Questions about KERI:

What is the legal status of what you do with KERI, how does it meet regulations and law?
How to integrate KERI in a solution, anticipating the requests eIDAS organisational wallets, at scale, have?
ARF eIDAS - a comparison with KERI features
Is Bridging possible and if so what a the integration cost
What enables KERI: what do you need to get going, what are the infrastructural costs, etc.
A main question is: Eidas2, EUDI wallet and basically the ARF is becoming mandatory for EU in all levels of industry. If you force all companies on EUDI, how GLEIF want to enforce keri in addition to the companies?
Does KERI really brings so much value in comparison to the law-enforced eidas regulation, that companies would think for vLEI?

This issue tries to answer these DICE sponsor questions. These people are in businesses that'll earn money in the future to control EUID holders for governments. It's a federated design (eIDAS). To become a member of the gang (QI) they have to conform to an ARF. I've fed our KERI Wizard (chatGPT) all these documents and started asking the questions. Here are the results of the questions in chat GPT 'KERI wizard': https://chatgpt.com/share/1cdcb4db-467c-4fc4-a208-8174ffc93bcf

What I do here in this issue, copy each answer in the comments below, find the gibberish (hallucinations of chatGPT), take it out and amend the content in general. So you don't need to check the chatGPT result, it's in the comments of this issue already and then we improve it here.

My question to you is: could you go over the answers and point me to KERI parts, features or characteristics that I forgot to mention? You can comment on each comment.

What is the legal status of what you do with KERI, how does it meet regulations and law?

KERI wizard answer curated:

The legal status of KERI (Key Event Receipt Infrastructure) is important for its acceptance and integration into existing legal frameworks. KERI, as an open source decentralized identifier system, must adhere to various legal and regulatory standards, particularly those concerning digital identity, data protection, and cybersecurity. Here's how KERI meets these requirements:

Legal and Regulatory Compliance

Data Protection Regulations (GDPR in Europe):

Data Minimization and User Control: KERI ensures that users have control over their data. Users can manage their cryptographic keys, with which all sensitive data can be encrypted without binding to the control of the keys, thus maintaining privacy and minimizing data exposure.

Consent Management: Users must give explicit consent for any data sharing, aligning with GDPR requirements for data subject consent. They do so by allowing access to encrypted data and supplying public keys to verify signatures.

Right to Be Forgotten: Although KERI uses immutable ledgers, the system can be designed to revoke and retire identifiers to comply with the right to be forgotten by making identifiers inactive without altering historical data.

Electronic Identification, Authentication and Trust Services (eIDAS) Regulation:

Qualified Electronic Signatures: KERI can integrate with Qualified Electronic Signature (QES) providers, ensuring that signatures made using KERI infrastructure are legally binding across EU member states.

Interoperability and Certification: KERI's infrastructure can be certified under schemes such as those provided by eIDAS to ensure its components meet high-security standards. The use of common protocols and standards ensures interoperability with other digital identity solutions.

Cybersecurity Standards:

Certification and Auditing: KERI components can undergo certification processes to ensure they meet cybersecurity standards such as those outlined in the EU Cybersecurity Act. Regular audits and conformity assessments could be done, but are not needed, because KERI is inherently and proven secure.

Encryption and Key Management: KERI start off from the precondition that a controller needs to his/her secrets secret. The use of strong but seasoned cryptographic functions ensure that all data is securely encrypted. KERI advises for private keys to be managed in secure environments, complying with global standards for cybersecurity.

Meeting Specific Legal Requirements

Mutual Authentication and Secure Transactions:

Authentication Protocols: KERI uses robust mutual authentication protocols to ensure that both parties in a transaction can verify each other's identities securely. This aligns with legal requirements for secure electronic transactions.

User Awareness and Authorization: The system includes mechanisms for controller (user) awareness and explicit authorization. All transactions are peer to peer and signing happens on the edge. Thus users know about who is requesting their data and for what purpose, thereby creating transparency and informed consent.

