a top level section field is either the SAD or the SAID of the SAD of the associated section.

An Issuer commitment via a signature to any variant of ACDC (compact, full, etc) makes a cryptographic commitment to the top-level section fields shared by all variants of that ACDC.

Paraphrased by @henkvancann based on source.

trans-contextual-value

Value that is transferrable between contexts. How do we recapture the value in our data? 1- Leverage cooperative network effects 2- Retake control of our data.

Source Samuel Smith

transaction-event-log

The set of transactions that determine registry state form a log called a Transaction Event Log (TEL). The TEL provides a cryptographic proof of registry state by reference to the corresponding controlling key-event-log. Any validator may therefore cryptographically verify the authoritative of the registry.

transfer-off-ledger

The act of transferring control authority over an identifier from a ledger (or blockchain) to the native verifiable KERI data structure Key Event Log.

transferable-identifier

Control over the identifier transferable by rotation.

A synonym is ‘persistent identifier’.

transferable

Capable of being transferred or conveyed from one place or person to another. Place can be its and bits.

The adjective transferable also means ‘Negotiable’, as a note, bill of exchange, or other evidence of property, that may be conveyed from one person to another by indorsement or other writing; capable of being transferred with no loss of value. As opposed to non-transferable.

transmission-control-protocol

One of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP).

tritet

3 bits. See Performant resynchronization with unique start bits.

Source: Dr. S. Smith

trust-domain

A trust domain is the ecosystem of interactions that rely on a trust basis. A trust basis binds controllers, identifiers, and key-pairs. For example the Facebook ecosystem of social interactions is a trust domain that relies on Facebook’s identity system of usernames and passwords as its trust basis.

(Source whitepaper)

trust-spanning-protocol

Protocol using verifiable-identifiers that signs every single message on the internet and makes them verifiable.

trusted-execution-environment

Protected hardware/software/firmware security system. The controller may protect its key generation, key storage, and event signing infrastructure by running it inside a trusted execution environment (TEE).

trusted-platform-module

A device that enhances the security and privacy (of identity systems) by providing hardware-based cryptographic functions.

# Functions

A TPM can generate, store, and protect encryption keys and authentication credentials that are used to verify the identity of a user or a device.

A TPM can also measure and attest the integrity of the software and firmware that are running on a system, to ensure that they have not been tampered with or compromised.

# Form

A TPM can be implemented as a physical chip, a firmware module, or a virtual device.

Source: Bing chat sept 2023

ts-node

npm package that lets you run typescript from a shell

uniform-resource-locator

A Uniform Resource Locator (URL), colloquially termed a web address, is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it.

univalent

In identifier systems, univalent means having a unique and non-ambiguous identifier for each entity or resource. This means that there is a one-to-one correspondence between the identifiers and the entities, and that no two different entities share the same identifier.

Source: Bing chat, Sept 2023

unpermissioned-correlation

a correlation established between two or more disclosed ACDCs whereby the discloser of the ACDCs does not permit the disclosee to establish such a correlation.

Source: Dr. S. Smith

unsolicited-issuance

Issuance of a Legal Entity vLEI Credential upon notice by a QAR to the AVR(s) of the Legal Entity that a Legal Entity vLEI Credential has been solicited on the legal-entity’s behalf.

Source: Draft vLEI Ecosystem Governance Framework Glossary.

untargeted-acdc

an ACDC without the presence of the Issuee field in the attribute or attribute aggregate sections.

Source: Dr. S. Smith

targeted-acdc

user-interface

A user interface (UI or U/I) is the space where interactions between humans and machines occur.

verifiable-legal-entity-identifier

vLEI

validate

ESSIF-lab definition of validate. Although this definition is very general, in the KERI/ACDC vocabulary, ‘validate’ currently has extra diverse meanings extending the one of eSSIF-lab, such as

evaluate

verify

validator

any entity or agent that evaluates whether or not a given signed statement as attributed to an identifier is valid at the time of its issuance.

Source: Dr. S. Smith

variable-length

a type of count code allowing for vaiable size signatures or attachments which can be parsed to get the full size.

Source: Dr. S. Smith

vcp

vcp = vdr incept, verifiable data registry inception

vdr

verifiable-data-registry

veracity

The quality of being true; contrast authenticity. When a newspaper publishes a story about an event, every faithful reproduction of that story may be authentic — but that does not mean the story was true (has veracity).

verfer

A primitive that represents a public key. It has the ability to verify signatures on data.

Source by Jason Colburne

verifiable-credential

Verifiable credentials (VCs) are an open standard for digital credentials. They can represent information found in physical credentials, such as a passport or license, as well as new things that have no physical equivalent, such as ownership of a bank account.

verifiable-data-registry

A role a system might perform by mediating issuance and verification of ACDCs. See verifiable data registry.

