This comprehensive explanation has been generated from 58 GitHub source documents.
Last updated: October 7, 2025
This content is meant to be consumed by AI agents via MCP.
Note: In rare cases it may contain LLM hallucinations.
For authoritative documentation, please consult the official GLEIF vLEI trainings and the ToIP Glossary.
An electronic signature (e-signature) is data in electronic form that is logically associated with other electronic data and used by a signatory to sign documents or transactions. It has the same legal standing as a handwritten signature when it complies with jurisdiction-specific regulations (eIDAS in the EU, NIST-DSS in the USA, ZertES in Switzerland).
An electronic signature (e-signature) is formally defined as data in electronic form that is:
Critically, electronic signatures have the same legal standing as handwritten signatures when they comply with jurisdiction-specific regulatory requirements. The three major regulatory frameworks governing electronic signatures are:
This legal equivalence is fundamental for e-commerce, digital contracts, regulatory filings, and any scenario requiring legally binding commitments in digital form.
Regulatory Compliance: Organizations implementing electronic signatures in the vLEI ecosystem must ensure compliance with applicable regulations (eIDAS, ESIGN, ZertES) in their jurisdictions. This may require obtaining qualified certificates, implementing specific key management practices, or meeting audit requirements.
Credential Chain Verification: When relying on electronic signatures backed by vLEI credentials, verifiers must validate the entire credential chain from the signer's role credential back to the GLEIF root AID. This includes checking each credential's TEL for revocation status.
Multi-Jurisdictional Operations: Organizations operating across multiple jurisdictions should implement electronic signature policies that satisfy the most stringent applicable requirements. The vLEI governance framework provides a foundation that can be adapted to meet various regulatory regimes.
Audit Trail Requirements: Electronic signature implementations must maintain comprehensive audit trails including timestamps, key states, credential status, and verification results. KERI's KEL and TEL structures provide this audit trail inherently.
Key Management Policies: Organizations should establish formal key management policies covering key generation, storage, rotation, and revocation. These policies should align with the highest duty of care standards established in the GLEIF Identifier Governance Framework.
Signature Attachment: When implementing electronic signatures on documents or transactions, use CESR Proof Signatures to attach cryptographic signatures in a way that maintains integrity across different serialization formats (JSON, CBOR, MessagePack).
Timestamping: Implement trusted timestamping through witness receipts or external timestamping authorities to satisfy regulatory requirements for establishing when signatures were created.
Revocation Checking: Always verify credential revocation status at the time of signature verification, not at the time of signature creation. Query the credential's TEL to ensure it remains valid.
Algorithm Selection: Use cryptographically strong signature algorithms (minimum 128-bit security) and plan for migration to post-quantum algorithms as they become standardized and available in KERI implementations.
The most critical aspect of electronic signatures in the KERI/ACDC ecosystem is understanding the two-layer model:
Legal Layer: Electronic signature represents the legal concept and regulatory framework that establishes when a digital signing action has legal force equivalent to handwritten signatures.
Technical Layer: Digital signatures represent the cryptographic implementation mechanism that provides the technical foundation for implementing electronic signatures securely.
This distinction is emphasized across multiple source documents: "Electronic signatures are a legal concept, while digital signatures are a cryptographic mechanism often used to implement electronic signatures." The relationship is hierarchical - digital signatures serve as the cryptographic implementation that enables electronic signatures to satisfy legal requirements.
Electronic signatures exist on a spectrum of technical sophistication:
Simple Electronic Signatures: At the most basic level, an electronic signature can be as simple as a name typed into an electronic document. While legally valid in many contexts, these provide minimal security guarantees.
Advanced Electronic Signatures: Mid-tier implementations may include biometric data, timestamping, or other authentication factors that provide stronger evidence of signatory intent.
Qualified Electronic Signatures: The highest tier, particularly under eIDAS, requires cryptographic digital signatures backed by qualified certificates from trust service providers. These provide the strongest legal presumption of validity.
Within the vLEI (verifiable Legal Entity Identifier) ecosystem, electronic signatures play a critical role in establishing legally binding commitments:
Credential Issuance: When a QVI (Qualified vLEI Issuer) issues a Legal Entity vLEI Credential, the issuance must satisfy electronic signature requirements in the relevant jurisdiction. The KERI digital signature mechanism provides the cryptographic foundation, while the governance framework ensures legal compliance.
Authorized Representatives: Designated Authorized Representatives (DARs) and Authorized vLEI Representatives (AVRs) use electronic signatures to authorize credential issuance and revocation. The vLEI Issuer Qualification Program Checklist explicitly requires signatures from DARs, stating: "The Checklist can be signed with the digital certificate of the Designated Authorized Representative or a notarized copy of the Designated Authorized Representative's signature."
Regulatory Filings: Electronic signatures enable automated regulatory reporting, as demonstrated in the SEC registration pilot where ECR (Engagement Context Role) credential holders submit signed reports. The system uses KERI digital signatures to implement electronic signatures that satisfy regulatory requirements.
The signatory (the entity creating the electronic signature) bears several critical responsibilities:
Intent to Sign: The signatory must demonstrate clear intent to be bound by the signed document or transaction. This is typically evidenced through explicit user actions (clicking "I agree," entering credentials, or applying biometric authentication).
Key Control: When using cryptographic digital signatures as the implementation mechanism, the signatory must maintain exclusive control over their private keys. In KERI, this is achieved through autonomic identifiers (AIDs) where the controller maintains cryptographic proof of key control.
Authentication: The signatory must authenticate themselves before creating signatures. In the vLEI ecosystem, this is achieved through verifiable credentials that establish the signatory's authority to act on behalf of a legal entity.
The verifier (the entity relying on the electronic signature) must:
Signature Verification: Verify the cryptographic validity of digital signatures implementing the electronic signature. In KERI, this involves verifying key event logs (KELs) to establish current key state and validating signatures against authoritative keys.
Authority Verification: Confirm the signatory had authority to create the signature. In vLEI workflows, this requires verifying the credential chain from the signatory's role credential back through the Legal Entity credential to the GLEIF root of trust.
Compliance Verification: Ensure the electronic signature satisfies applicable regulatory requirements. This may involve checking that qualified certificates were used, that timestamping was applied, or that other jurisdiction-specific requirements were met.
Under regulations like eIDAS, trust service providers (TSPs) play a critical role:
Certificate Issuance: TSPs issue qualified certificates that bind public keys to legal entities or individuals. In the vLEI ecosystem, QVIs serve an analogous role by issuing verifiable credentials that establish organizational identity.
Signature Creation: TSPs may provide signature creation services, particularly for qualified electronic signatures requiring hardware security modules or other high-assurance key management.
Timestamping: TSPs provide trusted timestamping services that establish when signatures were created, which is critical for determining validity periods and establishing non-repudiation.
Revocation Services: TSPs maintain certificate revocation lists or provide online certificate status protocol (OCSP) services. In KERI, this is achieved through transaction event logs (TELs) that track credential issuance and revocation state.
KERI digital signatures provide the cryptographic foundation for implementing legally binding electronic signatures:
Non-Repudiation: KERI's key event receipt infrastructure creates an immutable, verifiable record of all key management operations. When a controller signs a document or transaction, the signature is cryptographically bound to their AID and can be verified against their KEL, providing strong non-repudiation.
Authenticity: Self-certifying identifiers eliminate reliance on certificate authorities for establishing key-to-identifier bindings. The identifier itself is derived from the public key, creating a cryptographic root of trust that satisfies the authenticity requirements of electronic signature regulations.
Integrity: Every KERI event includes a SAID (Self-Addressing Identifier) that cryptographically binds the event content to its identifier. This ensures that signed documents cannot be altered without detection, satisfying integrity requirements.
Electronic signature regulations often require multiple signatories for certain transactions. KERI's multi-signature capabilities directly support these requirements:
Threshold Signatures: Multi-sig AIDs can be configured with signing thresholds that require M-of-N signatures. This directly implements regulatory requirements for multiple authorized signatories.
Weighted Signatures: KERI supports weighted multi-sig where different signatories have different voting weights. This enables sophisticated governance models where senior officers may have greater signing authority.
Delegated Authority: Cooperative delegation enables hierarchical signing authority where a root entity delegates signing rights to subordinate entities. This supports organizational structures where different departments or roles have different signing authorities.
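As an added illustration of the M-of-N signing threshold described above, together with the pre-rotation commitment that KERI key rotation relies on (a verifier only accepts a rotation whose revealed keys match the digest committed to earlier). This is example code written for this page, not keripy or any GLEIF code: the KeyState, Rotate and Verify names, the SHA-256 digest over the concatenated next keys and the index-to-signature map are simplifying assumptions, not KERI's actual event format or derivation codes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyState is a simplified model of what a verifier derives from a KEL: the
// current keys, the M-of-N signing threshold and the pre-rotation commitment
// (digest of the next key set). Constructed for this example, not keripy's format.
type KeyState struct {
	Keys []ed25519.PublicKey
	Sith int    // at least Sith distinct current keys must sign
	Next []byte // digest committed to the next key set
}

// DigestKeys commits to a key set without revealing it (pre-rotation).
func DigestKeys(keys []ed25519.PublicKey) []byte {
	h := sha256.New()
	for _, k := range keys {
		h.Write(k)
	}
	return h.Sum(nil)
}

// Rotate accepts a rotation only if the revealed keys match the prior commitment.
func (ks *KeyState) Rotate(keys []ed25519.PublicKey, sith int, next []byte) bool {
	if !bytes.Equal(DigestKeys(keys), ks.Next) {
		return false
	}
	ks.Keys, ks.Sith, ks.Next = keys, sith, next
	return true
}

// Verify accepts doc only if at least Sith current keys validly signed it. sigs maps
// a key's index in the current set to its signature (indexed signatures, as KERI
// attaches them); a signature that fails against the key at its index does not count.
func (ks *KeyState) Verify(doc []byte, sigs map[int][]byte) bool {
	valid := 0
	for i, sig := range sigs {
		if i >= 0 && i < len(ks.Keys) && ed25519.Verify(ks.Keys[i], doc, sig) {
			valid++
		}
	}
	return valid >= ks.Sith
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	pubC, _, _ := ed25519.GenerateKey(rand.Reader) // next key: only its digest is published
	ks := &KeyState{Keys: []ed25519.PublicKey{pubA, pubB}, Sith: 2, Next: DigestKeys([]ed25519.PublicKey{pubC})}
	doc := []byte("constructed sample purchase order")
	both := map[int][]byte{0: ed25519.Sign(privA, doc), 1: ed25519.Sign(privB, doc)}
	fmt.Println("2-of-2:", ks.Verify(doc, both), "1-of-2:", ks.Verify(doc, map[int][]byte{0: both[0]}))
	fmt.Println("uncommitted rotation accepted:", ks.Rotate([]ed25519.PublicKey{pubA}, 1, nil))
	fmt.Println("committed rotation accepted:", ks.Rotate([]ed25519.PublicKey{pubC}, 1, nil), "old signatures after rotation:", ks.Verify(doc, both))
}
```

A real verifier derives Keys, Sith and Next by replaying the controller's KEL rather than from in-memory values, but the acceptance rules are the ones shown: enough distinct current keys, and rotations only to keys committed to in advance.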
Electronic signature regulations often require trusted timestamping. KERI provides this through:
Sequence Numbers: Every event in a KEL includes a sequence number that establishes ordering. While not a wall-clock timestamp, this provides verifiable ordering of signing events.
Witness Receipts: Witnesses provide receipts that include timestamps, creating a distributed timestamping infrastructure. The first-seen policy ensures that the earliest witness receipt establishes the authoritative timestamp.
Anchoring: KERI events can be anchored to external timestamping authorities or blockchains through seals, providing additional timestamp evidence when required by regulations.
While electronic signatures themselves don't have a lifecycle, the credentials that authorize electronic signatures do:
When a vLEI credential is issued that authorizes an individual to create electronic signatures on behalf of an organization:
When verifying an electronic signature created using a vLEI credential:
When an individual's signing authority is revoked:
The vLEI Ecosystem Governance Framework establishes the governance structure for electronic signatures in the vLEI ecosystem. Key documents include:
Core Policies: Define the fundamental principles governing electronic signatures, including requirements for non-repudiation, authenticity, and integrity.
Information Trust Policies: Establish requirements for information security, privacy, availability, confidentiality, and processing integrity that apply to all electronic signature operations.
Each vLEI credential type has its own governance framework that specifies electronic signature requirements:
QVI Credential Governance Framework: Defines requirements for electronic signatures used by GLEIF when issuing QVI credentials.
Legal Entity vLEI Credential Governance Framework: Specifies electronic signature requirements for QVIs issuing Legal Entity credentials.
OOR Credential Governance Framework: Establishes requirements for electronic signatures by Official Organizational Role holders.
ECR Credential Governance Framework: Defines electronic signature requirements for Engagement Context Role holders.
vLEI Issuer Qualification Program Checklist: Requires electronic signatures from DARs when applying to become a QVI. The document explicitly states: "The Checklist can be signed with the digital certificate of the Designated Authorized Representative or a notarized copy of the Designated Authorized Representative's signature."
vLEI Issuer Qualification Agreement: Establishes the contractual framework under which QVIs operate, including requirements for electronic signatures in credential issuance and revocation operations.
While not governance documents per se, several technical specifications are normatively referenced by governance frameworks:
KERI Specification: Defines the cryptographic primitives and protocols that implement electronic signatures in the vLEI ecosystem.
ACDC Specification: Specifies the credential format and signature attachment mechanisms.
CESR Specification: Defines the encoding format for cryptographic primitives including signatures.
CESR Proof Signatures Specification: Extends CESR to provide transposable cryptographic signature attachments on self-addressing data (SAD), enabling signatures on nested credential structures.
Electronic signature regulations vary significantly across jurisdictions, creating challenges for global systems like vLEI:
eIDAS (European Union): Establishes three tiers of electronic signatures (simple, advanced, qualified) with qualified electronic signatures having the highest legal presumption of validity. Requires qualified certificates from accredited trust service providers.
ESIGN Act (United States): Takes a technology-neutral approach, generally recognizing electronic signatures as legally binding without prescribing specific technical implementations. NIST-DSS provides technical standards for federal use.
ZertES (Switzerland): Similar to eIDAS, establishes regulated and advanced electronic signatures with specific technical requirements.
The vLEI ecosystem addresses cross-jurisdictional challenges through:
Technology-Neutral Governance: The vLEI governance framework establishes principles (non-repudiation, authenticity, integrity) that can be satisfied under multiple regulatory regimes rather than prescribing specific technical implementations.
Qualified Issuer Model: The QVI qualification process ensures issuers meet high standards that satisfy requirements across multiple jurisdictions. QVIs may hold additional certifications (eIDAS ETSI EN 319 401, WebTrust, ISO 27001) that provide regulatory recognition.
Credential Chaining: The vLEI credential chain from GLEIF root through QVI to Legal Entity to role holders creates a verifiable trust chain that can be mapped to qualified certificate hierarchies required by regulations like eIDAS.
Electronic signatures enable automated, legally binding commercial transactions:
Purchase Orders: A company's authorized representative can electronically sign purchase orders using their ECR credential, creating a legally binding commitment.
Contracts: Multi-party contracts can be executed using multi-signature mechanisms where each party's authorized representative signs using their vLEI credentials.
Payment Authorizations: Financial transactions can be authorized through electronic signatures that satisfy banking regulations, with the vLEI credential chain providing the required identity assurance.
Government agencies increasingly require or accept electronic signatures for regulatory submissions:
SEC Filings: The SEC registration pilot demonstrates how ECR credential holders can submit signed regulatory reports that satisfy SEC electronic signature requirements.
Tax Filings: Corporate tax returns can be electronically signed by authorized officers using OOR credentials that establish their authority.
Licensing Applications: Applications for business licenses, permits, or certifications can be electronically signed by DARs or AVRs.
Electronic signatures streamline supply chain operations:
Bills of Lading: Shipping documents can be electronically signed by authorized representatives, reducing delays and fraud in international trade.
Certificates of Origin: Export documentation can be electronically signed by authorized company representatives and verified by customs authorities.
Quality Certifications: Product quality certificates can be electronically signed by authorized inspectors, with the signature chain providing traceability back to the certifying organization.
The security of electronic signatures implemented through digital signatures depends critically on key management:
Key Generation: Keys must be generated using cryptographically secure random number generators with sufficient entropy (minimum 128 bits).
Key Storage: Private keys should be stored in hardware security modules (HSMs) or trusted execution environments (TEEs) to prevent compromise.
Key Rotation: KERI's pre-rotation mechanism enables secure key rotation, allowing organizations to periodically update keys without disrupting operations.
The reliability of electronic signatures in KERI depends on witness infrastructure:
Witness Selection: Controllers should select witnesses with high availability and strong security practices. The witness threshold should be set to tolerate expected witness failures.
Witness Diversity: Geographic and organizational diversity of witnesses reduces the risk of coordinated compromise or censorship.
Witness Monitoring: Watchers provide additional security by monitoring for duplicity in witness behavior.
The effectiveness of electronic signature revocation depends on timely propagation:
TEL Updates: Credential revocations must be promptly recorded in TELs and propagated to witnesses.
Verification Frequency: Verifiers should check revocation status at the time of signature verification, not rely on cached credential status.
Grace Periods: Some regulations require grace periods between revocation and enforcement, which must be considered in system design.
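The verification-time revocation check above and the credential chain verification required of verifiers (from the signer's role credential back to the GLEIF root AID) as one added Go example. This is illustrative code written for this page, not the vLEI ecosystem's or keripy's: the Credential and Verifier types, the in-memory TEL map and the AID_*/SAID_* placeholder identifiers are assumptions, and the chain walk simplifies ACDC edges to a single parent SAID.

```go
package main

import "fmt"

// Credential is a simplified ACDC: SAID, type label, issuer and issuee AIDs, and the
// SAID of the credential it chains to (empty at the top). Constructed model, not the ACDC schema.
type Credential struct {
	SAID, Type, Issuer, Issuee, Chain string
}

// Verifier holds resolved credentials, the revocation state read from the issuers'
// TELs (SAID -> revoked; an absent SAID means no evidence) and the GLEIF root AID.
type Verifier struct {
	Creds map[string]Credential
	TEL   map[string]bool
	Root  string
}

// VerifyChain walks from the signer's role credential back to the GLEIF root, checking
// at every hop, against the TEL as it is now, that the credential is known and
// unrevoked and that its issuer holds the parent credential.
func (v *Verifier) VerifyChain(signer, said string) error {
	for hop := 0; hop < 8; hop++ { // bounded walk: a malformed chain must not loop
		c, ok := v.Creds[said]
		if !ok || (hop == 0 && c.Issuee != signer) {
			return fmt.Errorf("%s: unknown or not held by signer %s", said, signer)
		}
		if revoked, known := v.TEL[c.SAID]; !known || revoked {
			return fmt.Errorf("%s (%s): revoked or no TEL status", c.SAID, c.Type)
		}
		if c.Chain == "" { // top of chain: must have been issued by GLEIF itself
			if c.Issuer != v.Root {
				return fmt.Errorf("%s: chain does not end at the GLEIF root", c.SAID)
			}
			return nil
		}
		if v.Creds[c.Chain].Issuee != c.Issuer {
			return fmt.Errorf("%s: issuer %s does not hold parent %s", c.SAID, c.Issuer, c.Chain)
		}
		said = c.Chain
	}
	return fmt.Errorf("chain from %s is too long", said)
}

// SampleChain builds a constructed GLEIF -> QVI -> Legal Entity -> ECR chain;
// the AIDs and SAIDs are placeholders, not real identifiers.
func SampleChain() *Verifier {
	qvi := Credential{"SAID_QVI", "QVI", "AID_GLEIF", "AID_QVI", ""}
	le := Credential{"SAID_LE", "LegalEntity", "AID_QVI", "AID_LE", "SAID_QVI"}
	ecr := Credential{"SAID_ECR", "ECR", "AID_LE", "AID_PERSON", "SAID_LE"}
	return &Verifier{Root: "AID_GLEIF",
		Creds: map[string]Credential{qvi.SAID: qvi, le.SAID: le, ecr.SAID: ecr},
		TEL:   map[string]bool{qvi.SAID: false, le.SAID: false, ecr.SAID: false}} // all issued, none revoked
}

func main() {
	v := SampleChain()
	fmt.Println("at signing time:", v.VerifyChain("AID_PERSON", "SAID_ECR"))
	v.TEL["SAID_LE"] = true // Legal Entity credential revoked after the signature was made
	fmt.Println("at verification time:", v.VerifyChain("AID_PERSON", "SAID_ECR"))
}
```

The second call fails even though the ECR credential itself was never revoked: revoking a parent in the chain invalidates every signature that relied on it, which is why status must be read from the TEL at verification time rather than cached from signing time.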
As quantum computing advances threaten current cryptographic algorithms, electronic signature systems must evolve:
Algorithm Agility: KERI's derivation code system enables algorithm agility, allowing migration to post-quantum signature schemes without changing the overall architecture.
Pre-Rotation Protection: KERI's pre-rotation mechanism provides inherent post-quantum protection by keeping rotation keys hidden until use.
Electronic signature regulations continue to evolve:
Digital Identity Integration: Regulations increasingly recognize verifiable credentials and decentralized identity systems as valid electronic signature mechanisms.
Cross-Border Recognition: International agreements are emerging to provide mutual recognition of electronic signatures across jurisdictions.
Biometric Integration: Regulations are beginning to address biometric signatures and their relationship to traditional electronic signatures.
Emerging technologies create new electronic signature use cases:
Smart Contracts: Automated contract execution requires electronic signatures that can be verified by smart contract code.
AI Agents: As AI agents gain authority to act on behalf of organizations, electronic signature frameworks must address machine-generated signatures.
IoT Devices: Internet of Things devices may need to create electronic signatures, requiring lightweight cryptographic implementations.