Integration with National and International Frameworks:

Interfacing with National ID Systems: KERI can interface with national identity systems and electronic identification cards (e.g., EU Member States' identity cards), providing seamless integration and compliance with national legal frameworks.

Compliance with the European Digital Identity Framework: As detailed in the European Digital Identity (EUDI) Wallet architecture, KERI supports the functionalities required for electronic identification and trust services within the EU.

EUDI Wallet Functionalities

KERI aligns with the proposed functionalities of the EUDI Wallet, which include:

Storage and Management of Personal Identification Data: Securely storing and managing qualified electronic attestations and personal identification data, both locally and remotely.

Cryptographic Functions: Providing secure cryptographic functions for identification, authentication, and electronic signatures.

User Interface for Awareness and Authorization: Ensuring users are aware of and authorize data transactions, promoting transparency and user control.

Conclusion KERI's infrastructure is designed to meet stringent legal and regulatory requirements by integrating advanced cryptographic techniques, robust authentication mechanisms, and comprehensive user control features. By adhering to GDPR, eIDAS, and other relevant cybersecurity standards, KERI ensures that its operations are legally compliant and secure, fostering trust and acceptance among users and relying parties alike. This compliance is essential for its adoption in various regulatory environments and its integration into national and international digital identity frameworks.

Forgetting

There are three ways that forgettability can be provided by the identity system. The proposed identity system could eventually support all three methods of forgetting.

The first way is to just to delete the encryption keys. Once all copies of the encryption key is deleted there is no way to decrypt the data. Another approach is to make the data nonretrievable by deleting certain number of shares in thresholdstorage protocols. The users might need to explicitly waive the right to have the encrypted data deleted and accept key deletion as sufficient for forgetting.

Another way is to use time limited ledgers. The transaction ledgers can be checkpointed every certain period of time so that the ledger is essentially closed out and started over. Current transactions are brought forward and entered anew in the ledger but stale transactions are deleted. As mentioned previously, a distributed consensus pool can act as a trusted third party enabling triple signed transaction receipts. In a triple signed transaction, both sides of the exchange and the notary all sign the transaction. A receipt can be generated that is proof of the transaction. The transaction can be deleted from the ledger, but each party can keep a copy of the receipt that proves all three parties agreed to the transaction. This allows transactions to be “forgotten” from the public ledger.

The final way is to use a mutable database in concert with the metadata transaction ledger. The consensus pool manages the transactions in the database including change or delete transactions. The metadata includes a full audit trail including the delete transactions. This is analogous to accounting systems where transactions can’t be deleted but a subsequent transaction can undo the previous transaction. The ledger of transactions is immutable but the data in the database is mutable.

from: https://github.com/SmithSamuelM/Papers/blob/master/whitepapers/Identity-System-Essentials.pdf

How to integrate KERI in a solution, anticipating the requests eIDAS organisational wallets, at scale, have?

Integrating KERI into a solution that meets eIDAS organizational wallet requirements at scale involves several streamlined steps, leveraging KERI's open-source nature, lean design, and the CESR protocol for efficient data streaming. Here's a concise guide:

Understand the Requirements

eIDAS Organizational Wallets Compliance: Align with eIDAS regulations for identification, authentication, and trust services. Interoperability: Ensure seamless interaction with other eIDAS-compliant systems. Scalability: Design for large-scale use by multiple organizations.

Develop the Technical Architecture

KERI Core Components

Decentralized Identifiers (DIDs): Use DIDs to uniquely identify organizations and users over the web; did:webs and did:keri
Key Event Receipt (KER) Log: Manage the lifecycle of cryptographic keys securely including signatures and seals.
Verifiable Data Registry / Transaction Event Logs (TELs): Store and manage verifiable credentials and attestations.

Implement Security and Compliance Measures

Cryptographic Security

Strong Cryptography: KERI has robust cryptographic algorithms for key management: multi-signature, inception, pre-rotation, delegation and revocation.
Compliance: Integrate with Qualified Trust Service Providers (QTSPs) for qualified electronic signatures (QES) and obtain necessary certifications.

