Each credential type serves a specific governance function within the trust chain, enabling verifiable organizational identity and role-based authorization.

GLEIF Context

GLEIF (Global Legal Entity Identifier Foundation) operates as the root of trust for the vLEI ecosystem. The organization:

• Issues QVI credentials to qualified organizations
• Maintains the vLEI Ecosystem Governance Framework
• Establishes credential schemas and validation requirements
• Oversees the qualification process for vLEI issuers
• Manages the transition of Legal Entities between QVIs

Credentials in this context serve to digitize and make verifiable the traditional LEI system, transforming static organizational identifiers into dynamic, cryptographically verifiable credentials that can participate in automated trust decisions.

Related Governance Entities

Qualified vLEI Issuers (QVIs): Organizations qualified by GLEIF to issue Legal Entity and role credentials. QVIs must hold valid QVI vLEI Credentials and operate under contractual obligations defined in the vLEI Issuer Qualification Agreement.

Legal Entities: Organizations holding LEIs that receive Legal Entity vLEI Credentials. These entities can then authorize QVIs to issue role credentials to their representatives.

Legal Entity Authorized Representatives (LARs): Individuals authorized by Legal Entities to request credential issuance and manage the entity's vLEI credential lifecycle.

QVI Authorized Representatives (QARs): Individuals authorized by QVIs to perform identity verification and credential issuance operations.

Roles & Responsibilities

Primary Responsibilities

Credentials in the KERI/ACDC framework serve multiple critical functions:

Proof of Authority: Credentials provide verifiable evidence that an entity has specific rights, permissions, or authorizations. In the vLEI context, this includes proving that a QVI is authorized to issue credentials, that a Legal Entity holds a valid LEI, or that an individual holds an official role within an organization.

Identity Binding: Credentials cryptographically bind claims to specific Autonomic Identifiers (AIDs), creating non-repudiable associations between identities and assertions. The credential's issuer AID appears at the top level, while the issuee AID (when present) appears in the attributes section.

Chain of Trust: Through ACDC's edge mechanism, credentials can reference other credentials, creating verifiable chains of authority. For example, an OOR credential chains to an OOR Authorization credential, which chains to a Legal Entity credential, which chains to a QVI credential, ultimately anchoring to GLEIF's root of trust.

Selective Disclosure: ACDC credentials support graduated disclosure mechanisms, allowing holders to reveal only necessary information in different contexts. Credentials can be presented in compact form (showing only SAIDs), partially disclosed (revealing some sections), or fully disclosed (showing all attributes).

Revocation Management: Credentials reference Transaction Event Logs (TELs) through their registry identifier (ri field), enabling verifiable revocation status checking without requiring centralized revocation lists.

Authority and Permissions

Issuance Authority: Only entities holding appropriate authorization credentials can issue specific credential types. For example, only QVIs holding valid QVI vLEI Credentials can issue Legal Entity credentials, and only after receiving proper authorization credentials from the Legal Entity.

Verification Authority: Any party can cryptographically verify a credential's authenticity by:

• Validating the issuer's signature against their current key state in the KEL
• Checking the credential's SAID for content integrity
• Verifying the credential chain through edge references
• Checking revocation status via the TEL

Presentation Authority: Credential holders control when and how their credentials are presented. The IPEX (Issuance and Presentation Exchange) protocol governs credential disclosure, enabling holders to negotiate what information to reveal based on verifier requirements and holder policies.

Limitations

Scope Boundaries: Each credential type has explicitly defined scope within its governance framework. For example, OOR credentials attest to official organizational roles but do not imply broader authority beyond what the role description specifies.

Temporal Constraints: Credentials include issuance timestamps (dt field) and may have grace periods or validity windows. Verifiers must check that credentials are being used within their intended temporal scope.

Context Restrictions: While vLEI credentials are designed for context independence (usable in-person, online, or telephonically), specific use cases may impose additional requirements through the rules section of the credential.

