authorized-vlei-representative - vLEI.wiki | KERI Knowledge Base - vLEI.wiki
authorized-vlei-representative
Short Definition
An Authorized vLEI Representative (AVR) is a representative of a Legal Entity who is formally authorized by the entity's Designated Authorized Representative (DAR) to request the issuance and revocation of vLEI credentials on behalf of that Legal Entity within the GLEIF vLEI Ecosystem Governance Framework.
Comprehensive Explanation
Official Definition
The Authorized vLEI Representative (AVR) is a formally designated governance role within the vLEI Ecosystem Governance Framework established by GLEIF (Global Legal Entity Identifier Foundation). An AVR represents a Legal Entity and operates under the explicit authorization of the entity's Designated Authorized Representative (DAR).
Canonical Definition: An AVR is a representative of a Legal Entity authorized by the DAR to request issuance and revocation of:
Official Abbreviation: AVR
Source Governance Framework: Draft vLEI Ecosystem Governance Framework Glossary (v0.9, February 7, 2022) published by GLEIF
Governance Context
Position in vLEI Ecosystem Hierarchy
The AVR role occupies a critical operational position within the vLEI credential issuance chain:
Implementation Notes
Governance Implementation
Authorization Establishment: Organizations must implement formal procedures for DAR designation of AVRs, including documentation of authorization scope, validity periods, and revocation conditions. This typically involves legal agreements, organizational policies, and cryptographic key management infrastructure.
Multi-Signature Coordination: When multiple AVRs exist, organizations should implement threshold signature schemes using KERI multi-sig capabilities. The governance framework recommends at least 3 AVRs with a 2-of-N threshold for enhanced security, though single-signature configurations are permitted for sole proprietorships.
Credential Request Workflows: AVRs should establish standardized procedures for credential requests, including:
Pre-request validation of LEI status
Coordination with Legal Entity Authorized Representatives (LARs) for signatures
Verification of credential schema compliance
Submission through approved vLEI software implementations
Revocation Monitoring: Organizations must implement systems to monitor revocation triggers, including:
LEI status changes in the Global LEI System
Employee role changes and departures
Security incident detection
Governance compliance violations
Audit and Compliance: All AVR actions should be logged in verifiable audit trails, with regular reviews to ensure governance framework compliance. Organizations should maintain documentation of:
AVR designation and authorization records
Credential issuance and revocation requests
QAR interactions and responses
Security incidents and remediation actions
Technical Infrastructure: AVRs typically require:
KERI-compatible key management systems (KERIA agents, Signify clients)
Secure communication channels with QARs
Access to TEL registries for credential status verification
Integration with organizational identity and access management systems
Operational Considerations: Organizations should define clear escalation procedures for:
Emergency revocation scenarios
Key compromise incidents
Disputes with QVIs or QARs
Governance framework interpretation questions
Hierarchical Structure
The AVR serves as the operational interface between the Legal Entity and the QVI/QAR for credential lifecycle management. While the DAR holds ultimate authorization authority for the Legal Entity, AVRs execute the day-to-day credential management operations.
GLEIF Ecosystem Integration
The AVR role is integral to GLEIF's mission of providing verifiable organizational identity through the Legal Entity Identifier (LEI) system. The vLEI ecosystem extends the traditional LEI framework into the decentralized digital identity space using KERI protocol infrastructure.
Key Ecosystem Relationships:
Legal Entity : The AVR acts on behalf of a specific Legal Entity with a valid LEI
DAR : The AVR receives authorization from the DAR through formal designation
QAR : The AVR interacts with QARs to request credential operations
ACDC Credentials : AVRs manage the lifecycle of Authentic Chained Data Container credentials
GLEIF Authorized Representative (GAR) : GLEIF's representatives who authorize QVIs
QAR : QVI representatives who process AVR requests
Legal Entity Authorized Representatives (LARs) : Representatives who hold the Legal Entity's cryptographic keys (may overlap with AVRs)
GLEIF : Root governance authority for the vLEI ecosystem
QVI : Qualified issuers operating under GLEIF authorization
Legal Entity : The organization being represented
Roles & Responsibilities
Primary Responsibilities
The AVR's core function is credential lifecycle management on behalf of their Legal Entity. This encompasses:
1. Credential Issuance Requests
AVRs are authorized to request issuance of three types of vLEI credentials:
Legal Entity vLEI Credentials:
Primary organizational identity credentials
Bind the Legal Entity's AID (Autonomic Identifier) to its LEI
Enable the Legal Entity to participate in verifiable credential ecosystems
Serve as the foundation for subsequent role credentials
Official Organizational Role (OOR) vLEI Credentials:
Attest to official positions within the Legal Entity's organizational structure
Examples: CEO, CFO, Board Member, Legal Counsel
Enable individuals to cryptographically prove their official capacity
Support formal business transactions requiring organizational authority
Engagement Context Role (ECR) vLEI Credentials:
Attest to functional or contextual roles beyond official positions
Examples: Project Manager, Sales Representative, Technical Lead
Enable flexible role-based authorization for specific engagements
Support dynamic business relationships and collaborations
2. Credential Revocation Requests
AVRs must manage credential revocation when:
An individual leaves the organization or changes roles
Credentials are compromised or suspected of compromise
The Legal Entity's LEI status changes (lapsed, transferred, archived)
Organizational restructuring requires credential updates
Compliance or governance requirements mandate revocation
AVR submits revocation request to QAR
QAR validates AVR's authorization
Revocation is recorded in the Transaction Event Log (TEL)
Credential status becomes verifiably revoked
Verifiers can detect revoked credentials through TEL queries
3. Credential Lifecycle Monitoring
While not explicitly mandated in governance documents, operational best practices suggest AVRs should:
Monitor credential expiration dates
Track credential usage and verification patterns
Coordinate with LARs on key management
Maintain records of issued and revoked credentials
Ensure compliance with organizational policies
Authority and Permissions
Granted Authority
AVRs possess delegated authority from the DAR, which includes:
Submit fully signed issuance requests to QARs
Specify credential attributes and parameters
Coordinate with LARs for multi-signature requirements
Represent the Legal Entity in credential negotiations
Initiate revocation procedures for any credential type they can issue
Respond to security incidents requiring immediate revocation
Coordinate revocation with affected individuals and systems
Communicate with QARs on behalf of the Legal Entity
Coordinate OOBI (Out-Of-Band Introduction) sessions
Manage credential presentation and verification workflows
Represent the Legal Entity in vLEI ecosystem interactions
Authorization Mechanism
The AVR's authority is established through:
DAR Designation: The DAR formally designates individuals as AVRs
Cryptographic Binding: AVR actions are signed using authorized key pairs
Governance Framework Compliance: AVRs operate within defined policy boundaries
QAR Validation: QARs verify AVR authorization before processing requests
Multi-Signature Requirements: When multiple AVRs exist, the governance framework may require:
Threshold signatures for high-value operations
Separation of duties for issuance vs. revocation
Consensus mechanisms for critical decisions
Limitations
Scope Restrictions
AVRs cannot:
Modify the Legal Entity's LEI data (managed by LEI Registration Agents)
Authorize other AVRs (only DARs can designate AVRs)
Issue credentials on behalf of other Legal Entities
Override QVI/QAR decisions on credential issuance
Modify governance framework policies
Act beyond their designated authorization scope
Operational Constraints
Credential Type Limitations:
AVRs can only request credential types defined in governance frameworks
Custom credential types require governance framework amendments
Credential schemas are immutable and version-controlled
AVR authorization may have expiration dates
Credentials have defined validity periods
Revocation requests must be processed within governance-defined timeframes
AVRs must use approved vLEI software implementations
Cryptographic operations must follow KERI protocol specifications
Witness and Watcher configurations must meet minimum requirements
Accountability Requirements
AVRs are accountable for:
Accurate representation of the Legal Entity
Proper use of delegated authority
Compliance with governance framework policies
Security of their cryptographic key material
Timely revocation of compromised credentials
Liability Considerations: The governance framework establishes that AVRs act as agents of the Legal Entity, meaning:
The Legal Entity bears ultimate responsibility for AVR actions
AVRs may face personal liability for fraudulent or negligent actions
Contractual agreements define liability boundaries
Credential Lifecycle
Issuance Process
The AVR-initiated credential issuance process follows a structured workflow defined in the vLEI governance frameworks:
Phase 1: Pre-Issuance Preparation
Legal Entity obtains a valid LEI from an accredited LEI Registration Agent
LEI must have Entity Status: Active in the Global LEI System
LEI Registration Status must be: Issued, Pending Transfer, or Pending Archival
DAR formally designates individuals as AVRs
AVRs undergo identity verification (typically IAL2)
AVRs establish KERI AIDs and key management infrastructure
AVR authorization is recorded in verifiable data structures
Phase 2: Credential Request Submission
Request Preparation:
AVR prepares credential issuance request
Request includes required attributes per credential schema
Request specifies target AIDs for credential binding
Multi-Signature Coordination:
If multiple AVRs exist, coordinate threshold signatures
Legal Entity Authorized Representatives (LARs) provide signatures
Signatures prove control over Legal Entity's AID
Request Submission:
AVR submits fully signed issuance request to QAR
Request is transmitted via secure KERI protocol channels
Request includes all required cryptographic proofs
QAR Validation:
QAR verifies AVR's authorization from DAR
QAR validates Legal Entity's LEI status
QAR confirms compliance with governance requirements
QAR verifies cryptographic signatures and key states
Phase 3: Credential Issuance
QVI Credential Generation:
QAR approves issuance request
QVI generates ACDC credential using approved schema
Credential includes:
Legal Entity's LEI
Legal Entity's AID
Credential type and attributes
Issuance date and validity period
QVI's cryptographic signature
Credential is transmitted to Legal Entity's AID
Credential is anchored in QVI's Key Event Log (KEL)
Credential status is recorded in Transaction Event Log (TEL)
Credential becomes verifiable by any party with access to KELs and TELs
In some cases, credentials may be issued without explicit AVR request:
QAR provides notice to AVR(s) that a credential has been solicited on the Legal Entity's behalf
AVR reviews and approves the issuance
Credential is issued following standard procedures
This workflow supports scenarios where third parties initiate credential issuance for a Legal Entity.
Verification Procedures
While AVRs primarily manage issuance and revocation, understanding verification is critical:
Verifier Workflow
Credential Presentation:
Credential holder presents credential to verifier
Presentation may use Graduated Disclosure (compact, partial, selective, or full)
Cryptographic Verification:
Verifier validates QVI's signature on credential
Verifier checks QVI's authorization from GLEIF
Verifier validates Legal Entity's AID and key state
Verifier confirms credential schema compliance
Status Verification:
Verifier queries TEL for credential status
Verifier confirms credential has not been revoked
Verifier checks credential validity period
LEI Verification:
Verifier confirms LEI is active in Global LEI System
Verifier validates LEI matches credential data
AVR Role in Verification
Provide additional context or documentation to verifiers
Coordinate with credential holders on presentation workflows
Respond to verifier inquiries about credential authenticity
Facilitate OOBI exchanges for verifier onboarding
Revocation Conditions
Credentials must be revoked when specific conditions occur:
Mandatory Revocation Triggers
LEI becomes Lapsed (registration not renewed)
LEI is Transferred to another Registration Agent
LEI is Retired or Annulled
Legal Entity ceases to exist (merger, dissolution)
Individual leaves the organization
Individual's role changes (no longer holds OOR/ECR)
Organizational restructuring eliminates the role
Private keys are compromised or suspected of compromise
Credential is used fraudulently
Security audit identifies credential misuse
Legal Entity fails to maintain QVI qualification requirements
Governance framework violations are detected
Regulatory requirements mandate revocation
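The Phase 1 LEI requirements and the mandatory revocation triggers above can be checked mechanically as part of revocation monitoring. The sketch below is an added example, not code from GLEIF or any vLEI software; the record types, status labels, credential ids and sample data are all constructed for illustration.

```python
from dataclasses import dataclass, field

ISSUABLE = {"ISSUED", "PENDING_TRANSFER", "PENDING_ARCHIVAL"}  # pre-issuance rule (labels constructed)
REVOKING = {"LAPSED", "TRANSFERRED", "RETIRED", "ANNULLED"}    # mandatory triggers (labels constructed)

@dataclass
class LeiRecord:
    entity_status: str          # "ACTIVE" or "INACTIVE"
    registration_status: str

@dataclass
class Person:
    employed: bool
    roles: set = field(default_factory=set)
    key_compromised: bool = False

@dataclass
class Credential:
    cred_id: str                # placeholder identifier, not a real SAID
    kind: str                   # "LE", "OOR" or "ECR"
    lei: str
    holder: str = ""            # person holding an OOR/ECR credential
    role: str = ""

def lei_allows_issuance(rec):
    # Entity must be Active and registration in an acceptable state.
    return rec.entity_status == "ACTIVE" and rec.registration_status in ISSUABLE

def revocation_reasons(cred, leis, people):
    # Return every trigger that applies; an empty list means no action.
    reasons = []
    rec = leis.get(cred.lei)
    if rec is None:             # fail closed: unknown LEI goes to manual review
        reasons.append("LEI record missing, manual review")
    else:
        if rec.registration_status in REVOKING:
            reasons.append(f"LEI registration status {rec.registration_status}")
        if rec.entity_status != "ACTIVE":
            reasons.append("Legal Entity ceased to exist")
    if cred.kind in ("OOR", "ECR"):
        person = people.get(cred.holder)
        if person is None or not person.employed:
            reasons.append("holder left the organization")
        elif cred.role not in person.roles:
            reasons.append("holder no longer holds the role")
        if person is not None and person.key_compromised:
            reasons.append("key compromise suspected")
    return reasons

def revocation_worklist(creds, leis, people):
    pairs = ((c.cred_id, revocation_reasons(c, leis, people)) for c in creds)
    return {cid: why for cid, why in pairs if why}

# Constructed sample data (fake LEIs, names and credential ids).
LEIS = {"LEI-A": LeiRecord("ACTIVE", "ISSUED"), "LEI-B": LeiRecord("ACTIVE", "LAPSED")}
PEOPLE = {"alice": Person(True, {"CEO"}), "bob": Person(False, {"Project Manager"}),
          "carol": Person(True, {"Legal Counsel"}, key_compromised=True)}
CREDS = [Credential("cred-1", "LE", "LEI-A"), Credential("cred-2", "OOR", "LEI-A", "alice", "CEO"),
         Credential("cred-3", "ECR", "LEI-A", "bob", "Project Manager"),
         Credential("cred-4", "LE", "LEI-B"), Credential("cred-5", "OOR", "LEI-A", "carol", "CFO")]
```

Calling `revocation_worklist(CREDS, LEIS, PEOPLE)` yields the credentials an AVR would raise with the QAR, each with the reasons to include in the revocation request.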
Revocation Process
Revocation Request:
AVR submits revocation request to QAR
Request includes credential identifier and reason
Request is cryptographically signed by authorized AVR
QAR Processing:
QAR validates AVR's authorization
QAR confirms revocation is appropriate
QAR initiates TEL update
TEL Update:
Revocation event is recorded in TEL
Event is anchored to QVI's KEL
Revocation becomes verifiable by all parties
Notification:
Affected parties are notified of revocation
Credential holder's systems update credential status
Verifiers can detect revoked status in real-time
Grace Periods
The governance framework defines a 90-day grace period for certain transitions:
Allows time for credential renewal or replacement
Prevents service disruption during administrative changes
Credentials remain valid but flagged for upcoming revocation
AVRs must coordinate renewal before grace period expires
Primary Governance Frameworks
vLEI Ecosystem Governance Framework v3.0:
Establishes overall governance structure for vLEI ecosystem
Defines roles, responsibilities, and policies
Specifies technical requirements and standards
Available at: GLEIF vLEI Governance Framework
Legal Entity vLEI Credential Governance Framework:
Defines requirements for Legal Entity vLEI Credentials
Specifies issuance and verification procedures
Establishes identity assurance requirements
Document reference: 2025-04-16_vlei-egf-v3.0-legal-entity-vlei-credential-framework_v1.4_final
Qualified vLEI Issuer Credential Governance Framework:
Defines QVI qualification requirements
Establishes QVI-QAR relationship
Specifies QVI operational requirements
Document reference: 2025-04-16_vlei-egf-v3.0-qualified-vlei-issuer-identifier-governance-framework-and-vlei-credential-framework_v1.5_final
Legal Entity Official Organizational Role vLEI Credential Governance Framework:
Defines requirements for OOR credentials
Specifies official role types and verification
Establishes issuance procedures for role credentials
Legal Entity Engagement Context Role vLEI Credential Governance Framework:
Defines requirements for ECR credentials
Specifies functional role types and verification
Establishes issuance procedures for engagement roles
Policy Documents
vLEI Issuer Qualification Agreement:
Contractual agreement between GLEIF and QVIs
Defines legal obligations and liabilities
Establishes compliance requirements
Specifies audit and monitoring procedures
vLEI Issuer Qualification Program Checklist:
Detailed requirements for QVI qualification
Technical infrastructure requirements
Operational capability assessments
Compliance verification procedures
Document reference: 2022-12-06_appendix-3-vlei-issuer-qualification-program-checklist_v1.0_final
Trust Assurance Framework:
Maps governance requirements to implementation
Specifies ISO 20000 certification obligations
Defines vLEI software specifications
Document reference: 2025-04-16_vlei-egf-v3.0-trust-assurance-framework_v1.5_final
Technical Specifications
KERI Protocol Specification:
IETF draft specification for Key Event Receipt Infrastructure
Defines AID creation, key rotation, and event logs
Available at: IETF KERI Draft
Trust Over IP specification for Authentic Chained Data Containers
Defines credential structure and chaining
Available at: ACDC Specification
Composable Event Streaming Representation
Defines encoding for cryptographic primitives
Available at: CESR Specification
Supporting Documentation
Comprehensive overview of vLEI ecosystem
Explains technical architecture and use cases
Document reference: 2022-02-07_vlei-q-a_v1.1-final
Draft vLEI Ecosystem Governance Framework Glossary:
Authoritative definitions for vLEI terminology
Establishes canonical terms and aliases
Version 0.9 (February 7, 2022)
Implementation Considerations
Organizational Setup
Organizations implementing the AVR role should:
Establish Clear Authorization Chains:
Document DAR designation procedures
Define AVR selection criteria
Implement authorization tracking systems
Implement Key Management Infrastructure:
Deploy KERI-compatible key management systems
Establish secure key generation and storage
Implement multi-signature coordination mechanisms
Define Operational Procedures:
Create credential issuance request workflows
Establish revocation trigger monitoring
Implement credential lifecycle tracking
Ensure Compliance:
Maintain audit trails for all AVR actions
Implement governance framework compliance checks
Establish regular review and update procedures
Technical Integration
AVRs typically interact with:
KERIA Agents: Cloud-based KERI agents that manage AIDs and key events
Signify Clients: Client applications for signing and credential management
QVI Systems: Interfaces for submitting credential requests to QVIs
TEL Registries: Systems for querying credential status
Security Best Practices
Key Protection:
Use hardware security modules (HSMs) or trusted execution environments (TEEs)
Implement key rotation schedules
Maintain offline backup keys
Access Control:
Implement least-privilege access for AVRs
Use multi-factor authentication
Monitor and log all AVR actions
Incident Response:
Establish procedures for key compromise
Define rapid revocation workflows
Maintain communication channels with QARs
Operational Challenges
Coordination Complexity: Managing multi-signature requirements across multiple AVRs and LARs requires robust coordination mechanisms.
Temporal Constraints: Credential validity periods and grace periods require proactive monitoring and renewal processes.
Governance Evolution: As governance frameworks evolve, AVRs must adapt procedures to maintain compliance.
Interoperability: Ensuring compatibility across different vLEI software implementations and QVI systems requires adherence to standards.