KERI, an open protocol for identifiers
Published in Dutch on Tweakers
Authentication is the big problem on the Internet. There is no portable authentication layer in the Internet protocol, like phone number portability between phone providers. This has been a problem since the beginning: how do you prove that a user or other entity is who they say they are? Authentication is also the basis for the term SSI or self sovereign identity, popular in policy documents today. How can you control your own online identity? And at least as important: how can you ensure that others do not abuse it?
Since another term became popular, namely the word “blockchain,” many were looking at the possibilities that these more or less decentralized systems could offer. It seemed an ideal component for decentralized orchestration of online identity. Yet there are drawbacks to this, perhaps the biggest of which is platform dependency which means the identifier isn’t portable and sovereign.
This had to change, thought Sam Smith, creator of KERI or Key Event Receipt Infrastructure. After first enthusiastically collaborating on a large identity project based on a blockchain, he discovered that you do not need a blockchain or other shared database for an online identity or online identifiers. Basically all you need is a secret key that underlies your entire online identity, or: a public private key infrastructure resulting in a self-certifing identifier or SCID.
Smith explains in a few words the problem his system solves: “The Internet has an authentication problem and KERI solves that. There is no authentication layer in the Internet protocol so additional systems are needed to provide authentication. That’s needed for things like making payments, registering somewhere or the domain name system DNS. To know if a domain is really what it says it is, we use certificates but those have fundamental flaws. What you need is a trust layer that can trust all the applications on top of it. That requires a protocol that is not tied to any given trusted entity, trusted platform or trusted infrastructure. It must be zero-trust.”
Before we go deeper into KERI and how it works, it’s good to briefly review the basics of KERI and so much else on the Internet, namely the use of public and secret keys and the application of hashing techniques.
Public key infrastructure PKI
The basis of KERI is to manage a secret key. From that key, all kinds of other keys can be generated. That always seemed like an impossible task for “ordinary” people, so all kinds of systems were devised to circumvent that. However, since the advent of bitcoin and the whole crypto currency boom, people have become increasingly used to dealing with secret keys. More and more systems have also been devised to practically deal with them. According to Smith, this means that most people should be able to manage a secret key themselves without problems in order to manage their own key event log file or KEL, the basis of KERI. A KEL keeps track of changes of secret and derived keys and produces a verifiable data strcuture. In addition, key rotation also solves the problem of your secret key becoming known for any reason.
That all sounds complicated to the outsider. Smith refutes that. “In fact, it’s relatively simple,” he says. “Simple enough to go all the way to the basics of the system and not even have to dive into very complex stuff. A little basic knowledge of cryptography, software, algorithms and consensus mechanisms is enough.”
In essence, this amounts to relatively old technology: hashes and digital signatures.
I speak to Smith about his work via Google Meet on Ascension Day 2022. Nine o’clock in the evening here, one o’clock in the afternoon there. “How much time do we have?” he asks. “Somewhere between half an hour and three-quarters of an hour,” I say. It turned into well over an hour. It’s fascinating stuff, and the little game of signing each other’s public keys all the time and thereby proving that you are who you are can be carried on endlessly. There are also an awful lot of interesting side paths to discuss that are of interest. Like how to make it easier to manage secret keys in the future. But also how you can effortlessly give others within a company or institution responsibility over specific matters with just a digital signature from someone who has the right to make such a decision. Or, of course, simply proving that you are indeed eighteen years of age or older when buying alcohol without giving away anything other than the assurance to the retailer that you are indeed over eighteen, and nothing else.
What preceded the conception of KERI?
“In late 2014, I had some colleagues who were part of a startup that wanted to build a reputation system based on decentralized technology. It was called The World Table and they believed that the internet was broken from the point of view of social networks and people commenting on websites. Trolls were a big problem and they saw an opportunity to use decentralized technology to fix those problems.”
“My colleagues thought they needed artificial intelligence for their project. One thing led to another and they asked me to look into it. I had done some pioneering work in reinforcement learning back in the 1990s, where an artificial intelligence learns from its own experiences, among other things at a university in Florida. It seemed very interesting and I left the company I was working for and joined the startup.”
“Soon I found out that for an online reputation system you need a decentralized identity system. I wrote a number of whitepapers , but before we could get started, we ran out of money. In those white papers I did describe the idea of self-certifying identifiers and that idea stuck.”
“Not much later I got in touch with Evernym, an identity space company and they had just made the move to decentralized identity. They came across my white paper and they hired me. I wrote a white paper Identity Systems Essentials which was the basic design that later became Sovrin. Evernym did an initial coin offering or ICO and started the open source organization Sovrin.”
“The idea of Sovrin is that you can build an interoperable identity system with a public blockchain or public ledger. Only then everyone has to use the same ledger and that’s the big stumbling block: you get ledger wars from it.”
