vLEI.wiki Comprehensive knowledge base for KERI (Key Event Receipt Infrastructure) and vLEI (verifiable Legal Entity Identifier) ecosystem.
Made by Key State Capital.
© 2025 vLEI.wiki. Educational resource for KERI/vLEI ecosystem.
governance-framework - vLEI.wiki | KERI Knowledge Base - vLEI.wiki
Short Definition
A governance framework is a structured collection of governance documents published by a governing body that establishes rules, procedures, policies, and informational guidelines for a trust community, defining power structures and management roles within an organization or ecosystem.
Comprehensive Explanation governance-framework
Official Definition
A governance framework is formally defined as a collection of one or more governance documents published by the governing body of a trust community. In the digital identity industry, the term trust framework is often used interchangeably with governance framework.
According to the canonical KERI/GLEIF glossary, governance frameworks are "the structure of a government and reflect the interrelated relationships, factors, and other influences upon the institution. Governance frameworks structure and delineate power and the governing or management roles in an organization. They also set rules, procedures, and other informational guidelines."
Within the Trust over IP (ToIP) ecosystem, a governance framework must conform to the ToIP Governance Architecture Specification and follow the ToIP Governance Metamodel.
Official Abbreviations
GF : Governance Framework
EGF : Ecosystem Governance Framework (as in vLEI EGF)
ToIP GF : Trust over IP Governance Framework
Governance Context
vLEI Ecosystem Role
In the verifiable Legal Entity Identifier (vLEI) ecosystem, governance frameworks serve as the authoritative policy documents that establish:
Credential Requirements : Technical specifications for each vLEI credential type (QVI, Legal Entity, OOR, ECR)
Identity Verification Standards : Procedures for identity assurance and authentication (e.g., NIST IAL2 compliance)
Operational Policies : Rules for credential issuance, verification, and revocation
Trust Policies : Information security, privacy, availability, confidentiality, and processing integrity requirements
Technical Requirements : KERI infrastructure specifications, witness pool configurations, key management standards
The vLEI Ecosystem Governance Framework v3.0 represents the overarching governance structure, with multiple subsidiary frameworks addressing specific credential types and operational domains.
Implementation Notes
Governance Framework Implementation Considerations
For Governing Bodies
Document Structure : Use the ToIP Governance Metamodel to structure frameworks with clear sections for purpose, scope, principles, policies, and definitions
Version Control : Implement semantic versioning (major.minor.patch) with clear change logs
DID-Based Identification : Assign KERI-based DIDs to governance documents for immutable references
Stakeholder Engagement : Involve trust community members in framework development through public comment periods
Compliance Monitoring : Establish audit mechanisms and enforcement procedures
For Governed Parties (QVIs, Legal Entities)
Policy Mapping : Create internal compliance matrices mapping governance requirements to operational procedures
Training Programs : Ensure all personnel understand applicable governance requirements
Audit Preparation : Maintain documentation demonstrating compliance with MUST/SHOULD requirements
Version Tracking : Monitor governance framework updates and plan implementation within required timeframes
Incident Response : Establish procedures for reporting and remediating governance violations
For Implementers (Software Developers)
Schema Validation : Implement automated validation against published JSON schemas
Policy Enforcement : Build business logic that enforces governance rules (e.g., multi-signature thresholds)
Audit Trails : Log all governance-relevant actions for compliance verification
Version Compatibility : Support multiple governance framework versions during transition periods
Error Handling : Provide clear error messages when governance requirements are not met
Critical Success Factors
Clarity : Governance requirements must be unambiguous and testable
Consistency : Policies across different frameworks must not conflict
Completeness : All credential lifecycle stages must be addressed
Enforceability : Violations must have clear consequences
Evolvability : Frameworks must support updates without ecosystem disruption
GLEIF Context
The Global Legal Entity Identifier Foundation (GLEIF) serves as the governing body for the vLEI ecosystem, publishing and maintaining governance frameworks that:
Establish GLEIF as the cryptographic root of trust through the GLEIF Root AID
Define qualification requirements for Qualified vLEI Issuers (QVIs)
Specify credential schemas and validation rules
Set compliance standards for all ecosystem participants
Provide risk assessment and trust assurance frameworks
GLEIF's governance frameworks operate under a Creative Commons Attribution license, ensuring open access while maintaining clear provenance and authority.
Governance frameworks interact with several key entities:
Governing Body : The authoritative party (or set of parties) responsible for developing, publishing, and maintaining the governance framework
Trust Community : The ecosystem of participants governed by the framework (issuers, holders, verifiers)
Governed Parties : Entities whose roles are defined and constrained by governance requirements
Regulatory Oversight Committee (ROC) : In GLEIF's case, 71 regulators and 19 observers from 50 countries providing oversight
Roles & Responsibilities
Primary Responsibilities
A governance framework establishes:
Authority Structures : Defines who has power to make decisions, issue credentials, verify identities, and enforce policies
Operational Procedures : Specifies step-by-step processes for credential lifecycle management
Compliance Requirements : Establishes mandatory standards (using RFC 2119 keywords: MUST, SHOULD, MAY)
Risk Management : Identifies threats and mitigation strategies
Dispute Resolution : Provides mechanisms for handling conflicts and violations
Authority and Permissions
Governance frameworks grant specific authorities:
For GLEIF (as Governing Body) :
Authority to qualify and terminate QVIs
Power to update governance framework versions
Right to audit QVI compliance
Ability to revoke credentials for non-compliance
For QVIs (Qualified vLEI Issuers) :
Authority to issue Legal Entity vLEI Credentials
Permission to verify Legal Entity identities
Right to revoke credentials under specified conditions
Obligation to maintain qualification standards
For Legal Entities :
Authority to designate Authorized Representatives
Permission to request credential issuance
Right to revoke role credentials
Obligation to maintain valid LEI status
Limitations
Governance frameworks explicitly define limitations:
Scope Boundaries : Frameworks apply only to specified credential types and participants
Jurisdictional Limits : Must comply with local regulations (GDPR, data protection laws)
Technical Constraints : Cannot violate KERI protocol specifications or cryptographic requirements
Temporal Limits : Version upgrade policies (e.g., 18-month backward compatibility, 12-month implementation windows)
Authority Constraints : QVIs cannot issue credentials outside their qualification scope
Governance Framework Types
Ecosystem-Level Frameworks
The vLEI Ecosystem Governance Framework establishes universal policies applying to all participants:
Information Trust Policies : Security, privacy, availability, confidentiality, processing integrity
Core Policies : Foundational principles guiding all subsidiary frameworks
Risk Assessment : Comprehensive threat analysis and mitigation strategies
Trust Assurance : Compliance matrices mapping requirements to implementation
Credential-Specific Frameworks
Each vLEI credential type has a dedicated governance framework:
Qualified vLEI Issuer Identifier Governance Framework : Governs QVI Delegated AIDs and QVI vLEI Credentials
Legal Entity vLEI Credential Framework : Defines requirements for organizational identity credentials
Legal Entity Official Organizational Role (OOR) vLEI Credential Framework : Governs credentials for official representatives
Legal Entity Engagement Context Role (ECR) vLEI Credential Framework : Addresses functional/contextual role credentials
QVI Authorization vLEI Credential Framework : Governs authorization credentials enabling Legal Entities to instruct QVIs
Technical Requirements Frameworks
Separate frameworks address technical infrastructure:
KERI Infrastructure Technical Requirements : Witness pools, key management, AID generation
vLEI Credential Schema Registry : Schema definitions and validation rules
ACDC Technical Requirements : Authentic Chained Data Container specifications
Governance Framework Structure
Document Components
A typical vLEI governance framework includes:
Purpose and Scope : Defines objectives and applicability boundaries
Guiding Principles : Foundational concepts (e.g., "Binding to Holder," "Context Independence")
Issuer Policies : Qualification requirements, operational procedures
Holder Policies : Rights, responsibilities, credential management
Verifier Policies : Verification procedures, acceptance criteria
Credential Definition : Schema specifications, required fields, data formats
Identity Verification Requirements : Identity assurance and authentication procedures
Revocation Policies : Conditions and procedures for credential revocation
Compliance and Enforcement : Audit requirements, violation consequences
Glossary : Definitions of capitalized terms
Policy Hierarchy
Governance frameworks operate in a hierarchical structure:
vLEI Ecosystem Governance Framework (Core Policies)
├── Information Trust Policies
├── Risk Assessment Framework
├── Trust Assurance Framework
└── Credential-Specific Frameworks
    ├── QVI Identifier Governance Framework
    ├── Legal Entity vLEI Credential Framework
    ├── OOR vLEI Credential Framework
    ├── ECR vLEI Credential Framework
    └── QVI Authorization vLEI Credential Framework
Subsidiary frameworks apply policies "in addition to" the Core Policies, creating layered compliance requirements.
Credential Lifecycle Governance
Issuance Process
Governance frameworks specify detailed issuance procedures:
Pre-Issuance Requirements :
Identity verification (IAL2 compliance, OOBI sessions)
Authorization validation (DAR/LAR approval)
AID establishment and witness configuration
Registry creation for credential status tracking
Issuance Execution :
Schema validation against published JSON schemas
Multi-signature requirements (threshold configurations)
ACDC construction with proper chaining (edges to parent credentials)
Anchoring to Transaction Event Log (TEL)
Post-Issuance Obligations :
Notification to credential holder
Registry status updates
Audit trail maintenance
Verification Procedures
Frameworks define verification requirements:
Cryptographic Verification :
SAID validation (content integrity)
Signature verification against issuer AID
KEL validation (key state verification)
Witness receipt validation
Status Verification :
TEL query for revocation status
LEI validity check (Active Entity Status)
Grace period consideration (90-day default)
Business Logic Verification :
Schema compliance
Edge validation (credential chaining)
Attribute verification (LEI format, role descriptions)
Revocation Conditions
Governance frameworks specify mandatory and optional revocation triggers:
QVI fails Annual vLEI Issuer Qualification
Legal Entity's LEI lapses or is retired
Credential holder requests revocation
Fraud or misrepresentation discovered
Role change (OOR/ECR person leaves position)
Legal Entity terminates QVI contract
Security compromise detected
Primary vLEI Governance Documents
vLEI Ecosystem Governance Framework v3.0 (Umbrella document)
vLEI Ecosystem Information Trust Policies v1.2
vLEI Ecosystem Risk Assessment v1.2
vLEI Ecosystem Trust Assurance Framework v1.5
vLEI Ecosystem Glossary v1.3
Credential Framework Documents
Qualified vLEI Issuer Identifier Governance Framework and vLEI Credential Framework v1.5
Legal Entity vLEI Credential Framework v1.4
Legal Entity Official Organizational Role vLEI Credential Framework v1.4
Legal Entity Engagement Context Role vLEI Credential Framework v1.4
Qualified vLEI Issuer Authorization vLEI Credential Framework v1.3
Technical Specifications
Technical Requirements Part 1: KERI Infrastructure 2024 v1.3
Technical Requirements Part 2: vLEI Credentials (referenced but not fully provided)
Technical Requirements Part 3: vLEI Credential Schema Registry (referenced but not fully provided)
Operational Documents
vLEI Issuer Qualification Agreement (Appendices 1-3)
Appendix 1: Non-Disclosure Agreement
Appendix 2: Service Level Agreement
Appendix 3: vLEI Issuer Qualification Program Checklist
GLEIF Identifier Governance Framework v1.0
Governance Framework Evolution
Version Management
Governance frameworks follow structured versioning:
Major versions (e.g., v3.0): Significant structural changes, new credential types
Minor versions (e.g., v1.4): Policy updates, clarifications, non-breaking changes
Revision dates : All documents include publication dates for temporal tracking
Update Policies
The vLEI ecosystem implements specific update policies:
18-month backward compatibility : Previous versions must be supported for 18 months after new version adoption
12-month implementation window : New versions must be implemented within 12 months of approval
Breaking change restrictions : Breaking changes cannot be used until adoption period expires
DID-Based Identification
Governance documents are identified using KERI-based DIDs:
did:keri:EINmHd5g7iV-UldkkkKyBIH052bIyxZNBn9pq-zNrYoS?service=vlei-documents&relativeRef=/egf/docs/...
Immutable references : DIDs uniquely identify document versions
Verifiable provenance : Cryptographic proof of GLEIF authorship
Decentralized resolution : Documents accessible without centralized infrastructure
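A reference in this form can be checked before it is resolved. The following is an added example, not GLEIF's or the site's code: it splits the DID URL printed above (elided tail kept exactly as printed) and accepts it only when the AID and service match values the verifier has pinned. The function names and the pinning policy are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Reference exactly as printed above, including its elided "..." tail.
PAGE_DID = ("did:keri:EINmHd5g7iV-UldkkkKyBIH052bIyxZNBn9pq-zNrYoS"
            "?service=vlei-documents&relativeRef=/egf/docs/...")

# In CESR encoding a leading "E" marks a Blake3-256 digest; such a
# self-addressing prefix is 44 Base64URL characters long.
AID_RE = re.compile(r"E[A-Za-z0-9_-]{43}")


def parse_governance_did(did_url):
    """Split a did:keri DID URL into its AID, service and relativeRef."""
    did, _, query = did_url.partition("?")
    parts = did.split(":")
    if len(parts) != 3 or parts[:2] != ["did", "keri"]:
        raise ValueError("not a did:keri identifier")
    aid = parts[2]
    if not AID_RE.fullmatch(aid):
        raise ValueError("AID is not a 44-character digest-based prefix")
    params = parse_qs(query, strict_parsing=True) if query else {}
    for name, values in params.items():
        if len(values) != 1:  # a repeated parameter makes the target ambiguous
            raise ValueError("duplicate DID URL parameter: " + name)
    ref = params.get("relativeRef", [""])[0]
    if ref and (not ref.startswith("/") or ".." in ref.split("/")):
        raise ValueError("relativeRef must be an absolute path without '..'")
    return {"aid": aid,
            "service": params.get("service", [None])[0],
            "relative_ref": ref or None}


def is_pinned_reference(did_url, trusted_aid, service):
    """True only if the reference names the pinned AID and service (hypothetical policy)."""
    try:
        parsed = parse_governance_did(did_url)
    except ValueError:
        return False  # fail closed on anything malformed
    return parsed["aid"] == trusted_aid and parsed["service"] == service
```

Passing this check shows only that the reference is well formed and names the expected controller; provenance still depends on verifying the controller's key event log during resolution.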
Governance Framework Compliance
Compliance Levels
Frameworks use RFC 2119 keywords to specify requirement levels:
MUST/REQUIRED/SHALL : Mandatory for compliance
SHOULD/RECOMMENDED : Strong recommendation, deviation requires justification
MAY/OPTIONAL : Implementer discretion
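The three levels translate directly into how an unmet requirement is treated in a compliance matrix. The following is an added example, not code from GLEIF or the site: it classifies requirement statements by keyword and sorts unmet ones into violations and SHOULD-level deviations with or without a recorded justification. The matrix rows are constructed, and the report layout is an assumption.

```python
import re

# Only uppercase keywords count; lowercase "may" or "should" is ordinary prose.
# Negated forms (MUST NOT, SHALL NOT, SHOULD NOT) carry the same level.
LEVELS = [
    ("mandatory", re.compile(r"\b(MUST|REQUIRED|SHALL)\b")),
    ("recommended", re.compile(r"\b(SHOULD|RECOMMENDED)\b")),
    ("optional", re.compile(r"\b(MAY|OPTIONAL)\b")),
]


def requirement_level(text):
    """Return the strongest requirement level a statement carries, or None."""
    for level, pattern in LEVELS:
        if pattern.search(text):
            return level
    return None


def evaluate(matrix):
    """Sort unmet requirements into violations and SHOULD-level deviations."""
    report = {"violations": [], "needs_justification": [], "justified": []}
    for row in matrix:
        level = requirement_level(row["text"])
        if row["met"] or level in (None, "optional"):
            continue  # met, informational, or left to implementer discretion
        if level == "mandatory":
            report["violations"].append(row["id"])
        elif (row.get("justification") or "").strip():
            report["justified"].append(row["id"])
        else:
            report["needs_justification"].append(row["id"])
    report["compliant"] = not report["violations"]
    return report


# Constructed compliance matrix; the requirement texts are illustrative,
# not quotations from any GLEIF document.
SAMPLE_MATRIX = [
    {"id": "R1", "text": "Issuers MUST validate credentials against the published JSON schema.", "met": True},
    {"id": "R2", "text": "Issuance SHALL NOT proceed below the multi-signature threshold.", "met": False},
    {"id": "R3", "text": "QVIs SHOULD log every revocation request.", "met": False},
    {"id": "R4", "text": "Verifiers SHOULD cache witness receipts.", "met": False,
     "justification": "Receipts are fetched live on every check."},
    {"id": "R5", "text": "Holders MAY keep an offline backup.", "met": False},
    {"id": "R6", "text": "Staff may attend refresher training.", "met": False},
]
```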
Audit and Enforcement
Governance frameworks establish audit mechanisms:
Annual vLEI Issuer Qualification : Formal evaluation of QVI compliance
Extraordinary Qualification : Ad-hoc reviews for suspected violations
Incident Reporting : Mandatory documentation of security/privacy breaches
Audit Reports : QVIs must provide internal/external audit documentation
Consequences of Non-Compliance
QVI Termination : Loss of qualification and credential issuance authority
Credential Revocation : Automatic revocation of issued credentials
Legal Liability : Potential breach of vLEI Issuer Qualification Agreement
Reputational Damage : Public disclosure of non-compliance
Governance Framework Benefits
For Ecosystem Participants
Clarity : Unambiguous rules and procedures
Interoperability : Consistent standards enable cross-organization compatibility
Trust : Transparent governance builds confidence
Risk Mitigation : Defined security and privacy protections
Legal Protection : Clear contractual obligations and liabilities
For the Ecosystem
Scalability : Standardized processes enable growth
Security : Comprehensive threat mitigation
Regulatory Compliance : Alignment with GDPR, ISO standards
Innovation : Clear boundaries enable creative solutions within constraints
Sustainability : Long-term viability through structured governance
Relationship to KERI Protocol
Governance frameworks operate above the KERI protocol layer:
KERI provides : Cryptographic infrastructure (AIDs, KELs, witnesses, pre-rotation)
Governance frameworks provide : Business rules, identity verification, credential semantics
Protocol stability : KERI specifications remain unchanged
Governance flexibility : Frameworks can evolve without protocol changes
Multiple ecosystems : Different governance frameworks can use the same KERI infrastructure
Future Directions
Machine-Readable Governance
The ToIP Governance Metamodel envisions machine-readable governance frameworks where:
Policies are expressed in formal languages
Automated compliance checking is possible
Smart contracts enforce governance rules
Cross-Ecosystem Interoperability
Governance frameworks are evolving to support:
Mutual recognition : Credentials from one ecosystem accepted in another
Federated governance : Multiple governing bodies coordinating policies
Portable reputation : Trust signals transferring across ecosystems
Regulatory Integration
Governance frameworks increasingly align with:
eIDAS 2.0 : European digital identity regulations
NIST standards : Identity assurance and authentication frameworks
ISO certifications : 20000, 27001, and other international standards