vLEI Demystified Part 1: Comprehensive Overview

Yanisa Sunanchaiyakarn
Published in Finema
Dec 27, 2023

Authors: Yanisa Sunanchaiyakarn & Nuttawut Kongsuwan, Finema Co. Ltd.

vLEI Demystified Series:

As global business transactions are increasingly conducted online, the rise of digital fraud and impersonation has become a growing threat. Consequently, digital means for the identification and verification of businesses have emerged as indispensable facilitators for seamless business transactions. Nevertheless, cross-border commerce is hindered by the diverse practices, standards, and regulations used by individual countries, presenting a substantial obstacle for businesses.

The global challenge of identifying businesses saw a significant step forward with the introduction of the Legal Entity Identifier (LEI) by the Global Legal Entity Identifier Foundation (GLEIF) in the 2010s. While LEIs have proven to be a successful and reliable means of identifying organizations on a global scale, there remains a gap in effectively identifying organizations’ representatives.

Consequently, GLEIF has introduced an innovative solution to address this gap through the verifiable Legal Entity Identifier (vLEI). The vLEI is a globally interoperable framework that enables individuals to digitally verify their status as authorized representatives of LEI-registered organizations worldwide. Stephan Wolf, GLEIF’s CEO, has articulated the necessity and significance of this revolutionary approach in Organizational Identity and the LEI.


The vLEI harbors the potential to revolutionize the dynamics of digital interactions among organizations, fostering seamless global business transactions online. It is imperative for large organizations and regulators worldwide to diligently heed this transformative advancement.

In this blog, we provide a visual guide for GLEIF’s vLEI ecosystem and explore how it stands out from any other organizational digital identity infrastructures.

vLEI Ecosystem Governance Framework

In 2022, GLEIF introduced the verifiable Legal Entity Identifier (vLEI) Ecosystem Governance Framework (EGF), aligning with the Trust over IP (ToIP) Governance Specifications and Templates. The vLEI EGF meticulously outlines the following details:

  • Rules, responsibilities, and obligations for all stakeholders involved in the vLEI ecosystem, including GLEIF itself.
  • Hierarchical relationships among the stakeholders, including organizations and their representatives.
  • Identity Verification processes for all human stakeholders.
  • Detailed qualification processes for vLEI issuing stakeholders, known as qualified vLEI issuers (QVIs).
  • Technical specifications for the management of cryptographic keys and self-certifying identifiers, known as autonomic identifiers (AIDs).
  • Technical specifications for six types of vLEI credentials.
  • Rigorous technical and business processes governing the issuance and revocation of vLEI credentials.

According to Drummond Reed, a member of the Trust over IP Foundation Steering Committee, the strategic choice to build vLEI EGF on the ToIP governance model is poised to foster a secure and interoperable system on a global scale. This move has the potential to revolutionize the global digital trust ecosystem, bringing substantial benefits to businesses and individuals across various industries and international borders.

As of December 2023, the vLEI EGF stands out as arguably the most comprehensive digital identity framework to date.

vLEI Stakeholders

Within the vLEI ecosystem, there are four key stakeholders that are issuers and holders of vLEI credentials: GLEIF, qualified vLEI issuers (QVIs), legal entities (LEs), and organization representatives. The first three in the list are organizations, which are made up of representatives who are authorized to participate in the vLEI ecosystem. The overview of all vLEI stakeholders is displayed below.

vLEI Stakeholders, including organizations and their representatives.

1. Global Legal Entity Identifier Foundation (GLEIF): GLEIF appoints representatives, called GLEIF Authorized Representatives (GARs), to participate in the vLEI ecosystem and issue the QVI vLEI Credential. There are three types of GARs as follows:

  • Root GARs: The root GARs collectively serve as the root of reputational trust of the entire vLEI ecosystem. Root GARs do not directly participate in the vLEI ecosystem but, instead, delegate their authority to internal GARs and external GARs.
  • Internal GARs: The internal GARs participate directly in the vLEI ecosystem as a collective holder of an LE vLEI credential.
  • External GARs: The external GARs are responsible for the issuance and revocation of QVI vLEI credentials as well as performing identity assurance of QARs.

Note: There are two types of trust in a digital identity system: reputational trust and attributional trust. The former is the human side of trust whereas the latter is the technical side. In the vLEI ecosystem, GLEIF serves as the root of reputational trust, providing trust for identity assurance of all stakeholders. The attributional trust, on the other hand, is purely cryptographic in the vLEI ecosystem and is provided by the KERI protocol.

2. Qualified vLEI Issuer (QVI): A QVI is an organization that is qualified by GLEIF to participate in the vLEI ecosystem as an issuer of vLEI credentials. Prior to becoming a QVI, a candidate organization has to undergo a thorough qualification process by GLEIF to ensure that it is financially and technically capable of issuing vLEI credentials. A QVI authorizes two types of representatives:

  • Designated Authorized Representative (DAR): The DAR of a QVI is the primary representative that is authorized to sign contracts with GLEIF and legal entities. The DAR designates and replaces the QARs of the QVI.
  • Qualified vLEI Issuer Authorized Representatives (QARs): The QARs are a collective holder of a QVI vLEI credential. The QARs perform identity assurance, issue, and revoke LE, OOR, and ECR vLEIs.

3. Legal Entity (LE): Within the vLEI ecosystem, an LE is an LEI-registered organization. The LEs also appoint two types of representatives:

  • Designated Authorized Representative (DAR): The DAR of an LE is the primary representative that is authorized to sign contracts with a QVI. The DAR designates and replaces the LARs of the LE.
  • Legal Entity Authorized Representatives (LARs): The LARs are a collective holder of an LE vLEI credential. The LARs perform identity assurance, issue, and revoke ECR and AUTH vLEIs.

4. Organization Representative: An organization representative is a person who is authorized to represent an LE. Representatives are categorized by either their official or functional roles within their LE.

  • Official Organizational Role Person (OOR Person): An OOR person represents an LE in an official organizational role.
  • Engagement Context Role Person (ECR Person): An ECR person represents an LE in a functional role.

Note: A person may hold any number of role vLEI credentials from a single or multiple LEs.

Official Organization Role (OOR)

In ISO 5009, an official organization role (OOR) is defined as an “official role of a person within an organization or legal entity within a particular jurisdiction that is publicly discoverable in formation, registration or other official documents of the organization or legal entity”.

GLEIF has released the Official Organizational Roles (OOR) Code List, comprising over 2000 OORs across 89 jurisdictions. While this list provides an overview of OORs in respective native languages, it is by no means exhaustive, and there are still numerous countries awaiting inclusion.

A legal entity may assign an OOR that is not in the official OOR code list as long as the OOR is publicly discoverable in a business registry or defined in official documents of incorporation for the organization. For example, Stephan Wolf has an OOR as the CEO of GLEIF. While GLEIF is registered in Switzerland, the CEO role does not exist in the official OOR code list for Switzerland.

Engagement Context Role (ECR)

An engagement context role (ECR) is loosely defined by GLEIF to widely include as many use cases as possible. Here are some examples of ECRs:

  • ECR as an “unofficial” organization role: An organization role that is neither publicly discoverable nor defined in official documents may be considered an ECR. For example, an employee could have an ECR as a software engineer.
  • ECR as an internal functional role: An ECR could be defined and used internally within an LE. For example, an employee who is officially a software engineer could also have an ECR as a Cultural Ambassador.
  • ECR as an external functional role: An ECR could be defined and used externally to an LE. For example, the European Banking Authority (EBA) may define an ECR called an “EBA Submitter”. An LE may designate an employee to be their EBA Submitter so that the employee may submit a financial report to EBA.

Collective Identifiers for vLEIs

The vLEI ecosystem is designed to be used by organizations that are made up of humans and are inevitably prone to human errors and shortcomings. For the vLEI to be reliably used on a global scale with the utmost trustworthiness, the vLEI EGF chooses a decentralized approach to digital identity management, also known as self-sovereign identity (SSI), so that no single human administrator becomes a single point of failure for the entire ecosystem.

On the flip side, the absence of an administrator leaves an organization without a safety net in the case of disastrous mishaps. Consequently, the architecture of decentralized identity management for an organization should prioritize fault tolerance, avoiding dependency on a singular person or key. Otherwise, there’s a potential risk of an organization permanently losing control over its digital identity — such as in the unfortunate event of a key employee’s sudden demise.

This section outlines how the vLEI EGF specifies the usage of a collective identifier for an organization that is collectively controlled by multiple individuals using the KERI protocol and a multi-signature autonomic identifier.

Key Event Receipt Infrastructure

To achieve the highest level of security, scalability, and decentralization for the vLEI ecosystem, the vLEI EGF chooses the Key Event Receipt Infrastructure (KERI) protocol for the management of cryptographic keys and decentralized identifiers.

Invented in 2019 by Samuel M. Smith, KERI is a decentralized protocol for the management of cryptographic keys and identifiers that utilizes hash-chain data structures in a similar manner to traditional distributed ledger technology, also known as blockchains. Unlike traditional distributed ledgers, the KERI protocol is not subject to the blockchain trilemma because KERI does not rely on a distributed consensus mechanism such as proof-of-work or proof-of-stake.

Note: For more information and a glossary related to KERI, I recommend KERISSE, which is the KERI Suite Search Engine, and an upcoming browser extension KERIfic.

Autonomic Identifiers (AIDs)

As mentioned above, GLEIF only provides the root of reputational trust — i.e., human trust — within the vLEI ecosystem. The root of attributional trust — i.e., technical trust — is purely cryptographic and provided by autonomic identifiers (AIDs).

Without going into too much technical detail, an AID is a variant of a self-certifying identifier (SCID), which is used within the KERI protocol. This means an AID is derived by a cryptographic protocol in a decentralized manner. An AID has the following properties:

  • An AID does not rely on any centralized entity, e.g., a human administrator. An AID is derived and controlled purely in a cryptographic manner.
  • An AID is persistent and is suitable for long-term use. This is because, via a mechanism called pre-rotation, an AID is not tied to a single cryptographic key pair: its controlling keys can be rotated while the identifier itself stays the same.
  • An AID does not rely on a distributed ledger. However, it may be used in combination with one or more distributed-ledger networks.
  • An AID is portable across multiple platforms. In the case that an AID is used with a distributed ledger, an AID is not locked to that specific ledger and may be migrated to another ledger.
  • An AID is quantum-recoverable. In the case that an AID is attacked by a quantum computer, the control over the AID can be recovered from the attack.

Collective AIDs

In the KERI protocol, an AID may be cryptographically controlled via a multi-signature scheme that allows multiple individuals, called controllers, to collectively control a single identifier. This makes the KERI protocol and AIDs particularly suitable for organizational uses.

Note: It is called the multi-signature scheme because multiple digital signatures from multiple private keys are required to control a single AID.

Arbitrary levels of control authority over an AID may also be given to its controllers. For example, an AID of an LE may be controlled by three LARs — a CEO, an IT administrator, and a human resource manager — with the following control authority:

  • The CEO of the LE has “2/3” control over the LE AID
  • The IT administrator has “1/3” control over the LE AID
  • The human resource manager has “1/3” control over the LE AID

Note: This type of scheme is called a fractionally weighted multi-signature scheme.

A multi-signature AID requires signatures with a combined control authority of “1” or more. In the above example, the CEO may authorize a transaction with either the IT admin or the HR. However, the IT admin and the HR—without the CEO—are not able to authorize a transaction since their combined control authority is only “1/3” + “1/3” = “2/3”.

Multi-device AIDs and MFA

The multi-signature scheme also allows an AID to be controlled by multiple devices. For example, an ECR person may control their AID using a mobile phone and a laptop, each having control authority of “1”. In this example, the ECR person may either use their mobile phone or laptop to, e.g., sign a contract with the ECR vLEI credential.

Note: To be more technically precise, the ECR person uses a private key that is associated with an AID to sign the contract. The AID must be the same as the AID specified in their ECR vLEI credential.

The multi-signature scheme could be utilized to enable KERI-native multi-factor authentication (MFA). For example, an ECR person may assign “1/2” control over their AID to a mobile phone and another “1/2” to a laptop. In this example, the ECR must use both the mobile and the laptop to, e.g., sign a contract.

Note: The multi-signature scheme may be used recursively. For example, an LE AID may be controlled by three individuals, each with control authority “1/3”. Each “1/3” could be further divided into two halves using two devices. For more details, see Key Management for Organizational Identity by Samuel M. Smith.
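The following is an added example, not code from the original post or from the KERI project, that models the fractionally weighted threshold described in this section: the three-LAR legal entity (2/3, 1/3, 1/3), the two-device ECR person, the KERI-native MFA split, and the recursive case from the note in which each 1/3 share is itself split across two devices. Controller names and weights are constructed to mirror the text; they are not real AIDs, and the data structure is this example's own, not KERI's wire format.

```python
from fractions import Fraction
from itertools import combinations

# Added example (constructed, not KERI's own representation): a controller is
# either a leaf key (a string naming the key or device) or a group whose
# members are (weight, controller) pairs.  A group counts as having signed
# once the weights of its satisfied members sum to at least 1.


def group(*members):
    """Build a weighted group from (weight_string, controller) pairs."""
    return {"members": [(Fraction(w), c) for w, c in members]}


def authorized(controller, signers):
    """True if the set of signing key names satisfies the controller's threshold.
    Fractions are used so that 1/3 + 1/3 + 1/3 compares exactly equal to 1."""
    if isinstance(controller, str):
        return controller in signers
    total = sum((w for w, c in controller["members"] if authorized(c, signers)),
                Fraction(0))
    return total >= 1


def _leaves(controller):
    """All leaf key names reachable from a controller."""
    if isinstance(controller, str):
        return {controller}
    return set().union(*(_leaves(c) for _, c in controller["members"]))


def minimum_signing_sets(controller):
    """Every minimal set of leaf keys that satisfies the threshold.  Brute
    force over subsets, which is fine for the handful of keys used here."""
    leaves = sorted(_leaves(controller))
    found = []
    for k in range(1, len(leaves) + 1):
        for combo in combinations(leaves, k):
            s = set(combo)
            if authorized(controller, s) and not any(f <= s for f in found):
                found.append(s)
    return found


# LE AID from the text: CEO 2/3, IT administrator 1/3, HR manager 1/3.
LE_AID = group(("2/3", "ceo"), ("1/3", "it_admin"), ("1/3", "hr_manager"))

# ECR person whose phone and laptop can each act alone (weight 1 each).
ECR_EITHER_DEVICE = group(("1", "phone"), ("1", "laptop"))

# KERI-native MFA: both devices are needed (1/2 each).
ECR_MFA = group(("1/2", "phone"), ("1/2", "laptop"))


def lar(name):
    """One LAR whose 1/3 share is split across two devices (from the note)."""
    return group(("1/2", f"{name}_phone"), ("1/2", f"{name}_laptop"))


# Recursive case: three LARs at 1/3 each, every LAR requiring both devices.
LE_AID_NESTED = group(("1/3", lar("lar_a")), ("1/3", lar("lar_b")),
                      ("1/3", lar("lar_c")))


if __name__ == "__main__":
    print("CEO + IT:", authorized(LE_AID, {"ceo", "it_admin"}))
    print("IT + HR:", authorized(LE_AID, {"it_admin", "hr_manager"}))
    print("minimal sets for LE AID:", minimum_signing_sets(LE_AID))
```

`minimum_signing_sets` is the check a reviewer would run on a proposed weight configuration before it goes live: it lists exactly which combinations of people or devices can act for the identifier, which makes an accidental "any single key suffices" configuration visible before it is committed to a key event.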

AID Management by vLEI Stakeholders

The vLEI EGF requires that all vLEI issuing organizations — including GLEIF, QVIs, and LEs — hold collective AIDs using such multi-signature schemes. This enables the maker-checker process that requires the approval of at least two individuals for all workflows related to the issuance and revocation of vLEI credentials.

An example of the management of the AIDs and associated cryptographic keys for all vLEI stakeholders is shown below.

Management of AIDs and associated keys by representatives of vLEI stakeholders.

  • GLEIF Root AID: The GLEIF Root AID enables the root of reputational trust of the vLEI ecosystem. The role of the GLEIF Root AID is to delegate to GIDA and GEDA. Currently, the GLEIF Root AID is controlled by 7 Root GARs, each with control authority of “1/3”.

Note: Delegation in the vLEI ecosystem utilizes the cooperative delegation mechanism in the KERI protocol. It requires a cryptographic commitment from both the Delegator and the Delegate to initialize or update the key states of AIDs.

  • GLEIF Internal Delegated AID (GIDA): The GIDA is used to participate in the vLEI ecosystem as the holder of the LE vLEI credential. Currently, the GIDA is controlled by the 5 Internal GARs, each with control authority of “1/2”.
  • GLEIF External Delegated AID (GEDA): The GEDA is used to issue and revoke the QVI vLEI credentials. Currently, the GEDA is controlled by the 5 External GARs, each with control authority of “1/2”.

Note: The key management for the GLEIF’s AIDs can be inspected from their KERI witnesses as follows: GLEIF Root AID, GIDA, and GEDA.

  • QVI AID: A QVI AID is delegated by the GEDA and must be controlled by at least 3 QARs where at least 2 QARs are required to authorize issuance and revocation of vLEI credentials. For example, a QVI AID could be controlled by 4 QARs with control authority of [“2/3”, “2/3”, “1/3”, “1/3”] such that the QVI cannot authorize a transaction without either of the first two QARs.

Note: All QVI AIDs are also delegated by the GEDA using the cooperative delegation mechanism in the KERI protocol. As a result, key rotation of a QVI AID must be approved by the External GARs. For example, if a QVI wishes to change one of their QARs by rotating the key of the leaving QAR, the QVI must inform the External GARs to approve the key rotation event.

  • LE AID: An LE AID must be controlled by at least 3 LARs where at least 2 LARs are required to authorize issuance and revocation of vLEI credentials. There is an exception to this rule when an LE has fewer than 3 employees. In this case, the LE cannot directly issue a vLEI credential and must authorize a QVI to issue it on their behalf.
  • Role AID: There is no requirement for a multi-signature scheme for ECR and OOR persons. An organization representative may control their AID using a single signing key. They may also use a multi-signature scheme to divide the control authority of their AID to multiple devices.
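The following is an added example, not code from the original post or from GLEIF, that checks a flat list of control weights against the rule stated above for QVI and LE AIDs: at least three key holders, and no group of fewer than two able to authorize issuance or revocation. The `meets_issuer_policy` function and its parameter names are this example's own encoding of that rule, and the configurations are taken from the numbers given in the text (7 × 1/3 for the GLEIF Root AID, 5 × 1/2 for GIDA and GEDA, and the four-QAR example) plus two deliberately non-compliant ones.

```python
from fractions import Fraction
from itertools import combinations


def authorizing_index_sets(weights):
    """Yield every set of controller indices whose weights sum to at least 1.
    Brute force over subsets; sufficient for the small boards in the text."""
    ws = [Fraction(w) for w in weights]
    for k in range(1, len(ws) + 1):
        for idx in combinations(range(len(ws)), k):
            if sum(ws[i] for i in idx) >= 1:
                yield frozenset(idx)


def min_signers(weights):
    """Smallest number of controllers that can authorize together, or None
    if the weights can never reach 1 (a misconfigured identifier)."""
    return min((len(s) for s in authorizing_index_sets(weights)), default=None)


def can_authorize_without(weights, excluded):
    """True if some authorizing set contains none of the excluded controllers.
    Used to confirm statements such as 'nothing passes without one of the
    first two QARs'."""
    excluded = frozenset(excluded)
    return any(not (s & excluded) for s in authorizing_index_sets(weights))


def meets_issuer_policy(weights, min_controllers=3, min_approvers=2):
    """Assumed encoding (this example's own) of the EGF requirement for vLEI
    issuing organizations: at least `min_controllers` key holders, and every
    authorizing group has at least `min_approvers` members, so a single
    person can never issue or revoke alone (the maker-checker process)."""
    if len(weights) < min_controllers:
        return False
    k = min_signers(weights)
    return k is not None and k >= min_approvers


# Configurations quoted in the text, plus two that should be rejected.
CONFIGS = {
    "gleif_root_7x1/3": ["1/3"] * 7,
    "gida_5x1/2": ["1/2"] * 5,
    "qvi_example": ["2/3", "2/3", "1/3", "1/3"],
    "single_key": ["1"],
    "any_one_of_three": ["1", "1", "1"],
}


if __name__ == "__main__":
    for name, weights in CONFIGS.items():
        print(f"{name:20s} min signers={min_signers(weights)} "
              f"policy ok={meets_issuer_policy(weights)}")
```

The "any one of three" case is the one worth noticing: it has three controllers, so a headcount check alone would pass it, but any single key can authorize, which defeats the maker-checker requirement. Checking the minimum authorizing set size rather than the number of key holders catches it.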

Types of vLEI Credentials

The previous sections have outlined the stakeholders, their relationships, and the management of their identifiers, called AIDs, in the vLEI ecosystem. We are now well-positioned to explore what the vLEI credentials actually are. The vLEI credentials, in fact, consist of six types of verifiable credentials that are issued and received by different vLEI stakeholders. Their schemas can be found here.

Note: vLEI credentials utilize Authentic Chained Data Containers (ACDCs), which are considered a variant of the W3C Verifiable Credentials Data Model.

(1) Qualified vLEI Issuer (QVI) vLEI Credential

A QVI vLEI credential is issued by the External GARs (i.e., the GEDA) to a candidate QVI after they complete the formal qualification process. The issuance of the QVI vLEI credential serves as the formal qualification by GLEIF that the QVI is now eligible to participate in the vLEI ecosystem.

Before the issuance of a QVI vLEI credential, the External GARs must perform identity verification on all of the QARs. After the issuance of the QVI vLEI credential, if the QVI wishes to add more QARs, the identity of the new QARs must also be verified by the External GARs.

(2) Legal Entity (LE) vLEI Credential

An LE vLEI credential is issued by a QVI to an LE. The issuance of the LE vLEI credential allows the LE to issue role and AUTH vLEI credentials.

Before the issuance of an LE vLEI credential, the QARs must perform identity verification on all of the LARs. After the issuance of the LE vLEI credential, if the LE wishes to add more LARs, the identity of the new LARs must also be verified by the QARs.

Note: A QVI may issue an LE vLEI credential to the GIDA. The GIDA’s LE vLEI was initially issued by Provenant Inc., the first QVI.

(3) & (4) Qualified vLEI Issuer (QVI) Authorization (AUTH) vLEI Credentials

A QVI AUTH vLEI credential is issued by an LE to a QVI to authorize the QVI to issue role vLEI credentials, namely the LE ECR and LE OOR vLEI credentials. A LAR of the LE must enter accurate data about the representative, including the legal name and role, in the QVI AUTH vLEI credential. There are two variants of the QVI AUTH vLEI credentials as follows:

  • OOR AUTH vLEI credential, which authorizes a QVI to issue an OOR vLEI credential
  • ECR AUTH vLEI credential, which authorizes a QVI to issue an ECR vLEI credential

Before the issuance of a QVI AUTH vLEI credential, the LARs must perform identity verification on the representative, who is either an OOR or ECR person.

(5) Official Organizational Role (OOR) vLEI Credential

An OOR vLEI credential is a role vLEI credential issued by a QVI to an OOR person. Before issuing an OOR vLEI credential, the QVI must first be authorized by the OOR AUTH vLEI credential, which has been issued by the LE that the OOR person represents.

Before the issuance of an OOR vLEI credential, the QARs must perform identity verification on the OOR person. The QVI must also verify that the OOR person genuinely holds the specified OOR using official public sources or documents of the LE.

(6) Engagement Context Role (ECR) vLEI Credential

An ECR vLEI Credential is a role vLEI credential issued to an ECR person. Unlike other types of vLEI credentials, an ECR vLEI credential may be issued by two approaches as follows:

  • Direct issuance by an LE: The LARs of the LE perform identity verification on the ECR person and directly issue the ECR vLEI credential.
  • Issuance by a QVI: The LARs perform identity verification on the ECR person and issue an ECR AUTH vLEI credential to a QVI. The QARs of the QVI then perform identity verification on the ECR person again before issuing the ECR vLEI credential.

Credential Chaining

One of the unique properties of vLEI credentials, which utilize authentic chained data containers (ACDCs), is credential chaining. vLEI credentials are chained using strong cryptographic digests, starting from QVI vLEI credentials issued by the External GARs. For example, an OOR vLEI credential of an OOR person is chained in the following manner:

  • (5) the OOR vLEI credential, which is issued by a QVI, is cryptographically chained to (3) an OOR AUTH vLEI credential issued by the LE that the OOR person represents,
  • (3) the OOR AUTH vLEI credential is cryptographically chained to (2) an LE vLEI credential that the same QVI issued to the LE,
  • (2) the LE vLEI credential is cryptographically chained to (1) a QVI vLEI credential that the External GARs (GEDA) issued to the QVI,
  • the GEDA is cryptographically linked to the GLEIF Root AID.

Due to credential chaining, every vLEI credential can be cryptographically verified all the way to the GLEIF Root AID.

Note: The cryptographic digests for ACDCs are generated using the Self-Addressing Identifier (SAID) protocol.
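The following is an added example, not code from the original post, from GLEIF or from the ACDC/KERI implementations, that walks the chain described above from an OOR vLEI credential back to the QVI vLEI credential issued by the GEDA. The digest procedure is a simplified stand-in for SAID (the `d` field is replaced by a fixed-length dummy, the credential is serialized canonically and hashed, and the digest is written back); real ACDCs use CESR-encoded Blake3 digests, and the schema labels, AIDs and LEIs here are constructed placeholders rather than the real vLEI schema SAIDs or identifiers. At each hop the verifier checks the digest, the expected edge and parent type, and that the parent was issued to whoever issued the child, which is what makes the chain express the stakeholder hierarchy rather than just a list of hashes.

```python
import hashlib
import json

# Constructed simplification of the SAID procedure (not the real CESR/Blake3
# encoding): hex SHA-256 over canonical JSON with 'd' set to a dummy.
DUMMY = "#" * 64


def canonical(fields):
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def saidify(fields):
    """Return a copy of `fields` with 'd' set to its self-addressing digest."""
    body = dict(fields, d=DUMMY)
    body["d"] = hashlib.sha256(canonical(body)).hexdigest()
    return body


def verify_said(cred):
    """Recompute the digest and compare; any edit to the content breaks it."""
    return saidify({k: v for k, v in cred.items() if k != "d"})["d"] == cred["d"]


# Hypothetical AIDs (placeholders, not real identifiers).
GEDA = "EGEDA_placeholder"
QVI_AID = "EQVI_placeholder"
LE_AID = "ELE_placeholder"
OOR_PERSON_AID = "EOOR_person_placeholder"

# Edge name and parent type each credential type must chain to:
# OOR -> OOR AUTH -> LE -> QVI, as in the text.  Labels stand in for schema SAIDs.
CHAIN = {"OOR": ("auth", "OOR_AUTH"), "OOR_AUTH": ("le", "LE"), "LE": ("qvi", "QVI")}


def issue(store, schema, issuer, attrs, edges=None):
    """Create a credential, compute its digest, store it, and return the digest."""
    cred = {"v": "ACDC10JSON", "s": schema, "i": issuer, "a": attrs}
    if edges:
        cred["e"] = edges
    cred = saidify(cred)
    store[cred["d"]] = cred
    return cred["d"]


def verify_chain(store, cred_said, trusted_root=GEDA):
    """Walk from a credential to the QVI credential issued by the trusted root."""
    cred = store.get(cred_said)
    if cred is None or not verify_said(cred):
        return False
    if cred["s"] == "QVI":
        return cred["i"] == trusted_root
    if cred["s"] not in CHAIN:
        return False
    edge, parent_schema = CHAIN[cred["s"]]
    parent = store.get(cred.get("e", {}).get(edge, {}).get("n"))
    if parent is None or parent["s"] != parent_schema:
        return False
    # The parent must have been issued to whoever issued this credential:
    # AUTH to the QVI, LE credential to the LE, QVI credential to the QVI.
    if parent["a"]["i"] != cred["i"]:
        return False
    if cred["s"] == "OOR":
        # Person and role must match what the LAR entered in the AUTH credential.
        keys = ("personLegalName", "officialRole")
        if any(parent["a"][k] != cred["a"][k] for k in keys):
            return False
    if cred["s"] == "OOR_AUTH":
        # The LE credential must come from the same QVI the AUTH is addressed to.
        if parent["i"] != cred["a"]["i"]:
            return False
    return verify_chain(store, parent["d"], trusted_root)


def build_example_store():
    """Constructed four-credential chain for one OOR person."""
    store = {}
    person = {"personLegalName": "Jane Example", "officialRole": "Chief Executive Officer"}
    qvi = issue(store, "QVI", GEDA, {"i": QVI_AID, "LEI": "QVI-LEI-PLACEHOLDER"})
    le = issue(store, "LE", QVI_AID, {"i": LE_AID, "LEI": "LE-LEI-PLACEHOLDER"},
               {"qvi": {"n": qvi}})
    auth = issue(store, "OOR_AUTH", LE_AID,
                 dict(person, i=QVI_AID, LEI="LE-LEI-PLACEHOLDER"), {"le": {"n": le}})
    oor = issue(store, "OOR", QVI_AID,
                dict(person, i=OOR_PERSON_AID, LEI="LE-LEI-PLACEHOLDER"), {"auth": {"n": auth}})
    return store, oor


def tampered_role(store, oor_said):
    """Copy of the store where the OOR role was edited after issuance."""
    bad = dict(store[oor_said], a=dict(store[oor_said]["a"], officialRole="Chairman"))
    return dict(store, **{oor_said: bad})


if __name__ == "__main__":
    store, oor = build_example_store()
    print("valid chain:", verify_chain(store, oor))
    print("tampered role:", verify_chain(tampered_role(store, oor), oor))
```

A verifier that only checked digests would accept a chain where the AUTH credential was issued to a different QVI than the one that signed the OOR credential; the `parent["a"]["i"] != cred["i"]` check is what ties each credential to the hierarchy the text describes.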

Conclusion

The verifiable Legal Entity Identifier (vLEI) Ecosystem Governance Framework (EGF) has laid a foundation for a globally interoperable digital identity system for organizations. The vLEI EGF defines a hierarchical governance structure where GLEIF is the root of reputational trust. It employs a novel approach to key management using Key Event Receipt Infrastructure (KERI) and autonomic identifiers (AIDs) that serve as the root of attributional trust. This approach enables multiple authorized representatives to collectively control their organizations’ decentralized identifiers. Most importantly, the vLEI EGF defines six types of vLEI credentials with rigorous cryptographic relationships that reflect the hierarchical structure of the vLEI ecosystem. Every vLEI credential is cryptographically chained and can be verified all the way to the GLEIF Root AID.

The vLEI EGF facilitates the issuance of vLEI credentials, providing the highest level of identity assurance. These credentials enable digital verification of organizations and their authorized representatives globally and across industries. The vLEIs stand as a cutting-edge, interoperable, and decentralized solution in the organizational digital identity ecosystem, positioning them as the utmost secure and trustworthy choice for global business transactions.
