vLEI Demystified Part 2: Identity Verification

Yanisa Sunanchaiyakarn
Published in Finema
Mar 29, 2024

Authors: Yanisa Sunanchaiyakarn & Nuttawut Kongsuwan, Finema Co. Ltd.

vLEI Demystified Series:

This blog is the second part of the vLEI Demystified series. Part 1 of the series outlines different stakeholders, their roles, and six types of credentials that are involved in the trust chain and the foundational structures of the vLEI ecosystem. This part delves deeper into the qualifications and verification procedures that persons representing these organizations have to go through prior to the issuance of vLEI credentials.

Overview of vLEI Identity Verification

Before participating in the vLEI ecosystem, including obtaining and issuing vLEI credentials, the representatives of all organization stakeholders must undergo rigorous identity verification processes to confirm their legal identity.

Note: Legal identity is defined as the basic characteristics of an individual’s identity. e.g. name, sex, place, and date of birth conferred through registration and the issuance of a certificate by an authorized civil registration authority following the occurrence of birth. [Ref: https://unstats.un.org/legal-identity-agenda/]

With some exceptions, authorized representatives of each organization stakeholder are responsible for performing identity verification on representatives of organizations downstream within the vLEI trust chain. That is, GLEIF verifies qualified vLEI issuers (QVIs), QVIs verify legal entities (LEs), and LEs verify role representatives, as shown below.

The vLEI trust chain

Note: The authorized representatives are the persons designated by an organization (either GLEIF, a QVI, or a legal entity) to officially represent the organization.

Note: There are two types of role representatives: official organization role (OOR) and engagement context role (ECR).

GLEIF Authorized Representatives (GARs)

GARs are controllers of the GLEIF Root AID, GLEIF Internal Delegated AID (GIDA), and GLEIF External Delegated AID (GEDA).

As the root of trust of the vLEI ecosystem, GLEIF established an internal process to verify their GARs, as outlined in the GLEIF Identifier Governance Framework. This includes:

  • The policies and processes for the genesis events of the GLEIF Root AID, GIDA, and GEDA
  • Detailed identity verification process of all GARs where they mutually authenticate each other
  • Contingency plans such as a designated survivor policy as well as restrictions on joint travel and in-person attendance of meetings.

Designated Authorized Representative (DAR)

DARs are representatives authorized to act on behalf of a Qualified vLEI Issuer (QVI) or an LE.

  • Identity verification on a QVI’s DAR is performed by an external GAR.
  • Identity verification on an LE’s DAR is performed by a QAR.

Qualified vLEI Issuer Authorized Representatives (QARs)

A QAR is a representative designated by a QVI’s DAR to carry out vLEI operations with GLEIF and LEs.

  • Identity verification on a QAR is performed by an external GAR.

This process is detailed in Qualified vLEI Issuer Identifier Governance Framework and vLEI Credential Framework.

Legal Entity Authorized Representatives (LARs)

An LAR is a representative designated by an LE’s DAR to request the issuance and revocation of LE vLEI credentials and Role vLEI credentials.

  • Identity verification on an LAR is performed by a QAR.

This process is detailed in Legal Entity vLEI Credential Framework.

Role Representatives (OOR and ECR Persons)

A role representative, either an OOR or ECR person, is designated by an LAR to represent an LE in an official organization role or an engagement context role, respectively. The identity verification process for a role representative depends on whether an authorization vLEI credential is used; see Part 1 of the series for more detail.

  • In the case where an authorization vLEI credential is used, identity verification on a role representative is performed by both a QAR and an LAR.
  • In the case where an LE issues a role vLEI credential directly without using an ECR authorization vLEI credential, identity verification of the ECR person needs to be performed only by an LAR.

This process is detailed in the following documents:

Identity Verification Processes

The identity verification process of all representatives in the vLEI ecosystem includes two subprocesses namely:

  • Identity Assurance Process, which verifies the veracity and existence of a legal identity, as well as binding the legal identity to a representative
  • Identity Authentication Process, which binds the representative to an autonomic identifier (AID)

Once the identity verification process is completed, a vLEI credential may be subsequently issued to the AID that has been bound to the representative.

Illustration of the identity verification process

Identity Assurance

The first stage of identity verification for the vLEI ecosystem is called identity assurance. This step involves an identity proofing process to verify the legal identities of all individuals prior to obtaining vLEI credentials. The vLEI Ecosystem Governance Framework (EGF) requires that identity assurance be performed according to Identity Assurance Level 2 (IAL2) as defined in NIST SP 800–63A.

The National Institute of Standards and Technology (NIST) standardized the identity proofing process in their Special Publication (SP) 800–63A. Although originating in the United States, SP 800–63A is one of the most influential standards for identity proofing and is widely referenced by various industries and governments worldwide.

Identity Assurance Level

NIST SP 800–63A has categorized the degrees of assurance in one’s identity into 3 levels:

  • Identity Assurance Level 1 (IAL1): The service provider is not required to validate or link the applicant’s self-asserted attributes to their real-life identity.
  • Identity Assurance Level 2 (IAL2): Either remote or physical identity proofing is required at this level. The applicant’s submitted evidence supports the real-world existence of the claimed identity and verifies that the applicant is accurately linked to this identity.
  • Identity Assurance Level 3 (IAL3): Physical presence is required for the identity proofing process at this level. Identifying attributes must be verified by an authorized and trained service provider representative.

Only IAL2 is relevant in the context of the vLEI EGF.

Identity Resolution, Validation, and Verification

Identity proofing in NIST SP 800–63A consists of three main components, namely:

  • Identity Resolution: a process for uniquely distinguishing an individual within a given context.
  • Identity Validation: a process for determining the authenticity, validity, and accuracy of the identity evidence.
  • Identity Verification: a process for establishing a linkage between the claimed identity and the person presenting the identity evidence.

For example, an applicant for a vLEI credential could present a verifier with a set of required identity evidence. The verifier must resolve the applicant’s legal identity and validate that the presented information on the collected evidence is legitimate. Validation may involve confirming the information with an authoritative source and determining that there is no alteration to the images and data of the presented evidence. Subsequently, the verifier may verify the applicant by comparing the applicant’s live image with the one displayed on the provided identity evidence.

Identity Evidence Collection

During identity resolution and validation, the collection of “identity evidence” is required to establish the uniqueness of the individual’s identity.

Note: Identity evidence is defined as information or documentation provided by the applicant to support the claimed identity. Identity evidence may be physical (e.g. a driver’s license) or digital.

To comply with IAL2, one of the following sets of identity evidence must be collected:

  • one piece of STRONG or SUPERIOR evidence, provided that its issuing source had itself confirmed the claimed identity by collecting at least two pieces of SUPERIOR or STRONG evidence, and that the service provider validates the evidence directly with that source; OR
  • two pieces of STRONG evidence; OR
  • one piece of STRONG evidence plus two pieces of FAIR evidence

NIST SP 800–63A defines five tiers of identity evidence’s strength: UNACCEPTABLE, WEAK, FAIR, STRONG, and SUPERIOR. While the strength of specific identity evidence, e.g., a driver’s license, may vary across jurisdictions, NIST provides examples of common evidence and their estimated strength, based on their general quality characteristics, for instance:

  • SUPERIOR: passports and permanent resident cards
  • STRONG: driver’s licenses and U.S. military ID cards
  • FAIR: school ID cards and credit/debit cards

Further details on the strengths of identity evidence can be found in Section 5.2.1 of NIST SP 800–63A.
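The three IAL2 evidence-set options above are a small decision rule, and it is easy to get the single-piece option wrong because it carries two conditions at once. The following Go program is an added example written for this article, not code from GLEIF, NIST, or the vLEI frameworks; the tier names follow SP 800–63A, the `Evidence` struct and the `MeetsIAL2` function are this example's own, and it assumes that a SUPERIOR piece may stand in wherever STRONG is required.

```go
package main

import "fmt"

// Strength tiers of identity evidence as named in NIST SP 800-63A Section 5.2.1.
type Strength int

const (
	Unacceptable Strength = iota
	Weak
	Fair
	Strong
	Superior
)

// Evidence is one piece of identity evidence presented by an applicant.
// SourceConfirmed and ValidatedWithSource carry the two conditions attached to
// the single-piece option: the issuing source itself collected at least two
// STRONG or SUPERIOR pieces when it confirmed the identity, and the service
// provider validated this piece directly with that source.
type Evidence struct {
	Name                string
	Strength            Strength
	SourceConfirmed     bool
	ValidatedWithSource bool
}

// MeetsIAL2 reports whether the collected evidence satisfies one of the three
// IAL2 evidence-set options, and which option matched ("" if none).
// ASSUMPTION: a SUPERIOR piece is accepted wherever STRONG is required, since
// it exceeds that tier. WEAK and UNACCEPTABLE evidence never contributes.
func MeetsIAL2(evidence []Evidence) (bool, string) {
	var strong, fair int
	for _, e := range evidence {
		switch {
		case e.Strength >= Strong && e.SourceConfirmed && e.ValidatedWithSource:
			return true, "one STRONG/SUPERIOR piece validated directly with a confirming source"
		case e.Strength >= Strong:
			strong++
		case e.Strength == Fair:
			fair++
		}
	}
	switch {
	case strong >= 2:
		return true, "two STRONG (or SUPERIOR) pieces"
	case strong >= 1 && fair >= 2:
		return true, "one STRONG piece plus two FAIR pieces"
	}
	return false, ""
}

func main() {
	// Constructed sample applications built from the example documents above.
	cases := map[string][]Evidence{
		"passport + driver's license": {
			{"passport", Superior, false, false},
			{"driver's license", Strong, false, false},
		},
		"driver's license + school ID": {
			{"driver's license", Strong, false, false},
			{"school ID", Fair, false, false},
		},
		"passport validated with issuing source": {
			{"passport", Superior, true, true},
		},
	}
	for name, ev := range cases {
		ok, why := MeetsIAL2(ev)
		fmt.Printf("%-40s IAL2=%v %s\n", name, ok, why)
	}
}
```

The point the rule makes explicit is that a source-confirmed passport alone is not enough: the verifier must also have validated it with the issuing source, otherwise it counts only as one STRONG-or-better piece and a second piece is still needed.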

Identity Authentication

After completing identity assurance, an organization representative who applies for a vLEI credential may proceed to identity authentication, which establishes a connection between the representative — whose legal identity has been assured to meet IAL2 — and an autonomic identifier (AID).

Once such a connection has been established, a vLEI credential could be issued to the AID with confidence that the representative is the sole controller of the AID. Subsequently, the representative may cryptographically prove their control over the AID and the issued vLEI credential.

Note: An autonomic identifier (AID) is a persistent self-certifying identifier (SCID) that is derived and managed by cryptographic means without reliance on any centralized entity or distributed ledger technology.

Credential Wallet Setup

Before identity authentication can begin, a credential wallet must be set up for the organization representative. The primary role of a credential wallet includes:

  • Creation, storage, and management of key pairs
  • Creation, storage, and management of AIDs.
  • Digital signature creation and verification

The specification for a credential wallet is detailed in Technical Requirements Part 1: KERI Infrastructure. The credential wallet must also be used during the live Out-of-band-Introduction (OOBI) session to complete the identity authentication process.

Note: A credential wallet for vLEI credentials is essentially a KERI-compatible identity wallet. It must be compliant with three specifications currently being developed under the Trust Over IP (ToIP) Foundation, namely, KERI, ACDC, and CESR specifications.

Out-of-band-Introduction (OOBI) Protocol

The identity authentication process is implemented using the Out-of-band-Introduction (OOBI) Protocol, which is a protocol defined in the ToIP Key Event Receipt Infrastructure (KERI) specification. The OOBI protocol provides a discovery mechanism for verifiable information related to an AID — including its key event log (KEL) and its service endpoint — by associating the AID with a URL.

For example, an AID EaU6JR2nmwyZ-i0d8JZAoTNZH3ULvYAfSVPzhzS6b5CM may provide a service endpoint at www.example.com with an OOBI URL of

http://www.example.com/oobi/EaU6JR2nmwyZ-i0d8JZAoTNZH3ULvYAfSVPzhzS6b5CM

The OOBI protocol is “out-of-band” as it enables any internet and web search infrastructure to act as an “out-of-band” infrastructure to discover information that is verified using the “in-band” KERI protocol. The OOBI protocol leverages the existing IP and DNS infrastructure for discovery so that a dedicated discovery network is not needed.

Note: The OOBI by itself is insecure, and the information discovered by the OOBI must be verified using the KERI protocol.

This OOBI URL may be used to discover the AID’s KEL as well as send messages to the AID, including sending a challenge message in a challenge-response protocol and sending a vLEI credential.

Challenge-Response Protocol

To establish a connection between a representative and an AID, the challenge-response protocol is implemented to ensure that the representative holds the private key that controls the AID.

With the OOBI protocol, the OOBI URL serves as the service endpoint through which the verifier delivers the challenge message to the AID controller. The verifier generates a random number as the challenge and sends it to the AID controller. The AID controller then signs the challenge with the private key associated with the AID; this digital signature is the response, which is returned to the verifier. Finally, the verifier verifies the response using the public key of the AID.

Illustration of a challenge-response session

Man-In-the-Middle Attack

However, there is a risk that an attacker could intercept the communication between the representative and the verifier in a man-in-the-middle (MITM) attack. Here, the attacker obtains the authentic OOBI URL, which contains the representative’s AID, and sends a false OOBI URL, which instead contains the attacker’s AID, to the verifier.

Illustration of a challenge-response session that is intercepted by a man-in-the-middle (MITM) attack.

Real-time OOBI Session

To mitigate the risk of an MITM attack, the vLEI EGF specifies an authentication process that is called a real-time OOBI session that a representative and their verifier must complete before issuance of a vLEI credential.

An illustration of an OOBI session

During a real-time OOBI session, the representative and the verifier must organize a real-time in-person or a virtual face-to-face meeting, e.g., using a Zoom call. For a virtual face-to-face meeting, there are extra requirements as follows:

  • The meeting must be continuous and uninterrupted throughout the entire OOBI session.
  • Both audio and video feeds of all participants must be active throughout the entire OOBI session.

The OOBI session consists of the following steps:

1) The identity verifier performs manual verification of the representative’s legal identity, which has been verified during the identity assurance process. For example, if the representative had provided a passport as their identity evidence during identity assurance, they may present the passport to the verifier once again during their live session.

2) After the verifier confirms that the evidence is accurately associated with the representative present in the meeting, they must exchange their AIDs through an out-of-band channel. For example, OOBI URLs can be shared in the live chat of a Zoom call or shown as QR codes over the video feeds.

3) The verifier sends a unique challenge message to cryptographically authenticate the representative’s AID.

4) The representative uses their private key that is associated with the AID to sign and respond to the challenge.

5) The verifier verifies the response using the public key obtained from the AID’s key event log (KEL).

6) The challenge-response protocol is repeated where the representative is now the challenger and the verifier the responder.
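The six steps above, together with the MITM scenario and the OOBI URL format described earlier, are shown end to end in the following Go program. It is an added example written for this article, not code from the KERI reference implementation or the vLEI frameworks. Its assumptions: the AID is modelled as `"B"` followed by the base64url form of an Ed25519 public key, a simplified stand-in for KERI's non-transferable prefix, so the verifier can recover the key from the AID itself rather than resolving a key event log; the `Controller`, `Authenticate` and `MutualAuthenticate` names and the `a.example`/`b.example` hosts are this example's own; and the challenge is a random nonce rather than KERI's word-list phrase.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Controller holds the key pair behind one AID. ASSUMPTION: the AID is
// "B" + base64url(public key), a simplification of KERI's basic prefix, so
// the public key can be recovered from the AID without resolving a KEL.
type Controller struct {
	priv ed25519.PrivateKey
	AID  string
}

func NewController() (*Controller, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Controller{priv: priv, AID: "B" + base64.RawURLEncoding.EncodeToString(pub)}, nil
}

// OOBIURL is the URL under which this AID's service endpoint is discoverable.
func (c *Controller) OOBIURL(host string) string {
	return "http://" + host + "/oobi/" + c.AID
}

// AIDFromOOBI extracts the AID an OOBI URL advertises: its last path segment.
func AIDFromOOBI(url string) string {
	return url[strings.LastIndex(url, "/")+1:]
}

// PublicKeyFromAID recovers the signing key bound to a (simplified) AID.
func PublicKeyFromAID(aid string) (ed25519.PublicKey, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(aid, "B"))
	if !strings.HasPrefix(aid, "B") || err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("malformed AID %q", aid)
	}
	return ed25519.PublicKey(raw), nil
}

// NewChallenge is the verifier's step: a fresh random nonce per session.
func NewChallenge() (string, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(nonce), nil
}

// Respond is the controller's step: sign the challenge with the AID's private key.
func (c *Controller) Respond(challenge string) []byte {
	return ed25519.Sign(c.priv, []byte(challenge))
}

// VerifyResponse checks a response using only the public key of the given AID.
func VerifyResponse(aid, challenge string, response []byte) bool {
	pub, err := PublicKeyFromAID(aid)
	return err == nil && ed25519.Verify(pub, []byte(challenge), response)
}

// Authenticate runs one direction of the exchange. liveSessionAID is the AID
// received face-to-face (chat or QR code); wireOOBI is the URL that arrived over
// the network and may have been swapped by a MITM; prover answers at that
// endpoint. The response is always checked against the live-session AID.
func Authenticate(liveSessionAID, wireOOBI string, prover *Controller) (bool, error) {
	if got := AIDFromOOBI(wireOOBI); got != liveSessionAID {
		return false, fmt.Errorf("OOBI URL carries %s but live session showed %s", got, liveSessionAID)
	}
	challenge, err := NewChallenge()
	if err != nil {
		return false, err
	}
	return VerifyResponse(liveSessionAID, challenge, prover.Respond(challenge)), nil
}

// MutualAuthenticate repeats the exchange with the roles swapped (step 6).
func MutualAuthenticate(a, b *Controller) (bool, error) {
	if ok, err := Authenticate(b.AID, b.OOBIURL("b.example"), b); !ok || err != nil {
		return false, err
	}
	return Authenticate(a.AID, a.OOBIURL("a.example"), a)
}

func main() {
	rep, _ := NewController()  // the organization representative
	mitm, _ := NewController() // an interceptor substituting its own OOBI URL
	ok, err := Authenticate(rep.AID, rep.OOBIURL("www.example.com"), rep)
	fmt.Println("genuine OOBI:", ok, err)
	ok, err = Authenticate(rep.AID, mitm.OOBIURL("www.example.com"), mitm)
	fmt.Println("swapped OOBI:", ok, err)
	ch, _ := NewChallenge()
	fmt.Println("interceptor's response checked against the real AID:", VerifyResponse(rep.AID, ch, mitm.Respond(ch)))
	fmt.Println("same response checked against the AID from the wire URL:", VerifyResponse(mitm.AID, ch, mitm.Respond(ch)))
}
```

The last two lines of `main` are the whole argument for the real-time session: a verifier that takes the AID from whatever URL arrived on the wire would accept the interceptor's signature, because the signature is perfectly valid for the interceptor's own AID. Only comparing the wire URL against the AID shown face-to-face, and verifying against that AID, turns the substitution into a detectable failure.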

Group Real-time OOBI Session for QARs and LARs

For issuance of QVI and LE vLEI credentials, all QARs and all LARs of the candidate QVI and LE, respectively, must be present in the real-time OOBI session.

  • For the issuance of a QVI vLEI credential, 2 External GARs and at least 3 QARs must be present during the real-time OOBI session.
  • For the issuance of an LE vLEI credential, 1 QAR and at least 3 LARs must be present during the real-time OOBI session.

An example authentication process of LARs by QARs

Once the authentication steps are completed, the identity verifier can sign and issue the vLEI credential to the representatives of the candidate organization. However, the vLEI credential issuance process cannot be completed by a single representative. To meet the required weight threshold of the multi-signature scheme stated in the vLEI EGF, another representative in control of the issuer’s AID must add their signature and approve the vLEI issuance. For instance, a QAR may perform the required verification processes on all LARs of an LE and initiate the issuance of an LE vLEI credential; at least one other QAR must then review and approve the issuance.

Conclusion

While the verification processes that applicants seeking vLEI credentials have to complete before issuance might appear rather involved, these thorough steps to verify the identity of individuals representing organizations are crucial to safeguarding against identity theft, impersonation, and other fraudulent activities across various industries. The identity assurance process validates the legal identities of representatives, and the identity authentication process cryptographically associates the representatives with AIDs. Once identity verification is complete, vLEI credentials may be issued with confidence, maintaining the integrity and reliability of the vLEI ecosystem.