Develop Interoperability Features

Standard Protocols

API Integration: Extend and use KERI API (KAPI) so that it conform to eIDAS and ARF EUID requirements. CESR Protocol: Leverage CESR (Compact Event Streaming Representation) for efficient and secure data streaming.

Build a Scalable Infrastructure

Cloud-Based Solutions

Cloud Hosting: Utilize cloud infrastructure for high availability and scalability, host KERI agents to service witnesses, validators, jurors, etc. Microservices Architecture: Enable the independent scaling of KERI components that are in the KERI by design.

Develop a User-Friendly Interface

Organizational Wallet Interface

User Experience: Use Signify and KERIA to offer an intuitive interface for administrators and users. Access Controls: Implement role-based access controls in the decentralised KERI governance model of Qualified Issuers.

Implement Monitoring and Management Tools

Continuous Monitoring

Security and Performance Monitoring: Track system performance and security continuously. This is something the KERI Suite would typically involve externally. Management Tools: Provide administrative dashboards and maintain audit logs. KERI's KEL and TEL are audit logs in itself. The explorer or dashboard is still in its infancy to get a historical management overview of the data a user is allowed to see and the signatures and seals that can be verified. It also is highly dependent on which type of user rights an individual in a management role over a set of AIDs has: controller, verifier, delegator, delegatee, etc.

Pilot and Scale

Pilot Implementation

Initial Deployment: Test the integration in a controlled environment. Because eIDAS is a federated identity protocol, KERI needs at least two AIDs of two Qualified Issuers (one each) and one subject AID issued by one of the QI, or if you'd like to test the true SSI value of KERI: subject becomes controller of an AID of which the controller start issuing credentials and share with one the QIs. The QIs then propagates the credential to another QI signing it once.
Feedback Loop: Collect and implement feedback to refine the system. All KERI UX operations have corresponding kli commands. Collecting commands and replaying them and improving them offers the Feedback Loop.

Scaling Up Gradual Scaling: Increase users and transactions gradually, optimizing based on performance metrics.

Vision on KERI's Open Source Character KERI’s open-source nature fosters innovation and collaboration, allowing developers to customize and extend the system to meet specific needs. Its lean and mean design ensures efficiency and simplicity, making it easier to implement and scale. The CESR protocol further enhances this by providing a general-purpose, efficient method for streaming data securely and reliably.

Conclusion By leveraging KERI’s open-source nature, lean design and the CESR protocol, you can build a scalable, compliant, and efficient solution for eIDAS organizational wallets. This approach ensures robust security, interoperability, federated Qualified Issuing and gradable user control, meeting the needs of organizational users at scale.

Could you create a comparison between the ARF of eIDAS based EUID and the main KERI features: KERI core, ACDC, CESR, OOBI, Signify, KERIA? Please pick the 10 most important aspects of which security, confidentiality, privacy are 3.

