External GARs: Manage the GLEIF External Delegated AID (GEDA) and interact with external ecosystem participants, specifically QVIs. External GARs are responsible for:

• Approving QVI delegated AID inception events
• Approving QVI group multisig rotations
• Issuing QVI vLEI Credentials to qualified issuers
• Managing the relationship between GLEIF and the QVI community

Internal GARs: Manage the GLEIF Internal Delegated AID (GIDA) for GLEIF's internal operations and infrastructure management.

The distinction ensures separation of concerns between GLEIF's internal operations and its external-facing authorization functions.

KERI Infrastructure Foundation

GARs operate within a KERI-based infrastructure where:

• GLEIF maintains a Root AID as the apex of the trust hierarchy
• The GLEIF External Delegated AID (GEDA) serves as the delegator for all QVI AIDs
• GARs control the GEDA through multi-signature group operations
• All GAR actions are cryptographically verifiable through KERI key event logs (KELs)

Roles & Responsibilities

Primary Responsibilities

1. Identity Verification and Assurance

GARs must perform rigorous identity verification of QVI Authorized Representatives (QARs) before authorizing QVI credential issuance. This verification process includes:

• NIST 800-63A Identity Assurance Level 2 (IAL2) compliance
• Real-time Out-Of-Band Introduction (OOBI) sessions with continuous audio/video presence
• Manual verification of legal identity credentials
• Challenge-response authentication using cryptographic signatures

The identity verification workflow requires GARs to:

1. Conduct live video sessions with all QVI participants
2. Verify government-issued identity documents
3. Exchange Autonomic Identifiers (AIDs) using OOBI protocols
4. Execute cryptographic challenge-response protocols to verify key control
5. Document all verification steps for governance compliance

2. QVI Delegation Approval

GARs approve the creation and management of QVI delegated AIDs through KERI delegation mechanisms:

Inception Approval: When a QVI establishes its group multisig AID, GARs must:

• Review the delegation inception configuration specifying the GEDA as delegator
• Verify that QVI participants meet qualification requirements
• Approve the delegation through KERI interaction events containing cryptographic seals
• Coordinate with other GAR group members to achieve signing threshold

Rotation Approval: When QVIs rotate their group multisig keys or change membership:

• GARs execute kli delegate confirm --alias "GLEIF External AID" --interact commands
• Multiple GARs coordinate to meet the GEDA's signing threshold
• The approval creates verifiable proof in the GLEIF KEL that the QVI rotation is authorized

3. QVI vLEI Credential Issuance

GARs issue QVI vLEI Credentials to qualified issuers, which serve as the authorization mechanism enabling QVIs to issue downstream credentials including:

• Legal Entity vLEI Credentials
• Legal Entity Official Organizational Role (OOR) vLEI Credentials
• Legal Entity Engagement Context Role (ECR) vLEI Credentials

The QVI vLEI Credential is an ACDC (Authentic Chained Data Container) that cryptographically binds the QVI's identity to GLEIF's authorization, creating a verifiable chain of trust.

4. Multi-Signature Group Coordination

GARs operate as part of a multi-signature group controlling the GEDA. This requires:

• Coordination among multiple GAR participants to achieve signing thresholds
• Secure key management using private key stores
• Participation in group multisig inception and rotation ceremonies
• Witness configuration and management for the GEDA

Authority and Permissions

GARs possess specific authorities within the vLEI ecosystem:

Authorization Authority: GARs have the exclusive authority to authorize QVIs by issuing QVI vLEI Credentials. This authorization is cryptographically verifiable through the ACDC credential structure and the KERI delegation chain.

Delegation Control: Through their control of the GEDA, GARs can approve or reject QVI delegated AID operations, including:

• Initial QVI AID inception
• QVI group membership changes
• QVI key rotations
• QVI credential revocations (when QVIs fail qualification or their LEI lapses)

Governance Enforcement: GARs enforce compliance with the vLEI Ecosystem Governance Framework by:

• Verifying QVI qualification requirements before authorization
• Monitoring QVI operations for governance compliance
• Revoking QVI credentials when qualification lapses or violations occur

Limitations

GAR authority is bounded by specific constraints:

Scope Limitation: GARs authorize QVIs but do not directly issue credentials to Legal Entities or individuals. The authorization chain is: GLEIF → GAR → QVI → Legal Entity → Individuals.

Governance Constraints: GARs must operate within the policies defined by the vLEI Ecosystem Governance Framework and cannot unilaterally modify governance rules.

Multi-Signature Requirements: Individual GARs cannot act alone; all GEDA operations require coordination among multiple GARs to meet signing thresholds, ensuring no single GAR can compromise the system.

Qualification Dependency: GARs can only authorize entities that meet the QVI qualification requirements defined in the vLEI Issuer Qualification Agreement and associated governance documents.

