Dictionary SSI
(risk) control
digital.govt.nz
(noun) measure that maintains and / or modifies risk
[Source: ISO 31073:2022 modified to add note 3]
Additional notes:
Note 1: Risk controls include, but are not limited to, any process, policy, device, practice, or other conditions and / or actions which maintain and / or modify risk.
Note 2: Risk controls do not always exert the intended or assumed modifying effect.
Note 3: When using the Assessing identification risk guidance to calculate levels of identification process, these processes are not included as risk controls.
AAL
ToIP
ABAC
ToIP
ACDC
ToIP
WebOfTrust
ADC
Nist
Term found but the definition does not exist yet.
WebOfTrust
ADR
WebOfTrust
AID
Nist
A globally unique identifier of a card application as defined in ISO/IEC 7816-4.
ToIP
See autonomic identifier.
WebOfTrust
AID controlled identifiers
ToIP (DID:Webs)
Any identifiers, including did:webs DIDs, that have the same AID are by definition referencing the same identity, as defined in the KERI specification.
APC
WebOfTrust
API
Nist
A system access point or library function that has a well-defined syntax and is accessible from application programs or user code to provide well-defined functionality.
WebOfTrust
AVR
WebOfTrust
Action
Actor
Essif-Lab
entity that can act (do things/execute actions), e.g. people, machines, but not organizations.
Advertisement
Essif-Lab
an offer by a specific party to provide a (type of) credential, where the offer includes (a reference to) the syntax and semantics specifications of that credential, and also lists various other characteristics that enable other parties to decide whether or not a credential that the advertising party has issued under this offer is valid to be processed in one or more of its information processes.
Agent
Assertion
Essif-Lab
a declaration/statement, made by a specific party, that something is the case.
Assessment Framework
Attribute
TSWG (ACDC)
a top-level field map within an ACDC that provides a property of an entity that is inherent or assigned to the entity.
Authentic Chained Data Container
ToIP
A digital data structure designed for both cryptographic verification and chaining of data containers. ACDC may be used for digital credentials.
For more information, see: ToIP ACDC Task Force.
TSWG (Keri)
a directed acyclic graph with properties to provide a verifiable chain of proof-of-authorship. See the full specification
Authority (Centralized or Decentralized)
Autonomic Identifier
TSWG (ACDC)
a self-managing cryptonymous identifier that must be self-certifying (self-authenticating) and must be encoded in CESR as a qualified Cryptographic Primitive.
Autonomic Identifier (AID)
TSWG (CESR)
a self-managing cryptonymous identifier that must be self-certifying (self-authenticating) and must be encoded in CESR as a qualified Cryptographic Primitive.
Autonomic identifier
TSWG (Keri)
a self-managing cryptonymous identifier that must be self-certifying (self-authenticating) and must be encoded in CESR as a qualified Cryptographic primitive.
Autonomic identity system
TSWG (Keri)
an identity system that includes a primary root-of-trust in self-certifying identifiers that are strongly bound at issuance to a cryptographic signing (public, private) key pair. An AIS enables any entity to establish control over an AN in an independent, interoperable, and portable way.
Autonomic namespace
TSWG (Keri)
a namespace that is self-certifying and hence self-administrating. An AN has a self-certifying prefix that provides cryptographic verification of root control authority over its namespace. All derived AIDs in the same AN share the same root-of-trust, source-of-truth, and locus-of-control (RSL). The governance of the namespace is therefore unified into one entity, that is, the controller who is/holds the root authority over the namespace.
BADA
WebOfTrust
BADA-RUN
ToIP (DID:Webs)
Best available data acceptance - Read/Update/Nullify provides a medium level of security because events are ordered in a consistent way, using a combination of date-time and a key state. The latest event is the one with the latest date-time for the latest key state. See The KERI spec for more detail.
BFT
Nist
Term found but the definition does not exist yet.
WebOfTrust
BOLA
WebOfTrust
Backer
TSWG (Keri)
an alternative to a traditional KERI based Witness commonly using Distributed Ledger Technology (DLT) to store the KEL for an identifier.
C2PA
CA
ToIP
See: certificate authority.
CAI
ToIP
CBOR
Nist
Term found but the definition does not exist yet.
WebOfTrust
CESR
WebOfTrust
CLC
WebOfTrust
CRUD
Nist
Term found but the definition does not exist yet.
WebOfTrust
CRUD
Definition
Acronym for the traditional client-server database update policy: Create, Read, Update, Delete.
CRUD stands in contrast to RUN, the acronym for the new peer-to-peer end-verifiable monotonic update policy.
OOBI related
We RUN off the CRUD, which means that because the source of truth for each data item is a decentralized controller Peer, a given database hosted by any Peer does not create records in the traditional sense of a server creating records for a client.
CSPRNG
WebOfTrust
CSPRNG
Definition
means "Cryptographically Secure Pseudorandom Number Generator". A sequence of numbers (bits, bytes, ...) produced by a deterministic algorithm (the sequence is generated from some unknown internal state) is pseudorandom; such a generator may or may not also be cryptographically secure.
It is cryptographically secure if nobody can reliably distinguish the output from true randomness, even if the PRNG algorithm is perfectly known (but not its internal state). A non-cryptographically secure PRNG would fool basic statistical tests but can be distinguished from true randomness by an intelligent attacker.
(Source: https://crypto.stackexchange.com/questions/12436/what-is-the-difference-between-csprng-and-prng)
See also
CT
Nist
A framework for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed in a manner that allows anyone to audit CA activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves. (Experimental RFC 6962)
WebOfTrust
Capability (of a Party)
Essif-Lab
the (named) combination of (a) the means of a specific party to get something done, (b) the party governance process that ensures that its (business) policies for getting that something done are being created and maintained, and (c) the party management process that creates and maintains the (operational) policies, such that every employee that has a task in getting this something done can find and interpret a policy and use it as it executes action in such tasks.
Capability (of an Actor)
Chain-link Confidential Disclosure
TSWG (ACDC)
contractual restrictions and liability imposed on a recipient of a disclosed ACDC that contractually link the obligations to protect the disclosure of the information contained within the ACDC to all subsequent recipients as the information moves downstream. The Chain-link Confidential Disclosure provides a mechanism for protecting against unpermissioned exploitation of the data disclosed via an ACDC.
Coalition for Content Provenance and Authenticity
ToIP
C2PA is a Joint Development Foundation project of the Linux Foundation that addresses the prevalence of misleading information online through the development of technical standards for certifying the source and history (or provenance) of media content.
Also known as: C2PA.
See also: Content Authenticity Initiative.
Colleague
Commitment Decision
Essif-Lab
the decision of that party whether or not to commit to that business transaction, i.e. (promise) to fulfill the obligation that the associated transaction agreement proposal would impose on that party once it were signed.
Communication Channel
Essif-Lab
a (digital or non-digital) means by which two actors can exchange messages with one another.
Communication Session
Essif-Lab
a time interval during which two actors have an established communication channel that does not exist outside of that time interval.
Community
Compact Disclosure
TSWG (ACDC)
a disclosure of an ACDC that discloses only the SAID(s) of some or all of its field maps. Both Partial and Selective Disclosure rely on Compact Disclosure.
Compliance
Essif-Lab
the state of realization of a set of conformance criteria or normative framework of a party.
Compliance Objective
Compliance level
Essif-Lab
a measure for stating how well an entity conforms with a stated (set of) requirement(s).
Compliance management
Essif-Lab
the process that is run by (or on behalf of) a specific party for the purpose of managing its compliance objectives.
Composability
TSWG (CESR)
short for text-binary concatenation composability. An encoding has Composability when any set of Self-Framing concatenated Primitives expressed in either the Text domain or Binary domain may be converted as a group to the other Domain and back again without loss.
Concept
Concise Binary Object Representation
TSWG (Keri)
a binary serialization format, similar in concept to JSON but aiming for greater conciseness. Defined in [RFC7049].
Configuration traits
TSWG (Keri)
a list of specially defined strings representing a configuration of a KEL. See [Configuration traits field](#configuration-traits-field).
Content Authenticity Initiative
ToIP
The Content Authenticity Initiative (CAI) is an association founded in November 2019 by Adobe, the New York Times and Twitter. The CAI promotes an industry standard for provenance metadata defined by the C2PA. The CAI cites curbing disinformation as one motivation for its activities.
Source: Wikipedia.
Also known as: CAI.
Contractually Protected Disclosure
TSWG (ACDC)
a disclosure of an ACDC that leverages a Graduated Disclosure so that contractual protections can be put into place to minimize the leakage of information that can be correlated. A Contractually Protected Disclosure partially or selectively reveals the information contained within the ACDC in the initial interaction with the recipient and discloses further information only after the recipient agrees to the terms established by the discloser. More information may be progressively revealed as the recipient agrees to additional terms.
Control
Essif-Lab
the combination of resources (e.g. people, tools, budgets, time) and processes that are tasked to realize a specific control objective of a particular party.
Control Objective
Control Process
Control level
Essif-Lab
a measure for the efficiency and effectiveness with which a control produces the results specified by its control objective.
Controller
TSWG (ACDC)
an entity that can cryptographically prove the control authority over an AID and make changes on the associated KEL. A controller of a multi-sig AID may consist of multiple controlling entities. See controller.
TSWG (Keri)
an entity that can cryptographically prove the control authority over an AID and make changes on the associated KEL. A controller of a multi-sig AID may consist of multiple controlling entities.
Controllership
Essif-Lab
the capability of an actor to execute action on a specific entity for the purpose of ensuring that this entity will act/behave, or be used, in a particular way.
Corpus of Terminology
Credential
Credential Catalogue
Essif-Lab
a functional component that has the capability to register and advertise the information about credential types that their respective governing parties have decided to disclose, so as to enable other parties to decide whether or not it is beneficial for them to use credentials of such types.
Credential Type
Essif-Lab
the specification of the contents, properties, constraints etc. that credentials of this type must have/comply with.
Cryptographic Primitive
TSWG (CESR)
the serialization of a value associated with a cryptographic operation including but not limited to a digest (hash), a salt, a seed, a private key, a public key, or a signature.
TSWG (Keri)
the serialization of a value associated with a cryptographic operation including but not limited to a digest (hash), a salt, a seed, a private key, a public key, or a signature.
Cryptonym
TSWG (Keri)
a cryptographic pseudonymous identifier represented by a string of characters derived from a random or pseudo-random secret seed or salt via a one-way cryptographic function with a sufficiently high degree of cryptographic strength (e.g., 128 bits, see appendix on cryptographic strength) [13] [14] [12] [11]. A Cryptonym is a type of Primitive. Due to the entropy in its derivation, a Cryptonym is a universally unique identifier and only the Controller of the secret salt or seed from which the Cryptonym is derived may prove control over the Cryptonym. Therefore the derivation function must be associated with the Cryptonym and may be encoded as part of the Cryptonym itself.
Current threshold
TSWG (Keri)
represents the number or fractional weights of signatures from the given set of current keys required to be attached to a Message for the Message to be considered fully signed.
DAG
Nist
Term found but the definition does not exist yet.
WebOfTrust
DAR
Nist
Term found but the definition does not exist yet.
WebOfTrust
DEL
WebOfTrust
DHT
WebOfTrust
DID
Nist
Term found but the definition does not exist yet.
ToIP
See: decentralized identifier.
WebOfTrust
DID URL
ToIP
A DID plus any additional syntactic component that conforms to the definition in section 3.2 of the W3C Decentralized Identifiers (DIDs) 1.0 specification. This includes an optional DID path (with its leading / character), optional DID query (with its leading ? character), and optional DID fragment (with its leading # character).
Source: W3C DID.
W3C (DID)
A DID plus any additional syntactic component that conforms to the definition in 3.2 DID URL Syntax. This includes an optional DID path (with its leading / character), optional DID query (with its leading ? character), and optional DID fragment (with its leading # character).
DID URL dereferencer
W3C (DID)
A software and/or hardware system that performs the DID URL dereferencing function for a given DID URL or DID document.
DID URL dereferencing
W3C (DID)
The process that takes as its input a DID URL and a set of input metadata, and returns a resource. This resource might be a DID document plus additional metadata, a secondary resource contained within the DID document, or a resource entirely external to the DID document. The process uses DID resolution to fetch a DID document indicated by the DID contained within the DID URL. The dereferencing process can then perform additional processing on the DID document to return the dereferenced resource indicated by the DID URL. The inputs and outputs of this process are defined in 7.2 DID URL Dereferencing.
DID controller
ToIP
An entity that has the capability to make changes to a DID document. A DID might have more than one DID controller. The DID controller(s) can be denoted by the optional controller property at the top level of the DID document. Note that a DID controller might be the DID subject.
Source: W3C DID.
See also: controller.
W3C (DID)
An entity that has the capability to make changes to a DID document. A DID might have more than one DID controller. The DID controller(s) can be denoted by the optional controller property at the top level of the DID document. Note that a DID controller might be the DID subject.
DID delegate
W3C (DID)
An entity to whom a DID controller has granted permission to use a verification method associated with a DID via a DID document. For example, a parent who controls a child's DID document might permit the child to use their personal device in order to authenticate. In this case, the child is the DID delegate. The child's personal device would contain the private cryptographic material enabling the child to authenticate using the DID. However, the child might not be permitted to add other personal devices without the parent's permission.
DID document
ToIP
A set of data describing the DID subject, including mechanisms, such as cryptographic public keys, that the DID subject or a DID delegate can use to authenticate itself and prove its association with the DID. A DID document might have one or more different representations as defined in section 6 of the W3C Decentralized Identifiers (DIDs) 1.0 specification.
Source: W3C DID.
ToIP (DID:Webs)
A set of data describing the subject of a DID, as defined by DID Core. See also section DID Documents.
W3C (DID)
A set of data describing the DID subject, including mechanisms, such as cryptographic public keys, that the DID subject or a DID delegate can use to authenticate itself and prove its association with the DID. A DID document might have one or more different representations as defined in 6. Representations or in the W3C DID Specification Registries [DID-SPEC-REGISTRIES].
DID document metadata
ToIP (DID:Webs)
DID document metadata is metadata about the DID and the DID document that is the result of the DID Resolution process. See also DID Document Metadata in the DID Core specification.
DID fragment
W3C (DID)
The portion of a DID URL that follows the first hash sign character (#). DID fragment syntax is identical to URI fragment syntax.
DID method
ToIP
A definition of how a specific DID method scheme is implemented. A DID method is defined by a DID method specification, which specifies the precise operations by which DIDs and DID documents are created, resolved, updated, and deactivated.
Source: W3C DID.
For more information: https://www.w3.org/TR/did-core/#methods
W3C (DID)
A definition of how a specific DID method scheme is implemented. A DID method is defined by a DID method specification, which specifies the precise operations by which DIDs and DID documents are created, resolved, updated, and deactivated. See 8. Methods.
DID path
W3C (DID)
The portion of a DID URL that begins with and includes the first forward slash (/) character and ends with either a question mark (?) character, a fragment hash sign (#) character, or the end of the DID URL. DID path syntax is identical to URI path syntax. See Path.
DID query
W3C (DID)
The portion of a DID URL that follows and includes the first question mark character (?). DID query syntax is identical to URI query syntax. See Query.
DID resolution
W3C (DID)
The process that takes as its input a DID and a set of resolution options and returns a DID document in a conforming representation plus additional metadata. This process relies on the "Read" operation of the applicable DID method. The inputs and outputs of this process are defined in 7.1 DID Resolution.
DID resolution metadata
ToIP (DID:Webs)
DID resolution metadata is metadata about the DID Resolution process that was performed in order to obtain the DID document for a given DID. See also DID Resolution Metadata in the DID Core specification.
DID resolver
W3C (DID)
A DID resolver is a software and/or hardware component that performs the DID resolution function by taking a DID as input and producing a conforming DID document as output.
DID scheme
W3C (DID)
The formal syntax of a decentralized identifier. The generic DID scheme begins with the prefix did: as defined in 3.1 DID Syntax. Each DID method specification defines a specific DID method scheme that works with that specific DID method. In a specific DID method scheme, the DID method name follows the first colon and terminates with the second colon, e.g., did:example:
DID subject
ToIP
The entity identified by a DID and described by a DID document. Anything can be a DID subject: person, group, organization, physical thing, digital thing, logical thing, etc.
Source: W3C DID.
See also: subject.
W3C (DID)
The entity identified by a DID and described by a DID document. Anything can be a DID subject: person, group, organization, physical thing, digital thing, logical thing, etc.
DKMI
WebOfTrust
DPKI
WebOfTrust
DRM
ToIP
DWN
ToIP
See: Decentralized Web Node.
Data
Essif-Lab
something (tangible) that can be used to communicate a meaning (which is intangible/information).
Dead-Attack
TSWG (Keri)
an attack on an establishment event that occurs after the Key-state for that event has become stale because a later establishment event has rotated the sets of signing and pre-rotated keys to new sets. See [Security Properties of Prerotation](#dead-attacks).
Decentralized GRC Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain one's thinking about topics related to Governance, Risk management and Compliance (GRC) in a decentralized context, i.e., a context in which parties all autonomously do their own GRC.
Decentralized Identity Foundation
ToIP
A non-profit project of the Linux Foundation chartered to develop the foundational components of an open, standards-based, decentralized identity ecosystem for people, organizations, apps, and devices.
See also: OpenWallet Foundation, ToIP Foundation.
For more information, see: http://identity.foundation/
Decentralized Risk Management Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain how individual parties can efficiently and effectively perform their own risk management processes, while taking into account that there are other parties that have expectations towards them.
Decentralized Web Node
ToIP
A decentralized personal and application data storage and message relay node, as defined in the DIF Decentralized Web Node specification. Users may have multiple nodes that replicate their data between them.
Source: DIF DWN Specification.
Also known as: DWN.
For more information, see: https://identity.foundation/decentralized-web-node/spec/
Decentralized key management infrastructure
TSWG (Keri)
a key management infrastructure that does not rely on a single entity for the integrity and security of the system as a whole. Trust in a DKMI is decentralized through the use of technologies that make it possible for geographically and politically disparate entities to reach an agreement on the key state of an identifier [DPKI].
Decision
Decision Making Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain how parties would, could, or should reason in order to reach good conclusions and make good decisions. This can be used as a basis for understanding the information needs of parties as they need to decide e.g. whether or not to commit to a Transaction proposal, or whether or not data is valid for some purpose. This pattern is based on Toulmin's use of arguments (of which a pragmatical text can be found here).
Define
Essif-Lab
to provide a criterion and a term, where the criterion can be used by people to determine whether or not something is an instance/example of a concept (or other semantic unit), and the term is used to refer to that concept, or an arbitrary instance thereof.
Definition
Definition Pattern
Essif-Lab
a mental model that describes the relations between a concept (or any other semantic unit), the term(s) that are used to refer to it, and the criteria to use for determining whether or not something is an instance (example) of that semantic unit.
Delegate
Essif-Lab
the transferral of ownership of one or more obligations of a party (the delegator), including the associated accountability, to another party (the delegatee), which implies that the delegatee can realize such obligations as it sees fit.
Dependent
Essif-Lab
an entity for the caring for and/or protecting/guarding/defending of which a guardianship arrangement has been established.
Dictionary
Essif-Lab
an alphabetically sorted list of terms with the various meanings they may have in different contexts.
Disclosee
TSWG (ACDC)
a role of an entity that is a recipient to which an ACDC is disclosed. A Disclosee may or may not be the Issuee of the disclosed ACDC.
Discloser
TSWG (ACDC)
a role of an entity that discloses an ACDC. A Discloser may or may not be the Issuer of the disclosed ACDC.
Documentation Interoperability
Essif-Lab
the property of a documentation system of making its content comprehensible for a variety of people that come from different backgrounds.
Domain
TSWG (CESR)
a representation of a Primitive either Text (T), Binary (B) or Raw binary (R).
Duplicity
TSWG (ACDC)
the existence of more than one Version of a Verifiable KEL for a given AID. See duplicity.
TSWG (Keri)
the existence of more than one Version of a Verifiable KEL for a given AID.
Duties and Rights Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain what generic duties and rights consist of (based on Hohfeld's theories), and relates them to jurisdictions, parties and legal entities.
E2E
WebOfTrust
ECR
WebOfTrust
ESSR
WebOfTrust
Ecosystem
Essif-Lab
a set of at least two (autonomous) parties (its 'members') whose individual work complements that of other members, and is of benefit to the set as a whole.
Edge
TSWG (ACDC)
a top-level field map within an ACDC that provides edges that connect to other ACDCs, forming a labeled property graph (LPG).
Employee
Employer
Employment Contract
End-to-End Principle
ToIP
The end-to-end principle is a design framework in computer networking. In networks designed according to this principle, guaranteeing certain application-specific features, such as reliability and security, requires that they reside in the communicating end nodes of the network. Intermediary nodes, such as gateways and routers, that exist to establish the network, may implement these to improve efficiency but cannot guarantee end-to-end correctness.
Source: Wikipedia.
For more information, see: https://trustoverip.org/permalink/Design-Principles-for-the-ToIP-Stack-V1.0-2022-11-17.pdf
End-verifiability
TSWG (Keri)
a data item or statement may be cryptographically securely attributable to its source (party at the source end) by any recipient verifier (party at the destination end) without reliance on any infrastructure not under the verifier's ultimate control.
Entity
Essif-Lab
someone or something that is known to exist.
Establishment event
TSWG (Keri)
a Key event that establishes or changes the Key state which includes the current set of authoritative keypairs (Key state) for an AID.
Expectation
FAL
ToIP
FFI
WebOfTrust
First-Seen
TSWG (Keri)
refers to the first instance of a Message received by any Witness or Watcher. The first-seen event is always seen, and can never be unseen. It forms the basis for Duplicity detection in KERI based systems.
Framework (Conceptual)
Essif-Lab
a set of assumptions, concepts, values, and practices that constitutes a way of viewing reality.
Framing Code
TSWG (ACDC)
a code that delineates a number of characters or bytes, as appropriate, that can be extracted atomically from a Stream.
Framing Codes
TSWG (CESR)
codes that delineate a number of characters or bytes, as appropriate, that can be extracted atomically from a Stream.
Full Disclosure
TSWG (ACDC)
a disclosure of an ACDC that discloses the full details of some or all of its field maps. In the context of Selective Disclosure, Full Disclosure means detailed disclosure of the selectively disclosed attributes, not the detailed disclosure of all selectively disclosable attributes. In the context of Partial Disclosure, Full Disclosure means detailed disclosure of the field map that was so far only partially disclosed.
GAR
WebOfTrust
GDPR
ToIP
GLEIF
WebOfTrust
GLEIS
WebOfTrust
GLEIS
Definition
Global Legal Entity Identifier System
GPG
WebOfTrust
GRC
General Data Protection Regulation
ToIP
The General Data Protection Regulation (Regulation (EU) 2016/679, abbreviated GDPR) is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business.
Source: Wikipedia.
Also known as: GDPR.
Glossary
Essif-Lab
an alphabetically sorted list of terms with the (single) meaning each has in (at least) one context.
Governance
Governance and Management Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain how parties organize that their objectives are realized, either by doing the associated work themselves, or by arranging for other parties to do that.
Governance, Risk Management, and Compliance
ToIP
Governance, risk management, and compliance (GRC) are three related facets that aim to assure an organization reliably achieves objectives, addresses uncertainty and acts with integrity. Governance is the combination of processes established and executed by the directors (or the board of directors) that are reflected in the organization's structure and how it is managed and led toward achieving goals. Risk management is predicting and managing risks that could hinder the organization from reliably achieving its objectives under uncertainty. Compliance refers to adhering to the mandated boundaries (laws and regulations) and voluntary boundaries (company's policies, procedures, etc.).
Source: Wikipedia.
Also known as: GRC.
Governor
Graduated Disclosure
TSWG (ACDC)
a disclosure of an ACDC that does not reveal its entire content in the initial interaction with the recipient and, instead, partially or selectively reveals only the information contained within the ACDC that is necessary to further a transaction with the recipient. A Graduated disclosure may involve multiple steps where more information is progressively revealed as the recipient satisfies the conditions set by the discloser. Compact disclosure, Partial disclosure, Selective disclosure and Full disclosure are all Graduated disclosure mechanisms.
Group/Count Codes
TSWG (CESR)
special Framing Codes that can be specified to support groups of Primitives which make them pipelinable. Self-framing grouping using Count Codes is one of the primary advantages of composable encoding.
Guardian
Essif-Lab
a party that has been assigned rights and duties in a Guardianship Arrangement for the purpose of caring for and/or protecting/guarding/defending the entity that is the dependent in that Guardianship Arrangement.
Guardianship (in a Jurisdiction)
Essif-Lab
the specification of a set of rights and duties between legal entities of the jurisdiction that enforces these rights and duties, for the purpose of caring for and/or protecting/guarding/defending one or more of these entities. (Synonym of Guardianship Arrangement)
Guardianship Arrangement
Essif-Lab
Guardianship Arrangement (in a Jurisdiction): the specification of a set of rights and duties between legal entities of the jurisdiction that enforces these rights and duties, for the purpose of caring for and/or protecting/guarding/defending one or more of these entities.
Guardianship Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain what a generic guardianship consists of, and how it relates to guardians, dependents, jurisdictions, etc.
Guardianship-type
Essif-Lab
a class of guardianship arrangements within the jurisdiction that governs and manages them.
HSM
Nist
Term found but the definition does not exist yet.
ToIP
See: hardware security module.
WebOfTrust
Holder
Essif-Lab
a component that implements the capability to handle presentation requests from a peer agent, produce the requested data (a presentation) according to its principal's holder-policy, and send that in response to the request.
Holder Policy
Essif-Lab
a digital policy that enables an operational holder component to function in accordance with the objective of its principal.
Home
WebOfTrust
Home
Welcome to the WebofTrust terms wiki!
The wiki also serves the glossary terms for the underlying and related techniques to ACDC, like KERI, CESR and OOBI.
There are a few practical rules, inherited from the originator ToIP, for getting these wiki terms through their GitHub Actions script; please:
- be aware that every new wiki item you create leads to a new .md file; we'd like to know about them
- introduce lowercase names with spaces (they will be converted into lowercase names with dashes between the words)
- start with a ## Definition header; example
- for uppercase abbreviations, start with only the "## See" header; example
- don't delete items (i.e. .md files), but make clear they are deprecated and/or link to the new concept/term
- don't change or update the name of an item single-handedly, for it might change the concept/meaning for other people and create dead links for those who read or link to the term. Please open an issue or a PR to discuss first.
- any other immediate updates and amendments are welcome; the revision history lets us (partially) revert if something unwanted or unexpected happens.
KERISSE reads this wiki
The weboftrust wiki glossary is currently our input tool for our KERI Suite glossary. However, we regularly scrape the wiki into KERISSE, we add features and metadata, we connect relevant matching terms from related glossaries and finally we index it for the KERI Suite Search Engine (KERISSE).
Have fun CRU-ing!
* CRU = Create, Read, Update
Human Being
Essif-Lab
a person of flesh and blood (homo sapiens), that we classify both as a party, an actor, and a jurisdiction.
I O
WebOfTrust
IAL
ToIP
See: identity assurance level.
IANA
Nist
Term found but the definition does not exist yet.
WebOfTrust
IDP
ToIP
See: identity provider.
IP
ToIP
See: Internet Protocol.
IP address
ToIP
An Internet Protocol address (IP address) is a numerical label such as 192.0.2.1 that is connected to a computer network that uses the Internet Protocol for communication. An IP address serves two main functions: network interface identification, and location addressing.
Source: Wikipedia.
IPEX
WebOfTrust
Identification Pattern
Identifier
Identifier Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain how identifiers are defined and used for identification purposes.
Identify
Identity
Identity Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain how digital identities work, how this relates to (attributes in) credentials, and how all this can be made to work in SSI contexts.
Inception
TSWG (Keri)
the operation of creating an AID by binding it to the initial set of authoritative keypairs and any other associated information. This operation is made verifiable and Duplicity evident upon acceptance as the Inception event that begins the AID's KEL.
Inception event
TSWG (ACDC)
an Establishment event that provides the incepting information needed to derive an AID and establish its initial Key state. See inception event.
TSWG (Keri)
an Establishment event that provides the incepting information needed to derive an AID and establish its initial Key state.
Information Process
Information theoretic security
TSWG (ACDC)
the highest level of cryptographic security with respect to a cryptographic secret (seed, salt, or private key).
Interaction event
TSWG (ACDC)
a Non-establishment event that anchors external data to the Key state as established by the most recent prior Establishment event. See interaction event.
TSWG (Keri)
a Non-establishment event that anchors external data to the Key state as established by the most recent prior Establishment event.
Internet Protocol
ToIP
The Internet Protocol (IP) is the network layer communications protocol in the Internet protocol suite (also known as the TCP/IP suite) for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.
IP has the task of delivering packets from the source host to the destination host solely based on the IP addresses in the packet headers. For this purpose, IP defines packet structures that encapsulate the data to be delivered. It also defines addressing methods that are used to label the datagram with source and destination information.
Source: Wikipedia.
Also known as: IP.
See also: Transmission Control Protocol, User Datagram Protocol.
Internet protocol suite
ToIP
The Internet protocol suite, commonly known as TCP/IP, is a framework for organizing the set of communication protocols used in the Internet and similar computer networks according to functional criteria. The foundational protocols in the suite are the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), and the Internet Protocol (IP).
Source: Wikipedia
Also known as: TCP/IP.
See also: protocol stack.
Issuee
TSWG (ACDC)
a role of an entity to which the claims of an ACDC are asserted.
Issuer
Essif-Lab
a component that implements the capability to construct credential from data objects, according to the content of its principal's issuer-Policy (specifically regarding the way in which the credential is to be digitally signed), and pass it to the wallet-component of its principal allowing it to be issued.
TSWG (ACDC)
a role of an entity that asserts claims and creates an ACDC from these claims.
Issuer Policy
Essif-Lab
a digital policy that enables an operational issuer component to function in accordance with the objective of its principal.
JOSE
Nist
Term found but the definition does not exist yet.
WebOfTrust
JSON
Nist
Term found but the definition does not exist yet.
WebOfTrust
JSON
Definition
JavaScript Object Notation. JSON is a language-independent data format. It was derived from JavaScript. It's an open standard file format and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute–value pairs and arrays (or other serializable values).
More on source Wikipedia
Jurisdiction
Essif-Lab
the composition of a legal system (legislation, enforcement thereof, and conflict resolution), a party that governs that legal system, a scope within which that legal system is operational, and one or more objective for the purpose of which the legal system is operated. See also the Jurisdictions pattern.
Jurisdiction Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain what a generic jurisdiction consists of, and relates it to parties and legal entities.
KA2CE
WebOfTrust
KAACE
WebOfTrust
KAPI
WebOfTrust
KAPI
Definition
Application programmer interfaces (APIs) are needed for the various components in the KERI ecosystem, such as Controllers, Agents, Witnesses, Watchers, Registrars, etc., so that they can share information. The unique properties of the KERI protocol require APIs that preserve those properties. We call the set of APIs the KERI API.
Source Kapi Repo
KATE
ToIP
See: keys-at-the-edge.
KEL
WebOfTrust
KEL backed data
ToIP (DID:Webs)
KEL backed data in did:webs provides the highest level of data security assurance and such data can be found either in the KEL or anchored to an event in the KEL. This means that the signatures on the events in the KEL are strongly bound to the key state at the time the events are entered in the KEL, that is the data. This provides strong guarantees of non-duplicity to any verifiers receiving a presentation as the KELs are protected and can be watched by agents (watcher) of the verifiers. The information is end-verifiable and any evidence of duplicity in the events is evidence that the data or presentation should not be trusted. See WebOfTrust glossary for more detail.
KERI
ToIP
WebOfTrust
KERI Request Authentication Mechanism
ToIP (DID:Webs)
A non-interactive replay attack protection algorithm that uses a sliding window of date-time stamps and key state (similar to the tuple in BADA-RUN), but the date-time is the replier's, not the querier's. KRAM is meant to protect a host. See the WebOfTrust glossary for more detail.
KERI event stream
ToIP (DID:Webs)
A stream of verifiable KERI data, consisting of the key event log (KEL) and other data such as a transaction event log (TEL). This data is a CESR event stream, with media type application/cesr, and may be serialized in a file using CESR encoding. We refer to these CESR stream resources as KERI event streams to simplify the vocabulary. See WebOfTrust glossary for more detail.
KERIMask
WebOfTrust
KERIMask
Definition
A wallet similar to MetaMask; it will be implemented as a browser extension that connects to KERIA servers so that a person can control AIDs from their browser.
Status
As of October 2023 KERIMask is only planned.
Related
KERISSE
WebOfTrust
KERIs Algorithm for Witness Agreement
TSWG (Keri)
a type of Byzantine Fault Tolerant (BFT) algorithm
KERL
WebOfTrust
KID
WebOfTrust
KMS
ToIP
See: key management system.
KRAM
WebOfTrust
Key Event Receipt Infrastructure
ToIP
A decentralized permissionless key management architecture.
Also known as: KERI.
For more information, see: https://keri.one/, ToIP ACDC Task Force
Key Event Receipt Infrastructure (KERI)
TSWG (CESR)
or the KERI protocol, is an identity system-based secure overlay for the Internet.
Key event
TSWG (Keri)
concretely, the serialized data structure of an entry in the Key event log (KEL) for an AID. Abstractly, the data structure itself. Key events come in different types and are used primarily to establish or change the authoritative set of keypairs and/or anchor other data to the authoritative set of keypairs at the point in the KEL actualized by a particular entry.
Key event log
TSWG (Keri)
a Verifiable data structure that is a backward and forward chained, signed, append-only log of key events for an AID. The first entry in a KEL must be the one and only Inception event of that AID.
Key event message
TSWG (Keri)
message whose body is a Key event and whose attachments may include signatures on its body.
Key event receipt
TSWG (Keri)
message whose body references a Key event and whose attachments must include one or more signatures on that Key event.
Key event receipt log
TSWG (Keri)
a key event receipt log is a KEL that also includes all the consistent key event receipt Messages created by the associated set of witnesses. See annex Key event receipt log
Key-State
TSWG (Keri)
a set of authoritative keys for an AID along with other essential information necessary to establish, evolve, verify, and validate control-signing authority for that AID. This information includes the current public keys and their thresholds (for a multi-signature scheme); pre-rotated key digests and their thresholds; witnesses and their thresholds; and configurations. An AID's key state is first established through its inception event and may evolve via subsequent rotation events. Thus, an AID's key state is time-dependent.
Key-state
TSWG (ACDC)
a set of currently authoritative keypairs for an AID and any other information necessary to secure or establish control authority over an AID. This includes current keys, prior next key digests, current thresholds, prior next thresholds, witnesses, witness thresholds, and configurations. A key-state of an AID is first established through an inception event and may be altered by subsequent rotation events. See validator.
Knowledge
LEI
ToIP
See: Legal Entity Identifier.
WebOfTrust
LEI
Definition
Legal Entity Identifier
LID
WebOfTrust
LLM
WebOfTrust
LLM
See Large Language Model
Laws of Identity
ToIP
A set of seven “laws” written by Kim Cameron, former Chief Identity Architect of Microsoft (1941-2021), to describe the dynamics that cause digital identity systems to succeed or fail in various contexts. His goal was to define the requirements for a unifying identity metasystem that can offer the Internet the identity layer it needs.
For more information, see: https://www.identityblog.com/?p=352.
Layer 1
ToIP
See: ToIP Layer 1.
Layer 2
ToIP
See: ToIP Layer 2.
Layer 3
ToIP
See: ToIP Layer 3.
Layer 4
ToIP
See: ToIP Layer 4.
Legal Entity
Essif-Lab
an entity that is known by, recognized to exist, and registered in that jurisdiction.
Legal Entity Identifier
ToIP
The Legal Entity Identifier (LEI) is a unique global identifier for legal entities participating in financial transactions. Also known as an LEI code or LEI number, its purpose is to help identify legal entities on a globally accessible database. Legal entities are organisations such as companies or government entities that participate in financial transactions.
Source: Wikipedia.
Note: LEIs are administered by the Global Legal Entity Identifier Foundation (GLEIF).
Legal Jurisdiction
Essif-Lab
a jurisdiction that is governed/operated by a governmental body.
Legal System
Essif-Lab
a system in which rules are defined, and mechanisms for their enforcement and conflict resolution are (implicitly or explicitly) specified.
Live-Attack
TSWG (Keri)
an attack that compromises either the current signing keys used to sign non-establishment events or the current pre-rotated keys needed to sign a subsequent establishment event. See [Security Properties of Prerotation](#live-attacks).
LoA
WebOfTrust
LoC
WebOfTrust
MFA
Nist
Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).
WebOfTrust
MIME type
WebOfTrust
MPC
ToIP
See: multi-party computation.
Management
Mandate
Mandates, Delegation and Hiring Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain the ideas behind Mandating, Delegating, Hiring and their relations.
Mental Model
Essif-Lab
a description, both casual and formal, of a set of concept (ideas), relations between them, and constraints, that together form a coherent and consistent 'viewpoint', or 'way of thinking' about a certain topic.
Mental Model Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain how to create, maintain and use (decentralized) vocabularies (terminologies) that groups of people can use for the specific purposes they pursue.
Message
TSWG (CESR)
consists of a serialized data structure that comprises its body and a set of serialized data structures that are its attachments. Attachments may include but are not limited to signatures on the body.
TSWG (Keri)
a serialized data structure that comprises its body and a set of serialized data structures that are its attachments. Attachments may include but are not limited to signatures on the body.
Mission
NFT
Nist
An owned, transferable, and indivisible data record that is a digital representation of a physical or virtual linked asset. The data record is created and managed by a smart contract on a blockchain.
WebOfTrust
Next threshold
TSWG (Keri)
represents the number or fractional weights of signatures from the given set of next keys required to be attached to a Message for the Message to be considered fully signed.
Non-establishment event
TSWG (Keri)
a Key event that does not change the current Key state for an AID. Typically, the purpose of a Non-establishment event is to anchor external data to a given Key state as established by the most recent prior Establishment event for an AID.
Normative framework
Essif-Lab
a set of rules that are followed and/or criteria that remain fulfilled by (a specific kind of) entities whose behavior and/or properties are characterized as 'normal'.
OOBI
ToIP
See: out-of-band introduction.
WebOfTrust
OOR
WebOfTrust
Objective
Obligation
Onboarding
Essif-Lab
a process that is run for a specific (set of) actor on behalf of a specific party, that terminates successfully if and only if the party has (a) established the suitability of the actor for executing certain kinds of action on its behalf, (b) ensured that their mutual rights and duties are properly specified and will be appropriately enforced, and (c) provided the circumstances/contexts within which the actor is enabled to do so.
OpenWallet Foundation
ToIP
A non-profit project of the Linux Foundation chartered to build a world-class open source wallet engine.
See also: Decentralized Identity Foundation, ToIP Foundation.
For more information, see: https://openwallet.foundation/
Operator
TSWG (ACDC)
an optional field map in the Edge section that enables expression of the edge logic on edge subgraph as either a unary operator on the edge itself or an m-ary operator on the edge-group.
Organization
Outsourcing
Essif-Lab
the state of affairs in which a party has an objective (better: an expectation) for the realization of a (set of) result(s), where the actual production of these results is expected to be done by a party other than itself.
Owned
Essif-Lab
an entity over which another entity (its owner) has the power (duty, right) to enjoy it, dispose of it and control it; that power is limited to (the scope of) that jurisdiction, and by its rules.
Owner
Ownership
Essif-Lab
a relationship between two entities that exists within the scope of control of a jurisdiction, in which one of them (called the owner) has legal, rightful or natural rights and/or duties to enjoy, dispose of, and control the other (called the owned).
P2P
Nist
Term found but the definition does not exist yet.
ToIP
See: peer-to-peer.
WebOfTrust
PGP
Nist
Term found but the definition does not exist yet.
WebOfTrust
PID
WebOfTrust
PII
ToIP
PKI
Nist
The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. Framework established to issue, maintain, and revoke public key certificates.
ToIP
WebOfTrust
PRNG
Nist
A deterministic computational process that has one or more inputs called "seeds", and it outputs a sequence of values that appears to be random according to specified statistical tests. A cryptographic PRNG has the additional property that the output is unpredictable, given that the seed is not known.
WebOfTrust
PRNG
Definition
means "Pseudorandom Number Generator" which means that a sequence of numbers (bits, bytes...) is produced from an algorithm which looks random, but is in fact deterministic (the sequence is generated from some unknown internal state), hence pseudorandom.
Such pseudorandomness can be cryptographically secure, or not. It is cryptographically secure if nobody can reliably distinguish the output from true randomness, even if the PRNG algorithm is perfectly known (but not its internal state). A non-cryptographically secure PRNG would fool basic statistical tests but can be distinguished from true randomness by an intelligent attacker.
(Source: https://crypto.stackexchange.com/questions/12436/what-is-the-difference-between-csprng-and-prng)
See also
PTEL
WebOfTrust
Partial Disclosure
TSWG (ACDC)
a disclosure of an ACDC that partially discloses its field maps using Compact Disclosure. The Compact Disclosure provides a cryptographically equivalent commitment to the yet-to-be-disclosed content, and a later exchange of the uncompacted content is verifiable against the earlier Partial Disclosure. Unlike Selective Disclosure, a partially disclosable field becomes correlatable to its encompassing block after its Full Disclosure.
Partial identity
Participant
Essif-Lab
a party that is negotiating (or has negotiated) a transaction agreement.
Party
Party Representation Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain how parties can be represented in various circumstances.
Party, Actor and Actions Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain how things get done. It answers questions such as: 'Who/what does things?', 'How are their actions being guided/controlled?', 'Who controls whom/what?', 'Who/what may be held accountable?'.
Pattern
Essif-Lab
a description, both casual and formal, of a set of concept (ideas), relations between them, and constraints, that together form a coherent and consistent 'viewpoint', or 'way of thinking' about a certain topic.
Peer Actor
Essif-Lab
Peer Party
Essif-Lab
a party that also participates in that business transaction.
Peer-agent
Essif-Lab
Percolated discovery
TSWG (ACDC)
a discovery mechanism for information associated with an AID or a SAID, which is based on Invasion Percolation Theory. Once an entity has discovered such information, it may in turn share what it discovers with other entities. Since the information so discovered is end-verifiable, the percolation mechanism and percolating intermediaries do not need to be trusted.
Perfect security
TSWG (ACDC)
a special case of Information theoretic security ITPS
PoP
ToIP
See: proof of personhood.
Policy
Presentation
Essif-Lab
a (signed) digital message that a holder component may send to a verifier component that contains data derived from one or more verifiable credential (that (a colleague component of) the holder component has received from issuer components of one or more parties), as a response to a specific presentation request of a Verifier component.
Presentation Request
Essif-Lab
a (signed) digital message that a verifier component sends to a holder component asking for specific data from one or more verifiable credential that are issued by specific Parties.
Primitive
TSWG (ACDC)
a serialization of a unitary value. All Primitives in KERI must be expressed in CESR.
TSWG (CESR)
a serialization of a unitary value. All Primitives in KERI must be expressed in CESR.
Primitive
TSWG (Keri)
a serialization of a unitary value. All Primitives in KERI must be expressed in CESR [1].
Principal
Principles of SSI
ToIP
A set of principles for self-sovereign identity systems originally defined by the Sovrin Foundation and republished by the ToIP Foundation.
For more information, see: https://sovrin.org/principles-of-ssi/ and https://trustoverip.org/wp-content/uploads/2021/10/ToIP-Principles-of-SSI.pdf
Property (of a Concept)
QAR
WebOfTrust
QR code
ToIP
A QR code (short for "quick-response code") is a type of two-dimensional matrix barcode—a machine-readable optical image that contains information specific to the identified item. In practice, QR codes contain data for a locator, an identifier, and web tracking.
Source: Wikipedia.
See also: out-of-band introduction.
QVI
WebOfTrust
Quadlet
TSWG (CESR)
a group of 4 characters in the T domain and equivalently in triplets of 3 bytes each in the B domain used to define variable size.
Qualified Data
RBAC
ToIP
RID
Nist
Term found but the definition does not exist yet.
WebOfTrust
RUN
WebOfTrust
RUN
Definition
The acronym for the new peer-to-peer end-verifiable monotonic update policy is RUN (Read, Update, Nullify).
RUN, as opposed to CRUD, which is the traditional client-server database update policy.
OOBI related
We RUN off the CRUD, which means that because the source of truth for each data item is a decentralized controller Peer, a given database hosted by any Peer does not create records in the traditional sense of a server creating records for a client.
RWI
ToIP
See: real world identity.
Relation (between Concepts)
Essif-Lab
a (significant) connection or association between two or more concepts.
Revocation Policy
Essif-Lab
a digital policy that enables an operational revocation component to function in accordance with the objective of its principal.
Revocation component
Essif-Lab
a component that implements the capability to revoke credential that are issued by its principal, according to its principal revocation policy.
Revoke/Revocation
Essif-Lab
the act, by or on behalf of the party that has issued the credential, of no longer vouching for the correctness or any other qualification of (arbitrary parts of) that credential.
Risk
Risk Objective
Risk Owner
Risk level
Risk management
Essif-Lab
a process that is run by (or on behalf of) a specific party for the purpose of managing the risk that it owns (thereby realizing specific risk objectives).
Role
Essif-Lab
a defined set of characteristics that an entity has in some context, such as responsibilities it may have, action (behaviors) it may execute, or pieces of knowledge that it is expected to have in that context, which are referenced to by a specific role name.
Role name
Essif-Lab
name (text) that refers to (and identifies) a role in a specific context.
Rotation
TSWG (Keri)
the operation of revoking and replacing the set of authoritative keypairs for an AID. This operation is made verifiable and Duplicity evident upon acceptance as a Rotation event that is appended to the AID's KEL.
Rotation event
TSWG (ACDC)
an Establishment Event that provides the information needed to change the Key state which includes a change to the set of authoritative keypairs for an AID. See rotation event.
TSWG (Keri)
an Establishment Event that provides the information needed to change the Key state which includes a change to the set of authoritative keypairs for an AID.
Rules
TSWG (ACDC)
a top-level field map within an ACDC that provides a legal language as a Ricardian Contract [43], which is both human and machine-readable and referenceable by a cryptographic digest.
SAD
Nist
Term found but the definition does not exist yet.
WebOfTrust
SAID
WebOfTrust
SATP
WebOfTrust
SCID
ToIP
WebOfTrust
SEMVER
TSWG (ACDC)
Semantic Versioning Specification 2.0. See also https://semver.org
SKRAP
WebOfTrust
SKWA
WebOfTrust
SPAC
WebOfTrust
SSI
Nist
Term found but the definition does not exist yet.
ToIP
See: self-sovereign identity.
Note: In some contexts, such as academic papers or industry conferences, this acronym has started to replace the term it represents.
WebOfTrust
SSI (Self-Sovereign Identity)
Essif-Lab
SSI (Self-Sovereign Identity) is a term that has many different interpretations, and that we use to refer to concepts/ideas, architectures, processes and technologies that aim to support (autonomous) parties as they negotiate and execute electronic transaction with one another.
SSI Agent
Essif-Lab
a digital agent that provides one or more of the SSI functionalities (issuer, holder, verifier, wallet) to its principal.
SSI Assurance Community (SSI-AC)
Essif-Lab
a community that supports its members as they seek to increase their confidence in the SSI infrastructure and/or (specific) qualifications of the data exchanged through that infrastructure.
SSI Infrastructure
Essif-Lab
the technological components that are (envisaged to be) all over the world for the purpose of providing, requesting and obtaining qualified data, for the purpose of negotiating and/or executing electronic transaction.
SSL
ToIP
See: Secure Sockets Layer.
Salt
TSWG (Keri)
random data fed as an additional input to a one-way function that hashes data.
Schema
TSWG (ACDC)
the SAID of a JSON schema that is used to issue and verify an ACDC.
Scope
Essif-Lab
the extent of the area or subject matter (which we use, e.g., to define pattern, concept, term and glossaries in, but it serves other purposes as well).
Scope of Control
Scope: essifLabTerminology
Essif-Lab
specification of the eSSIF-Lab scope.
Seal
TSWG (Keri)
a seal is a cryptographic commitment in the form of a cryptographic digest or hash tree root (Merkle root) that anchors arbitrary data or a tree of hashes of arbitrary data to a particular event in the key event sequence. See annex [Seal](#seal).
Secure Enclave
ToIP
A coprocessor on Apple iOS devices that serves as a trusted execution environment.
Secure Sockets Layer
ToIP
The original transport layer security protocol developed by Netscape and partners. Now deprecated in favor of Transport Layer Security (TLS).
Also known as: SSL.
Selective Disclosure
TSWG (ACDC)
a disclosure of an ACDC that selectively discloses its attributes using Compact Disclosure. The set of selectively disclosable attributes is provided as an array of blinded blocks where each attribute in the set has its own dedicated blinded block. Unlike Partial Disclosure, the selectively disclosed fields are not correlatable to the so far undisclosed but selectively disclosable fields in the same encompassing block.
Self-Addressing Identifier (SAID)
TSWG (ACDC)
any identifier that is deterministically generated from the content it identifies, i.e., a digest of that content.
Self-Framing
TSWG (CESR)
a textual or binary encoding that begins with type, size, and value so that a parser knows how many characters (when textual) or bytes (when binary) to extract from the stream for a given element without parsing the rest of the characters or bytes in the element is Self-Framing. A self-framing Primitive may be extracted without needing any additional delimiting characters. Thus, a stream of concatenated Primitives may be extracted without the need to encapsulate each Primitive inside a set of delimiters or an envelope.
Self-Sovereign Identity (SSI)
Essif-Lab
Self-Sovereign Identity (SSI) is a term that has many different interpretations, and that we use to refer to concepts/ideas, architectures, processes and technologies that aim to support (autonomous) parties as they negotiate and execute electronic transaction with one another.
Self-Sovereignty
Self-addressed data
TSWG (Keri)
a representation of data content from which a SAID is derived. The SAID is both cryptographically bound to (content-addressable) and encapsulated by (self-referential) its SAD SAID.
Self-addressing identifiers
TSWG (Keri)
an identifier that is content-addressable and self-referential. A SAID is uniquely and cryptographically bound to a serialization of data that includes the SAID as a component in that serialization SAID.
Self-certifying identifier
TSWG (Keri)
a type of Cryptonym that is uniquely cryptographically derived from the public key of an asymmetric signing keypair, (public, private).
Semantic Unit
Semantics
Semantics Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain the relations between the (intangible) concepts (and other semantic units) that are part of a party's knowledge, and how they are (tangibly) represented by terms, attributes, etc.
Sovrin Foundation
ToIP
A 501(c)(4) nonprofit organization established to administer the governance framework governing the Sovrin Network, a public service utility enabling self-sovereign identity on the internet. The Sovrin Foundation is an independent organization that is responsible for ensuring the Sovrin identity system is public and globally accessible.
For more information, see: https://sovrin.org/
Stable
TSWG (CESR)
todo
Stream
TSWG (ACDC)
a CESR Stream is any set of concatenated Primitives, concatenated groups of Primitives or hierarchically composed groups of Primitives.
TSWG (CESR)
any set of concatenated Primitives, concatenated groups of Primitives or hierarchically composed groups of Primitives.
Subject
Essif-Lab
the (single) entity to which a given set of coherent data relates/pertains. Examples of such sets include attributes, Claims/Assertions, files/dossiers, (verifiable) credentials, (partial) identities, employment contracts, etc.
Sybil attack
ToIP
A Sybil attack is a type of attack on a computer network service in which an attacker subverts the service's reputation system by creating a large number of pseudonymous identities and uses them to gain a disproportionately large influence. It is named after the subject of the book Sybil, a case study of a woman diagnosed with dissociative identity disorder.
Source: Wikipedia.
TCP
Nist
TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees the delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
ToIP
WebOfTrust
TCP/IP
ToIP
See: Internet Protocol Suite.
TCP/IP stack
ToIP
The protocol stack implementing the TCP/IP suite.
TEE
Nist
An area or enclave protected by a system processor.
ToIP
WebOfTrust
TEL
WebOfTrust
TLS
ToIP
See: Transport Layer Security.
TOAD
WebOfTrust
TPM
Nist
Term found but the definition does not exist yet.
WebOfTrust
TSP
Nist
Term found but the definition does not exist yet.
ToIP
WebOfTrust
TTA
ToIP
TTP
ToIP
See: trusted third party.
Tag
Essif-Lab
an alphanumeric string that is used to identify scope (so called 'scopetags'), group term (so called 'grouptags'), or identify a specific version of a terminology (so called 'versiontags') from within a specific scope.
Targeted ACDC
TSWG (ACDC)
an ACDC with the presence of the Issuee field in the attribute or attribute aggregate sections.
Term
Term (Scoped)
Essif-Lab
a term, the meaning of which is determined by the definition to which it refers in a specific scope/context.
Terminology
Essif-Lab
the set of terms that are used within a single scope to refer to a single definition, enabling parties to reason and communicate ideas they have about one or more specific topics.
Terminology Pattern
Essif-Lab
a set of concepts and other semantic units that one can use to explain one's thinking about a certain topic, as well as to devise/design a way of thinking that members of a community can use to align their thinking as they pursue that community's objectives.
Terminology Process
Essif-Lab
a method for recognizing misunderstandings as such, and creating or maintaining definitions that resolve them.
Terms Community
Essif-Lab
a community that maintains a terminology for the purpose of avoiding misunderstandings between its members as they collaborate.
ToIP
ToIP
See: Trust Over IP
ToIP Foundation
ToIP
A non-profit project of the Linux Foundation chartered to define an overall architecture for decentralized digital trust infrastructure known as the ToIP stack.
See also: Decentralized Identity Foundation, OpenWallet Foundation.
For more information, see: https://trustoverip.org/.
ToIP Governance Architecture Specification
ToIP
The specification defining the requirements for the ToIP Governance Stack published by the ToIP Foundation.
For more information, see: https://trustoverip.org/our-work/deliverables/.
ToIP Governance Metamodel
ToIP
A structural model for ToIP governance frameworks that specifies the recommended governance documents that should be included depending on the objectives of the trust community.
ToIP Governance Stack
ToIP
The governance half of the four layer ToIP stack as defined by the ToIP Governance Architecture Specification.
See also: ToIP Technology Stack.
ToIP Layer 1
ToIP
The trust support layer of the ToIP stack, responsible for supporting the trust spanning protocol at ToIP Layer 2.
ToIP Layer 2
ToIP
The trust spanning layer of the ToIP stack, responsible for enabling the trust task protocols at ToIP Layer 3.
ToIP Layer 3
ToIP
The trust task layer of the ToIP stack, responsible for enabling trust applications at ToIP Layer 4.
ToIP Layer 4
ToIP
The trust application layer of the ToIP stack, where end users have the direct human experience of using applications that call trust task protocols to engage in trust relationships and make trust decisions using ToIP decentralized digital trust infrastructure.
ToIP Technology Architecture Specification
ToIP
The technical specification defining the requirements for the ToIP Technology Stack published by the ToIP Foundation.
For more information: ToIP Technology Architecture Specification.
ToIP Technology Stack
ToIP
The technology half of the four layer ToIP stack as defined by the ToIP Technology Architecture Specification.
See also: ToIP Governance Stack, ToIP layer.
ToIP Trust Registry Protocol
ToIP
The open standard trust task protocol defined by the ToIP Foundation to perform the trust task of querying a trust registry. The ToIP Trust Registry Protocol operates at Layer 3 of the ToIP stack.
ToIP Trust Spanning Protocol
ToIP
The ToIP Layer 2 protocol for verifiable messaging that implements the trust spanning layer of the ToIP stack. The ToIP Trust Spanning Protocol enables actors in different digital trust domains to interact in a similar way to how the Internet Protocol (IP) enables devices on different local area networks to exchange data.
Mental model: hourglass model, see the Design Principles for the ToIP Stack.
For more information, see: Section 7.3 of the ToIP Technology Architecture Specification and the Trust Spanning Protocol Task Force.
ToIP application
ToIP
A trust application that runs at ToIP Layer 4, the trust application layer.
ToIP channel
ToIP
See: VID relationship.
ToIP communication
ToIP
Communication that uses the ToIP stack to deliver ToIP messages between ToIP endpoints, optionally using intermediary systems, to provide authenticity, confidentiality, and correlation privacy.
ToIP connection
ToIP
A connection formed using the ToIP Trust Spanning Protocol between two ToIP endpoints identified with verifiable identifiers. A ToIP connection is instantiated as one or more VID relationships.
ToIP controller
ToIP
The controller of a ToIP identifier.
ToIP endpoint
ToIP
An endpoint that communicates via the ToIP Trust Spanning Protocol as described in the ToIP Technology Architecture Specification.
ToIP governance framework
ToIP
A governance framework that conforms to the requirements of the ToIP Governance Architecture Specification.
ToIP identifier
ToIP
A verifiable identifier for an entity that is addressable using the ToIP stack.
See also: autonomous identifier, decentralized identifier.
For more information, see: Section 6.4 of the ToIP Technology Architecture Specification.
ToIP intermediary
ToIP
See: intermediary system.
ToIP layer
ToIP
One of four protocol layers in the ToIP stack. The four layers are ToIP Layer 1, ToIP Layer 2, ToIP Layer 3, and ToIP Layer 4.
For more information, see: ToIP Technology Architecture Specification, ToIP Governance Architecture Specification.
ToIP message
ToIP
A message communicated between ToIP endpoints using the ToIP stack.
ToIP stack
ToIP
The layered architecture for decentralized digital trust infrastructure defined by the ToIP Foundation. The ToIP stack is a dual stack consisting of two halves: the ToIP Technology Stack and the ToIP Governance Stack. The four layers in the ToIP stack are ToIP Layer 1, ToIP Layer 2, ToIP Layer 3, and ToIP Layer 4.
For more information, see: ToIP Technology Architecture Specification, ToIP Governance Architecture Specification.
ToIP system
ToIP
A computing system that participates in the ToIP Technology Stack. There are three types of ToIP systems: endpoint systems, intermediary systems, and supporting systems.
For more information, see: Section 6.3 of the ToIP Technology Architecture Specification.
ToIP trust community
ToIP
A trust community governed by a ToIP governance framework.
ToIP trust network
ToIP
A trust network implemented using the ToIP stack.
Transaction
Essif-Lab
the exchange of goods, services, funds, or data between some parties (called participants of the transaction).
Transaction Agreement
Essif-Lab
the set of rules that specify the rights (expectations) and duties (obligations) of participants towards one another in the context of a specific business transaction.
Transaction Form
Essif-Lab
the specification of the set of data that this party needs to (a) commit to a (proposed) business transaction of that kind, (b) fulfill its duties/obligation and (c) escalate if necessary.
Transaction Id
Essif-Lab
character string that this participant uses to identify, and refer to, that business transaction.
Transaction Proposal
Essif-Lab
a transaction agreement that is 'in-the-making' (ranging from an empty document to a document that would be a transaction agreement if it were signed by all participants).
Transaction Request
Essif-Lab
a message, sent by a requesting party to a providing party, that initiates the negotiation of a new transaction agreement between these parties for the provisioning of a specific product or service.
Transmission Control Protocol
ToIP
The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network. Major internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP, which is part of the Transport Layer of the TCP/IP suite. SSL/TLS often runs on top of TCP.
Source: Wikipedia.
Also known as: TCP.
See also: User Datagram Protocol.
Transport Layer Security
ToIP
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and Voice over IP, but its use in securing HTTPS remains the most publicly visible. The TLS protocol aims primarily to provide security, including privacy (confidentiality), integrity, and authenticity through the use of cryptography, such as the use of certificates, between two or more communicating computer applications.
Source: Wikipedia.
Also known as: TLS.
Note: TLS replaced the deprecated Secure Sockets Layer (SSL) protocol.
Tritet
TSWG (CESR)
3 bits. See Performant resynchronization with unique start bits
Trust
Essif-Lab
the (un)conscious decision by a party to believe that X is in fact the case.
Trust Pattern
Essif-Lab
a set of concepts and other semantic units that can be used to explain how the concept of trust relates to parties that do the trusting, and other concepts that express what it is that these parties trust.
Trust level
Essif-Lab
the (subjective) degree of belief or confidence that a party has in X (someone, something, ...).
Trust over IP
ToIP
A term coined by John Jordan to describe the decentralized digital trust infrastructure made possible by the ToIP stack. A play on the term Voice over IP (abbreviated VoIP).
Also known as: ToIP.
UDP
ToIP
See: User Datagram Protocol.
UI
Nist
The physical or logical means by which users interact with a system, device or process.
WebOfTrust
URL
Nist
A uniform resource locator, or URL, is a short string containing an address which refers to an object in the "web." URLs are a subset of URIs.
WebOfTrust
Uniform Resource Identifier (URI)
W3C (DID)
The standard identifier format for all resources on the World Wide Web as defined by [RFC3986]. A DID is a type of URI scheme.
Universally Unique Identifier (UUID)
W3C (DID)
A type of globally unique identifier defined by [RFC4122]. UUIDs are similar to DIDs in that they do not require a centralized registration authority. UUIDs differ from DIDs in that they are not resolvable or cryptographically-verifiable.
Unpermissioned correlation
TSWG (ACDC)
a correlation established between two or more disclosed ACDCs whereby the discloser of the ACDCs does not permit the disclosee to establish such a correlation.
Untargeted ACDC
TSWG (ACDC)
an ACDC without the presence of the Issuee field in the attribute or attribute aggregate sections.
User Datagram Protocol
ToIP
In computer networking, the User Datagram Protocol (UDP) is one of the core communication protocols of the Internet protocol suite used to send messages (transported as datagrams in packets) to other hosts on an Internet Protocol (IP) network. Within an IP network, UDP does not require prior communication to set up communication channels or data paths.
Source: Wikipedia.
Also known as: UDP.
VC
Nist
Term found but the definition does not exist yet.ToIP
See: verifiable credential.
WebOfTrust
VC TEL
WebOfTrust
VDS
Nist
Term found but the definition does not exist yet.WebOfTrust
VID
ToIP
WebOfTrust
VID relationship
ToIP
The communications relationship formed between two VIDs using the ToIP Trust Spanning Protocol. A particular feature of this protocol is its ability to establish as many VID relationships as needed to establish different relationship contexts between the communicating entities.
VID-to-VID
ToIP
The specialized type of peer-to-peer communications enabled by the ToIP Trust Spanning Protocol. Each pair of VIDs creates a unique VID relationship.
Validate
Validator
Essif-Lab
a component that implements the capability to determine whether or not (verified) data is valid to be used for some specific purpose(s).
TSWG (ACDC)
any entity or agent that evaluates whether or not a given signed statement as attributed to an identifier is valid at the time of its issuance. See validator.
TSWG (Keri)
any entity or agent that evaluates whether or not a given signed statement as attributed to an identifier is valid at the time of its issuance.
Validator Policy
Essif-Lab
a digital policy that enables an operational validator component to function in accordance with the objective of its principal.
Variable Length
TSWG (CESR)
a type of count code allowing for variable size signatures or attachments, which can be parsed to get the full size.
Verifiable
TSWG (Keri)
a condition of a KEL: being internally consistent with integrity of its backward and forward chaining digest as well as authenticity of its non-repudiable signatures.
Verifiable data registry
TSWG (ACDC)
A role a system might perform by mediating issuance and verification of ACDCs. See verifiable data registry.
Verifier
Essif-Lab
a component that implements the capability to request peer agents to present (provide) data from credentials (of a specified kind, issued by specified parties), and to verify such responses (check structure, signatures, dates), according to its principal's verifier policy.
TSWG (ACDC)
any entity or agent that cryptographically verifies the signature(s) and/or digests on an event Message. See verifier.
TSWG (Keri)
any entity or agent that cryptographically verifies the signature(s) and digests on an event Message.
Verifier Policy
Essif-Lab
a digital policy that enables an operational verifier component to function in accordance with the objective of its principal.
Verify
Version
TSWG (CESR)
the CESR Version is provided by a special Count Code that specifies the Version of all the CESR code tables in a given Stream or Stream section.
TSWG (Keri)
an instance of a KEL for an AID in which at least one event is unique between two instances of the KEL
Version String
TSWG (CESR)
the first field in any top-level KERI field map in which it appears.
VoIP
ToIP
See: Voice over IP.
Vocabulary
Essif-Lab
the sum or stock of words employed by a language, group, individual, or work or in a field of knowledge.
Voice over IP
ToIP
Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for voice calls for the delivery of voice communication sessions over Internet Protocol (IP) networks, such as the Internet.
Also known as: VoIP.
W3C Verifiable Credentials Data Model Specification
ToIP
A W3C Recommendation defining a standard data model and representation format for cryptographically-verifiable digital credentials. Version 1.1 was published on 03 March 2022.
For more information, see: https://www.w3.org/TR/vc-data-model/
Wallet
Essif-Lab
a component that implements the capability to securely store data as requested by colleague agents, and to provide stored data to colleague agents or peer agents, all in compliance with the rules of its principal's wallet policy.
Wallet Policy
Essif-Lab
a digital policy that enables an operational wallet component to function in accordance with the objective of its principal.
Watcher
TSWG (Keri)
an entity or component that keeps a copy of a KERL for an identifier but that is not designated by the controller of the identifier as one of its witnesses. See annex watcher
Weight
TSWG (ACDC)
an optional field map in the Edge section that provides edge weight property that enables directed weighted edges and operators that use weights.
Witness
TSWG (Keri)
a witness is an entity or component designated (trusted) by the controller of an identifier. The primary role of a witness is to verify, sign, and keep events associated with an identifier. A witness is the controller of its own self-referential identifier, which may or may not be the same as the identifier to which it is a witness. See Annex A under KAWA (KERI's Algorithm for Witness Agreement).
XBRL
WebOfTrust
ZKP
ToIP
See: zero-knowledge proof.
access control
ToIP
The process of granting or denying specific requests for obtaining and using information and related information processing services.
Source: NIST-CSRC.
Supporting definitions:
Wikipedia: In physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.
access controlled interaction
WebOfTrust
access controlled interaction
Definition
Access-controlled actions, such as submitting a report. If the service already has that report, then the load balancer needs a mechanism to drop repeated requests.
Source: Samuel Smith / Daniel Hardman / Lance Byrd - Zoom meeting KERI Suite Jan 16 2024; discussion minute 30-60 min
Replay attack prevention
Replay attacks are less of a concern, other than DDoS attack using resubmissions.
Also see
account
digital.govt.nz
an instance of entity information in a context
Additional note:
Note 1: A common term for the set of entity information relating to 1 entity to which an authenticator can be registered and from which credential subject information can be taken to establish a Credential.
accountable
digital.govt.nz
responsible for some action; answerable
[Source: expanded Dictionary meaning of accountable]
Additional note:
Note 1: For roles such as Credential Provider and Relying Party, it is the primary publicly accessible party.
accreditation (of an entity)
ToIP
The independent, third-party evaluation of an entity, by a conformity assessment body (such as certification body, inspection body or laboratory) against recognised standards, conveying formal demonstration of its impartiality and competence to carry out specific conformity assessment tasks (such as certification, inspection and testing).
Source: Wikipedia.
accreditation body
ToIP
A legal entity that performs accreditation.
See also: certification body.
action
actor
ToIP
An entity that can act (do things/execute actions), e.g. people, machines, but not organizations. A digital agent can serve as an actor acting on behalf of its principal.
Source: eSSIF-Lab.
address
ToIP
See: network address.
administering authority
ToIP
See: administering body.
administering body
ToIP
A legal entity delegated by a governing body to administer the operation of a governance framework and governed infrastructure for a digital trust ecosystem, such as one or more trust registries.
Also known as: administering authority.
affected party
digital.govt.nz
a party that could be influenced; acted upon
[Source: expanded Dictionary meaning of affected]
Additional note:
Note 1: For identification risk, the affected parties have been identified as:
- Entitled individual: for example, an entitled individual applies for a service and is deemed ineligible because their identity has been used previously by someone else to claim the same service.
- Service provider: for example, an organisation's reputation suffers because of publicity that the agency has been defrauded by large numbers of individuals claiming false identities.
- Wider community: for example, identification documents are mistakenly issued to people with false identities and are then used to commit fraud against other organisations.
agency
Nist
Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: (i) the Government Accountability Office; (ii) the Federal Election Commission; (iii) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or (iv) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.
agent
digital.govt.nz
a person, firm, etc. empowered to act for another
[Source: Dictionary]
ToIP
An actor that is executing an action on behalf of a party (called the principal of that actor). In the context of decentralized digital trust infrastructure, the term “agent” is most frequently used to mean a digital agent.
Source: eSSIF-Lab.
See also: wallet.
Note: In a ToIP context, an agent is frequently assumed to have privileged access to the wallet(s) of its principal. In market parlance, a mobile app performing the actions of an agent is often simply called a wallet or a digital wallet.
ambient verifiability
WebOfTrust
ambient verifiability
Definition
Verifiable by anyone, anywhere, at anytime. Although this seems a pretty general term, it was first used in the context of KERI by Sam Smith.
An example of ambient verifiability is Ambient Duplicity Detection that describes the possibility of detecting duplicity by anyone, anywhere, anytime.
ample
WebOfTrust
ample
Definition
The minimum required number of participants in an event to have a supermajority so that one and only one agreement or consensus on an event may be reached. This is a critical part of the KAACE agreement algorithm (consensus) in KERI for establishing consensus between witnesses on the key state of a KERI identifier. This consensus on key state forms the basis for accountability for a KERI controller, or what a person who controls a KERI identifier may be held legally responsible for.
This supermajority is also called a sufficient majority that is labeled immune from certain kinds of attacks or faults.
From section 11.4.2.4 Immune of v2.60 of the KERI whitepaper,
Satisfaction of this constraint guarantees that at most one sufficient agreement occurs or none at all despite a dishonest controller but where at most F of the witnesses are potentially faulty.
Ample Agreement Constraint:
Can apply to either
- a group of KERI witnesses for a witnessed event or
- a group of KERI identifier controllers participating in a multi-signature group.
Problems avoided by using ample
Using an ample number of witnesses avoids the problem of accidental lockout from a multisig group, which would occur if the signing threshold for the multisig group were set lower than the "ample" number of participants.
Table of minimum required, or ample, number of participants
N = Number of total participants
M = Number of participants needed to get the guarantees of "ample"
Code Example
Python code implementation from keri.core.eventing.py of the ample algorithm used in KAACE (with the math import it relies on):

from math import ceil


def ample(n, f=None, weak=True):
    """
    Returns int as sufficient immune (ample) majority of n when n >= 1,
    otherwise returns 0.

    Parameters:
        n is int total number of elements
        f is int optional fault number
        weak is Boolean
            If f is not None and
                weak is True then minimize m for f
                weak is False then maximize m for f that satisfies n >= 3*f+1
            Else
                weak is True then find maximum f and minimize m
                weak is False then find maximum f and maximize m

    n, m, f are subject to
        f >= 1 if n > 0
        n >= 3*f+1
        (n+f+1)/2 <= m <= n-f
    """
    n = max(0, n)  # no negatives
    if f is None:
        f1 = max(1, max(0, n - 1) // 3)  # least floor f subject to n >= 3*f+1
        f2 = max(1, ceil(max(0, n - 1) / 3))  # most ceil f subject to n >= 3*f+1
        if weak:  # try both fs to see which one has lowest m
            return min(n, ceil((n + f1 + 1) / 2), ceil((n + f2 + 1) / 2))
        else:
            return min(n, max(0, n - f1, ceil((n + f1 + 1) / 2)))
    else:
        f = max(0, f)
        m1 = ceil((n + f + 1) / 2)  # lower bound: (n+f+1)/2 <= m
        m2 = max(0, n - f)  # upper bound: m <= n-f
        if m2 < m1 and n > 0:
            raise ValueError("Invalid f={} is too big for n={}.".format(f, n))
        if weak:
            return min(n, m1, m2)
        else:
            return min(n, max(m1, m2))
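As an added example (not code from the KERI project or from this glossary), the block below transcribes the ample() algorithm and checks its guarantee by brute force for small witness pools: at threshold ample(n), with the largest number of faulty witnesses the n >= 3*f+1 constraint tolerates, no two groups of witnesses can back conflicting agreements on the same event, while the honest witnesses alone can still reach the threshold. The pool sizes and the helper names (max_faulty, split_possible, check_threshold) are constructed here for illustration.

```python
# Added example: brute-force check of the "ample" guarantee for small pools.
# ample() is a transcription of the KERI algorithm; the other helpers and
# the sample pool sizes are constructed for this illustration.
from itertools import combinations
from math import ceil


def ample(n, f=None, weak=True):
    """Sufficient immune (ample) majority of n (KERI algorithm, transcribed)."""
    n = max(0, n)
    if f is None:
        f1 = max(1, max(0, n - 1) // 3)        # least f with n >= 3*f+1
        f2 = max(1, ceil(max(0, n - 1) / 3))   # most f with n >= 3*f+1
        if weak:
            return min(n, ceil((n + f1 + 1) / 2), ceil((n + f2 + 1) / 2))
        return min(n, max(0, n - f1, ceil((n + f1 + 1) / 2)))
    f = max(0, f)
    m1 = ceil((n + f + 1) / 2)   # lower bound on m
    m2 = max(0, n - f)           # upper bound on m
    if m2 < m1 and n > 0:
        raise ValueError(f"Invalid f={f} is too big for n={n}.")
    return min(n, m1, m2) if weak else min(n, max(m1, m2))


def max_faulty(n):
    """Largest f that still satisfies n >= 3*f + 1 (constructed helper)."""
    return max(0, (n - 1) // 3)


def split_possible(n, m, f):
    """Can f faulty witnesses let two groups of size m each reach a
    different agreement on the same event? (brute force, small n only)

    An honest witness signs only one version of an event, so two groups
    backing different versions may overlap only in faulty witnesses. A split
    therefore exists iff some pair of m-sized groups intersects entirely
    inside some f-sized faulty set.
    """
    pool = range(n)
    groups = [frozenset(g) for g in combinations(pool, m)]
    for faulty in combinations(pool, f):
        faulty = frozenset(faulty)
        for a, b in combinations(groups, 2):
            if (a & b) <= faulty:
                return True
    return False


def check_threshold(n, m=None):
    """Report both guarantees for n witnesses at signing threshold m
    (default ample(n)) against the maximum tolerated number of faults."""
    if m is None:
        m = ample(n)
    f = max_faulty(n)
    return {
        "n": n,
        "m": m,
        "f": f,
        # safety: no two conflicting agreements can both reach threshold m
        "no_split": not split_possible(n, m, f),
        # liveness: the n - f honest witnesses alone can reach threshold m
        "honest_can_agree": n - f >= m,
    }


if __name__ == "__main__":
    for n in range(1, 9):
        print(check_threshold(n))
    # A threshold below ample(7) = 5 lets 2 faulty witnesses out of 7 back
    # two conflicting agreements (no_split becomes False):
    print(check_threshold(7, m=4))
```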
amplification attack
W3C (DID)
A class of attack where the attacker attempts to exhaust a target system's CPU, storage, network, or other resources by providing small, valid inputs into the system that result in damaging effects that can be exponentially more costly to process than the inputs themselves.
anonymous
digital.govt.nz
not easily distinguished from others or from one another because of a lack of individual features or character
[Source: Dictionary]
ToIP
An adjective describing when the identity of a natural person or other actor is unknown.
See also: pseudonym.
anycast
ToIP
Anycast is a network addressing and routing methodology in which a single IP address is shared by devices (generally servers) in multiple locations. Routers direct packets addressed to this destination to the location nearest the sender, using their normal decision-making algorithms, typically the lowest number of BGP network hops. Anycast routing is widely used by content delivery networks such as web and name servers, to bring their content closer to end users.
Source: Wikipedia.
anycast address
ToIP
A network address (especially an IP address) used for anycast routing of network transmissions.
append only event logs
WebOfTrust
append only event logs
Definition
Append-only is a property of computer data storage such that new data can be appended to the storage, but where existing data is immutable.
A blockchain is an example of an append-only log. The events can be transactions. Bitcoin is a well-known Append only log where the events are totally ordered and signed transfers of control over unspent transaction output.
More on Wikipedia
application programming interface
WebOfTrust
application programming interface
Definition
An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software.
API specification
A document or standard that describes how to build or use such a connection or interface is called an API specification. A computer system that meets this standard is said to implement or expose an API. The term API may refer either to the specification or to the implementation.
More on source Wikipedia.
appraisability (of a communications endpoint)
ToIP
The ability for a communication endpoint identified with a verifiable identifier to be appraised for the set of its properties that enable a relying party or a verifier to make a trust decision about communicating with that endpoint.
See also: trust basis, verifiability.
appropriate friction
architectural decision record
WebOfTrust
architectural decision record
Definition
Is a justified software design choice that addresses a functional or non-functional requirement that is architecturally significant.
Source adr.github.io
assurance
digital.govt.nz
a statement, assertion, etc. intended to inspire confidence or give encouragement[Source: Dictionary]
assurance level
ToIP
A level of confidence in a claim that may be relied on by others. Different types of assurance levels are defined for different types of trust assurance mechanisms. Examples include authenticator assurance level, federation assurance level, and identity assurance level.
attestation
ToIP
The issue of a statement, based on a decision, that fulfillment of specified requirements has been demonstrated. In the context of decentralized digital trust infrastructure, an attestation usually has a digital signature so that it is cryptographically verifiable.
Source: NIST-CSRC.
attribute
digital.govt.nz
(noun) a characteristic or quality of a person or thing
[Source: Dictionary]
ToIP
An identifiable set of data that describes an entity, which is the subject of the attribute.
See also: property.
Supporting definitions:
eSSIF-Lab: Data that represents a characteristic that a party (the owner of the attribute) has attributed to an entity (which is the subject of that attribute).
Note: An identifier is an attribute that uniquely identifies an entity within some context.
attribute-based access control
ToIP
An access control approach in which access is mediated based on attributes associated with subjects (requesters) and the objects to be accessed. Each object and subject has a set of associated attributes, such as location, time of creation, access rights, etc. Access to an object is authorized or denied depending upon whether the required (e.g., policy-defined) correlation can be made between the attributes of that object and of the requesting subject.
Source: NIST-CSRC.
Supporting definitions:
Wikipedia: Attribute-based access control (ABAC), also known as policy-based access control for IAM, defines an access control paradigm whereby a subject's authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment attributes.
attributional trust
WebOfTrust
attributional trust
Definition
KERI offers cryptographic root-of-trust to establish attributional trust. In the real world you'd also need reputational trust. You can't have reputation without attributional trust.
Read more in source Universal Identifier Theory
OOBI
Out-of-band Introductions (OOBIs) to establish attributional trust, as is done with OOBIs in KERI, is not the same as the high friction cost of establishing reputational trust by going through the heavy lifting of identity assurance by a to-be-trusted middleman party, like GLEIF.
audit (of system controls)
audit log
ToIP
An audit log is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, event, or device.
Source: Wikipedia.
Also known as: audit trail.
See also: key event log.
auditor (of an entity)
ToIP
The party responsible for performing an audit. Typically an auditor must be accredited.
See also: human auditable.
authentic chained data container
WebOfTrust
authentic chained data container
Definition
In brief, an ACDC or ADC proves digital data consistency and authenticity in one go. An ACDC cryptographically secures commitment to data contained, and its identifiers are self-addressing, which means they point to themselves and are also contained in the data.
authentic chained data container (ACDC)
ToIP (DID:Webs)
a variant of the Verifiable Credential (VC) specification that inherits the security model derived from KERI, as defined by the ACDC specification. See WebOfTrust glossary for more detail.
authentic data
WebOfTrust
authentic data container
WebOfTrust
authentic data container
Definition
A mechanism for conveying data that allows the authenticity of its content to be proved.
Instance
A Verifiable Credential is an ACDC
authentic provenance chain
WebOfTrust
authentic provenance chain
Definition
Interlinked presentations of evidence that allow data to be tracked back to its origin in an objectively verifiable way.
authentic web
WebOfTrust
authentic web
Definition
The authentic web is the internet as a whole giant verifiable data structure. Also called Web5. The web will be one big graph. That's the mental model of the 'authentic web'.
Related
Signed at rest
- the data never throws away any signature of data, because otherwise we can't validate data in the future
Key state at rest
- you need to solve this hard problem too. This is the hard problem KERI solves.
Signed in motion
- signatures get thrown away. You use ephemeral identifiers. You have to do everything anew every time you want to reconstruct a verifiable data structure. Therefore we need 'Signed at rest'.
Scalability of Key state at rest
- You can append to any part of the (directed-acyclic) graph
- You can hop into the graph to verify any fragment of the graph
- You don't have to sign the data, you just have to sign hashes of this data
- Every tree that gets integrated in this giant graph-forest has its own Root of Trust
KERI related
KERI solves all hard problems of the authentic web in a scalable manner.
Technically oriented deep dive
See more in Concepts behind KERI
authenticate
W3C (DID)
Authentication is a process by which an entity can prove it has a specific attribute or controls a specific secret using one or more verification methods. With DIDs, a common example would be proving control of the cryptographic private key associated with a public key published in a DID document.
authentication
digital.govt.nz
process for establishing that an authenticator is genuine or as represented [Source: expanded Dictionary meaning of authenticate]
authentication (of a user, process, or device)
ToIP
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
Source: NIST-CSRC.
See also: authenticator, verifiable message.
Supporting definitions:
Wikipedia: The act of proving an assertion, such as the identity of a computer system user.
authenticator
digital.govt.nz
things known and/or possessed and controlled by an entity that are used to be recognised when they return to an organisation [Source: Based on NIST SP 800-63-3 Digital Identity Guidelines]
authenticator (of an entity)
ToIP
Something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity.
Source: NIST-CSRC.
authenticator assurance level
ToIP
A measure of the strength of an authentication mechanism and, therefore, the confidence in it.
Source: NIST-CSRC.
See also: federation assurance level, identity assurance level, identity binding.
Note: In NIST SP 800-63-3, AAL is defined in terms of three levels: AAL1 (Some confidence), AAL2 (High confidence), AAL3 (Very high confidence).
authenticator holder
digital.govt.nz
the entity to which an authenticator was initially bound; the rightful holder [Source: New definition]
authenticity
Nist
The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.
ToIP
The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.
Source: NIST-CSRC.
See also: confidentiality, correlation privacy, cryptographic verifiability.
WebOfTrust
authenticity
Definition
The quality of having an objectively verifiable origin; contrast veracity. When a newspaper publishes a story about an event, every faithful reproduction of that story may be authentic — but that does not mean the story was true (has veracity).
Authenticity is strongly related to digital security. Ideally it should be verifiable (to a root-of-trust). The future picture therein is the Authentic Web.
KERI related
The three properties, authenticity, confidentiality, and privacy inhabit a trade space. ...One can have any two of the three (privacy, authenticity, confidentiality) at the highest level but not all three.
The trilemma insists that one must make a trade-off by prioritizing one or two properties over a third. The ToIP design goals reflect that trade-off and provide an order of importance. The design goals indicate that one should start with high authenticity, then high confidentiality, and then as high as possible privacy, given there is no trade-off with respect to the other two.
More on Source Samuel Smith SPAC whitepaper.
Also see
authoritative
digital.govt.nz
possessing or supported by authority; official [Source: Dictionary]
Additional note:
Note 1: Indigenous peoples, society and industry communities can nominate a party as authoritative. It's possible that such a party is subject to legal controls.
WebOfTrust
authoritative
Definition
Established control authority over an identifier, that has received attestations to it, e.g. control over the identifier has been verified to its root-of-trust. So the (control over the) identifier is 'authoritative' because it can be considered accurate, renowned, honourable and / or respected.
Also used to describe PKI key pairs that have this feature.
Four A's of secure data control
- Author: creator, source-of-truth
- Authentic: provable origin, root-of-trust
- Authorized: consent, loci-of-control
- Authoritative: accurate, reputable
"A4" data control securely is established via self-certifying pseudonymous identifiers
Source Samuel M. Smith
authoritative source
ToIP
A source of information that a relying party considers to be authoritative for that information. In ToIP architecture, the trust registry authorized by the governance framework for a trust community is typically considered an authoritative source by the members of that trust community. A system of record is an authoritative source for the data records it holds. A trust root is an authoritative source for the beginning of a trust chain.
authority
WebOfTrust
authority
See ToIP glossary
authorization
ToIP
The process of verifying that a requested action or service is approved for a specific entity.
Source: NIST-CSRC.
See also: permission.
authorized organizational representative
A person who has the authority to make claims, sign documents or otherwise commit resources on behalf of an organization.
Source: Law Insider
WebOfTrust
authorization
Definition
The function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular.
More formally, "to authorize" is to define an access policy.
KERI specific
Authorizations have the form of a signed authorization statement where the statement typically includes the AID under which the authorization is issued. A verifier may then verify the authorization by verifying the attached signature using the keys that were authoritative at the time the authorization was issued. These authorizations are secure to the extent that the established control authority is secure. The authorizations inherit their security from their associated AID.
W3C VC form
Authorizations may take many forms. One form of particular interest is the W3C Verifiable Credential VC standard. Verifiable credentials use the W3C Decentralized Identifier DID standard. The DID standard provides name spacing syntax for decentralized identifiers that is evocative of URIs. A given DID may be a type of AID but not all DIDs are AIDs. Furthermore, because AIDs may use other name space syntax standards besides DIDs, not all AIDs are DIDs. KERI itself is name space agnostic so may be used to support AIDs in any name space that accepts pseudo-random strings as an element.
authorization graph
ToIP
A graph of the authorization relationships between different entities in a trust community. In a digital trust ecosystem, the governing body is typically the trust root of an authorization graph. In some cases, an authorization graph can be traversed by making queries to one or more trust registries.
See also: governance graph, reputation graph, trust graph.
authorized vlei representative
WebOfTrust
authorized vlei representative
Definition
Also 'AVR'. This is a representative of a Legal Entity who is authorized by the DAR of that Legal Entity to request issuance and revocation of:
- vLEI Legal Entity Credentials
- Legal Entity Official Organizational Role vLEI Credentials (OOR vLEI Credentials)
- Legal Entity Engagement Context Role vLEI Credentials (ECR vLEI Credentials).
Paraphrased by @henkvancann from source Draft vLEI Ecosystem Governance Framework Glossary.
autonomic computing systems
WebOfTrust
autonomic computing systems
Definition
Self managing computing systems using algorithmic governance, from the 90's way way way before DAOs. KERI creator Sam Smith worked at funded Navy research in the 90's on autonomic survivable systems as in "self-healing" systems: "We called them autonomic way back then".
autonomic identifier
ToIP
The specific type of self-certifying identifier specified by the KERI specifications.
Also known as: AID.
WebOfTrust
autonomic identifier
Definition
An identifier that is self-certifying and self-sovereign (or self-managing).
KERI related requirements
A self-managing cryptonymous identifier that MUST be self-certifying (self-authenticating) and MUST be encoded in CESR as a qualified cryptographic primitive. An AID MAY exhibit other self-managing properties such as transferable control using key pre-rotation which enables control over such an AID to persist in spite of key weakness or compromise due to exposure. Authoritative control over the identifier persists in spite of the evolution of the key-state.
Source Samuel M. Smith, ietf-keri draft
Autonomic Identifier more general
Autonomic Identifiers have been pretty well described in this piece as opposed to centralised (administrative) and blockchain-based (algorithmic) identifier systems: Architectural types of Identity Systems; originally by Phil Windley in this article.
A summarizing comparison table might say more than a hundred words:
autonomic identifier (AID)
ToIP (DID:Webs)
A self-certifying identifier (SCID) that is cryptographically bound to a key event log (KEL), as defined by the KERI specification. An AID is either non-transferable or transferable. A non-transferable AID does not support key rotation, while a transferable AID supports key rotation using a key pre-rotation mechanism that enables the AID to persist in spite of the evolution of its key state. See WebOfTrust glossary for more detail.
autonomic identity system
WebOfTrust
autonomic identity system
Definition
There's nobody that can intervene with the establishment of the authenticity of a control operation because you can verify all the way back to the root-of-trust.
autonomic namespace
WebOfTrust
autonomic namespace
Definition
A namespace that is self-certifying and hence self-administrating. ANs are therefore portable, i.e. truly self-sovereign.
autonomic trust basis
WebOfTrust
autonomic trust basis
Definition
When we use an AID as the root-of-trust we form a so-called autonomic trust basis. This is diagrammed as follows:
Other trust bases
Two other trust bases are in common use for identifier systems. One we call algorithmic, the other administrative.
An algorithmic trust basis relies on some network of nodes running some type of Byzantine fault tolerant, totally ordering, distributed consensus algorithm for its root-of-trust. These networks are more commonly known as a shared ledger or blockchain, such as Bitcoin, Ethereum, or Sovrin.
The other commonly used trust basis in identifier systems is an administrative or organizational trust basis, i.e. a trusted entity. This is neither secure nor decentralized.
backer
WebOfTrust
backer
Definition
The terms Backer and Witness are closely related in KERI. Backers include both regular KERI witnesses and ledger-registered backers.
base media type
WebOfTrust
base media type
Definition
credential+ld+json. Other media types of credentials are allowed but must provide either unidirectional or bidirectional transformations. So for example we would create credential+acdc+json and provide a unidirectional transformation to credential+ld+json.
We are going for credential+acdc+json without @context. The main objection to using @context is that it can change the meaning of a credential. The other way around: ACDCs will include W3C credentials. Media types will be used to differentiate between types of credentials and verifiable credentials.
base64
WebOfTrust
base64
Definition
In computer programming, Base64 is a group of binary-to-text encoding schemes that represent binary data (more specifically, a sequence of 8-bit bytes) in sequences of 24 bits that can be represented by four 6-bit Base64 digits.
More on source Wikipedia
bespoke credential
WebOfTrust
bespoke credential
Definition
It's an issuance of the disclosure or presentation of other ACDCs. Bespoke means custom or tailor-made. A bespoke credential serves as an on-the-fly contract with the issuee; it's a self-referencing and self-contained contract between the issuer and the verifier. Mind you, here the issuer and issuee are merely the discloser and disclosee of another (set of) ACDC(s).
Example
If I want consent terms attached to a presentation of an (set of) ACDC(s).
Consider a disclosure-specific ACDC, aka tailor made, custom or bespoke. The Issuer is the Discloser, the Issuee is the Disclosee. The rule section includes a context-specific (anti) assimilation clause that limits the use of the information to a single one-time usage purpose, that is for example, admittance to a restaurant. The ACDC includes an edge that references some other ACDC that may for example be a coupon or gift card. The attribute section could include the date and place of admittance.
For the code of this example, see section 11.1 in Github
Advantage
We can use all the tools available for issuance and presentation we already have.
How the process works
Similar to a presentation exchange, a verifier will first be asked what they are looking for; secondly, the discloser creates the dataset and publishes only the structure and the fields. To accomplish this, thirdly, a compact ACDC will be issued (you publish the fields, not the content) and then the issuer asks to sign it first. After signing, the disclosee can get the content associated with the on-the-fly contract.
More at Github source
best available data acceptance mechanism
WebOfTrust
best available data acceptance mechanism
Definition
The BADA security model provides a degree of replay attack protection. The attributable originator (issuer, author, source) is provided by an attached signature couple or quadruple. A single reply could have multiple originators. When used as an authorization, the reply attributes may include the identifier of the authorizer, and the logic for processing the associated route may require a matching attachment. BADA is part of KERI's Zero Trust Computing Architecture for Data Management: How to support Secure Async Data Flow Routing in KERI enabled Applications.
See also
bexter
WebOfTrust
bexter
Definition
The class for variable-length text that is used in CESR and preserves round-trip transposability using Base64 URL-safe-only encoding, even though the text is of variable length.
More details
From readthedocs.io
Bexter is a subclass of Matter, cryptographic material, for variable length strings that only contain Base64 URL safe characters, i.e. Base64 text (bext).
When created using the 'bext' parameter, the encoded matter in qb64 format in the text domain is more compact than would be the case if the string were passed in as raw bytes. The text is used as is to form the value part of the qb64 version, not including the leader.
An ambiguity arises from pre-padding bext whose length is a multiple of three with one or more 'A' chars: any bext that starts with an 'A' and whose length is either a multiple of 3 or 4 may not round trip. Bext with a leading 'A' whose length is a multiple of four may have the leading 'A' stripped when round tripping.
- Bexter(bext='ABBB').bext == 'BBB'
- Bexter(bext='BBB').bext == 'BBB'
- Bexter(bext='ABBB').qb64 == '4AABABBB' == Bexter(bext='BBB').qb64
To avoid this problem, only use Bexter for applications whose Base64 strings never start with 'A'.
Examples: base64 text strings:
- bext = ""
- qb64 = '4AAA'
- bext = "-"
- qb64 = '6AABAAA-'
- bext = "-A"
- qb64 = '5AABAA-A'
- bext = "-A-"
- qb64 = '4AABA-A-'
- bext = "-A-B"
- qb64 = '4AAB-A-B'
Example uses:
- CESR encoded paths for nested SADs and SAIDs
- CESR encoded fractionally weighted threshold expressions
Attributes
Inherited properties (see Matter):
- .pad is int number of pad chars given raw
- .code is str derivation code to indicate cypher suite
- .raw is bytes crypto material only without code
- .index is int count of attached crypto material by context (receipts)
- .qb64 is str in Base64 fully qualified with derivation code + crypto material
- .qb64b is bytes in Base64 fully qualified with derivation code + crypto material
- .qb2 is bytes in binary with derivation code + crypto material
- .transferable is Boolean, True when transferable derivation code, False otherwise
Properties:
- .text is the Base64 text value, .qb64 with text code and leader removed
Hidden:
- ._pad is method to compute .pad property
- ._code is str value for .code property
- ._raw is bytes value for .raw property
- ._index is int value for .index property
- ._infil is method to compute fully qualified Base64 from .raw and .code
- ._exfil is method to extract .code and .raw from fully qualified Base64
Methods:
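The pre-padding ambiguity described in this entry, as an added example that is not keripy's own Bexter code: a minimal Python model of the variable-length Base64 text ("bext") encoding, reconstructed from the qb64 examples listed above. It assumes the CESR codes '4A', '5A' and '6A' denote lead sizes of 0, 1 and 2 bytes and that the two characters after the code hold the number of Base64 quadlets of text that follow; the decoder's "strip one leading 'A' when the lead size is 0" rule is what makes 'ABBB' and 'BBB' collide.

```python
import base64

# Added example, not code from keripy or the glossary: a minimal model of the
# CESR variable-length Base64 text ("bext") encoding, written to show the
# pre-padding round-trip ambiguity.  Assumptions: the codes '4A', '5A' and
# '6A' denote lead sizes of 0, 1 and 2 bytes, and the two characters after the
# code hold the number of Base64 quadlets of text that follow.

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
LEAD_CODES = {0: "4A", 1: "5A", 2: "6A"}      # lead size (bytes) -> code
CODE_LEADS = {code: ls for ls, code in LEAD_CODES.items()}


def int_to_b64(n: int, width: int) -> str:
    """Encode a non-negative int as a fixed-width Base64 URL-safe string."""
    out = ""
    for _ in range(width):
        out = B64[n % 64] + out
        n //= 64
    if n:
        raise ValueError("value does not fit in the requested width")
    return out


def b64_to_int(s: str) -> int:
    """Decode a Base64 URL-safe string as a big-endian integer."""
    n = 0
    for ch in s:
        n = n * 64 + B64.index(ch)
    return n


def bext_to_qb64(bext: str) -> str:
    """Qualify Base64 text: pre-pad with 'A' to whole quadlets, then prefix code + count."""
    if any(ch not in B64 for ch in bext):
        raise ValueError("bext must contain only Base64 URL-safe characters")
    ts = len(bext) % 4        # chars left over after whole quadlets
    ws = (4 - ts) % 4         # wad size: number of 'A' chars to pre-pad
    ls = (3 - ts) % 3         # lead size: whole zero bytes the pad produces
    padded = "A" * ws + bext  # 'A' is the Base64 digit for six zero bits
    # The padded text decodes to ls zero bytes followed by the raw material, and
    # re-encoding that yields the padded text again, so the value part of the
    # qb64 string is exactly the padded text.
    raw = base64.urlsafe_b64decode(padded)[ls:]
    assert base64.urlsafe_b64encode(bytes(ls) + raw).decode() == padded
    return LEAD_CODES[ls] + int_to_b64(len(padded) // 4, 2) + padded


def qb64_to_bext(qb64: str) -> str:
    """Strip code, count and pre-pad from a qualified value to recover the text."""
    code, count, text = qb64[:2], qb64[2:4], qb64[4:]
    ls = CODE_LEADS[code]
    if len(text) != 4 * b64_to_int(count):
        raise ValueError("text length does not match the quadlet count")
    if ls == 0:
        # Lead size 0 covers both "no pad" (length % 4 == 0) and "one 'A' pad"
        # (length % 4 == 3).  The decoder cannot tell them apart, so a leading
        # 'A' is always treated as pad: this is the ambiguity in the entry.
        ws = 1 if text.startswith("A") else 0
    else:
        ws = ls + 1  # ls=1 means two 'A' were added, ls=2 means three
    return text[ws:]


def round_trips(bext: str) -> bool:
    """True when encoding then decoding returns the original text."""
    return qb64_to_bext(bext_to_qb64(bext)) == bext


if __name__ == "__main__":
    for sample in ("", "-", "-A", "-A-", "-A-B", "BBB", "ABBB"):
        print(f"{sample!r:8} -> {bext_to_qb64(sample)!r:14} round trips: {round_trips(sample)}")
```

Running the block reproduces the five qb64 values listed above and shows that 'BBB' and 'ABBB' both encode to '4AABABBB', which decodes back to 'BBB'; that is why the entry advises restricting Bexter to strings that never start with 'A'.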
binding
digital.govt.nz
(noun) the action of a person or thing that binds [Source: Dictionary]
Nist
Process of associating two related elements of information.
WebOfTrust
binding
Definition
In short, the technique of connecting two data elements together. In the context of KERI it's the association of data or an identifier with another identifier or a subject (a person, organization or machine), thereby lifting the privacy of the subject through that connection, i.e. binding.
biometric
bis
WebOfTrust
bis
Definition
bis = backed vc issue, registry-backed transaction event log credential issuance
bivalent
WebOfTrust
bivalent
Definition
A nested set of layered delegations in a delegation tree wraps each layer with the compromise-recovery protection of the next higher layer. This maintains the security of the root layer for compromise recovery all the way out to the leaves, in spite of the leaves using less secure key management methods.
To elaborate, in a cooperative delegation, the key generation and storage functions of the delegator and delegate, in terms of the controlling private keys, may be completely isolated from each other. This means that each may use its own independent key management infrastructure with no movement of private keys between the two infrastructures. We call this a bivalent key management infrastructure.
Source Universal Identifier Theory by Samuel Smith
Also see
blake3
WebOfTrust
blake3
Definition
BLAKE3 is a relatively young (2020) cryptographic hash function based on Bao and BLAKE2.
Features and programming languages
BLAKE3 is a single algorithm with many desirable features (parallelism, XOF, KDF, PRF and MAC), in contrast to BLAKE and BLAKE2, which are algorithm families with multiple variants. BLAKE3 has a binary tree structure, so it supports a practically unlimited degree of parallelism (both SIMD and multithreading) given long enough input.
The official Rust and C implementations are dual-licensed as public domain (CC0) and the Apache License.
Fast, parallel and streaming
BLAKE3 is designed to be as fast as possible. It is consistently a few times faster than BLAKE2. The BLAKE3 compression function is closely based on that of BLAKE2s, with the biggest difference being that the number of rounds is reduced from 10 to 7, a change based on the assumption that current cryptography is too conservative. In addition to providing parallelism, the Merkle tree format also allows for verified streaming (on-the-fly verifying) and incremental updates.
blind oobi
WebOfTrust
blind oobi
Definition
A blind OOBI means that you have some mechanisms in place for verifying the AID instead of via the OOBI itself. A blind OOBI is essentially a URL. It's called "blind" because the witness is not in the OOBI itself. You have other ways of verifying the AID supplied.
Example
A blind OOBI through an AID that is on some witness list and has been verified to root-of-trust already. So you know the human being behind this referred AID. Because it's an AID that has a KEL out there, which has been securely established, you can trust it. So a blind OOBI makes a via-via commitment.
The working
A natural person that you trust is the owner of an AID. Then you cryptographically commit this AID to another AID through some mechanism (e.g. a witness list).
"Here's my public key and here's my AID, and because this is in another witness list I trust it."
Unblind
A 'blind' AID becomes "unblind" when you establish a direct relationship with the human being who controls the referenced AID. You shortcut the blind OOBI because you established a direct OOBI to the formerly referenced AID.
Why is a blind OOBI interesting
type 2 authentication: minimise the friction | TBW prio 3 |
Related terms
Authentication by reference, latent authenticity
blinded revocation registry
WebOfTrust
blinded revocation registry
Definition
The current state of a transaction event log (TEL) may be hidden or blinded such that the only way for a potential verifier of the state to observe that state is when the controller of a designated AID discloses it at the time of presentation.
| TBW: BE CAREFUL WITH THE REST, JUST TEXT SNIPPETS TYPED IN FROM A CONVERSATION |
No information can be obtained via a rainbow table attack because the hash has enough entropy added to it.
| TBW | on the basis of the last half hour of the recording ACDC meetup Dec 6 }
The issuer creates and signs the bulk issuance set of credentials and shares a salt with the presenters. The shared salt correlates between the issuer and the issuee, but that is the worst problem we have to consider, which is acceptable.
See more in the section blindable state tel
Important observation
The presenter does the decomposition in a way that allows a verifier to conclude: "Yes that was an approved schema issued by the issuer!"
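Why the blinded state needs a high-entropy salt, as an added example that is not keripy's own code: a toy commit-and-disclose model of a blinded TEL state in Python. The registry id, the two state names and the SHA-256 input format are constructed for this example (the real blindable-state TEL uses SAIDs and CESR primitives). It goes beyond the snippets above by showing both sides: the controller publishing only the digest, and the verifier recomputing it from the (state, salt) disclosed at presentation time.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Added example, not keripy or the glossary's own code: a toy model of a
# blinded transaction event log (TEL) state as a salted commitment.  SHA-256
# over a constructed canonical string stands in for the real SAID machinery,
# purely to show why the salt must carry enough entropy that the tiny state
# space cannot be guessed from the published digest alone.

STATES = ("issued", "revoked")  # the only values a credential's TEL state can take


def commit(registry_id: str, state: str, salt: bytes = b"") -> str:
    """Hex digest of the state bound to its registry and salt (constructed format)."""
    if state not in STATES:
        raise ValueError(f"unknown TEL state {state!r}")
    material = salt + b"|" + registry_id.encode() + b"|" + state.encode()
    return hashlib.sha256(material).hexdigest()


def publish_blinded_state(registry_id: str, state: str) -> Tuple[str, bytes]:
    """Controller side: draw a fresh 128-bit salt and publish only the digest.
    The salt is shared out of band with the issuee/presenter, never published."""
    salt = secrets.token_bytes(16)
    return commit(registry_id, state, salt), salt


def verify_disclosure(published: str, registry_id: str, state: str, salt: bytes) -> bool:
    """Verifier side: at presentation the presenter discloses (state, salt); the
    verifier recomputes the commitment and compares it with the published digest."""
    return secrets.compare_digest(published, commit(registry_id, state, salt))


def recover_state(published: str, registry_id: str, salt: bytes = b"") -> Optional[str]:
    """What an observer of the published digest alone can do: try each possible
    state (a two-entry "rainbow table").  Returns the matching state or None.
    With no salt (or a known one) this trivially reveals the state; with an
    unknown 128-bit salt no candidate matches, which is the blinding property."""
    for candidate in STATES:
        if secrets.compare_digest(published, commit(registry_id, candidate, salt)):
            return candidate
    return None


if __name__ == "__main__":
    digest, salt = publish_blinded_state("registry-example", "revoked")
    print("unsalted digest leaks state:", recover_state(commit("registry-example", "revoked"), "registry-example"))
    print("observer guess on blinded digest:", recover_state(digest, "registry-example"))
    print("verifier with disclosed salt:", verify_disclosure(digest, "registry-example", "revoked", salt))
```

The unsalted call shows the failure mode the entry warns about: with only two possible states, a digest without added entropy is a lookup table, not a blind. Sharing the salt with the presenter is what the entry describes as the accepted correlation between issuer and issuee.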
blockchain
ToIP
A distributed digital ledger of cryptographically-signed transactions that are grouped into blocks. Each block is cryptographically linked to the previous one (making it tamper evident) after validation and undergoing a consensus decision. As new blocks are added, older blocks become more difficult to modify (creating tamper resistance). New blocks are replicated across copies of the ledger within the network, and any conflicts are resolved automatically using established rules.
Source: NIST-CSRC
Supporting definitions:
Wikipedia: A distributed ledger with growing lists of records (blocks) that are securely linked together via cryptographic hashes. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data (generally represented as a Merkle tree, where data nodes are represented by leaves). Since each block contains information about the previous block, they effectively form a chain (compare linked list data structure), with each additional block linking to the ones before it. Consequently, blockchain transactions are irreversible in that, once they are recorded, the data in any given block cannot be altered retroactively without altering all subsequent blocks.
bran
WebOfTrust
bran
Definition
A cryptographic string used as a primary input, a seed, for creating key material for an autonomic identifier.
Usages
This is used in Signify TS:
Controller
constructor argument:
constructor(bran: string, tier: Tier, ridx: number = 0, state: any | null = null) {
    this.bran = MtrDex.Salt_128 + 'A' + bran.substring(0, 21) // qb64 salt for seed
    this.stem = "signify:controller"
    this.tier = tier
    this.ridx = ridx
    this.salter = new Salter({ qb64: this.bran, tier: this.tier })
    ...
Sources
Quote, a Zoom chat message, from Dr. Sam Smith on 8/22/23 in the Tuesday morning KERI & ACDC ToIP specification discussion call:
We already use seed and salt for something else so bran is related to seed so we used a term that was evocative of its use but not conflict with already used seed
branch
WebOfTrust
branch
Definition
In software development a 'branch' refers to the result of branching: the duplication of an object under version control for further separate modification.
More info on Wikipedia
Branching, in version control and software configuration management, is the duplication of an object under version control (such as a source code file or a directory tree). Each object can thereafter be modified separately and in parallel so that the objects become different. In this context the objects are called branches. The users of the version control system can branch any branch.
broadcast
ToIP
In computer networking, telecommunication and information theory, broadcasting is a method of transferring a message to all recipients simultaneously. Broadcast delivers a message to all nodes in the network using a one-to-all association; a single datagram (or packet) from one sender is routed to all of the possibly multiple endpoints associated with the broadcast address. The network automatically replicates datagrams as needed to reach all the recipients within the scope of the broadcast, which is generally an entire network subnet.
Source: Wikipedia.
See also: anycast, multicast, unicast.
Supporting definitions:
NIST-CSRC: Transmission to all devices in a network without any acknowledgment by the receivers.
broadcast address
ToIP
A broadcast address is a network address used to transmit to all devices connected to a multiple-access communications network. A message sent to a broadcast address may be received by all network-attached hosts. In contrast, a multicast address is used to address a specific group of devices, and a unicast address is used to address a single device. For network layer communications, a broadcast address may be a specific IP address.
Source: Wikipedia.
broken object level authorization
WebOfTrust
broken object level authorization
Definition
Refers to security flaws where users can access data they shouldn't, due to inadequate permission checks on individual (sub)objects.
brv
WebOfTrust
brv
Definition
brv = backed vc revoke, registry-backed transaction event log credential revocation
byzantine agreement
WebOfTrust
byzantine agreement
Definition
(non PoW) Byzantine Agreement is Byzantine fault tolerance of distributed computing systems that enable them to come to consensus despite arbitrary behavior from a fraction of the nodes in the network. BA consensus makes no assumptions about the behavior of nodes in the system. Practical Byzantine Fault Tolerance (pBFT) is the prototypical model for Byzantine agreement, and it can reach consensus fast and efficiently while concurrently decoupling consensus from resources (i.e., financial stake in PoS or electricity in PoW).
Stellar
More about the Stellar consensus protocol
"What if PBFT and Stellar had a baby? That was missing liveness and total ordering but had safety and was completely decentralized, portable, and permission-less? It would be named KERI." (SamMSmith)
byzantine fault tolerance
WebOfTrust
byzantine fault tolerance
Definition
A Byzantine fault (also interactive consistency, source congruency, error avalanche, Byzantine agreement problem, Byzantine generals problem, and Byzantine failure) is a condition of a computer system, particularly distributed computing systems, where components may fail and there is imperfect information on whether a component has failed. The term takes its name from an allegory, the "Byzantine Generals Problem", developed to describe a situation in which, in order to avoid catastrophic failure of the system, the system's actors must agree on a concerted strategy, but some of these actors are unreliable.
In a Byzantine fault, a component such as a server can inconsistently appear both failed and functioning to failure-detection systems, presenting different symptoms to different observers. It is difficult for the other components to declare it failed and shut it out of the network, because they need to first reach a consensus regarding which component has failed in the first place.
Byzantine fault tolerance (BFT) is the dependability of a fault-tolerant computer system to such conditions.
Consensus two third
A system has Byzantine Fault Tolerance (BFT) when it can keep functioning correctly as long as two-thirds of the network agrees or reaches consensus. BFT is a property or characteristic of a system that can resist up to one-third of the nodes failing or acting maliciously.
The pBFT model primarily focuses on providing a practical Byzantine state machine replication that tolerates Byzantine faults (malicious nodes) through an assumption that there are independent node failures and manipulated messages propagated by specific, independent nodes. The algorithm is designed to work in asynchronous systems and is optimized to be high-performance with an impressive overhead runtime and only a slight increase in latency.
More on Wikipedia
- Byzantine Fault
- pBFT : An article that explains practical BFT.
- Here's a complete beginners guide.
certificate authority
ToIP
The entity in a public key infrastructure (PKI) that is responsible for issuing public key certificates and exacting compliance to a PKI policy.
Source: NIST-CSRC.
Also known as: certification authority.
Supporting definitions:
Wikipedia: In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.
certificate transparency
WebOfTrust
certificate transparency
Definition
Certificate Transparency (CT) is an Internet security standard and open source framework for monitoring and auditing digital certificates. The standard creates a system of public logs that seek to eventually record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates. As of 2021, Certificate Transparency is mandatory for all SSL/TLS certificates.
2011 Diginotar Attack
Certificate Transparency was a response to the 2011 attack on DigiNotar and other Certificate Authorities. These attacks showed that the lack of transparency in the way CAs operated was a significant risk to the Web Public Key Infrastructure. It led to the creation of this ambitious project to improve security online by bringing accountability to the system that protects HTTPS.
More information
More on certificate.transparency.dev and Wikipedia.
certification (of a party)
ToIP
A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Source: NIST-CSRC.
certification authority
ToIP
See: certificate authority.
certification body
ToIP
A legal entity that performs certification.
For more information: https://en.wikipedia.org/wiki/Professional_certification
cesr proof signatures
WebOfTrust
cesr proof signatures
Definition
CESR Proof Signatures are an extension to the Composable Event Streaming Representation [CESR] that provide transposable cryptographic signature attachments on self-addressing data (SAD) [SAID]. Any SAD, such as an Authentic Chained Data Container (ACDC) Verifiable Credential [ACDC] for example, may be signed with a CESR Proof Signature and streamed along with any other CESR content. In addition, a signed SAD can be embedded inside another SAD and the CESR proof signature attachment can be transposed across envelope boundaries and streamed without losing any cryptographic integrity.
(Philip Feairheller, IETF-cesr-proof)
cesride
WebOfTrust
cesride
Definition
Cesride is concerned with parsing CESR primitives.
Cesride is built from cryptographic primitives that are named clearly and concisely. There are:
Each primitive will have methods attached to it that permit one to generate and parse the qualified base2 or base64 representation. Common methods you'll find:
.qb64()
- qualified base-64 representation of cryptographic material as a string.qb64b()
- qualified base-64 representation of cryptographic material as octets (bytes).qb2()
- qualified base-2 representation of cryptographic material as octets (bytes).code()
- qualifying code (describes the type of cryptographic material).raw()
- raw cryptographic material (unqualified) as octets (bytes)
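A worked illustration of those five methods for 1-character codes, added here as an example and not cesride's own code: it assumes a constructed two-entry code table (the Ed25519 verification key code 'D' and the Blake3-256 digest code 'E', both 32 raw bytes with pad size 1) and shows how the qualifying code replaces the base-64 pad character so that primitives can be concatenated and split again without separators.

```python
import base64

# Constructed two-entry subset of the CESR master code table for this
# example: 1-character type code -> raw size in bytes (both pad size 1).
CODE_TABLE = {
    "D": 32,  # Ed25519 verification key
    "E": 32,  # Blake3-256 digest
}


def pad_size(raw_len: int) -> int:
    """Pad bytes needed to make raw a whole number of 24-bit (3-byte) groups."""
    return (3 - raw_len % 3) % 3


class Matter:
    """One qualified cryptographic primitive (hypothetical, simplified)."""

    def __init__(self, code: str, raw: bytes):
        if code not in CODE_TABLE:
            raise ValueError(f"unknown code {code!r}")
        if len(raw) != CODE_TABLE[code]:
            raise ValueError(f"code {code} expects {CODE_TABLE[code]} bytes, got {len(raw)}")
        # A 1-character code must exactly replace the 1 pad character,
        # otherwise code and pad would not line up on a 24-bit boundary.
        if pad_size(len(raw)) != len(code):
            raise ValueError("pad size does not match code length")
        self._code = code
        self._raw = bytes(raw)

    def code(self) -> str:
        return self._code

    def raw(self) -> bytes:
        return self._raw

    def qb64(self) -> str:
        # Pre-pad raw with ps zero bytes so base64 produces no trailing '=',
        # then overwrite the leading 'A' (all-zero) characters with the code.
        ps = pad_size(len(self._raw))
        text = base64.urlsafe_b64encode(bytes(ps) + self._raw).decode("ascii")
        return self._code + text[ps:]

    def qb64b(self) -> bytes:
        return self.qb64().encode("ascii")

    def qb2(self) -> bytes:
        # Binary domain: the code's 6 bits now lead the first byte.
        return base64.urlsafe_b64decode(self.qb64())

    @classmethod
    def from_qb64(cls, text: str) -> "Matter":
        code = text[:1]
        if code not in CODE_TABLE:
            raise ValueError(f"unknown code {code!r}")
        ps = pad_size(CODE_TABLE[code])
        expected = (CODE_TABLE[code] + ps) * 4 // 3  # qb64 length in chars
        if len(text) < expected:
            raise ValueError("truncated primitive")
        # Restore the zero pad characters the code replaced, then decode.
        full = base64.urlsafe_b64decode("A" * ps + text[ps:expected])
        return cls(code, full[ps:])

    @classmethod
    def from_qb2(cls, data: bytes) -> "Matter":
        return cls.from_qb64(base64.urlsafe_b64encode(data).decode("ascii"))


def parse_stream(text: str) -> list:
    """Split a qb64 stream of concatenated primitives; the code table makes
    each primitive self-framing, so no delimiter is needed."""
    out = []
    while text:
        m = Matter.from_qb64(text)
        out.append(m)
        text = text[len(m.qb64()):]
    return out


if __name__ == "__main__":
    key = Matter("D", bytes(range(32)))        # constructed sample key bytes
    dig = Matter("E", bytes([0xAB] * 32))      # constructed sample digest
    print(key.qb64(), len(key.qb2()))
    print([m.code() for m in parse_stream(key.qb64() + dig.qb64())])
```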
Source by Jason Colburne
Related
chain link confidentiality
WebOfTrust
chain link confidentiality
Definition
Chains together a sequence of Disclosees, and may also include a set of constraints on data usage by both second and third parties, expressed in legal language, such that the constraints apply to all recipients of the disclosed data; hence the phrase "chain link" confidentiality. Each Disclosee in the sequence is in turn the Discloser to the next Disclosee.
This is the primary mechanism of granting digital data rights through binding information exchange to confidentiality laws. Confidentiality is dynamically negotiated on a per-event, per-data exchange basis according to the data that is being shared in a given exchange.
Contrast
Disclosures via Presentations Exchanges may be contractually protected by Chain-Link Confidentiality (i.e. a Chain-Link Confidential disclosure). The chaining in this case is different from the chaining described above between Issuances in a DAG of chained Issuances. Chain-link confidentiality, in contrast, chains together a sequence of Disclosees.
More info at source
Article Woodrow Hartzog
An important article on the topic can be found here:
Woodrow Hartzog “Chain-Link Confidentiality”
chain of custody
WebOfTrust
chain of custody
Definition
From Wikipedia (Source): Chain of custody (CoC), in legal contexts, is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of materials, including physical or electronic evidence. Of particular importance in criminal cases, the concept is also applied in civil litigation and more broadly in drug testing of athletes and in supply chain management, e.g. to improve the traceability of food products, or to provide assurances that wood products originate from sustainably managed forests.
New technology shortens CoC
It is often a tedious process that has been required for evidence to be shown legally in court. Now, however, with new portable technology that allows accurate laboratory quality results from the scene of the crime, the chain of custody is often much shorter which means evidence can be processed for court much faster.
(Source)
chain of trust
ToIP
See: trust chain.
chained credentials
ToIP
Two or more credentials linked together to create a trust chain between the credentials that is cryptographically verifiable.
Note: ACDCs are a type of digital credential that explicitly supports chaining.
chaining
ToIP
See: trust chain.
challenge
digital.govt.nz
(verb) to order (a person) to halt and be identified or to give a password
[Source: Dictionary]
Additional note:
Note 1: A challenger issues a challenge and a responder replies.
channel
ToIP
See: communication channel.
cigar
WebOfTrust
ciphertext
ToIP
Encrypted (enciphered) data. The confidential form of the plaintext that is the output of the encryption function.
Source: NIST-CSRC.
claim
Nist
A true-false statement about the limitations on the values of an unambiguously defined property called the claim's property; and limitations on the uncertainty of the property's values falling within these limitations during the claim's duration of applicability under stated conditions.
ToIP
An assertion about a subject, typically expressed as an attribute or property of the subject. It is called a “claim” because the assertion is always made by some party, called the issuer of the claim, and the validity of the claim must be judged by the verifier.
Supporting definitions:
W3C VC: An assertion made about a subject.
Wikipedia: A claim is a statement that one subject, such as a person or organization, makes about itself or another subject. For example, the statement can be about a name, group, buying preference, ethnicity, privilege, association or capability.
Note: If the issuer of the claim is also the subject of the claim, the claim is self-asserted.
WebOfTrust
claim
Definition
An assertion of the truth of something, typically one which is disputed or in doubt. A set of claims might convey personally identifying information: name, address, date of birth and citizenship, for example. (Source).
clone
WebOfTrust
clone
Definition
A copy of a system that is, and works exactly as, the original.
More detail
In computing, a clone is hardware or software that is designed to function in exactly the same way as another system.
A specific subset of clones are remakes (or remades), which are revivals of old, obsolete, or discontinued products.
Source Wikipedia
cloud agent
WebOfTrust
cloud agent
Definition
A cloud agent is software that is installed on cloud server instances in order to provide security, monitoring, and analysis solutions for the cloud. Cloud agents provide information about, and help to provide control over, cloud entities.
Paraphrased by @henkvancann based on source.
Also see Agent.
Cloud computing
Cloud computing is the on-demand availability of computer system resources, especially data storage (cloud storage) and computing power, without direct active management by the user.
More at source on Wikipedia
code table
WebOfTrust
code table
Definition
A code table is the Internet's most comprehensive yet simple resource for browsing and searching for alt codes, ascii codes, entities in html, unicode characters, and unicode groups and categories.
Source
Example text code table from CESR
CESR related
Multiple text and binary code tables exist; their codes are prepended to the respective stream parts to characterize them (making them self-framing) or to group them.
code table selector
WebOfTrust
code table selector
Definition
The first character in the text code of a CESR stream determines which code table to use: either the default code table, or, when the default code table is not used, a code table selector character. Thus the 1-character text code table must do double duty. It must provide selectors for the different text code tables and also provide type codes for the most popular primitives that have a pad size of 1 and appear in the default code table.
Selector code table
See row 1.
cold start stream parsing
WebOfTrust
cold start stream parsing
Definition
After a reboot (or cold start), a stream processor looks for framing information to know how to parse groups of elements in the stream.
If that framing information is ambiguous then the parser may become confused and require yet another cold start. While processing a given stream a parser may become confused especially if a portion of the stream is malformed in some way. This usually requires flushing the stream and forcing a cold start to resynchronize the parser to subsequent stream elements.
re-synchronization
Better than flushing the stream and forcing a cold start is a re-synchronization mechanism that does not require flushing the in-transit buffers but merely skipping to the next well-defined stream element boundary in order to execute a cold start.
See an example in the source
CESR related
Special CESR count codes support re-synchronization at each boundary between interleaved CESR and other serializations like JSON, CBOR, or MGPK.
collective signature
WebOfTrust
collective signature
Definition
A group signature scheme that is either (i) a collective signature shared by a set of signing groups, or (ii) a combined collective signature shared by several signing groups and several individual signers. The protocol of the first type is constructed and described in detail. It is possible to modify the described protocol so as to transform the protocol of the first type into the protocol of the second type. The proposed collective signature protocols have significant merits, one of which is the possibility of their practical use on the basis of existing public key infrastructures.
Source
Collective signatures have a variable length as a function of the number of signers.
collision
Nist
An event in which two different messages have the same message digest.
WebOfTrust
collision
Definition
In cryptography and identity, collision generally refers to something going wrong because an identical result has been produced that refers to, or points to, different sources or assets backing that result.
E.g. two hashes collide, meaning two different digital sources produce the same hash.
Another example is name(space) collision.
Naming collision
A circumstance where two or more identifiers in a given namespace or a given scope cannot be unambiguously resolved.
Source Wikipedia
communication
ToIP
communication channel
ToIP
A communication channel refers either to a physical transmission medium such as a wire, or to a logical connection over a multiplexed medium such as a radio channel in telecommunications and computer networking. A channel is used for information transfer of, for example, a digital bit stream, from one or several senders to one or several receivers.
Source: Wikipedia.
See also: ToIP channel.
Supporting definitions:
eSSIF-Lab: a (digital or non-digital) means by which two actors can exchange messages with one another.
communication endpoint
ToIP
A type of communication network node. It is an interface exposed by a communicating party or by a communication channel. An example of the latter type of a communication endpoint is a publish-subscribe topic or a group in group communication systems.
Source: Wikipedia.
See also: ToIP endpoint.
communication metadata
ToIP
Metadata that describes the sender, receiver, routing, handling, or contents of a communication. Communication metadata is often observable even if the contents of the communication are encrypted.
See also: correlation privacy.
communication session
ToIP
A finite period for which a communication channel is instantiated and maintained, during which certain properties of that channel, such as authentication of the participants, are in effect. A session has a beginning, called the session initiation, and an ending, called the session termination.
Supporting definitions:
NIST-CSRC: A persistent interaction between a subscriber and an end point, either a relying party or a Credential Service Provider. A session begins with an authentication event and ends with a session termination event. A session is bound by use of a session secret that the subscriber’s software (a browser, application, or operating system) can present to the relying party or the Credential Service Provider in lieu of the subscriber’s authentication credentials.
Wikipedia: In computer science and networking in particular, a session is a time-delimited two-way link, a practical (relatively high) layer in the TCP/IP protocol enabling interactive expression and information exchange between two or more communication devices or ends – be they computers, automated systems, or live active users (see login session). A session is established at a certain point in time, and then ‘torn down’ - brought to an end - at some later point. An established communication session may involve more than one message in each direction. A session is typically stateful, meaning that at least one of the communicating parties needs to hold current state information and save information about the session history to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses. An established session is the basic requirement to perform a connection-oriented communication. A session also is the basic step to transmit in connectionless communication modes. However, any unidirectional transmission does not define a session.
compact event streaming representation (CESR)
ToIP (DID:Webs)
An encoding format that enables round-trip text-binary conversion of concatenated cryptographic primitives and general data types, as defined by the CESR specification and CESR Proof Signature specification. See WebOfTrust glossary for more detail.
compact variant
WebOfTrust
compact variant
Definition
Either a most compact version of an ACDC or the fully compact version of an ACDC. An Issuer commitment via a signature to any variant of ACDC (compact, full, etc) makes a cryptographic commitment to the top-level section fields shared by all variants of that ACDC because the value of a top level section field is either the SAD or the SAID of the SAD of the associated section.
Relation
All the variants of an ACDC are various degrees of expansion of the compact variant.
More at source
Also see
Fully (expanded) version of an ACDC
Fully compact(ed) version of an ACDC
Most compact version of an ACDC.
complementary integrity verification
WebOfTrust
complementary integrity verification
Definition
A mechanism that can verify integrity independent of needing access to a previous instance or reference version of the information for comparison.
Source: Neil Thomson
Complementary nature
Independent integrity verification is what is achieved by using a public key from the data "controller", such that received data/messages do not need to be compared against the sent data/messages.
The already verified chain up to a certain point in time in the past (previous instance or reference version) no longer needs to be verified.
Example: The tail of a KEL that has been verified to its root-of-trust at a certain date and time can be cut off. You don't need to verify it any more from that date on.
See also
complex password
ToIP
A password that meets certain security requirements, such as minimum length, inclusion of different character types, non-repetition of characters, and so on.
Supporting definitions:
Science Direct: According to Microsoft, complex passwords consist of at least seven characters, including three of the following four character types: uppercase letters, lowercase letters, numeric digits, and non-alphanumeric characters such as & $ * and !
compliance
ToIP
In the context of decentralized digital trust infrastructure, the extent to which a system, actor, or party conforms to the requirements of a governance framework or trust framework that pertains to that particular entity.
See also: Governance, Risk Management, and Compliance.
Supporting definitions:
eSSIF-Lab: The state of realization of a set of conformance criteria or normative framework of a party.
comply ~ance
digital.govt.nz
to act in accordance with rules, wishes, etc; be obedient (to)
[Source: Dictionary]
composability
WebOfTrust
composable
WebOfTrust
composable event streaming representation
WebOfTrust
composable event streaming representation
Definition
Also called 'CESR'. This compact encoding scheme fully supports both textual and binary streaming applications of attached crypto material of all types. This approach includes composability in both the textual and binary streaming domains. The primitives may be the minimum possible but still composable size.
Making composability a guaranteed property allows future extensible support of new compositions of streaming formats based on pre-existing core primitives and compositions of core primitives. This enables optimized stream processing in both the binary and text domains.
concatenation
WebOfTrust
concatenation
In formal language theory and computer programming, string concatenation is the operation of joining character strings end-to-end. For example, the concatenation of "snow" and "ball" is "snowball".
More on source Wikipedia page
KERI related
In CESR, concatenation is an important property underpinning CESR's composability; it is associative and may be applied to any two primitives or any two groups or sets of concatenated primitives.
The composability property of CESR allows us to create arbitrary compositions of primitives via concatenation in either the text or binary domain and then convert the composition en masse to the other domain and then de-concatenate the result without loss. The self-framing property of the primitives enables de-concatenation.
concept
ToIP
An abstract idea that enables the classification of entities, i.e., a mental construct that enables an instance of a class of entities to be distinguished from entities that are not an instance of that class. A concept can be identified with a term.
Supporting definitions:
eSSIF-Lab: the ideas/thoughts behind a classification of entities (what makes entities in that class 'the same').
Wikipedia: A concept is defined as an abstract idea. It is understood to be a fundamental building block underlying principles, thoughts and beliefs. Concepts play an important role in all aspects of cognition.
concise binary object representation
WebOfTrust
concise binary object representation
Definition
It is a binary data serialization format loosely based on JSON, authored by C. Bormann. Like JSON it allows the transmission of data objects that contain name–value pairs, but in a more concise manner. This increases processing and transfer speeds at the cost of human readability.
IETF specification
It is defined in IETF RFC 8949.
MessagePack
CBOR was inspired by MessagePack, which was developed and promoted by Sadayuki Furuhashi. CBOR extended MessagePack, particularly by allowing text strings to be distinguished from byte strings, which was implemented in MessagePack in 2013.
More on Wikipedia
confidential computing
ToIP
Hardware-enabled features that isolate and process encrypted data in memory so that the data is at less risk of exposure and compromise from concurrent workloads or the underlying system and platform.
Source: NIST-CSRC.
Supporting definitions:
Wikipedia: Confidential computing is a security and privacy-enhancing computational technique focused on protecting data in use. Confidential computing can be used in conjunction with storage and network encryption, which protect data at rest and data in transit respectively. It is designed to address software, protocol, cryptographic, and basic physical and supply-chain attacks, although some critics have demonstrated architectural and side-channel attacks effective against the technology.
confidentiality
ToIP
In a communications context, a type of privacy protection in which messages use encryption or other privacy-preserving technologies so that only authorized parties have access.
See also: authenticity, correlation privacy.
Supporting definitions:
NIST-CSRC: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Wikipedia: Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information.
WebOfTrust
confidentiality
Definition
All statements in a conversation are only known by the parties to that conversation. Source: Samuel Smith, at IIW-37, Oct 2023.
Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information.
More on source Wikipedia
KERI related
The three properties, authenticity, confidentiality, and privacy, inhabit a trade space. ...One can have any two of the three (privacy, authenticity, confidentiality) at the highest level but not all three.
The trilemma insists that one must make a trade-off by prioritizing one or two properties over a third. The ToIP design goals reflect that trade-off and provide an order of importance. The design goals indicate that one should start with high authenticity, then high confidentiality, and then as high as possible privacy, given there is no trade-off with respect to the other two.
More on Source Samuel Smith SPAC whitepaper.
Also see
configuration files
WebOfTrust
configuration files
Definition
In computing, configuration files (commonly known simply as config files) are files used to configure the parameters and initial settings for some computer programs. They are used for user applications, server processes and operating system settings.
More on source Wikipedia
connection
ToIP
A communication channel established between two communication endpoints. A connection may be ephemeral or persistent.
See also: ToIP connection.
consensus mechanism
WebOfTrust
consensus mechanism
Definition
How groups of entities come to decisions. In general, to learn about consensus mechanisms, read any textbook on decision making, automated reasoning, multi-objective decision making, operations research, etc.
Overall reliability
A fundamental problem in distributed computing and multi-agent systems is to achieve overall system reliability in the presence of a number of faulty processes. This often requires coordinating processes to reach consensus, or agree on some data value that is needed during computation.
More information
More on wikipedia or in this 2018 report from the cryptocurrency field.
consent management
ToIP
A system, process or set of policies under which a person agrees to share personal data for specific usages. A consent management system will typically create a record of such consent.
Supporting definitions:
Wikipedia: Consent management is a system, process or set of policies for allowing consumers and patients to determine what health information they are willing to permit their various care providers to access. It enables patients and consumers to affirm their participation in e-health initiatives and to establish consent directives to determine who will have access to their protected health information (PHI), for what purpose and under what circumstances. Consent management supports the dynamic creation, management and enforcement of consumer, organizational and jurisdictional privacy policies.
consequence
digital.govt.nz
outcome of an event affecting objectives
[Source: ISO 31073:2022]
Additional notes:
Note 1: A consequence can have positive or negative, direct or indirect, effects on objectives.
Note 2: Consequences can be expressed qualitatively or quantitatively.
Note 3: Any consequences can escalate through cascading and cumulative effects.
content addressable hash
WebOfTrust
content addressable hash
Definition
Finding content by a hash of this content, generated by a one-way hash function applied to the content.
Content addressing is a way to find data in a network using its content rather than its location. This is done by hashing the content itself; the resulting hash becomes the address.
Content Addressable Storage
Content Addressable Storage systems work by passing the content of the file through a cryptographic hash function to generate a unique key, the "content address". The file system's directory stores these addresses and a pointer to the physical storage of the content. Because an attempt to store the same file will generate the same key, CAS systems ensure that the files within them are unique, and because changing the file will result in a new key, CAS systems provide assurance that the file is unchanged.
IPFS
In the IPFS ecosystem, this hash is called Content Identifier, or CID.
context
digital.govt.nz
environment with defined boundary conditions in which entities exist and interact
[Source: ITU-T X.1252]
contextual linkability
WebOfTrust
contextual linkability
Definition
Refers to the condition where vendors or other data capture points provide enough context at point of capture to be able to use statistical correlation with existing data sets to link any of a person's disclosed attributes to a set of already known data points about a given person.
This sort of linkability nullifies the perceived protection of selective disclosure through zero knowledge proofs since the disclosed data can be combined with context to easily link the disclosed data to an existing profile of the person.
These threats mainly concern a subject (the entity) who wants to hide as much of their identifiable information as possible (or at least make it as unlinkable as possible). This can occur when the subject wants to authenticate to a certain service (multiple authentication principles are shown in the tree), but also during regular communication (browsing, client-server requests, etc.) by means of the contextual information connected or linked to the activity or communication.
More at source
Contractually protected disclosure is the primary defense against contextual linkability.
Example
Cameras in stores are already able to identify you due to the extremely high prevalence of modern security systems who do facial recognition or mobile device ping recognition on each person entering the premises of a store. In the context of you buying stuff in their store they can capture data linked to you and then go and sell your data to third parties since there is an implicit grant of permission to use the data and also since there are no legal constraints on the distribution of that data.
Dangers
Just have a look at what "they" are doing:
https://linkgraph.io/blog/how-to-contextual-link-building/
contiguous
digital.govt.nz
immediately preceding or following in time
[Source: Dictionary modified by adding immediately]
Additional note:
Note 1: When applied to authentication, multiple factors are tested in such adjacent steps that they are considered part of a single process.
contingent disclosure
WebOfTrust
contingent disclosure
Definition
Chain link confidentiality is a form of contingent disclosure.
| TBW prio 1 |
contractually protected disclosure
WebOfTrust
contractually protected disclosure
Definition
Usage of schema-based and contract-based controls to limit the exchange of information to provide both mechanical and legal protection on the sharing of data.
Mechanical protection is composed of sharing the schema of the data to be shared prior to sharing the actual data contents. This mechanical protection is then combined through the IPEX protocol with disclosures of legal contracts to be agreed to prior to sharing the desired data contents.
Once the legal agreements have been met then the disclosure mechanism exchanges the desired data contents.
This is also the most elaborate form of disclosure by an IPEX. Contractually protected disclosure includes both chain-link confidential and contingent disclosure.
Paraphrased by @henkvancann based on source
Relation
This IPEX protocol leverages important features of ACDCs and ancillary protocols such as CESR, SAIDs, and CESR-Proofs, as well as Ricardian contracts and graduated disclosure (partial, selective, full), to enable contractually protected disclosure. Contractually protected disclosure includes both chain-link confidential and contingent disclosure.
Rule
The disclosure performed by a presentation exchange MAY be graduated and MAY be contractually protected.
control
digital.govt.nz
(verb) to command, direct, or rule
[Source: Dictionary]
Additional note:
Note 1: Control is also used outside the context of risk mitigation. For example, to indicate the ability for an authenticator holder to retain use of their authenticator.
control authority
WebOfTrust
control authority
Definition
In identity systems, control authority is who controls what, and that is the primary factor in determining the basis for trust in them. The entity with control authority takes action through operations that affect the
- creation (inception)
- updating
- rotation
- revocation
- deletion
- and delegation of the authentication factors and their relation to the identifier.
Source of truth
How these events are ordered and their dependence on previous operations is important. The record of these operations is the source of truth for the identity system.
Change control authority
In the 2022 implementation of KeriPy two rotations were required to change control authority. Under the new rotation rules, you can rotate to new keys that aren't in the prior next key digests. You just need to reach the appropriate thresholds of prior-next-threshold and current-signing-threshold. So you now only need one rotation to change control authority.
Note: This change was the forcing function to require dual indexed codes in CESR.
controlled document
ToIP
A governance document whose authority is derived from a primary document.
controller
ToIP (DID:Webs)
A controlling entity that can cryptographically prove the control authority (signing and rotation) over an AID as well as make changes on the associated KEL. A controller may consist of multiple controlling entities in a multi-signature scheme. See WebOfTrust glossary for more detail.
WebOfTrust
controller
Definition
A controller is a controlling entity (person, organization, or autonomous software) of an identifier. For an autonomic identifier (AID), a controlling entity has the capability to make changes to the key event log (KEL) of the AID. This capability is typically asserted by the control of a set of cryptographic keys used by software acting on behalf of the controller, though it might also be asserted via other mechanisms.
At any point in time, an identifier has at least one but may have more than one controlling entity. This set of controlling entities constitutes the controller. Without loss of generality, when the context is unambiguous, the term controller may refer either to the whole set or a member of the set of controlling entities.
All key events on the identifier must include a signature from the sole controlling entity when there is only one controlling entity or at least one signature from one of the controlling entities when there is more than one. Typically, when there is more than one controlling entity, control is established via signatures from all or a subset of controlling entities. This is called multi-signature (multi-sig). In a threshold multi-sig scheme, the control authority is split among the controlling entities, where each is assigned a weight. In this case, the control authority over the identifier is established via signatures from a subset of controlling entities whose combined weights exceed an agreed threshold. These thresholded multiple signatures may be expressed as a single collective threshold signature when a collective signing scheme is used.
The control authority over an identifier can also be divided into signing authority and rotation authority. The controller of the identifier may grant their authority to other entities. For example, in custodial rotation, the controller grants a designated custodial agent the signing authority while retaining their rotation authority. In the case of a delegated identifier, the delegated identifier is granted some degree of control authority from its delegating identifier.
controller (of a key, vault, wallet, agent, or device)
ToIP
In the context of digital communications, the entity in control of sending and receiving digital communications. In the context of decentralized digital trust infrastructure, the entity in control of the cryptographic keys necessary to perform cryptographically verifiable actions using a digital agent and digital wallet. In a ToIP context, the entity in control of a ToIP endpoint.
See also: device controller, DID controller, ToIP controller.
Supporting definitions:
eSSIF-Lab: the role that an actor performs as it is executing actions on that entity for the purpose of ensuring that the entity will act/behave, or be used, in a particular way.
cooperative delegation
WebOfTrust
cooperative delegation
Definition
The way KERI addresses the security-cost-performance architecture trade-off is via delegation of identifier prefixes. Delegation includes a delegator and a delegate. For this reason we may call this a cooperative delegation. This is a somewhat novel form of delegation. A major advantage of cooperative delegation is the delegator’s key management protects the delegate’s via recovery by the delegator. With cooperative delegation, any exploiter that compromises only the delegate’s authoritative keys may not capture control authority of the delegate. Any exploit of the delegate only is recoverable by the delegator.
Source Universal Identifier Theory by Samuel Smith
coroutines
WebOfTrust
coroutines
Definition
Computer programs that can be suspended and resumed at will.
What is a coroutine exactly?
Coroutines are computer program components that generalize subroutines for non-preemptive multitasking, by allowing execution to be suspended and resumed. Coroutines are well-suited for implementing familiar program components such as cooperative tasks, exceptions, event loops, iterators, infinite lists and pipes.
More on source Wikipedia
correlate~ion
digital.govt.nz
to place or be placed in a mutual, complementary, or reciprocal relationship [Source: Dictionary]
correlation
WebOfTrust
correlation
Definition
In our scope this is an identifier used to indicate that external parties have observed how wallet contents are related.
Example
When a public key is reused, it conveys that some common entity is controlling both identifiers. Tracking correlation allows for software to warn when some new information might be about to be exposed, for example: "Looks like you are about to send cryptocurrency, from an account you frequently use to a new account you just created."
correlation privacy
ToIP
In a communications context, a type of privacy protection in which messages use encryption, hashes, or other privacy-preserving technologies to avoid the use of identifiers or other content that unauthorized parties may use to correlate the sender and/or receiver(s).
See also: authenticity, confidentiality.
corroborate~ing
digital.govt.nz
to confirm or support (facts, opinions, etc), esp by providing fresh evidence [Source: Dictionary]
count code
WebOfTrust
counterparty
ToIP
From the perspective of one party, the other party in a transaction, such as a financial transaction.
See also: first party, second party, third party.
Supporting definitions:
Wikipedia: A counterparty (sometimes contraparty) is a legal entity, unincorporated entity, or collection of entities to which an exposure of financial risk may exist.
credential
digital.govt.nz
an artefact created as the result of a series of processes that bind an entity with information and an authenticator, on which other parties rely
Additional note:
Note 1: At a minimum a credential includes an authenticator and information to enable presentation.
Nist
Evidence attesting to ones right to credit or authority. In this Standard, it is the PIV Card or derived PIV credential associated with an individual that authoritatively binds an identity (and, optionally, additional attributes) to that individual.
ToIP
A container of claims describing one or more subjects. A credential is generated by the issuer of the credential and given to the holder of the credential. A credential typically includes a signature or some other means of proving its authenticity. A credential may be either a physical credential or a digital credential.
See also: verifiable credential.
Supporting definitions:
eSSIF-Lab: data, representing a set of assertions (claims, statements), authored and signed by, or on behalf of, a specific party.
WebOfTrust
credential
Definition
Evidence of authority, status, rights, entitlement to privileges, or the like.
(source)
A credential has its current state and a history, which is captured in a doc or a graph.
ACDC specific
The credential is the whole graph.
The pointers in the doc that contain the whole graph are universally globally distributable references via the SAIDs. Whereas in other credential systems pointers are only local in a credential doc.
credential family
ToIP
A set of related digital credentials defined by a governing body (typically in a governance framework) to empower transitive trust decisions among the participants in a digital trust ecosystem.
credential governance framework
ToIP
A governance framework for a credential family. A credential governance framework may be included within or referenced by an ecosystem governance framework.
credential offer
ToIP
A protocol request invoked by an issuer to offer to issue a digital credential to the holder of a digital wallet. If the request is invoked by the holder, it is called an issuance request.
credential provider
digital.govt.nz
the party accountable for the establishment and presentation facilitation of a credentialAdditional note:Note 1: A Credential Provider may employ other parties in the carrying out of their function.
credential request
ToIP
See: issuance request.
credential schema
ToIP
A data schema describing the structure of a digital credential. The W3C Verifiable Credentials Data Model Specification defines a set of requirements for credential schemas.
criterion
ToIP
In the context of terminology, a written description of a concept that anyone can evaluate to determine whether or not an entity is an instance or example of that concept. Evaluation leads to a yes/no result.
crypto libraries
WebOfTrust
crypto libraries
Definition
Cryptography libraries deal with cryptography algorithms and have API function calls to each of the supported features.
Selection criteria
Criteria to choose one or the other:
- Open Source (most of them are)
- Compliant with standards
- Key operations include key generation algorithms, key exchange agreements and public key cryptography standards.
- Supported cryptographic hash functions
- Implementations of message authentication code (MAC) algorithms
- Implementations of block ciphers
- Hardware-assisted support
- Code size and code to comment ratio
- Composable derivation codes
See a comparison here at Wikipedia.
cryptocurrency
WebOfTrust
cryptocurrency
Definition
A digital asset designed to work as a medium of exchange wherein individual coin ownership records are stored in a digital ledger or computerized database using strong cryptography to secure transaction record entries, to control the creation of additional digital coin records.
See more on source Wikipedia.
KERI related
KERI doesn't need total global ordering, whereas cryptocurrencies do need this. As a consequence it has been designed without the need of a consensus-based distributed ledger (blockchain).
KERI doesn't provide for a currency system; however, a KERI-based system can be easily extended with a money or token system.
See also Non Fungible Tokens.
cryptographic binding
ToIP
Associating two or more related elements of information using cryptographic techniques.
Source: NIST-CSRC.
cryptographic commitment scheme
WebOfTrust
cryptographic commitment scheme
Definition
A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value (or chosen statement) while keeping it hidden from others, with the ability to reveal the committed value later.
Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding.
More on wikipedia
cryptographic key
ToIP
A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file, which, when processed through a cryptographic algorithm, can encode or decode cryptographic data. Symmetric cryptography refers to the practice of the same key being used for both encryption and decryption. Asymmetric cryptography has separate keys for encrypting and decrypting. These keys are known as the public keys and private keys, respectively.
Source: Wikipedia.
See also: controller.
cryptographic primitive
WebOfTrust
cryptographic primitive
Definition
Cryptographic primitives are well-established, low-level cryptographic algorithms that are frequently used to build cryptographic protocols for computer security systems. These routines include, but are not limited to, one-way hash functions and encryption functions.
More on source Wikipedia-page
KERI related
In KERI and ACDC it is a serialization of a unitary value associated with a cryptographic operation including but not limited to a digest (hash), a salt, a seed, a private key, a public key, or a signature. All primitives in KERI MUST be expressed in CESR.
See also
The more general term primitive.
cryptographic strength
WebOfTrust
cryptographic strength
Definition
The term "cryptographically strong" is often used to describe an encryption algorithm, and implies, in comparison to some other algorithm (which is thus cryptographically weak), greater resistance to attack. But it can also be used to describe hashing and unique identifier and filename creation algorithms.
More on Wikipedia
cryptographic suite
W3C (DID)
A specification defining the usage of specific cryptographic primitives in order to achieve a particular security goal. These documents are often used to specify verification methods, digital signature types, their identifiers, and other related properties.
cryptographic trust
ToIP
A specialized type of technical trust that is achieved using cryptographic algorithms.
Contrast with: human trust.
cryptographic verifiability
ToIP
The property of being cryptographically verifiable.
Contrast with: human auditability.
cryptographically bound
ToIP
A state in which two or more elements of information have a cryptographic binding.
cryptographically verifiable
ToIP
A property of a data structure that has been digitally signed using a private key such that the digital signature can be verified using the public key. Verifiable data, verifiable messages, verifiable credentials, and verifiable data registries are all cryptographically verifiable. Cryptographic verifiability is a primary goal of the ToIP Technology Stack.
Contrast with: human auditable.
cryptonym
WebOfTrust
cryptonym
Definition
A code name, call sign or cryptonym is a code word or name used, sometimes clandestinely, to refer to another name, word, project, or person.
Source Wikipedia
KERI related
A cryptographic pseudonymous identifier represented by a string of characters derived from a random or pseudo-random secret seed or salt via a one-way cryptographic function with a sufficiently high degree of cryptographic strength (e.g. 128 bits, see appendix on cryptographic strength). A cryptonym is a type of primitive.
Due to the entropy in its derivation, a cryptonym is a universally unique identifier and only the controller of the secret salt or seed from which the cryptonym is derived may prove control over the cryptonym. Therefore the derivation function MUST be associated with the cryptonym and MAY be encoded as part of the cryptonym itself.
Source Smith, ietf-keri draft
custodial agent
WebOfTrust
custodial agent
Definition
An agent owned by an individual who has granted signing authority to a custodian who is usually also the host of the running agent software. Using partial rotation to facilitate custodial key management the owner of the identifier retains rotational authority and thus the ability to "fire" the custodian at any time without requiring the cooperation of the custodian.
Importance
Custodial Agents are important for individuals who may not be comfortable managing their own signing keys and agent software but still want to participate in a decentralized identity ecosystem and they enable a software as a service business model without centralizing control on the service provider.
(Source: Philip Feairheller)
Key functionality
Since ninety-nine percent of people in the world might not feel comfortable taking responsibility for their own practical key management but still want to stay in control over their assets and be able to hire and fire service providers, this functionality is considered a key feature for KERI and ACDC.
custodial rotation
WebOfTrust
custodial rotation
Definition
Rotation based on control authority that is split between two key sets: the first for signing authority and the second (pre-rotated) for rotation authority. The associated thresholds and key list can be structured in such a way that a designated custodial agent can hold signing authority while the original controller can hold exclusive rotation authority.
Partial pre-rotation supports the important use case of custodial key rotation to authorize a custodial agent.
Paraphrased by @henkvancann on the basis of the IETF-KERI draft 2022 by Samuel Smith.
custodial wallet
ToIP
A digital wallet that is directly in the custody of a principal, i.e., under the principal’s direct personal or organizational control. A digital wallet that is in the custody of a third party is called a non-custodial wallet.
custodian
ToIP
A third party that has been assigned rights and duties in a custodianship arrangement for the purpose of hosting and safeguarding a principal's private keys, digital wallet and digital assets on the principal's behalf. Depending on the custodianship arrangement, the custodian may act as an exchange and provide additional services, such as staking, lending, account recovery, or security features.
Contrast with: guardian, zero-knowledge service provider.
See also: custodial wallet.
Supporting definitions:
NIST-CSRC: A third-party entity that holds and safeguards a user’s private keys or digital assets on their behalf. Depending on the system, a custodian may act as an exchange and provide additional services, such as staking, lending, account recovery, or security features.
Note: While a custodian technically has the necessary access to in theory impersonate the principal, in most cases a custodian is expressly prohibited from taking any action on the principal’s account unless explicitly authorized by the principal. This is what distinguishes custodianship from guardianship.
custodianship arrangement
dark pattern
ToIP
A design pattern, mainly in user interfaces, that has the effect of deceiving individuals into making choices that are advantageous to the designer.
Source: Kantara PEMC Implementors Guidance Report
Also known as: deceptive pattern.
data
ToIP
In the pursuit of knowledge, data is a collection of discrete values that convey information, describing quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted. A datum is an individual value in a collection of data.
Source: Wikipedia.
See also: verifiable data.
Supporting definitions:
eSSIF-Lab: something (tangible) that can be used to communicate a meaning (which is intangible/information).
data anchor
WebOfTrust
data anchor
Definition
Data anchors are digests of digital data that uniquely identify this data. The digest is the anchor and can be used to identify and point to the data at the same time.
Anchoring data
The act of creating the digest of arbitrary data and then hooking (or referencing) the digest into another data structure is called 'anchoring data'.
KERI related
SADs are a type of data anchor.
Beware
Link anchors are a totally different concept.
data packet
ToIP
In telecommunications and computer networking, a network packet is a formatted unit of data carried by a packet-switched network such as the Internet. A packet consists of control information and user data; the latter is also known as the payload. Control information provides data for delivering the payload (e.g., source and destination network addresses, error detection codes, or sequencing information). Typically, control information is found in packet headers and trailers.
Source: Wikipedia.
data schema
ToIP
A description of the structure of a digital document or object, typically expressed in a machine-readable language in terms of constraints on the structure and content of documents or objects of that type. A credential schema is a particular type of data schema.
Supporting definitions:
Wikipedia: An XML schema is a description of a type of XML document, typically expressed in terms of constraints on the structure and content of documents of that type, above and beyond the basic syntactical constraints imposed by XML itself. These constraints are generally expressed using some combination of grammatical rules governing the order of elements, Boolean predicates that the content must satisfy, data types governing the content of elements and attributes, and more specialized rules such as uniqueness and referential integrity constraints.
data subject
ToIP
The natural person that is described by personal data. Data subject is the term used by the EU General Data Protection Regulation.
data vault
ToIP
See: digital vault.
datagram
ToIP
See: data packet.
dead drop
WebOfTrust
dead drop
Definition
| TBW | the presenter controls the disclosure so you can't re-identify the data
Tech meet KERI recording from minute 55, date June 29 2023.
decentralized identifier
ToIP
A globally unique persistent identifier that does not require a centralized registration authority and is often generated and/or registered cryptographically. The generic format of a DID is defined in section 3.1 DID Syntax of the W3C Decentralized Identifiers (DIDs) 1.0 specification. A specific DID scheme is defined in a DID method specification.
Source: W3C DID.
Also known as: DID.
See also: DID method, DID URL.
WebOfTrust
decentralized identifier
Definition
Decentralized identifiers (DID) are a new type of identifier that enables verifiable, decentralized digital identity. A DID refers to any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) as determined by the controller of the DID.
Source W3C.org.
Relation to federated identifiers
In contrast to typical, federated identifiers, DIDs have been designed so that they may be decoupled from centralized registries, identity providers, and certificate authorities. Specifically, while other parties might be used to help enable the discovery of information related to a DID, the design enables the controller of a DID to prove control over it without requiring permission from any other party.
Source W3C.org.
Technical presence
DIDs are URIs that associate a DID subject with a DID document allowing trustable interactions associated with that subject.
Source W3C.org.
decentralized identifier (DID)
ToIP (DID:Webs)
A globally unique persistent identifier, as defined by DID Core.
W3C (DID)
A globally unique persistent identifier that does not require a centralized registration authority and is often generated and/or registered cryptographically. The generic format of a DID is defined in 3.1 DID Syntax. A specific DID scheme is defined in a DID method specification. Many, but not all, DID methods make use of distributed ledger technology (DLT) or some other form of decentralized network.
decentralized identity
ToIP
A digital identity architecture in which a digital identity is established via the control of a set of cryptographic keys in a digital wallet so that the controller is not dependent on any external identity provider or other third party.
See also: federated identity, self-sovereign identity.
WebOfTrust
decentralized identity
Definition
Decentralized identity is a technology that uses cryptography to allow individuals to create and control their own unique identifiers. They can use these identifiers to obtain Verifiable Credentials from trusted organizations and, subsequently, present elements of these credentials as proof of claims about themselves. In this model, the individual takes ownership of their own identity and need not cede control to centralized service providers or companies.
KERI's definition of decentralization (centralization) is about control, not spatial distribution. In our definition decentralized is not necessarily the same as distributed. By distributed we mean that activity happens at more than one site. Thus decentralization is about control and distribution is about place. To elaborate, when we refer to decentralized infrastructure we mean infrastructure under decentralized (centralized) control no matter its spatial distribution. Thus decentralized infrastructure is infrastructure sourced or controlled by more than one entity.
decentralized identity management
W3C (DID)
Identity management that is based on the use of decentralized identifiers. Decentralized identity management extends authority for identifier generation, registration, and assignment beyond traditional roots of trust such as X.500 directory services, the Domain Name System, and most national ID systems.
decentralized key management infrastructure
WebOfTrust
decentralized key management infrastructure
Definition
The goal of Decentralized Public Key Infrastructure (DPKI), or a Decentralized Key Management System (DKMS), is to ensure that no single third party can compromise the integrity and security of the system as a whole.
Source
deceptive pattern
ToIP
See: dark pattern.
decryption
ToIP
The process of changing ciphertext into plaintext using a cryptographic algorithm and key. The opposite of encryption.
Source: NIST-CSRC.
deep link
ToIP
In the context of the World Wide Web, deep linking is the use of a hyperlink that links to a specific, generally searchable or indexed, piece of web content on a website (e.g. "https://example.com/path/page"), rather than the website's home page (e.g., "https://example.com"). The URL contains all the information needed to point to a particular item. Deep linking is different from mobile deep linking, which refers to directly linking to in-app content using a non-HTTP URI.
See also: out-of-band introduction.
Source: Wikipedia.
definition
ToIP
A textual statement defining the meaning of a term by specifying criteria that enable the concept identified by the term to be distinguished from all other concepts within the intended scope.
Supporting definitions:
eSSIF-Lab: a text that helps parties to have the same understanding about the meaning of (and concept behind) a term, ideally in such a way that these parties can determine whether or not they make the same distinction.
Wikipedia: A definition is a statement of the meaning of a term (a word, phrase, or other set of symbols). Definitions can be classified into two large categories: intensional definitions (which try to give the sense of a term), and extensional definitions (which try to list the objects that a term describes). Another important category of definitions is the class of ostensive definitions, which convey the meaning of a term by pointing out examples. A term may have many different senses and multiple meanings, and thus require multiple definitions.
delegate
digital.govt.nz
(noun) a person chosen or elected to act for or represent another or others [Source: Dictionary]
Additional note:
Note 1: Modified to remove reference to conference or meeting.
delegated identifier
WebOfTrust
delegated identifier
Definition
Matches the act of delegation with the appropriate digital twin. Consequently, when applied recursively, delegation may be used to compose arbitrarily complex trees of hierarchical (delegative) key management event streams. This is a most powerful capability that may provide an essential building block for a generic universal decentralized key management infrastructure (DKMI) that is also compatible with the demands of generic event streaming applications.
More in the whitepaper
More KERI context
The KERI design approach is to build composable primitives instead of custom functionality that is so typical of other DKMI approaches:
- transferable identifiers
- non-transferable identifiers
- delegated identifiers
delegate~ed
digital.govt.nz
(verb) to give or commit (duties, powers, etc) to another as agent or representative; depute [Source: Dictionary]
delegation
ToIP
TODO
WebOfTrust
delegation
Definition
A person or group of persons officially elected or appointed to represent another or others.
Assign tasks but stay in control
Delegation can be defined as “the act of empowering to act for another”. With this bestowed power, a person, usually a subordinate, is able to carry out specific activities (normally given by a manager or supervisor). Delegation is a management tool designed to increase the efficiency of an organization. It allows for the goals of the organization to be broken down into tasks and assigned to the team member best suited for the duty.
delegation credential
ToIP
TODO
dependent
ToIP
An entity for the caring for and/or protecting/guarding/defending of which a guardianship arrangement has been established with a guardian.
Source: eSSIF-Lab
See also: custodian.
Mental Model: eSSIF-Lab Guardianship
derivation code
WebOfTrust
derivation code
Definition
To properly extract and use the public key embedded in a self-certifying identifier we need to know the cryptographic signing scheme used by the key pair. KERI includes this very compactly in the identifier, by replacing the pad character (a character used to fill a void so as to always end up with a fixed-length public key) with a special character that encodes the derivation process. We call this the derivation code.
Example
For example suppose that the 44 character Base-64 with trailing pad character for the public key is as follows:
F5pxRJP6THrUtlDdhh07hJEDKrJxkcR9m5u1xs33bhp=
If B is the value of the derivation code then the resultant self-contained string is as follows:
BF5pxRJP6THrUtlDdhh07hJEDKrJxkcR9m5u1xs33bhp
Relation with KERI
All crypto material appears in KERI in a fully qualified representation. This includes a derivation code prepended to the crypto-material.
Example KERI derivation codes
Beware
Key derivation functions are not related to the pre-pended derivation codes used in KERI.
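The pad-replacement scheme described in this entry, as an added example that is not part of the glossary or of any KERI library: one function drops the single trailing pad character of a 44-character Base64 key and puts the one-character derivation code in front, and the other reverses it so a verifier learns which signing scheme to apply. The code table entries other than "B" are taken from the CESR one-character code table (not on this page), and the 32-byte sample key is constructed.

```python
import base64
from typing import Tuple

# One-character derivation codes from the KERI/CESR code table. The page only
# uses "B"; the others are listed so unqualify() can report the scheme.
DERIVATION_CODES = {
    "A": "Ed25519 seed (private)",
    "B": "Ed25519 non-transferable prefix public key",
    "D": "Ed25519 public verification key",
    "E": "Blake3-256 digest",
}
RAW_SIZE = 32        # bytes of key or digest material behind each code above
QUALIFIED_LEN = 44   # 43 Base64 characters + 1 derivation code


def qualify_b64(padded_b64: str, code: str) -> str:
    """Apply the scheme in the text to an already Base64-encoded 32-byte value.

    A 44-character Base64 string with exactly one trailing '=' loses that pad
    character and gains the derivation code at the front, so the result stays
    44 characters and is self-describing.
    """
    if code not in DERIVATION_CODES:
        raise ValueError(f"unknown derivation code {code!r}")
    if (len(padded_b64) != QUALIFIED_LEN
            or not padded_b64.endswith("=")
            or padded_b64.endswith("==")):
        raise ValueError("expected 43 Base64 characters plus exactly one '=' pad")
    return code + padded_b64[:-1]


def qualify(raw: bytes, code: str) -> str:
    """Fully qualify 32 raw bytes: URL-safe Base64 (as KERI uses), then qualify_b64()."""
    if len(raw) != RAW_SIZE:
        raise ValueError(f"code {code!r} expects {RAW_SIZE} raw bytes, got {len(raw)}")
    return qualify_b64(base64.urlsafe_b64encode(raw).decode("ascii"), code)


def unqualify(qualified: str) -> Tuple[str, str, bytes]:
    """Split a qualified string into (code, scheme description, raw bytes).

    The derivation code is read first so a verifier knows which algorithm the
    material belongs to before it touches the key bytes themselves.
    """
    if len(qualified) != QUALIFIED_LEN:
        raise ValueError(f"qualified material must be {QUALIFIED_LEN} characters")
    code, body = qualified[0], qualified[1:]
    if code not in DERIVATION_CODES:
        raise ValueError(f"unknown derivation code {code!r}")
    raw = base64.urlsafe_b64decode(body + "=")   # restore the pad we removed
    if len(raw) != RAW_SIZE:
        raise ValueError("decoded material has the wrong size for this code")
    return code, DERIVATION_CODES[code], raw


if __name__ == "__main__":
    # Constructed 32-byte sample key, not a real Ed25519 key.
    sample_key = bytes(range(32))
    qualified = qualify(sample_key, "B")
    print(qualified)                         # BAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8
    print(unqualify(qualified)[1])           # Ed25519 non-transferable prefix public key
```

Note that the current CESR specification pre-pads the raw bytes instead, so the code replaces leading rather than trailing pad characters; this example follows the trailing-pad description given in the entry.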
derived value
digital.govt.nz
value obtained by reasoning; deduction or inference [Source: expanded Dictionary meaning of derive]
designated aliases
ToIP (DID:Webs)
An array of AID controlled identifiers that have been designated by the AID controller to be used as aliases for equivalentId and alsoKnownAs DID document metadata and to foster verification of redirection to different did:webs identifiers. See WebOfTrust glossary for more detail.
WebOfTrust
designated aliases
Definition
An AID controller can designate aliases which are AID controlled identifiers such as a did:keri, did:webs, etc. The AID controller issues a designated aliases attestation (no issuee) that lists the identifiers and manages the status through a registry anchored to their KEL. See the designated aliases docs
designated authorized representative
WebOfTrust
designated authorized representative
Definition
Also 'DAR'. These are representatives of a Legal Entity that are authorized by the Legal Entity to act officially on behalf of the Legal Entity. DARs can:
- authorize vLEI Issuer Qualification Program Checklists
- execute the vLEI Issuer Qualification Agreement
- designate or replace Authorized vLEI Representatives (AVRs).
Paraphrased by @henkvancann from source Draft vLEI Ecosystem Governance Framework Glossary.
device controller
ToIP
The controller of a device capable of digital communications, e.g., a smartphone, tablet, laptop, IoT device, etc.
dictionary
ToIP
A dictionary is a listing of lexemes (words or terms) from the lexicon of one or more specific languages, often arranged alphabetically, which may include information on definitions, usage, etymologies, pronunciations, translation, etc. It is a lexicographical reference that shows inter-relationships among the data. Unlike a glossary, a dictionary may provide multiple definitions of a term depending on its scope or context.
Source: Wikipedia.
diger
digest
WebOfTrust
digest
Definition
A verifiable cryptographic commitment: a collision-resistant hash of content.
From Wikipedia (Source):
A digest is the output of a cryptographic hash function (CHF), a mathematical algorithm that maps data of an arbitrary size (often called the "message") to a bit array of a fixed size (the "hash value", "hash", or "message digest"). It is a one-way function, that is, a function for which it is practically infeasible to invert or reverse the computation.
Digest and ACDCs
An important property of high-strength cryptographic digests is that a verifiable cryptographic commitment (such as a digital signature) to the digest of some data is equivalent to a commitment to the data itself. Authentic Chained Data Containers (ACDCs) leverage this property to enable compact chains of ACDCs that anchor data via digests. The data contained in an ACDC may therefore be merely its equivalent anchoring digest. The anchored data is thereby equivalently authenticated or authorized by the chain of ACDCs.
digital agent
ToIP
In the context of decentralized digital trust infrastructure, an agent (specifically a type of software agent) that operates in conjunction with a digital wallet.
Note: In a ToIP context, a digital agent is frequently assumed to have privileged access to the digital wallet(s) of its principal. In market parlance, a mobile app that performs the actions of a digital agent is often simply called a wallet or a digital wallet.
digital asset
ToIP
A digital asset is anything that exists only in digital form and comes with a distinct usage right. Data that do not possess that right are not considered assets.
Source: Wikipedia.
See also: digital credential.
digital certificate
ToIP
See: public key certificate.
digital credential
ToIP
A credential in digital form that is signed with a digital signature and held in a digital wallet. A digital credential is issued to a holder by an issuer; a proof of the credential is presented by the holder to a verifier.
See also: issuance request, presentation request, verifiable credential.
Contrast with: physical credential.
Supporting definitions:
Wikipedia: Digital credentials are the digital equivalent of paper-based credentials. Just as a paper-based credential could be a passport, a driver's license, a membership certificate or some kind of ticket to obtain some service, such as a cinema ticket or a public transport ticket, a digital credential is a proof of qualification, competence, or clearance that is attached to a person.
digital ecosystem
ToIP
A digital ecosystem is a distributed, adaptive, open socio-technical system with properties of self-organization, scalability and sustainability inspired from natural ecosystems. Digital ecosystem models are informed by knowledge of natural ecosystems, especially for aspects related to competition and collaboration among diverse entities.
Source: Wikipedia.
See also: digital trust ecosystem, trust community.
digital identity
ToIP
An identity expressed in a digital form for the purpose of representing the identified entity within a computer system or digital network.
Supporting definitions:
eSSIF-Lab: Digital data that enables a specific entity to be distinguished from all others in a specific context.
Wikipedia: Digital identity refers to the information utilized by computer systems to represent external entities, including a person, organization, application, or device. When used to describe an individual, it encompasses a person's compiled information and plays a crucial role in automating access to computer-based services, verifying identity online, and enabling computers to mediate relationships between entities.
digital rights management
ToIP
Digital rights management (DRM) is the management of legal access to digital content. Various tools or technological protection measures (TPM) like access control technologies, can restrict the use of proprietary hardware and copyrighted works. DRM technologies govern the use, modification and distribution of copyrighted works (e.g. software, multimedia content) and of systems that enforce these policies within devices.
Source: Wikipedia.
Also known as: DRM.
digital signature
ToIP
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created by a known sender (authenticity), and that the message was not altered in transit (integrity).
Source: Wikipedia.
Supporting definitions:
NIST-CSRC: The result of a cryptographic transformation of data which, when properly implemented, provides the services of: 1. origin authentication, 2. data integrity, and 3. signer non-repudiation.
WebOfTrust
digital signature
Definition
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender (authentication), and that the message was not altered in transit (integrity).
Electronic signatures
There are digital signatures and electronic signatures; the latter are quite different in purpose and practical use.
digital trust ecosystem
ToIP
A digital ecosystem in which the participants are one or more interoperating trust communities. Governance of the various roles of governed parties within a digital trust ecosystem (e.g., issuers, holders, verifiers, certification bodies, auditors) is typically managed by a governing body using a governance framework as recommended in the ToIP Governance Stack. Many digital trust ecosystems will also maintain one or more trust lists and/or trust registries.
digital trust utility
ToIP
An information system, network, distributed database, or blockchain designed to provide one or more supporting services to higher level components of decentralized digital trust infrastructure. In the ToIP stack, digital trust utilities are at Layer 1. A verifiable data registry is one type of digital trust utility.
digital vault
ToIP
A secure container for data whose controller is the principal. A digital vault is most commonly used in conjunction with a digital wallet and a digital agent. A digital vault may be implemented on a local device or in the cloud; multiple digital vaults may be used by the same principal across different devices and/or the cloud; if so they may use some type of synchronization. If the capability is supported, data may flow into or out of the digital vault automatically based on subscriptions approved by the controller.
Also known as: data vault, encrypted data vault.
See also: enterprise data vault, personal data vault, virtual vault.
For more information, see: https://en.wikipedia.org/wiki/Personal_data_service, https://digitalbazaar.github.io/encrypted-data-vaults/
digital wallet
ToIP
A user agent, optionally including a hardware component, capable of securely storing and processing cryptographic keys, digital credentials, digital assets and other sensitive private data that enables the controller to perform cryptographically verifiable operations. A non-custodial wallet is directly in the custody of a principal. A custodial wallet is in the custody of a third party. Personal wallets are held by individual persons; enterprise wallets are held by organizations or other legal entities.
See also: digital agent, key management system, wallet engine.
Supporting definitions:
eSSIF-Lab: a component that implements the capability to securely store data as requested by colleague agents, and to provide stored data to colleague agents or peer agents, all in compliance with the rules of its principal's wallet policy.
Wikipedia: A digital wallet, also known as an e-wallet, is an electronic device, online service, or software program that allows one party to make electronic transactions with another party bartering digital currency units for goods and services. This can include purchasing items either online or at the point of sale in a brick and mortar store, using either mobile payment (on a smartphone or other mobile device) or (for online buying only) using a laptop or other personal computer. Money can be deposited in the digital wallet prior to any transactions or, in other cases, an individual's bank account can be linked to the digital wallet. Users might also have their driver's license, health card, loyalty card(s) and other ID documents stored within the wallet. The credentials can be passed to a merchant's terminal wirelessly via near field communication (NFC).
Note: In market parlance, a mobile app that performs the actions of a digital agent and has access to a set of cryptographic keys is often simply called a wallet or a digital wallet.
dip
WebOfTrust
dip
Definition
dip = delcept, delegated inception
direct mode
ToIP (DID:Webs)
an operational mode of the KERI protocol where a controller and a verifier of an AID exchange the KEL of the AID directly, as defined by the KERI whitepaper. See WebOfTrust glossary for more detail.
WebOfTrust
direct mode
Definition
Two primary trust modalities motivated the KERI design. One of these is the direct (one-to-one) mode, in which the identity controller establishes control via verified signatures of the controlling key-pair. The direct mode uses neither witnesses nor KERLs, but has direct (albeit intermittent) network contact with the validator.
Operational mode
Protecting a validator when engaging with some other controller's identifier, whether for verification, control authority establishment, or duplicity detection, depends on the ability to replay the sequence of key events (key event history or log) of that identifier. There are two main operational modes for providing replay capability; they are distinguished by the degree of availability of the identifier's controller when creating and promulgating the key events.
With direct mode, the promulgation of events to a validator does not happen unless the controller is attached to the network and able to communicate directly with a validator.
Direct mode assumes that the controller may have intermittent network availability; it also assumes that these mechanisms may not be trusted in any persistent sense to promulgate key events. Nonetheless, direct mode is important as it is compatible with the use of mobile internet devices such as cell phones. A single direct mode identifier may be re-used in multiple one-to-one relationships as part of a select group.
More in Source: chapter Protocol Operational Modes in KERI white paper
Security concerns
The protocol may operate in two basic modes, called direct and indirect. The availability and consistency attack surfaces are different for the two modes and hence the mitigation properties of the protocol are likewise mode specific.
Also see
directed acyclic graph
WebOfTrust
directed acyclic graph
Definition
From Wikipedia (source):
In mathematics, particularly graph theory, and computer science, a directed acyclic graph (DAG /ˈdæɡ/) is a directed graph with no directed cycles. That is, it consists of vertices and edges (also called arcs), with each edge directed from one vertex to another.
Why a directed acyclic graph (DAG)
Following directions in a DAG will never form a closed loop. Steps through a DAG are finite. That is the main reason to choose a DAG.
Unique properties
From Wikipedia (source):
A directed graph is a DAG if and only if it can be topologically ordered, by arranging the vertices as a linear ordering that is consistent with all edge directions.
Applications
From Wikipedia (source):
DAGs have numerous scientific and computational applications, ranging from biology (evolution, family trees, epidemiology) to information science (citation networks) to computation (scheduling).
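As an added illustration of the topological-ordering property quoted above (this is not code from the glossary or from any of the projects it cites), the following Python applies Kahn's algorithm: it returns an ordering in which every edge points forward when the graph is a DAG, and returns None when a directed cycle makes such an ordering impossible. The sample edges are constructed and the vertex names are arbitrary.

```python
from collections import deque


def topological_order(edges, vertices=()):
    """Kahn's algorithm. Returns a list of vertices ordered so that every edge
    points from an earlier to a later vertex, or None if the graph contains a
    directed cycle (i.e. it is not a DAG).
    edges: iterable of (src, dst) pairs; vertices: extra isolated vertices."""
    successors = {}
    indegree = {}
    for v in vertices:                       # vertices that have no edges at all
        successors.setdefault(v, [])
        indegree.setdefault(v, 0)
    for src, dst in edges:
        successors.setdefault(src, []).append(dst)
        successors.setdefault(dst, [])
        indegree.setdefault(src, 0)
        indegree[dst] = indegree.get(dst, 0) + 1
    # Start from the vertices nothing points at; sort for a deterministic result.
    ready = deque(sorted(v for v, d in indegree.items() if d == 0))
    order = []
    while ready:
        v = ready.popleft()
        order.append(v)
        for w in successors[v]:
            indegree[w] -= 1
            if indegree[w] == 0:
                ready.append(w)
    # Any vertex never reaching in-degree 0 lies on or behind a cycle.
    return order if len(order) == len(successors) else None


def is_dag(edges, vertices=()):
    """True exactly when a topological ordering exists."""
    return topological_order(edges, vertices) is not None


if __name__ == "__main__":
    # Constructed sample: credential C chains to B, B chains to A (no cycle).
    print(topological_order([("C", "B"), ("B", "A")]))
    print(is_dag([("A", "B"), ("B", "C"), ("C", "A")]))
```

The cycle check is what makes the function useful beyond ordering: a chain of linked records that loops back on itself would never terminate a walk, and the None result flags exactly that case.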
disclosee
WebOfTrust
disclosee
Definition
an ACDC in a disclosure is disclosed to the Disclosee
discloser
WebOfTrust
discovery
WebOfTrust
discovery
Definition
A mechanism that helps systems or devices find each other automatically, often used in networks to identify services or resources. In decentralized identifier systems it helps to locate and verify digital identities without relying on a central authority.
Related but not the same
distributed hash table
WebOfTrust
distributed hash table
Definition
It is a distributed system that provides a lookup service similar to a hash table: key-value pairs are stored in a DHT, and any participating node can efficiently retrieve the value associated with a given key. The main advantage of a DHT is that nodes can be added or removed with minimum work around re-distributing keys. Keys are unique identifiers which map to particular values, which in turn can be anything from addresses, to documents, to arbitrary data.
(Source: Wikipedia)
distributed ledger
ToIP
A distributed ledger (also called a shared ledger or distributed ledger technology or DLT) is the consensus of replicated, shared, and synchronized digital data that is geographically spread (distributed) across many sites, countries, or institutions. In contrast to a centralized database, a distributed ledger does not require a central administrator, and consequently does not have a single (central) point-of-failure. In general, a distributed ledger requires a peer-to-peer (P2P) computer network and consensus algorithms so that the ledger is reliably replicated across distributed computer nodes (servers, clients, etc.). The most common form of distributed ledger technology is the blockchain, which can either be on a public or private network.
Source: Wikipedia.
distributed ledger (DLT)
W3C (DID)
A non-centralized system for recording events. These systems establish sufficient confidence for participants to rely upon the data recorded by others to make operational decisions. They typically use distributed databases where different nodes use a consensus protocol to confirm the ordering of cryptographically signed transactions. The linking of digitally signed transactions over time often makes the history of the ledger effectively immutable.
dnd
WebOfTrust
dnd
Definition
Do Not Delegate is a flag / attribute for an AID; by default it is not set, meaning that you can delegate.
| TBW |
domain
Nist
A set of elements, data, resources, and functions that share a commonality in combinations of (1) roles supported, (2) rules governing their use, and (3) protection needs.
ToIP
See: security domain.
See also: trust domain.
WebOfTrust
domain name
WebOfTrust
domain name
Definition
A domain name is a string that identifies a realm of administrative autonomy, authority or control within the Internet. Domain names are used in various networking contexts and for application-specific naming and addressing purposes.
More on Source Wikipedia.
double spend proof
WebOfTrust
double spend proof
Definition
Total global ordering of transactions so that value can't be spent twice at the same time from the same unit of value. Or in common language: you can't spend your money twice.
| TBW |
KERI related
The most important feature of a cryptocurrency is that it must be double spend proof. Because KERI's key event operations are idempotent they do not need to be double spend proofed, so we can greatly simplify the distributed consensus algorithm in KERI. Which makes KERI relatively more attractive for many applications including IoT applications by comparison.
As a result of the relaxation of double spend proofing, KERI is able to break the distributed consensus algorithm into two halves and simplify it in the process. The two halves are the promulgation half (by witnesses) and the confirmation half (by validators).
drt
WebOfTrust
drt
Definition
drt = deltate, delegated rotation
dual indexed codes
WebOfTrust
dual indexed codes
Definition
a context-specific coding scheme, for the common use case of thresholded multi-signature schemes in CESR.
Related to CESR
One way to compactly associate each signature with its public key is to include in the text code for that signature the index into the ordered set of public keys. A popular signature raw binary size is 64 bytes, which has a pad size of 2. This gives two code characters for a compact text code. The first character is the selector and type code. The second character is the Base64 encoded integer index.
More at source Github Repo Ietf-CESR
dual text binary encoding format
WebOfTrust
dual text binary encoding format
Definition
An encoding format that supports both a text and a binary encoding, the two being fully interchangeable. The composability property enables the round-trip conversion en masse of concatenated primitives between the text domain and the binary domain while maintaining the separability of the individual primitives.
Read more in source of Samuel Smith
Related
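The two entries dual indexed codes and dual text binary encoding format describe one design: a 64-byte signature needs 2 Base64 pad characters, and those two character slots carry a selector plus a Base64 index digit, so every primitive stays a multiple of 4 text characters (3 binary bytes) and a concatenated stream converts between the domains in one step. The Python below is an added model of that scheme, not code from the CESR specification or from any WebOfTrust library: it prepends two zero bytes so the code replaces the leading "AA", round-trips a concatenated stream, splits it back into primitives, and uses each index to pick the matching key from an ordered key list for threshold counting. The selector character "A", the key list, the message and the stand-in signing function (SHA-256 based, not a real signature) are all constructed for the demonstration.

```python
import base64
import hashlib

# URL-safe Base64 alphabet used for the text domain.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
SIG_RAW_SIZE = 64      # raw bytes of the signature type in this model
PAD_SIZE = 2           # 64 mod 3 == 1, so Base64 would need 2 pad chars
PRIM_TEXT_SIZE = 88    # (64 + 2) / 3 * 4 characters per indexed signature primitive


def index_code(selector: str, index: int) -> str:
    """Two-character text code: selector/type char plus Base64 digit of the key index (0..63)."""
    if len(selector) != 1 or selector not in B64:
        raise ValueError("selector must be one Base64 character")
    if not 0 <= index < 64:
        raise ValueError("a one-character index covers 0..63")
    return selector + B64[index]


def parse_index_code(code: str):
    return code[0], B64.index(code[1])


def encode_indexed_sig(selector: str, index: int, raw_sig: bytes) -> str:
    """Text primitive: 2-char code followed by the signature body."""
    if len(raw_sig) != SIG_RAW_SIZE:
        raise ValueError("model expects a 64-byte signature")
    # Prepend PAD_SIZE zero bytes: 66 bytes encode to 88 chars with no '=' padding,
    # and the leading two chars encode only zero bits ("AA"), so the code replaces them.
    text = base64.urlsafe_b64encode(bytes(PAD_SIZE) + raw_sig).decode()
    return index_code(selector, index) + text[PAD_SIZE:]


def decode_indexed_sig(text: str):
    """Inverse of encode_indexed_sig: (selector, index, raw signature bytes)."""
    if len(text) != PRIM_TEXT_SIZE:
        raise ValueError("wrong primitive length")
    selector, index = parse_index_code(text[:PAD_SIZE])
    raw = base64.urlsafe_b64decode("A" * PAD_SIZE + text[PAD_SIZE:])
    return selector, index, raw[PAD_SIZE:]


def text_to_binary(stream: str) -> bytes:
    """Composability: the whole concatenation converts at once, no per-primitive parsing."""
    if len(stream) % 4:
        raise ValueError("not composable: text length must be a multiple of 4")
    return base64.urlsafe_b64decode(stream)


def binary_to_text(stream: bytes) -> str:
    if len(stream) % 3:
        raise ValueError("not composable: binary length must be a multiple of 3")
    return base64.urlsafe_b64encode(stream).decode()


def split_signatures(stream: str) -> list:
    """Separate a stream of indexed signature primitives after a round trip."""
    if len(stream) % PRIM_TEXT_SIZE:
        raise ValueError("stream is not a whole number of signature primitives")
    return [decode_indexed_sig(stream[i:i + PRIM_TEXT_SIZE])
            for i in range(0, len(stream), PRIM_TEXT_SIZE)]


def count_valid(keys: list, stream: str, message: bytes, verify) -> int:
    """Use each signature's index to select its key from the ordered key list and
    count the signatures that verify; the caller compares this with the threshold."""
    return sum(1 for _sel, idx, sig in split_signatures(stream)
               if idx < len(keys) and verify(keys[idx], sig, message))


# Constructed stand-in for a signature scheme (NOT a real signature, no security):
# 64 bytes derived from key and message so that index/key association can be checked.
def demo_sign(key: bytes, message: bytes) -> bytes:
    return hashlib.sha256(key + message).digest() * 2


def demo_verify(key: bytes, sig: bytes, message: bytes) -> bool:
    return sig == demo_sign(key, message)


if __name__ == "__main__":
    keys = [b"key0", b"key1", b"key2"]          # constructed ordered key set
    msg = b"constructed event bytes"
    stream = "".join(encode_indexed_sig("A", i, demo_sign(keys[i], msg)) for i in (0, 2))
    print(len(stream), count_valid(keys, stream, msg, demo_verify))
```

Two signatures out of a three-key set give a 176-character stream; converting it to 132 bytes and back yields the identical text, and the indexes (0 and 2) recovered from the codes select the right keys.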
duplicitous event log
WebOfTrust
duplicitous event log
Definition
This is a record of inconsistent event messages produced by a given controller or witness with respect to a given KERL. The duplicitous events are indexed to the corresponding event in a KERL. A duplicitous event is represented by a set of two or more provably mutually inconsistent event messages with respect to a KERL. Each juror keeps a duplicitous event log (DEL) for each controller and all designated witness with respect to a KERL. Any validator may confirm duplicity by examining a DEL.
duplicity
WebOfTrust
duplicity
Duplicity
Duplicity is used to describe external inconsistency. Publication of two or more versions of a KEL, each of which is internally consistent, is duplicity. Given that signatures are non-repudiable, any duplicity is detectable and provable given possession of any two mutually inconsistent versions of a KEL. In KERI, consistency is used to describe data that is internally consistent and cryptographically verifiably so.
KERI related
Duplicity means the existence of more than one version of a verifiable KEL for a given AID. Because every event in a KEL must be signed with non-repudiable signatures, any inconsistency between any two instances of the KEL for a given AID is provable evidence of duplicity on the part of the signers with respect to either or both the key-state of that AID and/or any anchored data at a given key-state. A shorter KEL that does not differ in any of its events with respect to another but longer KEL is not duplicitous but merely incomplete. To clarify, duplicity evident means that duplicity is provable via the presentation of a set of two or more mutually inconsistent but independently verifiable instances of a KEL.
Source Sam Smith
Outside world
In common language 'duplicity' has a slightly different connotation: 'two-facedness', 'dishonesty', 'deceitfulness', 'deviousness', 'falseness'.
duplicity detection
WebOfTrust
duplicity detection
Definition
A mechanism to detect duplicity in cryptographically secured event logs.
KERI related
Duplicity detection, which protects, not against an external attacker, but against a malicious controller does require access to watchers that are also recording duplicitous events.
eIDAS
ToIP
eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation with the stated purpose of governing "electronic identification and trust services for electronic transactions". It passed in 2014 and its provisions came into effect between 2016-2018.
Source: Wikipedia.
eSSIF-Lab World Model
Essif-Lab
the set of concepts, the relations between them (patterns), and principles (that are the starting point for eSSIF-Lab's thinking).
eclipse attack
WebOfTrust
eclipse attack
Definition
An eclipse attack is a P2P network-based attack. An eclipse attack can only be performed on nodes that accept incoming connections from other nodes, and not all nodes accept incoming connections.
In a bitcoin network, by default, there are a maximum of 117 incoming TCP connections and 8 outgoing TCP connections.
Source
KERI related
The only attack on KERI possible is an eclipse attack, so the larger your watcher network reach is the better your protection from this type of attack. The only limitation is a resource constraint.
Source Samuel Smith / Phil Feairheller
Working of Eclipse Attack
Eclipse attacks are possible because nodes within the network are unable to connect with all other nodes and can connect with a limited number of neighboring nodes. This limitation might make it seem convenient for attackers to isolate a node from the rest of the network, but it is not an easy task.
More at Source GeeksforGeeks
ecosystem
ToIP
See: digital ecosystem.
ecosystem governance framework
ToIP
A governance framework for a digital trust ecosystem. An ecosystem governance framework may incorporate, aggregate, or reference other types of governance frameworks such as a credential governance framework or a utility governance framework.
electronic signature
WebOfTrust
electronic signature
Definition
An electronic signature, or e-signature, refers to data in electronic form, which is logically associated with other data in electronic form and which is used by the signatory to sign. This type of signature has the same legal standing as a handwritten signature as long as it adheres to the requirements of the specific regulation under which it was created (e.g., eIDAS in the European Union, NIST-DSS in the USA or ZertES in Switzerland).
Digital signature implementation of e-signatures
Electronic signatures are a legal concept distinct from digital signatures, a cryptographic mechanism often used to implement electronic signatures. While an electronic signature can be as simple as a name entered in an electronic document, digital signatures are increasingly used in e-commerce and in regulatory filings to implement electronic signatures in a cryptographically protected way.
encrypt sender sign receiver
WebOfTrust
encrypt sender sign receiver
Definition
An authenticated encryption approach, using PKI. It covers authenticity and confidentiality.
encrypted data vault
ToIP
See: digital vault.
encryption
ToIP
Cryptographic transformation of data (called plaintext) into a form (called ciphertext) that conceals the data’s original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called decryption, which is a transformation that restores encrypted data to its original state.
Source: NIST-CSRC.
end role
end to end
WebOfTrust
end to end
Definition
Inter-host communication and data flow transformations, considered in motion and at rest.
1. E2E Security. Inter-host communication must be end-to-end signed/encrypted and data must be stored signed/encrypted. Data is signed/encrypted in motion and at rest.
2. E2E Provenance. Data flow transformations must be end-to-end provenanced using verifiable data items (verifiable data chains or VCs). Every change shall be provenanced.
Paraphrased from source Universal Identifier Theory by Samuel Smith
end verifiable
WebOfTrust
end verifiable
Definition
When a log is end verifiable, it means that the log may be verified by any end user that receives a copy. No trust in intervening infrastructure is needed to verify the log and validate the content.
end-to-end encryption
ToIP
Encryption that is applied to a communication before it is transmitted from the sender’s communication endpoint and cannot be decrypted until after it is received at the receiver’s communication endpoint. When end-to-end encryption is used, the communication cannot be decrypted in transit no matter how many intermediary systems are involved in the routing process.
Supporting definitions:
Wikipedia: End-to-end encryption (E2EE) is a private communication system in which only communicating users can participate. As such, no one, including the communication system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to converse. End-to-end encryption is intended to prevent data being read or secretly modified, other than by the true sender and recipient(s). The messages are encrypted by the sender but the third party does not have a means to decrypt them, and stores them encrypted. The recipients retrieve the encrypted data and decrypt it themselves.
endpoint
ToIP
See: communication endpoint.
See also: ToIP endpoint.
endpoint system
ToIP
The system that operates a communications endpoint. In the context of the ToIP stack, an endpoint system is one of three types of systems defined in the ToIP Technology Architecture Specification.
See also: intermediary system, supporting system.
engagement context role
WebOfTrust
engagement context role
Definition
A person that represents the Legal Entity in a functional or in another context role and is issued an ECR vLEI Credential.
Issuance of credentials
On the basis of Legal entity engagement context role vLEI credential governance framework an ECR vLEI Credential is issued to an engagement context role (ECR).
enrol ~ment
digital.govt.nz
to become or cause to become a member; enlist; register[Source: Dictionary]
enterprise data vault
ToIP
A digital vault whose controller is an organization.
enterprise wallet
ToIP
A digital wallet whose holder is an organization.
Contrast with: personal wallet.
entity
digital.govt.nz
something that has real or distinct existence from other things[Source: Dictionary]
ToIP
Someone or something that is known to exist.
Source: eSSIF-Lab.
WebOfTrust
entropy
WebOfTrust
entropy
Definition
Unpredictable information. Often used as a secret or as input to a key generation algorithm.
More on Wikipedia
The term entropy is also used to describe the degree of unpredictability of a message. Entropy is then measured in bits. The degree or strength of randomness determines how difficult it would be for someone else to reproduce the same large random number. This is called collision resistance.
ephemeral
WebOfTrust
ephemeral
Definition
Lasting for a markedly brief time. Having a short lifespan.
In the context of identifiers, it often refers to identifiers for one-time use, or throw-away identifiers.
ephemeral connection
ToIP
A connection that only exists for the duration of a single communication session or transaction.
Contrast with: persistent connection.
escrow
WebOfTrust
escrow
Definition
'Escrow' as a noun is a (legal) arrangement in which a third party temporarily holds money or property until a particular condition has been met.
'Escrow' as a verb: we use it in protocol design to handle out of order events. Store the event and wait for the other stuff to show up and then continue processing of the event. So escrowing is the process of storing this event. We root back to the event later.
escrow state
WebOfTrust
escrow state
Definition
The current state of all the temporary storage locations (what events are waiting for what other information) that KERI protocol needs to keep track of, due to its fully asynchronous nature.
Inner-working and motivation
Since the KERI protocol is fully asynchronous, there is no way to guarantee that events will arrive in the order needed to be processed successfully. This includes things like anchoring events for transaction event logs for credentials (the TEL event could arrive before the anchoring event) and signatures arriving on a multisig event.
To account for this asynchronous nature, implementations need to "escrow" events (store them temporarily) while waiting for other events or additional signatures to show up. The current state of all the temporary storage locations (what events are waiting for what other information) is called the "escrow state".
Source: Philip Feairheller
Beware
A physical escrow state that you may know from real estate transactions is not at all related to the one we define here.
establishment event
WebOfTrust
establishment event
Definition
A key creation or rotation event that establishes or transfers control authority for an identifier.
Establishment events indicate which key pairs are authoritative (controlling) for an identifier at a given point in time.
The establishment events within a key event log (KEL) form an ordered subsequence of the full KEL.
For a non-transferable identifier this is one authoritative key pair and it never changes so there will only ever be one establishment event, the inception event.
For transferable identifiers there can be multiple establishment events which would include the initial rotation event and any subsequent rotation events.
Source Sam Smith
evidence
digital.govt.nz
to give proof of or evidence for[Source: Dictionary]
exn
WebOfTrust
exn
Definition
exn = exchange
exp
WebOfTrust
exp
Definition
exp = expose, sealed data exposition
expression language
ToIP
A language for creating a computer-interpretable (machine-readable) representation of specific knowledge.
Source: Wikipedia.
extensible business reporting language
WebOfTrust
extensible business reporting language
Definition
XBRL is the open international standard for digital business reporting, managed by a global not for profit consortium, XBRL International.
Practical
XBRL provides a language in which reporting terms can be authoritatively defined. Those terms can then be used to uniquely represent the contents of financial statements or other kinds of compliance, performance and business reports. XBRL lets reporting information move between organisations rapidly, accurately and digitally.
Source
Technical
XBRL stands for eXtensible Business Reporting Language. It is one of a family of “XML” languages which is becoming a standard means of communicating information between businesses and on the internet.
Source
facilitate~ion
digital.govt.nz
to make easier; assist the progress of[Source: Dictionary]
facilitation provider (FP)
digital.govt.nz
the party accountable for the establishment and functioning of a facilitation mechanism[Source: New definition]
Additional note:
Note 1: A facilitation mechanism facilitates the presentation of 1 or more Credentials to a Relying Party.
federated identity
ToIP
A digital identity architecture in which a digital identity established on one computer system, network, or trust domain is linked to other computer systems, networks, or trust domains for the purpose of identifying the same entity across those domains.
See also: decentralized identity, self-sovereign identity.
Supporting definitions:
NIST-CSRC: A process that allows for the conveyance of identity and authentication information across a set of networked systems.
Wikipedia: A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
federate~d~ion
digital.govt.nz
united by common agreement under an authority[Source: Dictionary modified to remove central government]
federation
ToIP
A group of organizations that collaborate to establish a common trust framework or governance framework for the exchange of identity data in a federated identity system.
See also: trust community
Supporting definitions:
NIST-CSRC: A collection of realms (domains) that have established trust among themselves. The level of trust may vary, but typically includes authentication and may include authorization.
federation assurance level
ToIP
A category that describes the federation protocol used to communicate an assertion containing authentication and attribute information (if applicable) to a relying party, as defined in NIST SP 800-63-3 in terms of three levels: FAL 1 (Some confidence), FAL 2 (High confidence), FAL 3 (Very high confidence).
Source: NIST-CSRC.
See also: authenticator assurance level, identity assurance level.
fiduciary
ToIP
A fiduciary is a person who holds a legal or ethical relationship of trust with one or more other parties (person or group of persons). Typically, a fiduciary prudently takes care of money or other assets for another person. One party, for example, a corporate trust company or the trust department of a bank, acts in a fiduciary capacity to another party, who, for example, has entrusted funds to the fiduciary for safekeeping or investment. In a fiduciary relationship, one person, in a position of vulnerability, justifiably vests confidence, good faith, reliance, and trust in another whose aid, advice, or protection is sought in some matter.
Source: Wikipedia.
field map
WebOfTrust
field map
Definition
A traditional key:value pair, renamed to avoid confusion with the cryptographic use of the term 'key'. To avoid confusion with the cryptographic use of the term key we instead use the term field to refer to a mapping pair and the terms field label and field value for each member of a pair. These pairs can be represented by two-tuples, e.g. (label, value). We qualify this terminology when necessary by using the term field map to reference such a mapping.
Nested field maps
Field maps may be nested where a given field value is itself a reference to another field map. We call this nested set of fields a nested field map or simply a nested map for short.
first party
ToIP
The party who initiates a trust relationship, connection, or transaction with a second party.
See also: third party, fourth party.
first seen
WebOfTrust
first seen
Definition
A "First seen" event in KERI refers to the first event received by a validator, such as a witness, that is valid and fits the next available sequence number at the tail of the validator's KEL, and that is therefore accepted into the validator's KEL. This rule says nothing about the timing of what has arrived in escrow; the escrow may contain garbage. Assuming a watched set of validators agree on the first-seen events and thus also agree on the KELs, the watchers of those validators will propagate only those first-seen events within microseconds.
The rule
From the perspective of a validator, the rule is "First seen, always seen, never unseen".
Key Compromise, Duplicity, and Recovery
Different validators might have a different first-seen number for the same originating transaction event. In the case of duplicitous (inconsistent) interaction events originating from the controller (of the current signing key(s)), which might not be discovered until after a key rotation, a recovery process involving judges and jury may be triggered. More here. Validators will not provide an outdated KEL or Event once an erroneous KEL has been corrected.
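The entries escrow, escrow state, first seen, duplicity and duplicitous event log describe one processing loop, which the added Python below models; it is not code from keripy or any other WebOfTrust project, and it deliberately simplifies: events are plain dicts carrying a sequence number, the digest of the prior event and a payload, the digest is a SHA-256 stand-in for a real SAID, and signature verification is assumed to have already happened before an event reaches receive(). The validator applies "first seen, always seen, never unseen", parks out-of-order events in escrow until the gap before them is filled, and records a provably inconsistent alternative at an already occupied sequence number in its duplicitous event log; compare_kels shows why a shorter but agreeing KEL is merely incomplete. All sample events are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field


def digest(event: dict) -> str:
    """Stand-in event digest: SHA-256 over canonical JSON (KERI uses CESR-encoded SAIDs)."""
    return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()


@dataclass
class Validator:
    """Minimal first-seen validator for one AID's key event log (KEL).
    Events are dicts {"s": sequence number, "p": digest of the prior event, "d": payload}.
    Signature verification is assumed done before receive() is called."""
    kel: list = field(default_factory=list)      # accepted first-seen events, in sequence order
    escrow: dict = field(default_factory=dict)   # sn -> out-of-order events waiting for predecessors
    dup_log: list = field(default_factory=list)  # duplicitous event log: (sn, first-seen digest, other digest)

    def next_sn(self) -> int:
        return len(self.kel)

    def receive(self, event: dict) -> str:
        sn = event["s"]
        if sn < self.next_sn():
            # "First seen, always seen, never unseen": this sn is already occupied.
            seen = digest(self.kel[sn])
            if digest(event) == seen:
                return "duplicate"            # the same event again, nothing changes
            self.dup_log.append((sn, seen, digest(event)))
            return "duplicitous"              # a second, inconsistent version at the same sn
        if sn > self.next_sn():
            self.escrow.setdefault(sn, []).append(event)
            return "escrowed"                 # gap before it: park until the gap is filled
        if sn > 0 and event["p"] != digest(self.kel[-1]):
            return "rejected"                 # does not chain to our first-seen prior event
        self.kel.append(event)
        self._drain_escrow()
        return "accepted"

    def _drain_escrow(self) -> None:
        # An accepted event may unblock escrowed events at the next sn; the first valid
        # one becomes first-seen, any alternative at that sn lands in the dup_log.
        while self.next_sn() in self.escrow:
            for ev in self.escrow.pop(self.next_sn()):
                self.receive(ev)

    def escrow_state(self) -> dict:
        """Snapshot of what is waiting for what: sn -> number of parked events."""
        return {sn: len(evs) for sn, evs in self.escrow.items()}


def compare_kels(a: list, b: list) -> str:
    """Classify two KEL instances for the same AID: 'duplicitous' if any event at a
    shared sn differs, 'incomplete' if one is only a prefix of the other, else 'consistent'."""
    for ea, eb in zip(a, b):
        if digest(ea) != digest(eb):
            return "duplicitous"
    return "consistent" if len(a) == len(b) else "incomplete"


if __name__ == "__main__":
    # Constructed sample: inception, two conflicting interactions at sn 1, rotation at sn 2.
    e0 = {"s": 0, "p": "", "d": "icp"}
    e1 = {"s": 1, "p": digest(e0), "d": "ixn-a"}
    e1b = {"s": 1, "p": digest(e0), "d": "ixn-b"}
    e2 = {"s": 2, "p": digest(e1), "d": "rot"}
    v = Validator()
    print(v.receive(e2), v.escrow_state())   # arrives early: escrowed, {2: 1}
    print(v.receive(e0), v.receive(e1))      # fills the gap, e2 drains from escrow
    print(v.receive(e1b), v.dup_log)         # inconsistent alternative at sn 1
```

Receiving the rotation first parks it; once the inception and the first interaction arrive, the escrow drains and the KEL holds three events. The alternative interaction at sequence number 1 is then not accepted but logged, which is the evidence a judge or jury process would later examine.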
foreign function interface
WebOfTrust
foreign function interface
Definition
A mechanism by which a program written in one programming language, usually an interpreted (scripted) one, can call routines or make use of services written or compiled in another.
More on Source: https://en.wikipedia.org/wiki/Foreign_function_interface
Relevance in CESR
To have the output from Rust-based developments (e.g. cesride) consumed by higher-level languages.
forgery
digital.govt.nz
the act of reproducing something for a deceitful or fraudulent purpose[Source: Dictionary]
foundational identity
ToIP
A set of identity data, such as a credential, issued by an authoritative source for the legal identity of the subject. Birth certificates, passports, driving licenses, and other forms of government ID documents are considered foundational identity documents. Foundational identities are often used to provide identity binding for functional identities.
Contrast with: functional identity.
fourth party
ToIP
A party that is not directly involved in the trust relationship between a first party and a second party, but provides supporting services exclusively to the first party (in contrast with a third party, who in most cases provides supporting services to the second party). In its strongest form, a fourth party has a fiduciary relationship with the first party.
frame code
WebOfTrust
full disclosure
WebOfTrust
full disclosure
Definition
A disclosure of data in all its details.
When used in the context of selective disclosure, full disclosure means detailed disclosure of the selectively disclosed attributes not detailed disclosure of all selectively disclosable attributes. Whereas when used in the context of partial disclosure, full disclosure means detailed disclosure of the field map that was so far only partially disclosed.
fully compact
WebOfTrust
fully compact
definition
The most compact form of an ACDC. This is the only signed variant of an ACDC and this signature is anchored in a transaction event log (TEL) for the ACDC.
This is one valid choice for an ACDC schema.
This form is part of the graduated disclosure mechanism in ACDCs.
Anchoring to the TEL
The extra that a fully compact version has to offer over a most compact version is the anchoring to the transaction event log, where various proofs (hashes) can be "stored" that are optional in all kinds of ACDC variants.
See
Fully (expanded) version of an ACDC
Most compact version of an ACDC.
Analogy
A fully compact ACDC is like the core of an onion and the fully expanded ACDC is like the rest of the outer layers of the onion. Turn this onion inside-out: you only need to sign the core (most compact), and then the whole onion (expanded version) would verify. The complete (expanded) onion is the most user friendly information bulb you can get, and you don't need to peel off all the rings of the onion to securely attribute all the information to the controller of the SAID that signed the core.
You can present any version of the onion you like: only the core, one partially stripped back, one layer at a time, or the whole thing (fully expanded). This illustrates part of the rationale for why ACDCs matter. They offer a layered, graduated disclosure mechanism of verifiable credentials never seen before in the SSI field.
fully expanded
WebOfTrust
fully expanded
Definition
The most user-friendly version of an ACDC credential. It doesn't need to be signed and typically is not signed, since the most compact version, which is signed, can be computed from this form, and the signature can then be looked up in the transaction event log of the ACDC in question.
Regarding the graduated disclosure objective this form is the one with the highest amount of disclosure for a given node of an ACDC graph.
See also
Fully compact(ed) version of an ACDC
Most compact version of an ACDC.
functional identity
ToIP
A set of identity data, such as a credential, that is issued not for the purpose of establishing a foundational identity for the subject, but for the purpose of establishing other attributes, qualifications, or capabilities of the subject. Loyalty cards, library cards, and employee IDs are all examples of functional identities. Foundational identities are often used to provide identity binding for functional identities.
gateway
ToIP
A gateway is a piece of networking hardware or software used in telecommunications networks that allows data to flow from one discrete network to another. Gateways are distinct from routers or switches in that they communicate using more than one protocol to connect multiple networks[1][2] and can operate at any of the seven layers of the open systems interconnection model (OSI).
See also: intermediary.
Source: Wikipedia.
ghost credential
WebOfTrust
ghost credential
Definition
A valid credential within a 90-day grace period (the revocation transaction time frame before it is booked to the revocation registry). | TBW prio 3 |
Design
When a relationship needs to be terminated with a QVI and the QVI has not revoked their credentials (yet) then those credentials become ghost credentials.
gleif authorized representative
glossary
ToIP
A glossary (from Ancient Greek: γλῶσσα, glossa; language, speech, wording), also known as a vocabulary or clavis, is an alphabetical list of terms in a particular domain of knowledge (scope) together with the definitions for those terms. Unlike a dictionary, a glossary has only one definition for each term.
Source: Wikipedia.
gnu privacy guard
WebOfTrust
gnu privacy guard
Definition
Also GnuPG: a free-software replacement for Symantec's PGP cryptographic software suite. It is compliant with RFC 4880, the IETF standards-track specification of OpenPGP. Modern versions of PGP are interoperable with GnuPG and other OpenPGP-compliant systems.
More on wikipedia
See more about the closely related and often-confusing term PGP.
governance
ToIP
The act or process of governing or overseeing the realization of (the results associated with) a set of objectives by the owner of these objectives, in order to ensure they will be fit for the purposes that this owner intends to use them for.
Source: eSSIF-Lab.
governance diamond
ToIP
A term that refers to the addition of a governing body to the standard trust triangle of issuers, holders, and verifiers of credentials. The resulting combination of four parties represents the basic structure of a digital trust ecosystem.
governance document
ToIP
A document with at least one identifier that specifies governance requirements for a trust community.
Note: A governance document is a component of a governance framework.
governance framework
ToIP
A collection of one or more governance documents published by the governing body of a trust community.
Also known as: trust framework.
Note: In the digital identity industry specifically, a governance framework is better known as a trust framework. ToIP-conformant governance frameworks conform to the ToIP Governance Architecture Specification and follow the ToIP Governance Metamodel.
WebOfTrust
governance framework
Definition
Also called 'Governance structure'. Governance frameworks are the structure of a government and reflect the interrelated relationships, factors, and other influences upon the institution. Governance frameworks structure and delineate power and the governing or management roles in an organization. They also set rules, procedures, and other informational guidelines.
More in source Wikipedia.
Related to GLEIF and vLEI
In addition, governance frameworks define, guide, and provide for enforcement of these processes. These frameworks are shaped by the goals, strategic mandates, financial incentives, and established power structures and processes of the organization.
Within GLEIF context, governance frameworks manifest in a document that details the requirements for vLEI credentials.
governance graph
ToIP
A graph of the governance relationships between entities within a trust community. A governance graph shows which nodes are the governing bodies and which are the governed parties. In some cases, a governance graph can be traversed by making queries to one or more trust registries.
Note: a party can play both roles and also be a participant in multiple governance frameworks.
See also: authorization graph, reputation graph, trust graph.
governance requirement
ToIP
A requirement such as a policy, rule, or technical specification specified in a governance document.
See also: technical requirement.
governed information
ToIP
Any information published under the authority of a governing body for the purpose of governing a trust community. This includes its governance framework and any information available via an authorized trust registry.
governed party
ToIP
A party whose role(s) in a trust community is governed by the governance requirements in a governance framework.
governed use case
ToIP
A use case specified in a governance document that results in specific governance requirements within that governance framework. Governed use cases may optionally be discovered via a trust registry authorized by the relevant governance framework.
governing authority
ToIP
See: governing body.
governing body
ToIP
The party (or set of parties) authoritative for governing a trust community, usually (but not always) by developing, publishing, maintaining, and enforcing a governance framework. A governing body may be a government, a formal legal entity of any kind, an informal group of any kind, or an individual. A governing body may also delegate operational responsibilities to an administering body.
Also known as: governing authority.
graduated disclosure
WebOfTrust
graduated disclosure
Definition
Lifting confidentiality step by step: Selectively disclosing more data as time and/or necessity progresses, offering backwards verifiability of earlier issued cryptographic proofs.
Example
You prove you have an insurance policy without disclosing its details before taking part in extreme sports. Only when something goes wrong, e.g. 1 in 100 cases, do you disclose the data. This way confidentiality is kept in 99% of cases.
KERI specific
Disclosure performed by a presentation exchange that has cross-variant (see compact variant) Issuer commitment verifiability as an essential property. It supports graduated disclosure by the Disclosee of any or all variants, whether full, compact, metadata, partial, selective, bulk issued, or contractually protected.
Paraphrased by @henkvancann based on source
Reuse
The SAID of a given variant is useful even when it is not the SAID of the variant the Issuer signed because during graduated disclosure the Discloser MAY choose to sign that given variant to fulfil a given step in an IPEX graduated disclosure transaction.
Rule
The disclosure performed by a presentation exchange MAY be graduated and MAY be contractually protected.
Related terms
| TBW | check prio 1
graph fragment
WebOfTrust
graph fragment
Definition
An ACDC is a verifiable data structure and part of a graph, consisting of a node property and one or two edge properties.
group code
WebOfTrust
group framing code
WebOfTrust
group framing code
Definition
Special framing codes can be specified to support groups of primitives in CESR. Grouping enables pipelining. Other suitable terms for these special framing codes are group codes, or count codes for short. These are suitable terms because these framing codes can be used to count characters, primitives in a group, or groups of primitives in a larger group when parsing and off-loading a stream of CESR primitives.
Source
Composability property
One of the primary advantages of composable encoding is that we can use special framing code to support the above mentioned grouping.
guardian
ToIP
A party that has been assigned rights and duties in a guardianship arrangement for the purpose of caring for, protecting, guarding, and defending the entity that is the dependent in that guardianship arrangement. In the context of decentralized digital trust infrastructure, a guardian is issued guardianship credentials into their own digital wallet in order to perform such actions on behalf of the dependent as are required by this role.
Source: eSSIF-Lab
See also: custodian, zero-knowledge service provider.
Mental Model: eSSIF-Lab Guardianship
Supporting definitions:
Wikipedia: A legal guardian is a person who has been appointed by a court or otherwise has the legal authority (and the corresponding duty) to make decisions relevant to the personal and property interests of another person who is deemed incompetent, called a ward.
For more information, see: On Guardianship in Self-Sovereign Identity V2.0 (April, 2023).
Note: A guardian is a very different role than a custodian, who does not take any actions on behalf of a principal unless explicitly authorized.
guardianship arrangement
ToIP
A guardianship arrangement (in a jurisdiction) is the specification of a set of rights and duties between legal entities of the jurisdiction that enforces these rights and duties, for the purpose of caring for, protecting, guarding, and defending one or more of these entities. At a minimum, the entities participating in a guardianship arrangement are the guardian and the dependent.
Source: eSSIF-Lab
See also: custodianship arrangement.
Mental Model: eSSIF-Lab Guardianship
For more information, see: On Guardianship in Self-Sovereign Identity V2.0 (April, 2023).
guardianship credential
ToIP
A digital credential issued by a governing body to a guardian to empower the guardian to undertake the rights and duties of a guardianship arrangement on behalf of a dependent.
hab
habery
WebOfTrust
habery
Definition
'Hab' comes from 'Habitat'. It's a place where multi-sigs and AIDs are linked. A Habery manages a collection of Habs. A Hab is a data structure (a Python object).
| TBW |-prio2
Beware
The only hit (2022) in a Google search pointing to a github site 'habery DOT github DOT io' is NOT related.
hardware security module
ToIP
A physical computing device that provides tamper-evident and intrusion-resistant safeguarding and management of digital keys and other secrets, as well as crypto-processing.
Source: NIST-CSRC.
Also known as: HSM.
Supporting definitions:
NIST-CSRC: A physical computing device that provides tamper-evident and intrusion-resistant safeguarding and management of digital keys and other secrets, as well as crypto-processing. FIPS 140-2 specifies requirements for HSMs.
Wikipedia: A physical computing device that safeguards and manages secrets (most importantly digital keys), performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.
WebOfTrust
hardware security module
Definition
An HSM is a physical computing device that safeguards and manages secrets (most importantly digital keys), and performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions.
More in source Wikipedia
hash
ToIP
The result of applying a hash function to a message.
Source: NIST-CSRC.
Also known as: hash output, hash result, hash value.
hash function
ToIP
An algorithm that computes a numerical value (called the hash value) on a data file or electronic message that is used to represent that file or message, and depends on the entire contents of the file or message. A hash function can be considered to be a fingerprint of the file or message. Approved hash functions satisfy the following properties: one-way (it is computationally infeasible to find any input that maps to any pre-specified output); and collision resistant (it is computationally infeasible to find any two distinct inputs that map to the same output).
Source: NIST-CSRC.
hierarchical asynchronous coroutines and input output
WebOfTrust
hierarchical asynchronous coroutines and input output
Definition
HIO is an acronym which stands for 'Weightless hierarchical asynchronous coroutines and I/O in Python'.
It's Rich Flow Based Programming Hierarchical Structured Concurrency with Asynchronous IO. That mouthful of terms has been explained further on Github.
HIO builds on very early work on hierarchical structured concurrency with lifecycle contexts from ioflo, ioflo github, and ioflo manuals.
More info on Github
hierarchical composition
WebOfTrust
hierarchical composition
Definition
Encoding protocol that is composable in a hierarchy and enables pipelining (multiplexing and de-multiplexing) of complex streams in either text or compact binary. This allows management at scale for high-bandwidth applications.
Example
| TBW prio2 |
CESR related
Because of count codes and the composability and concatenation properties of CESR, pipelining is possible, which in turn uses multiplexing (combining self-framing primitives) and de-multiplexing (unravelling self-framing primitives).
hierarchical deterministic keys
WebOfTrust
hierarchical deterministic keys
Definition
Hierarchical deterministic keys (HDKs) belong to a type of deterministic bitcoin wallet derived from a known seed that allows for the creation of child keys from the parent key. Because the child key is generated from a known seed, there is a relationship between the child and parent keys that is invisible to anyone without that seed. The HD protocol (BIP 32) can generate a near-infinite number of child keys from a deterministically generated seed (chain code) from its parent, providing the ability to recreate those exact same child keys as long as you have the seed.
More at W3 source
hio
WebOfTrust
hio
Definition
Weightless hierarchical asynchronous coroutines and I/O in Python.
Rich Flow Based Programming Hierarchical Structured Concurrency with Asynchronous IO.
More on Github
This very technical topic can best be studied further at the Github Repository
Relation to KERI
Choosing HIO fits the asynchronous nature of KERI, the minimal sufficient means design principle of KERI, and the leading KERIpy implementation.
holder (of a claim or credential)
ToIP
A role an agent performs by serving as the controller of the cryptographic keys and digital credentials in a digital wallet. The holder makes issuance requests for credentials and responds to presentation requests for credentials. A holder is usually, but not always, a subject of the credentials they are holding.
Mental model: W3C Verifiable Credentials Data Model Roles & Information Flows
Supporting definitions:
eSSIF-Lab: a component that implements the capability to handle presentation requests from a peer agent, produce the requested data (a presentation) according to its principal's holder-policy, and send that in response to the request.
W3C VC: A role an