Briefly, he explains that it is certainly possible to connect different blockchains and the like via bridges, rollups, atomic swaps and other systems, but in his view that is stitching things together. A blockchain is very good for tracking and performing transactions and ordering them globally over time. This helps to prevent that something can be spent twice, the well-known double spending problem, but this ordering is not necessary for an identifier, because it refers to an identity. Smith went in search of a solution that did not require a blockchain or other shared database.
“In our idea, you manage secret keys that control an identity, or more precisely, an identifier. That led us to design a protocol and not a platform. We named that protocol KERI. One of the main requirements for the protocol was that it had to be able to work anywhere on the Internet. It also had to be namespace agnostic and ledger agnostic. The whole thing had to provide a verifiable data structure that is also portable. In other words, it doesn’t matter where you host the file and yet anyone can verify the public keys and key state. So you get a truly decentralized identifier system, without shared management. The essential property we call “end-verifiability” means that the key state can be verified by anyone, anywhere, and any time. This is the ultimate most granular form of zero-trust.”
How does KERI actually work?
In essence, KERI is a type of decentralized public key infrastructure or PKI. The owner of a public key or identifier can prove that he is in possession of the corresponding secret key where the key event logs or KELs are the basis of the system. In this way, someone can prove ownership of a self-certifying identifier or SCID. A SCID is an identifier that can be proven using cryptography to be the only identifier linked to a specific public key, without the need for a blockchain or other database structure.
When modifying keys, someone can prove control over the new public keys without having to rely on anyone else. Anyone can keep their own key event log, but others can also keep and sign it. Such a witness is an additional facility to prove cheating if someone cheats.
To avoid problems around exposure of secret keys, such as through theft, carelessness, brute force attacks and the like, pre-rotation, or a way to protect the next secret key, is used. New keys can be generated in the private wallet for future use.
A KERI identifier can have multiple types of events added to it via its log, the KEL, that involves different PKIs . Nevertheless, at any given time only one secret key is active as controller of the KEL. That being active of only one secret key, can be done by pre-rotation. Such a thing would not be possible on a blockchain system, since that would involve a transaction.
In pre-rotation, a controller digitally signs the next public key and adds that proof of signing to the key event log. That way, in the future, it is only possible to use exactly that announced key and no other. This key is not in the log as a public key, but as a hash, so that future public keys are not readable before they are used.
Example : Is the secret key of public key A compromised? Get the next public key B from your wallet and that way you use the next secret key for signing future documents. Future secret keys don’t have to be in the same place as the active device you’re currently using, or as Smith puts it, you can store all that in a safe in a mountain with an army of navy seals out front.
Because KERI identifiers and event logs are self-certifying, they can use any system as a witness, as long as the system in question can store and return data. So other key event logs, but also blockchains, traditional databases, file systems, etc. In this way, key event logs form signed hashed data structures that provide a verifiable key state.
Because everything relies on cryptographic links, KERI identifiers can be linked together in such a way that it is always provable who or what has ever verified an identifier or what permissions have been granted to an identifier. In this way, a government can be a reliable source for verifying an identity and a company can identify a person as authorized to sign. Or, conversely, revoke that authority. In this way it is possible to create an entire hierarchy of identifiers.
This works with the functions that KERI adds to identifiers, namely: inception, pre-rotation, rotation, delegation, and revocation. In addition, there are numerous derived and ancillary functions. Think of functions such as signing, committing (of data) that remain verifiable up to the source of the trust: the public-secret key pairs that the controller generated in his vault in his mountain, without having to trust intermediate parties.
So how does that work with, say, something like a personal identity, how do I prove it?
“Very simply, you create a verifiable link between a natural person and a cryptonymous identifier.”
And what does such a cryptonoumos identifier mean?
“Which is derived from your public-secret key pair in the beginning, but that identifier remains. So, you can rotate your keys, but you keep the same identifier. The key event log says, ‘here are the keys that control the identifier and no one else can create them.’ Then a reputable entity, the government for example, says, ‘I’m going to challenge you, natural person, to prove to me that you are the custodian of this identifier’. You can prove that by signing something with the secret key. I can verify that your signature can only come from the secret key if I have your public key, which proves that you have control over it. Then I, the government agency, will issue a certificate that says, “this is signed by the government’s crypto-anonymous identifier that is universally published so that everyone can verify that it is correct. Because the public identifier that you, the natural person with this name and personally identifiable information, is the controller of this crypto-anonymous identifier, this person is the controller of the secret keys.”