Comparison between eIDAS-based EUDI and KERI Features

Aspect	eIDAS-based EUDI	KERI Features
1. Compliance and Regulation	Compliant with EU regulations, specifically eIDAS. Ensures interoperability across EU member states.	Decentralized and designed to be flexible. Can be integrated into existing compliance frameworks.
2. Decentralized Identifiers	Uses centralized identifiers issued by member states or qualified trust service providers.	Uses decentralized identifiers (DIDs) managed through KERI's decentralized infrastructure. However, KERI is versatile: it's all about who controls the keys.
3. Security	High security standards, including strong authentication and encryption. Regular audits and certifications required.	KERI core provides secure key management and event logs. Security built into the core design with cryptographic mechanisms.
4. Confidentiality	Ensures confidentiality through legal and technical measures, including compliance with GDPR.	KERI ensures confidentiality through cryptographically secured gradual disclosure protocols and decentralized key management, compliant with GDPR and other laws and regulations.
5. Privacy	Compliant with GDPR, ensuring data minimization, user consent, and the right to be forgotten.	Privacy by design. Users control their own data and keys, with minimal exposure through cryptographic techniques.
6. Interoperability	Ensures interoperability across different member states and systems through standard protocols and interfaces.	KERI is an open source protocol, trust spanning layer for the web, interoperable by design. Uses CESR for interoperable data streaming. Designed to be able to work with various digital identity systems, extensible and configurable to practically do so.
7. Scalability	Scalable across the EU, designed to handle large volumes of transactions and users.	Highly scalable due to its decentralized nature, lean and mean protocols, and microservices architecture.
8. User Control and Consent	Strong emphasis on user control and consent. Users can manage their data and provide explicit consent for data sharing. It's SSI: self-service identity.	Users have full control over their identifiers and data, with mechanisms for explicit consent (seals) and data sharing (TELs). KERI is pure SSI: self-sovereign identity.
9. Trust Framework	Built on a centralized trust framework with qualified trust service providers and conformity assessment bodies.	Built on a decentralized trust framework. Uses AIDs as identifiers verifiable to their roots-of-trust, ACDC for verifiable credentials and attestations, OOBI for out-of-band 2nd factor authentication, CESR for encrypted and signed data streaming, composable in text and binary format. Lastly Signify and KERIA offer 'signing on the edge'.
10. Ecosystem Roles	Defines clear roles for identity providers, trust service providers, and users. Comprehensive governance structure.	Defines roles for various entities, including issuers, verifiers, and holders. Uses Signify and KERIA for administration and governance. KERI implementers adhere to the ToIP governance model and there are template docs available at GLEIF

Key Features Explained

KERI Core: Provides a decentralized identifier system with secure key management and event logs.
ACDC (Authentic Chained Data Container): Used for issuing and verifying verifiable credentials.
CESR (Compact Event Streaming Representation): A protocol for efficient and secure data streaming.
OOBI (Out of Band Interaction): Mechanism for establishing out-of-band (the web serves this protocol) introduced KERI authentication enabling secure data exchange.
Signify: Agent tool for managing identifiers. Signify is a web client + signing - and key pair creation app that minimizes the use of KERI on the client.
KERIA (KERI Agent): Framework for administering and governing KERI-based systems. KERI Agent in the cloud. The KERIA service will expose 3 separate HTTP endpoints on 3 separate network interfaces:

Boot Interface - Exposes one endpoint for Agent Worker initialization.

Admin Interface - The REST API for command and control operations from the Signify Client.

KERI Protocol Interface - CESR over HTTP endpoint for KERI protocol interactions with the rest of the world.

Conclusion

The eIDAS-based EUDI and KERI both aim to provide secure and trusted digital identity solutions, but they differ significantly in their architecture and approach. The eIDAS-based EUDI relies on a centralized framework with strict regulatory compliance, while KERI emphasizes decentralization, user control, and flexibility, making it adaptable to various regulatory environments. Both systems prioritize security, confidentiality, and privacy, ensuring that users can trust their digital identities.

Eidas2, EUDI wallet and basically the ARF is becoming mandatory for EU in all levels of industry. If you force all companies on EUDI, by which means GLEIF or any other organizational ID supplier wants to enforce keri as an addition or alternative to the companies that run to comply with the ARF?

To address the mandatory adoption of the eIDAS2, EUDI wallet, and ARF (Architecture and Reference Framework) across all levels of industry in the EU, while also considering the integration of KERI as an addition or alternative, we suggest the strategic approach below. This approach highlights the benefits of KERI, leverage partnerships with organizational ID suppliers like GLEIF (Global Legal Entity Identifier Foundation), and comply with the ARF and offer enhanced functionality at the same time. Here’s a comprehensive plan:

Strategy for Integrating KERI with EUDI and ARF

Highlight the Unique Benefits of KERI

Decentralization and Flexibility

Decentralized Identifiers (DIDs): Emphasize how KERI’s presence in DIDs (did:webs and did:keri) provides a more secure and resilient identity management system compared to centralized systems.

