# Glossary

## Identity and cryptography

| Term | Definition |
|------|-----------|
| **AID** | Autonomic Identifier. A self-certifying identifier derived from the inception event's public key. In Auths, the AID is the KERI prefix embedded in the `did:keri:E...` identifier. |
| **Attestation** | A signed JSON document binding a device to an identity. Contains two signatures: one from the identity key (`identity_signature`) and one from the device key (`device_signature`). Fields include `version`, `rid`, `issuer`, `subject`, `device_public_key`, `capabilities`, and `expires_at`. |
| **Canonical JSON** | Deterministic JSON serialization with sorted keys and no whitespace (RFC 8785). Used to produce consistent signing payloads via the `json-canon` crate. |
| **Capabilities** | Permissions granted in an attestation (e.g., `sign-commit`). Child attestations inherit the intersection of parent capabilities. |
| **DID** | Decentralized Identifier. A URI scheme for self-sovereign identifiers defined by the W3C specification. Auths uses two DID methods: `did:keri` and `did:key`. |
| **Ed25519** | An elliptic curve digital signature algorithm over Curve25519. Used for all Auths signing operations. Produces 64-byte signatures from 32-byte keys. |
| **Inception event** | The first event in a KERI Key Event Log. Creates the identity, commits to the initial public key, and pre-commits to the first rotation key via a hash. The inception event's content hash becomes the permanent identity prefix (AID). |
| **KEL** | Key Event Log. A hash-linked, append-only sequence of KERI events (inception, rotation, interaction). Stored in Auths as a Git commit chain at `refs/did/keri/<prefix>/kel`. |
| **KERI** | Key Event Receipt Infrastructure. A protocol for decentralized key management with pre-rotation, enabling key rotation without changing the identifier. |
| **Key alias** | A human-readable name for a key stored in the platform keychain (e.g., `my-key`, `laptop-key`). Maps to a `SecureSeed` in the OS-native credential store. |
| **Pre-rotation** | A KERI mechanism where the hash of the next rotation key is committed in the current event. An attacker who compromises the current key cannot rotate the identity because they lack the pre-image of the next-key commitment. |
| **Rotation** | Replacing the active signing key while preserving the identity DID. Recorded as a rotation event in the KEL. The new key must match the previously committed next-key hash. |
| **SAID** | Self-Addressing Identifier. A content-addressed hash that uniquely identifies a KERI event. Computed over the canonicalized event data. |

## DID methods

| Term | Definition |
|------|-----------|
| **`did:keri`** | DID method using KERI. The identifier is derived from the inception event and remains stable across key rotations. Format: `did:keri:E<base64url-encoded-prefix>`. Used as the primary identity identifier (Controller DID). |
| **`did:key`** | DID method where the Ed25519 public key is directly embedded in the identifier using multicodec encoding. Format: `did:key:z6Mk<base58btc-encoded-key>`. Self-resolving but not rotatable. Used as the device identifier (Device DID). |
| **Controller DID** | The identity's `did:keri:E...` identifier. Called "controller" because this key controls the identity. |
| **Device DID** | A `did:key:z6Mk...` identifier for a device. Derived directly from the device's Ed25519 public key. |
| **Multicodec** | A self-describing codec identifier prefix. Ed25519 public keys use the `0xED01` prefix in multicodec encoding. |

## Devices and keys

| Term | Definition |
|------|-----------|
| **Device** | Any machine holding a keypair that acts on behalf of an identity. Each device is identified by a `did:key` derived from its Ed25519 public key. |
| **Identity** | A stable cryptographic identifier (`did:keri`) representing a person or entity. Survives key rotation because the DID is derived from the inception event, not from the current key. |
| **Platform keychain** | OS-native secure storage used to hold key material: macOS Keychain (Security Framework), Linux Secret Service, or Windows Credential Manager. |
| **Revocation** | The act of disabling a device's attestation. Sets `revoked_at` on the attestation record. Revoked devices can no longer sign on behalf of the identity. |
| **SecureSeed** | A newtype wrapping `[u8; 32]` with no `Debug`, `Display`, or `Clone` implementation. Prevents accidental logging or copying of raw key material. |
| **Witness** | A third-party node that observes and receipts KERI events. Witnesses provide an additional layer of accountability by independently recording event sequences, making it harder for an attacker to present different event histories to different parties. |

## Storage and architecture

| Term | Definition |
|------|-----------|
| **DLQ** | Dead Letter Queue. A Redis Stream (`auths:dlq:archival`) that stores KERI events whose Git write failed after all retry attempts. Preserves FIFO ordering for replay. |
| **Git ref** | A named pointer in a Git repository (e.g., `refs/auths/identity`, `refs/keri/kel`). Auths stores all identity data and attestations as Git refs in the `~/.auths` repository. |
| **`refs/auths/`** | Git ref namespace for identity data and attestations. |
| **`refs/keri/`** | Git ref namespace for KERI Key Event Logs. |

## Bindings and embedding

| Term | Definition |
|------|-----------|
| **FFI** | Foreign Function Interface. The C-ABI boundary exposed by `auths-verifier` (feature: `ffi`) for calling verification functions from C, Swift, Kotlin, and other languages. |
| **UniFFI** | Mozilla's tool for generating language bindings (Swift, Kotlin, Python) from Rust. Used by `auths-mobile-ffi` and `auths-verifier-swift`. |
| **WASM** | WebAssembly. `auths-verifier` compiles to WASM (feature: `wasm`) for use in browsers and Node.js via the `@auths/verifier` npm package. |
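The `did:key`, Device DID and Multicodec entries above describe one encoding: the Ed25519 public key is prefixed with the multicodec bytes `0xED01`, base58btc-encoded, and given the `z` multibase prefix, which is why every such identifier starts with `z6Mk`. The following is an added example, not code from the Auths project, that performs that encoding and the reverse parse. The 32-byte public key is a constructed sample value, not a real key, and the base58 routines are written inline so the block runs without any third-party package.

```python
"""Added example (not Auths project code): build and parse a did:key identifier
for an Ed25519 public key: multicodec prefix 0xED01 + 32 key bytes, base58btc,
multibase prefix 'z'. The public key below is a constructed sample, not a real key."""

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ED25519_MULTICODEC_PREFIX = bytes([0xED, 0x01])  # unsigned-varint form of multicodec 0xed

# Constructed sample key (32 bytes). Any real Ed25519 public key works the same way.
SAMPLE_PUBLIC_KEY = bytes([0x01]) * 32


def base58btc_encode(data: bytes) -> str:
    """Bitcoin-alphabet base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def base58btc_decode(text: str) -> bytes:
    """Inverse of base58btc_encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + BASE58_ALPHABET.index(ch)  # ValueError for invalid characters
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def did_key_from_ed25519(public_key: bytes) -> str:
    """Device DID for a raw Ed25519 public key: did:key:z<base58btc(0xED01 || key)>."""
    if len(public_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    return "did:key:z" + base58btc_encode(ED25519_MULTICODEC_PREFIX + public_key)


def ed25519_from_did_key(did: str) -> bytes:
    """Parse a did:key back to the raw key, rejecting other multibase or multicodec types."""
    if not did.startswith("did:key:z"):
        raise ValueError("only base58btc (multibase 'z') did:key identifiers are supported")
    raw = base58btc_decode(did[len("did:key:z"):])
    if len(raw) != 34 or raw[:2] != ED25519_MULTICODEC_PREFIX:
        raise ValueError("not an Ed25519 multicodec public key")
    return raw[2:]


if __name__ == "__main__":
    did = did_key_from_ed25519(SAMPLE_PUBLIC_KEY)
    print(did)
    assert ed25519_from_did_key(did) == SAMPLE_PUBLIC_KEY
```

A verifier that accepts Device DIDs should run the reverse direction with the same strictness as `ed25519_from_did_key`: check the multibase prefix, the exact 34-byte length and the `0xED01` codec before treating the remaining bytes as a signing key, so that a `did:key` carrying a different key type is rejected rather than misinterpreted.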
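The Inception event, KEL, Pre-rotation, Rotation, SAID and Canonical JSON entries together describe one mechanism: each event commits to the digest of the next key, events are hash-linked by their SAIDs, and a rotation is only valid if the key it activates matches the earlier commitment. The block below is an added, deliberately simplified model of that chain, not Auths or KERI implementation code. It uses SHA-256 over sorted-key, whitespace-free JSON as a stand-in for the real digest and serialization formats (real KERI uses CESR-encoded digests, Blake3 by default, and Auths canonicalizes with `json-canon`), the event field names `t`, `s`, `k`, `n`, `p`, `d` follow KERI's short labels, and all keys are constructed 32-byte sample values rather than real Ed25519 keys.

```python
"""Added example (not Auths or KERI code): a minimal hash-linked key event log
with pre-rotation. Digests are SHA-256 over canonical JSON purely for illustration;
the real protocol uses CESR-encoded digests. Keys are constructed sample bytes."""

import hashlib
import json


def canonical_json(obj) -> bytes:
    # Sorted keys, no whitespace: matches RFC 8785 output for plain ASCII strings
    # and integers (JCS additionally fixes number and unicode serialization rules).
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def said(event: dict) -> str:
    """Self-addressing identifier: digest of the event with its own 'd' field blanked."""
    return digest(canonical_json(dict(event, d="")))


def inception(current_key: bytes, next_key: bytes) -> dict:
    """Inception commits to the current key and to the digest of the *next* key."""
    event = {"t": "icp", "s": 0, "k": current_key.hex(), "n": digest(next_key), "p": "", "d": ""}
    event["d"] = said(event)  # this SAID is the permanent identifier prefix (AID)
    return event


def rotation(kel: list, new_key: bytes, next_key: bytes) -> dict:
    """Rotate to new_key, which must be the pre-image of the previous event's commitment."""
    prev = kel[-1]
    if digest(new_key) != prev["n"]:
        raise ValueError("rotation key does not match the pre-rotation commitment")
    event = {"t": "rot", "s": prev["s"] + 1, "k": new_key.hex(), "n": digest(next_key), "p": prev["d"], "d": ""}
    event["d"] = said(event)
    return event


def verify_kel(kel: list) -> bool:
    """Re-validate the chain: SAIDs, sequence numbers, prior-event links, pre-rotation commitments."""
    if not kel or kel[0]["t"] != "icp" or kel[0]["s"] != 0 or kel[0]["p"] != "":
        return False
    for i, ev in enumerate(kel):
        if said(ev) != ev["d"]:
            return False  # event content was altered after its SAID was computed
        if i > 0:
            prev = kel[i - 1]
            if ev["t"] != "rot" or ev["s"] != prev["s"] + 1 or ev["p"] != prev["d"]:
                return False
            if digest(bytes.fromhex(ev["k"])) != prev["n"]:
                return False  # activated key was never pre-committed
    return True


def build_sample_kel() -> list:
    k0, k1, k2 = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32  # constructed sample keys
    kel = [inception(k0, next_key=k1)]
    kel.append(rotation(kel, new_key=k1, next_key=k2))
    return kel


def attacker_rotation_rejected() -> bool:
    """Holding the current key alone is not enough to rotate to an attacker-chosen key."""
    kel = build_sample_kel()
    try:
        rotation(kel, new_key=b"\xff" * 32, next_key=b"\xfe" * 32)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    kel = build_sample_kel()
    print("AID:", kel[0]["d"], "valid:", verify_kel(kel), "attacker blocked:", attacker_rotation_rejected())
```

Two properties worth checking in any real verifier are visible here: the identifier (`kel[0]["d"]`) is unchanged by the rotation, and a modified event fails `verify_kel` because its SAID no longer matches, so tampering with history cannot be hidden from a party that replays the log.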