Source: Dr. S. Smith

#Sources-Definition-ChatGPT

verifiable-data-structure

A verifiable data structure is a data structure that incorporates cryptographic techniques to ensure the integrity and authenticity of its contents. It allows users to verify the correctness of the data stored within the structure without relying on a trusted third party.

verifiable-identifier

Cryptographically verifiable authentic decentralized identifier (verfiable DID)

verifiable-legal-entity-identifier

Verifiable credentials are issued by authorized validation agents (QVI) under the governance of GLEIF, who delegate tasks to these agents. They provide cryptographic proof that the information about a legal entity, as linked to its Legal Entity Identifier (LEI), is verifiably authentic, accurate, and up-to-date.

verifiable

a condition of a KEL: being internally consistent with the integrity of its backward and forward chaining digest and authenticity of its non-repudiable signatures.

Source: Dr. S. Smith

Explanation

Able to cryptographically verify a certain data structure on its inconsistency and its authenticity

verification

An action an agent (of a principal) performs to determine the authenticity of a claim or other digital object using a cryptographic key.

Source: ToIP glossary, Jan 2024.

verified-integrity

A mechanism that can unambiguously assess whether the information is/continues to be whole, sound and unimpaired

verifier

any entity or agent that cryptographically verifies the signature(s) and digests on an event Message.

Source Dr. S. Smith

verify-signature

Applying an algorithm that, given the message, public key and signature, either accepts or rejects the message’s claim to authenticity.

verify

The act, by or on behalf of a party, of determining whether that data is authenticity (i.e. originates from the party that authored it), timely (i.e. has not expired), and conforms to other specifications that apply to its structure.

Source eSSIF-lab in eSSIF-lab glossary

version-code

tells you which set of tables to load, it tells the table state. It’s a unique code. what version of the table is going to load.

version-string

the first field in any top-level KERI field map in which it appears.

version

an instance of a KEL for an AID in which at least one event is unique between two instances of the kel.

Source: Dr. S. Smith

virtual-credential-transaction-event-log

will track the issued or revoked state of each virtual credential (VC) and will contain a reference to its corresponding management transaction event log (management TEL).

virtual-credential

Digital representations of claims or identity attributes, often used in online environments.

vlei-credential

Credential concerning a verifiable Legal Entity Identifier, residing in the GLEIS and compliant with one or more of the GLEIF governance-frameworks

vlei-ecosystem-governance-framework

The Verifiable LEI (vLEI) Ecosystem governance-framework Information Trust Policies. It’s a document that defines the information security, privacy, availability, confidentiality and processing integrity policies that apply to all vLEI Ecosystem Members.

Paraphrased by @henkvancann from source Draft vLEI Ecosystem Governance Framework Glossary.

vlei-role-credential

It is a vlei-credential that attests to a role within a legal entity to an individual or an entity. It cryptographically proves that the individual or entity is authorized to act in that role on behalf of the legal entity.

vrt

vrt = vdr rotate, verifiable data registry rotation

wallet

A crypto wallet is a device, physical medium, program or a service which stores the public and/or private keys for cryptocurrency transactions and digital identifiers.

Paraphrased by @henkvancann from source Wikipedia

watcher

an entity or component that keeps a copy of a kerl for an identifier but that is not designated by the controller of the identifier as one of its witnesses. See annex watcher.

Source: Dr. S.Smith

web-of-trust

In cryptography, a web of trust is a concept used in PGP, gnu-privacy-guard, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner.

weight-of-weights

There are 2 levels in the multi-sign weighted thresholds of multisig in KERI because the solution only needs to focus on tightly cooperating teams.

An individual using split keys over devices

A team of teams

All other use cases can be solved by other means in KERI (e.g. delegation).

weight

an optional field map in the Edge section that provides edge weight property that enables directed weighted edges and operators that use weights.

Source: Dr. S.Smith

well-known-witnesses

Witness identifier creation by using salts to initialize their key stores so that you can predict what identifiers will be created. For testing purposes only!

witness

a witness is an entity or component designated (trusted) by the controller of an identifier. The primary role of a witness is to verify, sign, and keep events associated with an identifier. A witness is the controller of its own self-referential identifier which may or may not be the same as the identifier to which it is a witness. See also keri’s-algorithm-for-witness-agreement.

Source: Dr. S. Smith

xip

A XIP message allows a transaction set to be a mini peer to peer exchange to become a verifiable data structure. It makes the transaction become duplicity evident.

Source KERI meeting 2024-03-12

zero-trust-computing

A security model centered on the principle of “never trust, always verify.” It assumes that threats can exist inside and outside the network, and thus, no entity — a device, user, or system — is inherently trusted. This approach requires continuous verification of all users and devices attempting to access network resources.

zero-trust

a Zero Trust approach trusts no one.

# Demo of example markup in Spec-Up-T and Markdown

# Blockquote

To be, or not to be, that is the question: Whether 'tis nobler in the mind to suffer The slings and arrows of outrageous fortune, Or to take arms against a sea of troubles And by opposing end them. To die—to sleep, No more;

# Notices

::: note Basic Note
  Check this out.
:::

Check this out.

Here’s another.

And one more!