Credential Lifecycle

QVI vLEI Credential Issuance Process

The lifecycle of QVI authorization through GAR operations follows a structured process:

1. QVI Qualification Phase

• Prospective QVI completes the vLEI Issuer Qualification Program
• Submits vLEI Issuer Qualification Program Checklist
• Executes vLEI Issuer Qualification Agreement with GLEIF
• Designates QVI Authorized Representatives (QARs)

2. Identity Verification Phase

• GARs conduct NIST IAL2 identity verification of all QARs
• Real-time OOBI sessions establish cryptographic proof of key control
• Challenge-response protocols verify QAR AIDs
• Documentation of verification process for governance records

3. Delegation Approval Phase

• QVI participants create delegated multisig AID configuration
• Configuration specifies GEDA as delegator
• GARs review and approve delegation through KERI interaction events
• Multiple GARs coordinate to achieve GEDA signing threshold

4. Credential Issuance Phase

• GARs issue QVI vLEI Credential as ACDC
• Credential includes QVI's LEI, grace period, and authorization scope
• Credential is anchored to GEDA's KEL through cryptographic seals
• QVI receives credential and can begin issuing downstream credentials

Verification Procedures

Verifiers of QVI vLEI Credentials can cryptographically verify:

• The credential's SAID (Self-Addressing Identifier) for integrity
• The GAR's signature on the credential
• The delegation chain from GLEIF Root → GEDA → QVI
• The credential's status in the Transaction Event Log (TEL) registry

Revocation Conditions

GARs may revoke QVI vLEI Credentials under specific conditions:

Qualification Failure: QVI fails Annual vLEI Issuer Qualification or does not remediate qualification issues.

LEI Status Change: The QVI's Legal Entity Identifier lapses or is retired, invalidating their authorization to issue vLEI credentials.

Governance Violations: QVI violates terms of the vLEI Issuer Qualification Agreement or vLEI Ecosystem Governance Framework policies.

Grace Period Management: QVI vLEI Credentials include a grace period to allow GLEIF to manage transitions when QVIs are terminated, enabling Legal Entities to contract with new QVIs without credential disruption.

Revocation is executed through the TEL registry, creating a verifiable record of the credential's status change.

Related Governance Documents

Primary Governance Framework

vLEI Ecosystem Governance Framework v3.0 (2023-2025): The overarching governance document that establishes GLEIF's authority, defines stakeholder roles, and sets policies for the entire vLEI ecosystem.

GLEIF Identifier Governance Framework v1.0 (December 2022): Establishes the technical requirements and policies for GLEIF's Root AID and Delegated AIDs (GIDA and GEDA), including GAR operational procedures.

Credential-Specific Frameworks

Qualified vLEI Issuer vLEI Credential Governance Framework v1.5 (April 2025): Defines the requirements, issuance procedures, and lifecycle management for QVI vLEI Credentials that GARs issue.

Legal Entity vLEI Credential Framework v1.4 (April 2025): Establishes requirements for credentials issued by QVIs to Legal Entities, defining the downstream trust chain that GARs enable.

Legal Entity Official Organizational Role vLEI Credential Framework v1.4 (April 2025): Governs OOR credentials issued by QVIs, part of the credential hierarchy GARs authorize.

Legal Entity Engagement Context Role vLEI Credential Framework v1.4 (April 2025): Governs ECR credentials issued by QVIs, completing the credential types GARs indirectly enable through QVI authorization.

Technical Requirements

vLEI Ecosystem Governance Framework Technical Requirements Part 1: KERI Infrastructure v1.3 (April 2025): Specifies the KERI protocol requirements for all vLEI ecosystem participants, including GAR operations with the GEDA.

vLEI Ecosystem Governance Framework Technical Requirements Part 2: vLEI Credentials v1.1 (December 2023): Defines technical specifications for ACDC credential structures, including QVI vLEI Credentials issued by GARs.

Qualification and Compliance

vLEI Issuer Qualification Agreement: The contractual agreement between GLEIF and QVIs that GARs enforce through credential issuance and revocation.

vLEI Issuer Qualification Program Checklist v1.0 (December 2022): The assessment tool GARs use to verify QVI qualification before authorization.

vLEI Ecosystem Information Trust Policies v1.2 (April 2025): Establishes security, privacy, and operational policies that GARs must enforce in their interactions with QVIs.

Risk and Assurance

vLEI Ecosystem Governance Framework Risk Assessment v1.2 (December 2023): Identifies risks in the vLEI ecosystem, including risks related to GAR operations and QVI authorization.

vLEI Ecosystem Governance Framework Trust Assurance Framework v1.5 (April 2025): Maps governance requirements to ISO 20000 certification and other assurance mechanisms, including GAR operational controls.

Operational Context

GARs operate at the critical juncture where GLEIF's governance authority translates into operational trust infrastructure. Their role combines:

• Governance enforcement through credential issuance and revocation
• Cryptographic verification through KERI protocol operations
• Identity assurance through rigorous verification procedures
• Multi-party coordination through group multisig operations

This combination ensures that the vLEI ecosystem maintains both strong cryptographic security (through KERI) and robust governance compliance (through GLEIF's oversight), with GARs serving as the operational bridge between these two dimensions of trust.