“We prefer to call it ‘autonomic identifier’ rather than crypto-anonymous, because that’s a bit easier to pronounce and better conveys the idea of self-governance. Self-governing because it is controlled by the custodian of the secret keys, not another entity. Yet for the purpose of determining the identity of you as a natural person, the reputable entity has made the connection with your identifier. This allows us to say, ‘okay, officially this identifier belongs to you, natural person’. So with that certificate, if you’re willing to show it, you can prove who you are. Or you can apply it in a privacy-protecting way in that you can prove through cryptographic links that you are, for example, old enough to buy liquor, but without having to give up anything about yourself. GLEIF does this not for natural persons, but for companies and institutions. And that makes pretty good sense: they sign a lot all day long.”
“Many people who know a lot about blockchains say: it can’t be done! Now my challenge is to explain that it can. So in the meantime, that’s gotten through to GLEIF , the Global Legal Entity Identifier Foundation, sort of the W3C for identifiers.”
How can I practically shape all that as an end user? What do I need?
“You need a device that can do cryptography, so something like a cell phone or other device with similar capabilities. In those devices there’s a secure enclave or something, that’s not such a problem.”
And what if I lose the lot? Backup?
“You need a backup of the secret keys, but that’s not a problem these days. A password manager, a hard copy backup, or mechanisms to share secrets. Since the advent of Bitcoin and many wallets, the options around backups have gotten better and better. But the importance of KERI is to be a good protocol, not to build a good user interface. That’s what others do.”
And what about people who can’t or no longer operate these kinds of systems themselves?
“Now that’s the beauty of delegation: if you build delegation into identity systems, then you can prove that someone is a guardian; the whole chain is verifiable.”
“But it’s interesting, you’re talking about usability now. That’s something that does get solved. The problem is: if you sacrifice security for usability, you lose trust.”
The latter, trust, is one of the Internet’s biggest problems, according to Smith: trust cannot be moved over the Internet.
“Web 3.0 is intended to increase trust,” he continues. “But right now, that’s the last thing it does. Everyone thinks it has to be based on blockchains, but that’s not true. It doesn’t have to be based on a shared ledger; instead, it has to be based on a verifiable data structure. One type of verifiable data structure is a blockchain, but I also have one: a verifiable data tree, not just a chain. So in my view, a verifiable data tree is the solution, not a shared blockchain.”
“Why is blockchain not the solution? Because you have to deal with shared governance (governance), and the latter is always a weak point. It makes for high costs and low throughput. Look at Ethereum, right now the transaction costs are bizarre! Now they’re all doing arts and crafts there to get those down with rollups. And then all these complicated systems are being implemented to protect privacy. Just try to manage zero knowledge proofs…”
The latter also has a lot to do with legal issues, such as when buying products and problems with them. Smith explains that such issues call for receipts, for a receipt. “It’s not called key event receipt infrastructure for nothing,” he says. “The basic idea is that agreements are made with receipts that are verifiable. That way, both parties have a legal recourse.”
So it all comes across as quite complex….
“Yet self sovereign identity is relatively simple. The problem is that it comes across as complex. People hear the word ‘blockchain’ and they shut down because they think it’s a big black box. With KERI, I just explained everything down to the fundamentals. Those fundamentals require a little bit of knowledge about cryptography and a little bit about software and a little bit about consensus algorithms, but it’s not remotely as complex as most blockchain systems that are supposed to provide SSI.”
And the privacy issue?
Authenticity is Smith’s number one most important component. Confidentiality follows immediately and privacy is the least important of the three in his eyes. He calls this PAC: Privacy, Authenticity and Confidentiality. You can have two of the three at a high level. According to Smith, privacy is always the weak point. It’s always difficult to keep protecting that. If you want to jump through too many hoops to do that, you make it impossible. “To protect my privacy now, that’s not that hard. To protect that information in ten years’ time is very difficult. That’s why I structurally choose strong authenticity and slightly less strong privacy protection. When I deal with people, I already lose a bit of privacy. So if I want to protect that forever, I have to go sit on an island, alone. What matters is that I don’t want to be abused by third parties. If I engage with a party, I don’t want a third party to be able to misuse my data. I share information with a party in order to do an activity together, for that party to do that, they need to know certain things about me. I have to be able to trust them and they have to trust me, very specifically for the transaction we are entering into. Now that relationship is structurally abused by third parties. Parties who don’t need to know anything about our relationship. Confidentiality is good enough to prevent third party exploitation.
The point is to be used, not to use the latest, coolest technique that is also very difficult to implement properly. That’s the principle of KERI: solve a problem in the real world with the minimum techniques needed. The dumber the technology, but still sufficient to solve the problem, the better. ‘Dumb technology’ is freely available, understandable to everyone and easy to implement. In our case: just hashes and digital signature.
With many thanks to Henk van Cann for his expertise and invaluable help in writing this article.