How dare you think KERI is superfluous?

Henk van Cann
Happy Blockchains

It’s about time to dive into the contradiction in terms “KERI lite”, that some people use. KERI lite doesn’t exist, the term suggests that KERI is superfluous, meaning that there are redundant elements in there, stuff that is obsolete and could be removed from KERI without consequences.

Unintentionally, we hope, it’s also a slap in the face of people who have worked on KERI for half a decade, because they’ve fully committed to a minimally sufficient design and implementation. Talking about “KERI lite” means saying to these early supporters that they haven’t done their work well enough.

But the worst insult is yet to come: by selling a version as KERI lite you offer more than is real. Picking off what you see as low-hanging fruit in the KERI orchard means you are over-selling the harvest, and that is harmful. Security is either complete or it is broken; you can’t choose the pieces of the solution to leave out. You have to pick all of the fruits, even the ones hard to access, before you can sell.

A humorous and exaggerated image of a superfluous and redundant system

How we approach KERI in this article

KERI is the Key Event Receipt Infrastructure, an autonomous identifier system. A beginner can start learning about it here at https://keri.one.
‘KERI lite’ is a dreamed-up, stripped-down version of KERI.

This article starts by comparing the ability of today’s identifier systems to push competitors out of the market. The conclusion is that KERI is resilient to hostile circumstances because it’s optimally secure, universal, and minimally sufficient. This insight leads us to reverse the burden of proof. If you dare to think that parts of KERI are superfluous, show us the meat of your argument.

“May the best win”
This is not always the way it works out. We’ve seen this in the video recorder competition between Betamax and VHS.
The Betamax-VHS war began in the 1970s, with Betamax offering superior picture quality and reliability. However, VHS tapes had longer recording times and were more affordable. Despite Betamax’s technological edge, VHS’s better marketing and strategic licensing to multiple manufacturers led to broader adoption and more extensive content availability. VHS’s market penetration and consumer preference ultimately secured its victory over Betamax.

Could KERI become the Betamax of the next decade? What’s the essential difference between a proprietary analog video recorder and digital cryptography-based security? Could we more easily grasp the power of marketing and strategic moves over sheer quality in the autonomic identity space so we know better what kind of competition lies ahead?

The problem with Internet security is that it’s based on flawed identity, and security experts don’t understand identity well enough to fix it.
The problem with Internet identity is that it’s based on flawed security, and identity experts don’t understand security well enough to fix it.
KERI’s design reflects a sufficient understanding of both security and identity to fix both Internet identity and Internet security at the same time.
~ Samuel Smith, August 2024

That’s a big claim, Mr. Smith! Let’s analyze that first.

KERI is an autonomic identifier system protocol. What is an autonomic identifier system, and why do we need it?

You can read the answer here in full: You Control, Therefore You Are, and You Get to Decide; but to summarize for our purpose here:
It offers ambiently available decentralized trust without relying on intermediate parties or infrastructure.

Comparison table identifier systems by Phil Windley

To create a protocol and system that delivers the dual fix mentioned above, Smith, the inventor of KERI, needed complete security AND identity expertise in at least one human brain — his brain. Why? Because security is either complete or it is broken, safe from the force of the waves or breached by the rising tide, and identifiers are confidential and private or they are shipwrecked.

Our considerations could be grouped into two indispensable features of modern identifier systems:

  1. Security first
  2. Various typical identifier characteristics

You have to trust the KERI team that all of this is on board in the specifications, running to become ISO standards and that the KERI Suite code produced so far is minimally sufficient to conform to those factors. You could also convince yourself by reading the white papers and specifications and inspecting or testing the open-source code.

Let’s return to the disputed ability of KERI to manifest itself over time. Look at another historical battle closer to home: open-source operating systems. We can see what might happen if inferior protocols were able to drown out others with their loud sales pitch.

Minix and Linux.
A less known and much smaller battle has played out between these operating systems in an early stage of development.
The Minix-Linux battle started in the early 1990s. Minix had better marketing and academic backing, being a teaching tool. However, Linux, an open-source project by Linus Torvalds, rapidly evolved with community contributions, offering greater flexibility and functionality. Despite Minix’s initial advantages, Linux’s collaborative development model and robust performance led to its dominance in the operating system landscape, not only over Minix in the early stage, but nowadays, Linux also outnumbers the commercial seats by a factor of ‘who knows.’

  • Microsoft Windows NT/2000/XP: Despite Windows’ dominance in desktops, Linux became preferred for servers due to its stability and security.
  • IBM AIX: A Unix-based system, IBM’s commercial offering lost ground to Linux’s flexibility and cost-effectiveness.
  • Sun Microsystems Solaris: Once popular in enterprise environments, Solaris saw its user base decline as Linux gained traction.
  • HP-UX: Hewlett-Packard’s Unix variant was another casualty of Linux’s rise in enterprise settings.
  • SCO UnixWare: Failed to compete with Linux’s growing popularity and extensive support community.

Conclusion: KERI and other identifier systems might engage in a Betamax-VHS-like battle, but KERI is more similar to Linux than to Betamax, and therefore, we can trust that KERI will prevail.

Well, KERI team, if you’re so confident, why such an emotional opening with aggressive terms like ‘harmful’ and ‘slap in the face’?

We are so committed because KERI’s security is becoming crucial for humans.

At DICE 2024, Timothy Ruff claimed that “if we are not going to put security first, it’s going to cause deaths.” He pointed out the “known security flaws” in current designs and the implementation of identifier systems being rolled out on a large scale anyway. The effect of taking control over someone’s identifier or successfully binding individuals to credentials where these credentials should have stayed confidential or private can be downright disastrous.

All experts in the field who know this is true should be embarrassed. How could you look away and accept a system with flaws in the protection against known cyber-attacks?

There is another type of expert who might still need to fully grasp the extent of measures a system must take for security at all times (like myself) but voices simplifications of the set of measures anyway (unlike myself, hopefully).

Blissfully ignorant
The story goes that the late Cruyff, known for his deep understanding of soccer and ability to see the game differently, once tried his hand at golf. Despite being relatively new to the sport, Cruyff’s analytical mind and confidence led him to start explaining aspects of golf to the golf professional José María Olazábal. This incident is often recounted to illustrate Cruyff’s belief in his analytical abilities and willingness to share his thoughts, even on subjects on which he was not an expert.

Ex-soccer phenomenon Cruyff teaching golf

KERI lite vendors remind me of Johan Cruyff. The KERI team is José María Olazábal, a renowned Spanish golfer. This story is a testament to Cruyff’s confidence and belief in his ability to understand and explain sports, even those outside his primary expertise.
Olazábal, being an accomplished golfer with multiple major championships to his name, was likely amused by Cruyff’s boldness and willingness to discuss the finer points of golf.

Less relaxed

The KERI team is less amused and less relaxed than Olazábal. We must be critical of braggers because there’s much more at stake than a game of golf. Identifiers done wrongly will be harmful.

To anyone thinking KERI lite exists: Show us the use cases in which you can prove that the KERI Suite’s minimal sufficient means principle is not met.
Secondly, prove how your solution defends itself against the exponentially growing attacks in numbers and creativity.

“KERI lite” advertising is annoying for a few reasons:

  1. A simplification overpromises features it can’t deliver because it cuts out vital parts and possibly slanders a good name.
    It is as if you were to take away the liver and kidneys from a human body and then still advertise it as a viable person. In reality, a person without a liver can’t survive.
  2. A slap in the face for those who, for years, invented and worked on the concept: the (standardization of the) protocol, its open source and freely available code, and its governance. Hard-working experts with the main principle constantly in mind, which is ‘security first with minimal sufficient means’.

“KERI is interesting, but it introduces more complexity than needed.”
“KERI says it doesn’t need blockchains, but I don’t believe it.”

KERI is not complex or complicated. Instead, it simplifies.

To begin with, if you’d read the article ‘KERI Is Not Complex or Complicated. Instead, it simplifies,’ you might reformulate the first statement into:

“KERI is interesting but introduces more complication than needed.”

Secondly, although the article mentions several simplifications that KERI introduces along with some apparent complications and new terminology, we understand that the emergence of a new foundational concept and protocol in the digital-identifier space can be disturbing to some.

Let’s consider it a severe challenge that people think KERI is overly complicated. However, and this is my final point, we will not go into defense; instead, those who doubt KERI’s minimal sufficient design must prove it’s superfluous.

A town full of traffic engineers

A narrative: I once talked to a traffic engineer — a real one. At the time, he worked for the local government and was responsible for designing and placing traffic lights and smaller roundabouts.
A little irritated, he told me how every second person would come over and tell him how the traffic flow could be better arranged. Unhindered by any particular knowledge, with no hesitation or restraint, and full of prejudice and conviction, these citizens and laypeople would start monologues, wave arms, and point fingers at the real experts in the field.

What does this narrative have to do with KERI? KERI might be complicated, and it has a steep learning curve. Does this KERI characteristic excuse ignorant people who talk about risky simplifications?

Well, at the heart of the example of the traffic roundabout flow design is this:
It’s rather condescending that you don’t grasp the full depth of a solution and you can’t reproduce why it’s complicated. Still, instead of investing time to learn more and study how the solution has already been simplified and reduced to its core functionality, you say it’s too complex and not effective. And you have the audacity (or stupidity) to think you can take out vital parts and still have the same characteristics and features of the KERI that the real experts have worked on for years.

I wanted to throw people who behave that way off balance for a moment. Now, let’s see how we can be more friendly and productive.

Let’s create two extreme personas and a few auxiliary personas and tell the KERI story:

Henry Ardworking
Henry is a long-time KERI adept. He codes in the KERI Suite and is a believer. He claims that KERI has nothing superfluous in its protocol, code, or governance. Henry works his ass off every day to make KERI a success.

Casper Ritic
For all the years Casper has been an expert in the identity field, he has yet to see something as complicated, nerdy, and incomprehensible as KERI.

So, if only Casper showed Henry how to simplify KERI, then Henry would be more than willing to remove unnecessary elements and reduce the system to its essential components!

Did:KL (KERI-lite)

In the four years of KERI’s existence, Dr. H. Ardworking has seen more types come and go than just Mr. C. Ritic. He remembers the couple Young and Naïve all too well. Henry also tried to warn Leo Azy again and again and again not to spend time on his hopeless case but first read a few, if not all, of Samuel M. Smith’s white papers — but with no success.

Hopefully, this time with Casper, it’ll be different.

Did:web, did:keri and did:webs

Did:web trusts the controller of the domain (URL) for its security. But it can’t distinguish between a trustworthy controller and a malicious or compromised one.

Did:KERI has introduced the term authoritative for this. Did:web clearly can’t tell the difference between the actors mentioned above and therefore can’t be considered secure from known key compromises/attacks.

And what if one of those is a dead attack? If you can’t tell the difference between a live attack and a dead attack, you could read the KERI white paper. The difference is crucial.

Did:KL intends to reduce and simplify KERI. Happily, in this article, we’ve come a long way to know this is a giant red flag. Casper is convinced of the viability of the KERI lite implementation, and Henry knows Casper is overpromising. Henry feels misunderstood and even a bit undervalued.

But Casper is not really a bad guy! The friendly chap also uses parts of Fido2, which is more widely used than KERI. Pre-rotation based on Fido2 as proposed in did:KL can protect against live attacks. So far, so good. But not against dead attacks! The only system on earth known to Henry Ardworking that has a functioning key rotation mechanism, despite the key compromise of PKI-based private keys, is KERI, full KERI, because nothing in KERI is superfluous. ‘Full’ stems from the fact that these have been Henry’s guiding principles: stupid but weathered cryptography, minimal sufficient means, and security first.
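The pre-rotation commitment and the live/dead distinction referred to above, as an added example that is not from this article, the KERI specification or did:KL: a hash-linked log in which every event commits to the digest of the next key. The event layout, the function names and the Lamport one-time signatures (standing in for Ed25519 so it runs with the standard library only) are assumptions for illustration.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signatures built from hashlib: an assumed stand-in for the
# Ed25519 keys a real deployment would use, so the example runs offline.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, b"".join(H(a) + H(b) for a, b in sk)

def _bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    offs = [64 * i + 32 * b for i, b in enumerate(_bits(msg))]
    return len(sig) == 256 and all(H(s) == pk[o:o + 32] for s, o in zip(sig, offs))

def body(ev):
    return ev["sn"].to_bytes(4, "big") + ev["prior"] + ev["pk"] + ev["next"]

def make_event(sn, prior, key, next_pk):
    """Event reveals signing key pk and commits to the digest of the next key."""
    sk, pk = key
    ev = {"sn": sn, "prior": prior, "pk": pk, "next": H(next_pk)}
    ev["sig"], ev["said"] = sign(sk, body(ev)), H(body(ev))
    return ev

def verify_log(aid, log):
    """Isolated check: identifier binding, signatures, back-links, pre-rotation."""
    if not log or log[0]["sn"] != 0 or log[0]["said"] != aid:
        return False
    prev = None
    for ev in log:
        if ev["said"] != H(body(ev)) or not verify(ev["pk"], body(ev), ev["sig"]):
            return False
        if prev and (ev["sn"] != prev["sn"] + 1 or ev["prior"] != prev["said"]
                     or H(ev["pk"]) != prev["next"]):
            return False
        prev = ev
    return True

def duplicitous(first_seen, presented):
    """Two verifiable logs for one identifier that disagree at the same sn."""
    return any(a["said"] != b["said"] for a, b in zip(first_seen, presented))

def demo():
    k0, k1, k2, k3, atk, atk2 = (keygen() for _ in range(6))
    icp = make_event(0, bytes(32), k0, k1[1])
    rot1 = make_event(1, icp["said"], k1, k2[1])
    rot2 = make_event(2, rot1["said"], k2, k3[1])
    aid, honest = icp["said"], [icp, rot1, rot2]
    # Live case: current key k2 is stolen, but the next event must reveal the
    # key behind rot2's commitment (k3), which the thief does not hold.
    live = honest + [make_event(3, rot2["said"], atk, atk2[1])]
    # Dead case: stale key k1 leaks later; a fork from sn=1 is self-consistent.
    f1 = make_event(1, icp["said"], k1, atk[1])
    dead = [icp, f1, make_event(2, f1["said"], atk, atk2[1])]
    return {"honest": verify_log(aid, honest),
            "live_rotation": verify_log(aid, live),
            "dead_fork_isolated": verify_log(aid, dead),
            "dead_fork_vs_first_seen": duplicitous(honest, dead)}

if __name__ == "__main__":
    print(demo())
```

A verifier that only checks the presented log accepts the fork built from the stale key; the one holding a first-seen copy flags it, which is the job witnesses and receipts do in KERI.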

Fido2 security no better than did:web

  1. PKI authorization
  2. Challenge-response
  3. Signing
  4. Rotation

Fido2 key rotation features come at a cost: it’s weaker than TLS encryption (did:web) because the latter is based on Diffie-Hellman cryptography.

Whether you choose did:web or Fido2 based did:KL, you’re trusting your web interface. It’s suitable for authentication in limited use cases, such as websites, but not for general purposes.

Did:KL advertises security that they don’t have.

Simple turn around

Instead of accepting people saying:

“KERI is interesting, but it introduces more complication than needed, so we’ll simplify it,”

From now on, we’ll challenge them by saying:

“In which cases can you prove that the KERI team hasn’t met the minimal sufficient means rule in the KERI design?”

And if Henry is right, Casper can’t be.

The price of “lite”

If you (unknowingly) take away vital parts of KERI and still refer to KERI-like security, you’re misleading people, whether you like this typification or not.

The reason is that you will have to accept one or more of these characteristics when reducing KERI:

  • the likelihood of attacks
  • the costs
  • the (idle) time involved
  • reputational damage

Now that you know it, you can’t deny it anymore. If you reduce KERI, you knowingly accept these pitfalls from today onwards.

Henry knows PKI attacks are hard, but they are not impossible. Therefore, as soon as Casper has a few honeypots up and running, he can’t afford to let something happen that he was warned of.

Another one of Henry’s concerns is that a breach of bearer tokens will be progressive: not only will the successfully attacked person be breached, but also the victim’s digital relationships are at risk. They will be the next to be attacked (only) if enough value is at stake.

Security first

In the KERI world, “security first” is not the hollow term you see in slogans or on display. It has been the design principle. Another critical design factor of a system attempting to win universal adoption is minimal sufficient means.

Monopoly on wisdom

Does the KERI team have a monopoly on wisdom? Of course not. I am not the most educated person regarding cyber security, but I know people who are. The same goes for the ins and outs of Identifier systems: regardless of what I know, I know that I don’t know everything.
So, I verify what real experts have to say, and I don’t look away from the results. Suppose a system is considered inherently unsafe and has known attacks. How can you then see that it is a reasonable alternative to something safe that can withstand all known attacks and protect against disclosure of its behavior toward those attacks?

Before we go into the impact of the lack of security, let’s finalize what comes after security.

Confidentiality is second, and Privacy is third

Sam Smith has convincingly pointed out that you can’t have all three for a hundred percent of the time: security, confidentiality, and privacy

Sam Smith’s Triangle

KERI’s design prioritizes security (the result is authentic). If a system is breachable, the rest is irrelevant.

Guess where they are going to attack

At DICE 2024 in Zürich, Sam Smith presented the characteristics and effects of flaws in medieval armor to symbolize what happens to you if you accept known flaws in identifier systems.

Smith held an engaging argument by saying, “Guess where they’re going to attack you when you’re prone to a known cyber-attack?”

Example: pre-rotation
You are advertising more security than you have if you choose to use pre-rotation in an isolated manner.

Isolated tank on a virtual battlefield

Phil Feairheller, the CTO of KERI at HealthKERI, also compares security with warfare: “The only thing that’s going to matter once you’ve spotted an isolated tank on the battlefield is the size of the armor you’re going to take it out with. But it’s a done deal, as soon as it’s worth it to attack.”

Heavy-weight arguments

Given the destructive nature of flaws in your armor, you must have excellent reasons to go ahead unprotected. Not only are you in danger, but you also put everyone else who believes you at risk*. Moreover, you must deliver conclusive evidence of a complete analysis of the possible consequences of the accepted flaw in the armor you provide.

Example: designing an identifier system in 2024 based on bearer tokens, which have only the low-hanging fruit of KERI and not the complete protection, makes you responsible as an expert for all possible risks, directly and indirectly. Just imagine the domino effect of a lost master key. It has happened before (e.g. MGM hack), so you cannot deny these as a known threat.

If you’re still convinced you can pull off a KERI-lite, it would be best to have solid arguments and extensive disclosures for bypassing the real deal: complete security, as we know it today. Moreover, you must prove that you’ve investigated all possible effects of deliberately lowered defense. It’d be immoral and unethical to cherry-pick from KERI and oversell the simplification to others, as you should know.

* Apart from black-swan events (unprecedented new events happening), of course, to which KERI could also fall victim.

How dare you

This appeal to ethics is the point at which we get back to the title of this article and Johan Cruyff: even if you’re a reputable expert in your line of work (like Cruyff was in soccer), how dare you act as if you were an expert in another line of work and overrule an expert in that field, as Cruyff did in golf?

José María Olazábal, a renowned Spanish golfer

It’s all pretty harmless, what Cruyff did, and Olazábal just smiled. But it’s far from harmless to capitalize on a thesis that KERI is superfluous and then oversell a weakened version of KERI to others, given the impact this article has described.
We’ve only scratched the surface of what can go wrong. But now you know, you can’t unknow, which makes you responsible for the consequences.

We invite you to join us if you’re involved in an insecure or shipwrecked KERI lite project. For example, the KERI Foundation will support projects in working groups under the protective eye of the KERI inventor. You can still focus on your objectives even with funds directed by whoever believes in your initiative. The foundation has a few hosting requirements. One is only to be supportive of KERI.

In general, you can think whatever you want about KERI. But if you think that KERI is superfluous or you’re even convinced that it has redundant parts, that is a stance that we have to consider an accusation. The KERI Suite is innocent of that “crime” until proven guilty.

Why is it so crucial for KERI adepts that people realize that KERI is minimally sufficient (the opposite of superfluous)? Because lots of energy, time, and money are wasted on copies and forks of KERI, which makes no sense and divides the community.

People are fooling themselves into thinking they could strip down KERI. They shop in the KERI cafeteria and think they can pick a few items and then build a slimmer version of KERI. But by doing so, they ruin their reputation and their customers’ identifier system because it’s not safe anymore: security is either complete or broken. You can’t be a little bit pregnant.

Acknowledgments

Thanks to Sam Smith for his tireless efforts to train our team. Also, thanks to my English teacher, William Lindsay, for editing the earlier version of the article.

Images

https://www.golf.nl/nieuws/2016/mrt/2303cruyff
https://www.theguardian.com/football/2016/mar/25/johan-cruyff-father-modern-game-dutch
https://www.rte.ie/sport/ryder-cup/2010/0513/265006-olazabalj/
https://www.deviantart.com/cyberflora/art/Heavy-Tank-1069003840
https://www.flickr.com/photos/rbowen/52827759

Comparison table from the article Architecture of Identity Systems by Phil Windley

PAC Theorem by Sam Smith

A humorous and exaggerated image of a superfluous and redundant system inspired by multiple coffee machines. Made by DALL-E, chat.openai.com.
