1. GLEIF Root - Establishes the root-of-trust for the vLEI ecosystem
2. Qualified vLEI Issuer (QVI) - Authorized by GLEIF to issue vLEI credentials
3. QVI Authorized Representative (QAR) - Operates on behalf of the QVI
4. Legal Entity - Organization requesting vLEI credentials
5. Designated Authorized Representative (DAR) - Legal Entity's primary authorized signatory
6. Authorized vLEI Representative (AVR) - Operational representatives designated by the DAR

The AVR serves as the operational interface between the Legal Entity and the QVI/QAR for credential lifecycle management. While the DAR holds ultimate authorization authority for the Legal Entity, AVRs execute the day-to-day credential management operations.

GLEIF Ecosystem Integration

The AVR role is integral to GLEIF's mission of providing verifiable organizational identity through the Legal Entity Identifier (LEI) system. The vLEI ecosystem extends the traditional LEI framework into the decentralized digital identity space using KERI protocol infrastructure.

Key Ecosystem Relationships:

• Legal Entity: The AVR acts on behalf of a specific Legal Entity with a valid LEI
• DAR: The AVR receives authorization from the DAR through formal designation
• QAR: The AVR interacts with QARs to request credential operations
• ACDC Credentials: AVRs manage the lifecycle of Authentic Chained Data Container credentials

Related Governance Entities

Peer Roles:

• GLEIF Authorized Representative (GAR): GLEIF's representatives who authorize QVIs
• QAR: QVI representatives who process AVR requests
• Legal Entity Authorized Representatives (LARs): Representatives who hold the Legal Entity's cryptographic keys (may overlap with AVRs)

Governance Bodies:

• GLEIF: Root governance authority for the vLEI ecosystem
• QVI: Qualified issuers operating under GLEIF authorization
• Legal Entity: The organization being represented

Roles & Responsibilities

Primary Responsibilities

The AVR's core function is credential lifecycle management on behalf of their Legal Entity. This encompasses:

1. Credential Issuance Requests

AVRs are authorized to request issuance of three types of vLEI credentials:

Legal Entity vLEI Credentials:

• Primary organizational identity credentials
• Bind the Legal Entity's AID (Autonomic Identifier) to its LEI
• Enable the Legal Entity to participate in verifiable credential ecosystems
• Serve as the foundation for subsequent role credentials

Official Organizational Role (OOR) vLEI Credentials:

• Attest to official positions within the Legal Entity's organizational structure
• Examples: CEO, CFO, Board Member, Legal Counsel
• Enable individuals to cryptographically prove their official capacity
• Support formal business transactions requiring organizational authority

Engagement Context Role (ECR) vLEI Credentials:

• Attest to functional or contextual roles beyond official positions
• Examples: Project Manager, Sales Representative, Technical Lead
• Enable flexible role-based authorization for specific engagements
• Support dynamic business relationships and collaborations

2. Credential Revocation Requests

AVRs must manage credential revocation when:

• An individual leaves the organization or changes roles
• Credentials are compromised or suspected of compromise
• The Legal Entity's LEI status changes (lapsed, transferred, archived)
• Organizational restructuring requires credential updates
• Compliance or governance requirements mandate revocation

Revocation Process:

1. AVR submits revocation request to QAR
2. QAR validates AVR's authorization
3. Revocation is recorded in the Transaction Event Log (TEL)
4. Credential status becomes verifiably revoked
5. Verifiers can detect revoked credentials through TEL queries

3. Credential Lifecycle Monitoring

While not explicitly mandated in governance documents, operational best practices suggest AVRs should:

• Monitor credential expiration dates
• Track credential usage and verification patterns
• Coordinate with LARs on key management
• Maintain records of issued and revoked credentials
• Ensure compliance with organizational policies

Authority and Permissions

Granted Authority

AVRs possess delegated authority from the DAR, which includes:

Issuance Authority:

• Submit fully signed issuance requests to QARs
• Specify credential attributes and parameters
• Coordinate with LARs for multi-signature requirements
• Represent the Legal Entity in credential negotiations

Revocation Authority:

• Initiate revocation procedures for any credential type they can issue
• Respond to security incidents requiring immediate revocation
• Coordinate revocation with affected individuals and systems

Operational Authority:

• Communicate with QARs on behalf of the Legal Entity
• Coordinate OOBI (Out-Of-Band Introduction) sessions
• Manage credential presentation and verification workflows
• Represent the Legal Entity in vLEI ecosystem interactions

Authorization Mechanism

The AVR's authority is established through:

1. DAR Designation: The DAR formally designates individuals as AVRs
2. Cryptographic Binding: AVR actions are signed using authorized key pairs
3. Governance Framework Compliance: AVRs operate within defined policy boundaries
4. QAR Validation: QARs verify AVR authorization before processing requests

Multi-Signature Requirements: When multiple AVRs exist, the governance framework may require:

• Threshold signatures for high-value operations
• Separation of duties for issuance vs. revocation
• Consensus mechanisms for critical decisions

Limitations

Scope Restrictions

AVRs cannot:

• Modify the Legal Entity's LEI data (managed by LEI Registration Agents)
• Authorize other AVRs (only DARs can designate AVRs)
• Issue credentials on behalf of other Legal Entities
• Override QVI/QAR decisions on credential issuance
• Modify governance framework policies
• Act beyond their designated authorization scope

Operational Constraints

Credential Type Limitations:

• AVRs can only request credential types defined in governance frameworks
• Custom credential types require governance framework amendments
• Credential schemas are immutable and version-controlled

Temporal Constraints:

• AVR authorization may have expiration dates
• Credentials have defined validity periods
• Revocation requests must be processed within governance-defined timeframes

Technical Constraints:

• AVRs must use approved vLEI software implementations
• Cryptographic operations must follow KERI protocol specifications
• Witness and Watcher configurations must meet minimum requirements

Accountability Requirements

AVRs are accountable for:

• Accurate representation of the Legal Entity
• Proper use of delegated authority
• Compliance with governance framework policies
• Security of their cryptographic key material
• Timely revocation of compromised credentials

Liability Considerations: The governance framework establishes that AVRs act as agents of the Legal Entity, meaning:

• The Legal Entity bears ultimate responsibility for AVR actions
• AVRs may face personal liability for fraudulent or negligent actions
• Contractual agreements define liability boundaries

Credential Lifecycle

Issuance Process

The AVR-initiated credential issuance process follows a structured workflow defined in the vLEI governance frameworks:

Phase 1: Pre-Issuance Preparation

Legal Entity Setup:

1. Legal Entity obtains a valid LEI from an accredited LEI Registration Agent
2. LEI must have Entity Status: Active in the Global LEI System
3. LEI Registration Status must be: Issued, Pending Transfer, or Pending Archival

DAR Establishment:

1. Legal Entity designates one or more DARs
2. DARs undergo Identity Assurance Level 2 (IAL2) verification per NIST 800-63A
3. DARs establish cryptographic identities using KERI AIDs

AVR Designation:

1. DAR formally designates individuals as AVRs
2. AVRs undergo identity verification (typically IAL2)
3. AVRs establish KERI AIDs and key management infrastructure
4. AVR authorization is recorded in verifiable data structures

Phase 2: Credential Request Submission

Solicited Issuance Workflow:

1. Request Preparation:

   • AVR prepares credential issuance request
   • Request includes required attributes per credential schema
   • Request specifies target AIDs for credential binding

2. Multi-Signature Coordination:

   • If multiple AVRs exist, coordinate threshold signatures
   • Legal Entity Authorized Representatives (LARs) provide signatures
   • Signatures prove control over Legal Entity's AID

3. Request Submission:

   • AVR submits fully signed issuance request to QAR
   • Request is transmitted via secure KERI protocol channels
   • Request includes all required cryptographic proofs

4. QAR Validation:

   • QAR verifies AVR's authorization from DAR
   • QAR validates Legal Entity's LEI status
   • QAR confirms compliance with governance requirements
   • QAR verifies cryptographic signatures and key states

Phase 3: Credential Issuance

QVI Credential Generation:

1. QAR approves issuance request
2. QVI generates ACDC credential using approved schema
3. Credential includes:
   • Legal Entity's LEI
   • Legal Entity's AID
   • Credential type and attributes
   • Issuance date and validity period
   • QVI's cryptographic signature

