# Controllers and Identifiers

Before we dive into creating identifiers and managing keys with the KLI, let's understand two fundamental concepts: **Identifiers** and the **Controller**.

**What is an Identifier?**

In KERI the identifiers are called **Autonomic Identifier (AID)**. Here's what makes them different:

- **Self-Managed**: Unlike traditional identifiers (like usernames or domain names) that rely on central administrators or registries, an AID is controlled directly by its owner(s) — known as Controllers —  through cryptographic means
- **Self-Certifying**: An AID can prove its own authenticity and history. Its validity comes from its own secure, verifiable log of key events (key events will be explained later), not from an external authority saying it's valid
- **Cryptographically Secured**: The identity, its history, and control over it are all grounded in strong cryptography

**What is a Controller?**

In KERI, the entity responsible for managing an identifier – specifically an Autonomic Identifier (AID) – is called the Controller.

A Controller isn't necessarily a person. It can be:

* An individual managing their own digital identity
* An organization managing its official identifier
* An autonomous piece of software managing an identifier for a device or service

While the Controller holds authority over the AID, it relies on software to operate and maintain it. In this training, you’ll be using the KLI as the Controller’s tool for interacting with and managing AIDs.

In short, the Controller is the entity with the authority to perform actions on behalf of a specific AID.

**The Key Event Log (KEL)**

The Controller's authority isn't just a claim; it's proven using cryptography. Controllers possess the private keys associated with their AID. They use these keys to sign messages and authorize actions.

Every significant action taken by a Controller regarding their AID – like creating it (inception), changing its keys (rotation), or establishing relationships – is recorded as a **Key Event**.

These Key Events are stored sequentially in a **Key Event Log (KEL)**. Think of the KEL as the official, unchangeable history book for an AID.

* It starts with the AID's "birth certificate" – the **Inception Event**.
* Every subsequent authorized change (like a key rotation) is added as a new entry, cryptographically linked to the previous one.
* Anyone can potentially view the KEL to verify the AID's history and current state, but only the Controller(s) can add new, valid events to it.

**One Controller or Many? Multi-Signature (Multi-Sig)**

KERI provides a flexible and secure protocol that supports different ways an AID can be controlled. It's important to remember that while KERI defines the rules and makes these scenarios possible, the specific features described below rely on wallet software and applications implementing these KERI capabilities. Here are some scenarios KERI enables using features like multi-signature (multi-sig):

- **Single Controller**: Even when one person fully controls their own AID, multi-sig offers powerful possibilities for managing access across their devices:
    - **Multi-Device Convenience**: Software using KERI could allow you to set up your AID so signing from any one of your devices (phone, laptop, tablet) is enough to approve an action. If you only have your tablet handy, you could still sign things.
    - **Enhanced Security (like MFA)**: For more critical operations, an application could use KERI to let you configure your AID to require signatures from multiple specific devices (e.g., needing approval from both your phone and your laptop), effectively implementing Multi-Factor Authentication for your identity actions.
- **Multiple Controllers (Shared Control)**: When different entities need to share control over a single AID (like a business or group), they often use KERI's Multi-Signature (Multi-Sig) features. This means software can be configured so a specific number of approvals (signatures) from the authorized controllers are needed to authorize key events. Sometimes this might require all designated controllers to sign. More commonly, a threshold is set – for example, needing signatures from 2-out-of-3 board members, or from members whose combined authority meets a specific "weight". This approach provides both group security and operational flexibility, enabled by the KERI protocol.

**Advanced Forms of Control**

Control in KERI can be quite nuanced. While the Controller ultimately holds authority, they can sometimes grant specific permissions to others:

* **Signing vs. Rotation Authority**: A Controller might keep the power to fundamentally change the AID's keys (rotation authority) but allow another entity (a "custodian") to perform more routine actions like signing messages (signing authority). This is useful in Custodial Rotation scenarios.
* **Delegation**: A Controller can grant some level of authority to a completely separate Delegated Identifier. This allows for creating hierarchies and complex organizational structures.

We'll explore these advanced concepts like delegation and multi-sig configurations in later sections.

<div class="alert alert-prymary">
  <b>📝 SUMMARY</b><hr>
    Understanding the Controller is key to understanding KERI. It's the entity that uses cryptographic keys to authorize Key Events, building the KEL and managing the lifecycle of an Autonomic Identifier.</br></br>   
<b>Key Terms Recap:</b>
    <ul>
        <li><b>Controller</b> The entity (person, organization, software) with the authority to manage an AID.
        <li><b>Key Event</b> A signed record of a significant change or action related to an AID (e.g., inception, rotation).
        <li><b>Key Event Log (KEL)</b> The secure, ordered, append-only list of all Key Events for an AID, forming its verifiable history.
    </ul>
</div>