Non-Transferability: Credentials are cryptographically bound to specific AIDs and cannot be transferred between identities. The strong binding principle ensures that only the legitimate holder can present the credential.

Credential Lifecycle

Issuance Process

The credential issuance process varies by credential type but follows a general pattern:

1. Authorization Phase: For role credentials, the Legal Entity must first issue an authorization credential to the QVI, explicitly granting permission to issue the role credential to a specific individual.

2. Identity Verification: The issuer (or their authorized representative) must perform identity assurance according to the credential's governance framework. For vLEI credentials, this typically requires:

• Identity Assurance Level 2 (IAL2) verification per NIST 800-63A
• Real-time OOBI session with audio/video presence
• Challenge-response authentication using cryptographic signatures
• Manual verification of legal identity credentials

3. Credential Creation: The issuer constructs the ACDC following the appropriate JSON schema, including:

• Required attributes (AID, LEI, legal name, role, etc.)
• Edge references to prerequisite credentials
• Rules section with legal disclaimers
• Proper SAID generation for content integrity

4. Registry Anchoring: The credential issuance event is anchored to the issuer's KEL through a Transaction Event Log (TEL), creating a verifiable record of issuance.

5. IPEX Grant: The credential is transmitted to the holder using the IPEX protocol, which provides secure, authenticated credential delivery with cryptographic proof of transmission.

6. Holder Admission: The holder receives the credential, validates it, and stores it in their credential database, completing the issuance cycle.

Verification Procedures

Credential verification involves multiple validation steps:

Cryptographic Verification:

• Validate the issuer's signature using their current key state from the KEL
• Verify the credential's SAID matches its content
• Check that all nested SAIDs (attributes, edges, rules) are valid
• Validate any CESR proof signatures on the credential

Schema Validation:

• Confirm the credential conforms to its declared JSON schema
• Verify all required fields are present
• Check that field values meet format requirements (ISO dates, LEI format, etc.)

Chain Validation:

• Follow edge references to prerequisite credentials
• Verify each credential in the chain is valid
• Confirm the chain terminates at an appropriate root of trust
• Validate edge operators (I2I, NI2I, DI2I) are satisfied

Status Checking:

• Query the TEL referenced in the credential's ri field
• Verify the credential has not been revoked
• Check that the issuer's credential (if applicable) remains valid
• Confirm any grace periods or validity windows are satisfied

Policy Evaluation:

• Apply verifier-specific policies to determine credential acceptability
• Evaluate rules section for usage restrictions
• Assess whether disclosed information meets verification requirements

Revocation Conditions

Credentials may be revoked under various circumstances defined in their governance frameworks:

QVI Credential Revocation:

• QVI fails Annual vLEI Issuer Qualification
• QVI does not remediate qualification issues
• QVI's LEI lapses or is retired
• Contractual termination by GLEIF

Legal Entity Credential Revocation:

• Entity's LEI becomes lapsed or retired
• Contractual termination with QVI
• Entity requests revocation

Role Credential Revocation:

• Individual no longer holds the specified role
• Legal Entity requests revocation
• Authorization credential is revoked
• Underlying Legal Entity credential is revoked

Revocation is implemented through TEL events that are anchored to the issuer's KEL, creating an immutable, verifiable record of the revocation action.

Related Governance Documents

Primary Governance Framework

vLEI Ecosystem Governance Framework v3.0: The overarching governance document that establishes core policies, principles, and requirements for all vLEI credentials. This framework defines:

• Information trust policies (security, privacy, availability, confidentiality)
• Stakeholder roles and responsibilities
• Compliance requirements
• Risk assessment frameworks

Credential-Specific Frameworks

Qualified vLEI Issuer vLEI Credential Framework: Defines requirements for QVI credentials, including:

• Issuer qualifications (GLEIF as sole issuer)
• Holder requirements (qualified organizations)
• Credential schema specifications
• Grace period management

Legal Entity vLEI Credential Framework: Establishes requirements for Legal Entity credentials, including:

• QVI issuer qualifications
• Legal Entity holder requirements
• LEI validation procedures
• Credential chaining requirements

Legal Entity Official Organizational Role vLEI Credential Framework: Governs OOR credentials, including:

• Identity assurance requirements (IAL2)
• OOBI session protocols
• Challenge-response authentication
• Role verification procedures

Legal Entity Engagement Context Role vLEI Credential Framework: Governs ECR credentials, including:

• Distinction from official roles
• Flexible role definitions
• Context-specific authorization

Qualified vLEI Issuer Authorization vLEI Credential Framework: Defines authorization credentials, including:

• Multi-signature requirements
• LAR authorization procedures
• QAR operational constraints

Technical Specifications

ACDC Specification: The Trust over IP Foundation specification defining Authentic Chained Data Containers, including:

• ACDC structure and field definitions
• SAID generation protocols
• Edge operators and chaining mechanisms
• Graduated disclosure mechanisms
• Rules and Ricardian contracts

IPEX Specification: The Issuance and Presentation Exchange protocol specification, defining:

• Credential offer/apply/issue workflows
• Presentation request/response protocols
• Graduated disclosure negotiation
• Chain-link confidentiality mechanisms

CESR Proof Signatures Specification: Defines how credentials are cryptographically signed, including:

• Transposable signature attachments
• Nested partial signatures
• Signature verification procedures

vLEI Credential Schema Registry: Technical requirements document listing:

• Official credential schemas with SAIDs
• Semantic versioning requirements
• JSON Schema compliance rules
• Schema evolution policies

Policy Documents

vLEI Ecosystem Information Trust Policies: Establishes cross-cutting policies for:

• Information security management
• Data protection and privacy
• System availability requirements
• Confidentiality protections
• Processing integrity standards

vLEI Ecosystem Risk Assessment: Documents identified risks and mitigation strategies for:

• Governing authority risks
• QVI operational risks
• Verifier risks
• Technical infrastructure risks

vLEI Glossary: Provides authoritative definitions for all terms used in the vLEI ecosystem, ensuring consistent interpretation across governance documents and technical specifications.

Technical Implementation

Credentials in the KERI/ACDC framework are implemented as structured JSON documents with specific field ordering requirements. The top-level structure includes:

[v, d, u, i, ri, s, a, A, e, r]

Where fields must appear in this exact order when present. The attributes section (a) contains the substantive claims, the edges section (e) provides credential chaining, and the rules section (r) contains legal disclaimers and usage terms.

Credentials leverage SAIDs (Self-Addressing Identifiers) extensively, with each major section having its own SAID. This enables:

• Compact disclosure: Presenting only SAIDs without revealing content
• Partial disclosure: Revealing some sections while keeping others compact
• Selective disclosure: Using attribute aggregates to selectively reveal specific claims
• Content integrity: Any modification to content invalidates the SAID

The CESR encoding of credentials enables efficient streaming and attachment of cryptographic proofs, supporting both text and binary representations while maintaining composability.

Ecosystem Integration

Credentials integrate with the broader KERI ecosystem through multiple mechanisms:

KEL Anchoring: Credential issuance and revocation events are anchored to the issuer's Key Event Log, binding credential lifecycle to identifier control authority.

TEL Integration: Transaction Event Logs track credential status, enabling verifiable revocation checking without centralized infrastructure.

OOBI Discovery: Out-Of-Band Introductions enable discovery of credential issuers and their service endpoints, facilitating credential verification.

Witness Networks: KERI witnesses provide high availability and duplicity detection for credential-related events, ensuring ecosystem resilience.

Watcher Networks: Watchers provide ambient duplicity detection, enabling any party to verify credential authenticity without trusting specific infrastructure.

This integration creates a comprehensive, end-verifiable credential ecosystem that operates without requiring centralized registries, certificate authorities, or trusted intermediaries.

Policy Enforcement: Apply verifier-specific acceptance policies, evaluate credential rules, assess disclosure adequacy.