Credential Delivery:

1. Credential is transmitted to Legal Entity's AID
2. Credential is anchored in QVI's Key Event Log (KEL)
3. Credential status is recorded in Transaction Event Log (TEL)
4. Credential becomes verifiable by any party with access to KELs and TELs

Unsolicited Issuance Workflow:

In some cases, credentials may be issued without explicit AVR request:

1. QAR provides notice to AVR(s) that a credential has been solicited on the Legal Entity's behalf
2. AVR reviews and approves the issuance
3. Credential is issued following standard procedures

This workflow supports scenarios where third parties initiate credential issuance for a Legal Entity.

Verification Procedures

While AVRs primarily manage issuance and revocation, understanding verification is critical:

Verifier Workflow

1. Credential Presentation:

   • Credential holder presents credential to verifier
   • Presentation may use Graduated Disclosure (compact, partial, selective, or full)

2. Cryptographic Verification:

   • Verifier validates QVI's signature on credential
   • Verifier checks QVI's authorization from GLEIF
   • Verifier validates Legal Entity's AID and key state
   • Verifier confirms credential schema compliance

3. Status Verification:

   • Verifier queries TEL for credential status
   • Verifier confirms credential has not been revoked
   • Verifier checks credential validity period

4. LEI Verification:

   • Verifier confirms LEI is active in Global LEI System
   • Verifier validates LEI matches credential data

AVR Role in Verification

AVRs may need to:

• Provide additional context or documentation to verifiers
• Coordinate with credential holders on presentation workflows
• Respond to verifier inquiries about credential authenticity
• Facilitate OOBI exchanges for verifier onboarding

Revocation Conditions

Credentials must be revoked when specific conditions occur:

Mandatory Revocation Triggers

LEI Status Changes:

• LEI becomes Lapsed (registration not renewed)
• LEI is Transferred to another Registration Agent
• LEI is Retired or Annulled
• Legal Entity ceases to exist (merger, dissolution)

Role Changes:

• Individual leaves the organization
• Individual's role changes (no longer holds OOR/ECR)
• Organizational restructuring eliminates the role

Security Events:

• Private keys are compromised or suspected of compromise
• Credential is used fraudulently
• Security audit identifies credential misuse

Governance Compliance:

• Legal Entity fails to maintain QVI qualification requirements
• Governance framework violations are detected
• Regulatory requirements mandate revocation

Revocation Process

1. Revocation Request:

   • AVR submits revocation request to QAR
   • Request includes credential identifier and reason
   • Request is cryptographically signed by authorized AVR

2. QAR Processing:

   • QAR validates AVR's authorization
   • QAR confirms revocation is appropriate
   • QAR initiates TEL update

3. TEL Update:

   • Revocation event is recorded in TEL
   • Event is anchored to QVI's KEL
   • Revocation becomes verifiable by all parties

4. Notification:

   • Affected parties are notified of revocation
   • Credential holder's systems update credential status
   • Verifiers can detect revoked status in real-time

Grace Periods

The governance framework defines a 90-day grace period for certain transitions:

• Allows time for credential renewal or replacement
• Prevents service disruption during administrative changes
• Credentials remain valid but flagged for upcoming revocation
• AVRs must coordinate renewal before grace period expires

Related Governance Documents

Primary Governance Frameworks

vLEI Ecosystem Governance Framework v3.0:

• Establishes overall governance structure for vLEI ecosystem
• Defines roles, responsibilities, and policies
• Specifies technical requirements and standards
• Available at: GLEIF vLEI Governance Framework

Legal Entity vLEI Credential Governance Framework:

• Defines requirements for Legal Entity vLEI Credentials
• Specifies issuance and verification procedures
• Establishes identity assurance requirements
• Document reference: 2025-04-16_vlei-egf-v3.0-legal-entity-vlei-credential-framework_v1.4_final

Qualified vLEI Issuer Credential Governance Framework:

• Defines QVI qualification requirements
• Establishes QVI-QAR relationship
• Specifies QVI operational requirements
• Document reference: 2025-04-16_vlei-egf-v3.0-qualified-vlei-issuer-identifier-governance-framework-and-vlei-credential-framework_v1.5_final

Legal Entity Official Organizational Role vLEI Credential Governance Framework:

• Defines requirements for OOR credentials
• Specifies official role types and verification
• Establishes issuance procedures for role credentials

Legal Entity Engagement Context Role vLEI Credential Governance Framework:

• Defines requirements for ECR credentials
• Specifies functional role types and verification
• Establishes issuance procedures for engagement roles

Policy Documents

vLEI Issuer Qualification Agreement:

• Contractual agreement between GLEIF and QVIs
• Defines legal obligations and liabilities
• Establishes compliance requirements
• Specifies audit and monitoring procedures

vLEI Issuer Qualification Program Checklist:

• Detailed requirements for QVI qualification
• Technical infrastructure requirements
• Operational capability assessments
• Compliance verification procedures
• Document reference: 2022-12-06_appendix-3-vlei-issuer-qualification-program-checklist_v1.0_final

Trust Assurance Framework:

• Maps governance requirements to implementation
• Specifies ISO 20000 certification obligations
• Defines vLEI software specifications
• Document reference: 2025-04-16_vlei-egf-v3.0-trust-assurance-framework_v1.5_final

Technical Specifications

KERI Protocol Specification:

• IETF draft specification for Key Event Receipt Infrastructure
• Defines AID creation, key rotation, and event logs
• Available at: IETF KERI Draft

ACDC Specification:

• Trust Over IP specification for Authentic Chained Data Containers
• Defines credential structure and chaining
• Available at: ACDC Specification

CESR Specification:

• Composable Event Streaming Representation
• Defines encoding for cryptographic primitives
• Available at: CESR Specification

vLEI Credential Schemas:

• JSON Schema definitions for all vLEI credential types
• Hosted at: GLEIF vLEI Schema Repository

Supporting Documentation

vLEI Q&A Document:

• Comprehensive overview of vLEI ecosystem
• Explains technical architecture and use cases
• Document reference: 2022-02-07_vlei-q-a_v1.1-final

Draft vLEI Ecosystem Governance Framework Glossary:

• Authoritative definitions for vLEI terminology
• Establishes canonical terms and aliases
• Version 0.9 (February 7, 2022)

Implementation Considerations

Organizational Setup

Organizations implementing the AVR role should:

1. Establish Clear Authorization Chains:

   • Document DAR designation procedures
   • Define AVR selection criteria
   • Implement authorization tracking systems

2. Implement Key Management Infrastructure:

   • Deploy KERI-compatible key management systems
   • Establish secure key generation and storage
   • Implement multi-signature coordination mechanisms

3. Define Operational Procedures:

   • Create credential issuance request workflows
   • Establish revocation trigger monitoring
   • Implement credential lifecycle tracking

4. Ensure Compliance:

   • Maintain audit trails for all AVR actions
   • Implement governance framework compliance checks
   • Establish regular review and update procedures

Technical Integration

AVRs typically interact with:

KERIA Agents: Cloud-based KERI agents that manage AIDs and key events Signify Clients: Client applications for signing and credential management QVI Systems: Interfaces for submitting credential requests to QVIs TEL Registries: Systems for querying credential status

Security Best Practices

1. Key Protection:

   • Use hardware security modules (HSMs) or trusted execution environments (TEEs)
   • Implement key rotation schedules
   • Maintain offline backup keys

2. Access Control:

   • Implement least-privilege access for AVRs
   • Use multi-factor authentication
   • Monitor and log all AVR actions

3. Incident Response:

   • Establish procedures for key compromise
   • Define rapid revocation workflows
   • Maintain communication channels with QARs

Operational Challenges

Coordination Complexity: Managing multi-signature requirements across multiple AVRs and LARs requires robust coordination mechanisms.

Temporal Constraints: Credential validity periods and grace periods require proactive monitoring and renewal processes.

Governance Evolution: As governance frameworks evolve, AVRs must adapt procedures to maintain compliance.

Interoperability: Ensuring compatibility across different vLEI software implementations and QVI systems requires adherence to standards.