Interoperability: Highlight KERI’s ability to seamlessly integrate with existing eIDAS-compliant systems, enhancing interoperability across different platforms. The overall system will have the security features of the least secure.

Security and Privacy

Enhanced Security: The barer tokens of the federated identity model are a known security risk. Attacks are known and successful. Showcase KERI’s advanced cryptographic mechanisms that ensure secure key management, secure authentication, verifiability to the root-of-trust (no intermediaries to be trusted or as a security vulnerability / honey pot), gradual disclosure (step-by-step lifting of confidentiality), event logging, multi-signature schemes, (pre-)rotation of controlling keys.

Privacy by Design: Demonstrate KERI’s privacy features, including user control over their data and minimal data exposure.

Scalability and Efficiency

Scalability: Explain how KERI’s lean and mean design, along with its use of the CESR protocol, ensures scalability and efficient data streaming.

Efficiency: Point out the efficiency of KERI in managing decentralized identities and verifiable credentials, reducing overhead and simplifying compliance processes.

Leverage Partnerships with Organizational ID Suppliers

Collaboration with GLEIF

GLEIF Integration: Work with GLEIF's suppliers to integrate KERI-based vLEI identifiers providing trust services.

Joint Initiatives: Launch joint initiatives and demonstrate the benefits of vLEIs as organizational identifiers.

Engagement with Other ID Suppliers

Broader Ecosystem: Engage other organizational ID suppliers to create a broader ecosystem of identity solutions that incorporate KERI, offering alternatives and additions to the EUDI framework.

Standardization Efforts: Continue to participate in standardization efforts to prove that KERI-based solutions are recognized and can be seamlessly integrated with existing regulatory frameworks, such as the ARF.

Compliance and Integration

Compliance Framework Regulatory Alignment: Ensure that KERI-based solutions are fully aligned with eIDAS2 and EUDI requirements, providing clear guidelines for organizations on how to achieve compliance. This means demonstration of the hand over of control over keys from the citizen / subject to the government via Qualified TSP.

Certification: Obtain necessary certifications and conduct regular audits to ensure ongoing compliance with EU regulations. The audit of KERI is a one-time effort for the part that it intrinsically complies with EU regulations like GDPR and ? KERI adjustments to comply with other EU regulations that require centralized control are possible through control over identifiers and process automation.

Integration Roadmap Step-by-Step Guide: Develop a step-by-step integration roadmap for organizations to adopt KERI alongside or as an alternative to the EUDI wallet, highlighting key stages and milestones.

Technical Support: Offer comprehensive technical support and resources, including APIs, SDKs, and documentation, to facilitate seamless integration.

Promote Awareness and Adoption

Awareness Campaigns

Educational Programs: Conduct educational programs and workshops to raise awareness about the benefits of KERI and how it complements the EUDI wallet.

Case Studies and Success Stories: Share case studies and success stories from early adopters to demonstrate the practical benefits and impact of integrating KERI.

Incentives for Adoption Incentive Programs: Create incentive programs for organizations that adopt KERI-based solutions, such as grants, tax benefits, or reduced compliance costs.

Partnership Opportunities: Offer partnership opportunities and collaboration initiatives to encourage broader adoption and integration.

Commercial Services: Show the practical and financial characteristics of cloud services to play a role in a KERI based ecosystem online.

Conclusion

By highlighting the unique benefits of KERI (killer feature is security), leveraging partnerships with organizational ID suppliers like GLEIF, providing a clear path for compliance and integration, and promoting awareness and adoption, KERI can be positioned as a valuable addition or alternative to the mandatory EUDI framework. This approach ensures that organizations can meet regulatory requirements while benefiting from the enhanced security, sophisticated key management, gradual disclosure (step-by-step lifting of confidentiality), privacy, delegation and overall scalability and flexibility that KERI offers.

Here's my take at the questions: