# Controllers and Identifiers

Before we dive into creating identifiers and managing keys with the KLI, let's understand two fundamental concepts: **Identifiers** and the **Controller**.

**What is an Identifier?**

In KERI the identifiers are called Autonomic Identifier (AID). They are defined as secure, self-governing digital identifiers. Here's what makes them distinct:

- **Self-Managed** — Unlike traditional identifiers (like usernames or domain names) that rely on central administrators or registries, an AID is controlled directly by its owner(s) — known as controllers —  through cryptographic means
- **Self-Certifying** — An AID can prove its own authenticity and history. Its validity comes from its own secure, verifiable log of key events (like key changes), not from an external authority saying it's valid
- **Cryptographically Secured** — The identity, its history, and control over it are all grounded in strong cryptography

Essentially, an AID provides a trustworthy and independent foundation for digital identity and interactions, controlled by the entity itself.

**What is a Controller?**

In KERI, the entity responsible for managing an identifier – specifically an Autonomic Identifier (AID) – is called the Controller.

A Controller isn't necessarily a person. It can be:

* An individual managing their own digital identity
* An organization managing its official identifier
* An autonomous piece of software managing an identifier for a device or service

While the Controller holds authority over the AID, it relies on software to operate and maintain it. In this training, you’ll be using the KLI as the Controller’s tool for interacting with and managing AIDs.

In short, the Controller is the entity with the authority to make decisions and perform actions on behalf of a specific AID.

**How is Control Exercised? The Key Event Log (KEL)**

This authority isn't just a claim; it's proven using cryptography. Controllers possess the private keys associated with their AID. They use these keys to sign messages and authorize actions.

Every significant action taken by a Controller regarding their AID – like creating it (inception), changing its keys (rotation), or establishing relationships – is recorded as a Key Event.

These Key Events are stored in a specific order in a Key Event Log (KEL). Think of the KEL as the official, unchangeable history book for an AID.

* It starts with the AID's "birth certificate" – the Inception Event.
* Every subsequent authorized change (like a key rotation) is added as a new entry, cryptographically linked to the previous one.
* Anyone can potentially view the KEL to verify the AID's history and current state, but only the Controller(s) can add new, valid events to it.

**One Controller or Many? Multi-Signature (Multi-Sig)**

An AID doesn't have to be managed by just one entity. KERI fully supports shared control:

* **Single Controller** — One entity holds all the keys and makes all the decisions.
* **Multiple Controllers** — Control authority is shared among several entities (e.g., members of a board, different departments in a company, or a group of collaborating individuals).

When multiple entities share control, they often use a Multi-Signature (Multi-Sig) setup. This means that a certain number of signatures from the authorized controllers are required to approve a Key Event.

* Sometimes *all* controllers must sign.
* More commonly, a threshold is set – for example, requiring signatures from 2 out of 3 designated controllers, or controllers representing a certain combined "weight". This provides both security and flexibility.

**Advanced Forms of Control (Sneak Peek)**

Control in KERI can be quite nuanced. While the Controller ultimately holds authority, they can sometimes grant specific permissions to others:

* **Signing vs. Rotation Authority** — A Controller might keep the power to fundamentally change the AID's keys (rotation authority) but allow another entity (a "custodian") to perform more routine actions like signing messages (signing authority). This is useful in Custodial Rotation scenarios.
* **Delegation** — A Controller can grant some level of authority to a completely separate Delegated Identifier. This allows for creating hierarchies and complex organizational structures.

We'll explore these advanced concepts like delegation and specific multi-sig configurations in later sections.

<div class="alert alert-prymary">
  <b>📝 SUMMARY</b><hr>
    Understanding the Controller is key to understanding KERI. It's the entity that uses cryptographic keys to authorize Key Events, building the KEL and managing the lifecycle of an Autonomic Identifier. With this foundation, we can now move on to see how Controllers use tools like the KLI to create and manage their AIDs.</br></br>   
<b>Key Terms Recap:</b>
    <ul>
        <li><b>Controller</b> The entity (person, organization, software) with the authority to manage an AID.
        <li><b>Key Event</b> A signed record of a significant change or action related to an AID (e.g., inception, rotation).
        <li><b>Key Event Log (KEL)</b> The secure, ordered, append-only list of all Key Events for an AID, forming its verifiable history.
    </ul>
</div>