Official Abbreviations:

• OOR: Official Organizational Role
• vLEI: verifiable Legal Entity Identifier
• QVI: Qualified vLEI Issuer
• LAR: Legal Entity Authorized Representative
• QAR: QVI Authorized Representative

Governance Context

Position in vLEI Ecosystem Hierarchy

The OOR vLEI Credential Governance Framework occupies a critical position in the vLEI ecosystem trust chain. According to Document 9, the ecosystem establishes a hierarchical trust chain: GLEIF → QVIs → Legal Entities → OOR Persons → ECR Persons.

The OOR credential framework sits at the fourth tier of this hierarchy:

1. GLEIF Root: GLEIF operates as both Governing and Administering Authority with LEI 506700GE1G29325QX363
2. QVI Tier: Qualified vLEI Issuers receive credentials from GLEIF via the Qualified vLEI Issuer vLEI Credential Governance Framework
3. Legal Entity Tier: Legal Entities receive credentials via the Legal Entity vLEI Credential Governance Framework
4. OOR Tier: Individuals in official organizational roles receive OOR vLEI Credentials (this framework)
5. ECR Tier: Individuals in engagement context roles receive ECR vLEI Credentials

GLEIF Ecosystem Integration

As documented in Document 9, GLEIF serves dual roles as both Governing and Administering Authority for the vLEI ecosystem, consolidating governance control while maintaining the public-private partnership model that has characterized the Global LEI System (GLEIS) since its inception following the 2008 financial crisis. The OOR credential framework operates under this consolidated authority structure.

The framework represents a significant evolution from traditional LEI systems to a cryptographically verifiable credential system built on KERI infrastructure using Authentic Chained Data Container (ACDC) credentials. This technical foundation enables the OOR credentials to provide cryptographically verifiable proof of an individual's authority to act on behalf of a Legal Entity.

Related Governance Entities

The OOR framework interacts with several key governance entities:

• Qualified vLEI Issuers (QVIs): Organizations contracted by Legal Entities to issue OOR credentials
• Legal Entity Authorized Representatives (LARs): Individuals authorized to request OOR credential issuance
• QVI Authorized Representatives (QARs): Representatives who perform identity verification and credential issuance
• OOR Persons: Individuals holding official organizational roles who receive OOR credentials

Roles & Responsibilities

Core Purpose and Scope

According to Document 4, the OOR vLEI Credential enables simple, safe, secure identification of individuals holding official organizational roles to any verifier accepting such credentials. The framework scope is explicitly limited to three stakeholder categories:

• Issuers: Qualified vLEI Issuers (QVIs) contracted by Legal Entities
• Holders: Individuals serving in official organizational roles
• Verifiers: Any party accepting OOR vLEI Credentials for identity verification

Primary Responsibilities

Issuer Responsibilities (QVIs)

Only Qualified vLEI Issuers (QVIs) contracted by Legal Entities holding valid Legal Entity vLEI Credentials may issue OOR vLEI Credentials. As specified in Document 4, the issuance process requires:

1. Use of the standardized OOR vLEI Credential schema defined in the WebOfTrust GitHub repository
2. Inclusion of all required claims as specified in the schema
3. Adherence to the ACDC (Authentic Chained Data Container) specification
4. Performance of multi-level identity verification (detailed below)
5. Maintenance of credential lifecycle management capabilities

Holder Responsibilities (OOR Persons)

Individuals receiving OOR vLEI Credentials must:

• Maintain control over their Autonomic Identifier (AID)
• Protect their private keys and credential data
• Present credentials only in authorized contexts
• Report credential compromise or loss
• Comply with the Legal Entity's policies regarding credential use

Verifier Responsibilities

Entities accepting OOR vLEI Credentials must:

• Verify the cryptographic integrity of presented credentials
• Check credential revocation status
• Validate the credential chain back to GLEIF's root of trust
• Implement appropriate access control based on verified roles

Authority and Permissions

Cryptographic Binding to Holder

As established in Document 4, the framework establishes a foundational principle of strong cryptographic binding to the OOR vLEI Credential Holder. This binding enables proof requests to be satisfied through verification against:

• The Legal Entity
• The credential holder
• Public sources (such as the Global LEI System)

This ensures non-repudiable attribution of the credential to its rightful holder, meaning the holder cannot deny their association with the credential or actions taken using it.

Context Independence

The OOR credential functions across diverse verification contexts including:

• In-person scenarios: Physical presentation and verification
• Online scenarios: Digital presentation via web interfaces
• Telephonic scenarios: Voice-based verification processes

This universal applicability ensures consistent identity verification regardless of interaction modality, a critical feature for global business operations.

Limitations

The OOR credential framework has specific limitations:

1. Official Roles Only: The framework explicitly covers only official organizational roles, not functional or engagement context roles (which are covered by the ECR framework)

2. Legal Entity Dependency: OOR credentials can only be issued to individuals representing Legal Entities that hold valid Legal Entity vLEI Credentials

3. QVI Mediation: All OOR credential issuance must be mediated by a contracted QVI; Legal Entities cannot issue OOR credentials directly

4. Schema Compliance: All OOR credentials must conform to the standardized schema; custom credential structures are not permitted

Credential Lifecycle

Issuance Process

According to Document 4, the framework mandates a sophisticated three-tiered identity verification approach:

Level 1: Legal Entity Identity Verification

QVI Authorized Representatives (QARs) must verify:

• The supplied LEI corresponds to the requesting Legal Entity
• LEI Entity Status is Active
• LEI Registration Status is Issued, Pending Transfer, or Pending Archival in the Global LEI System

Notably, identity authentication is not required at the Legal Entity level for OOR credential issuance, as the Legal Entity's identity is already established through its Legal Entity vLEI Credential.

Level 2: Legal Entity Authorized Representative (LAR) Verification

LAR identity assurance and authentication requirements are inherited from the Legal Entity vLEI Credential Governance Framework, maintaining consistency across the credential hierarchy. The LAR is the individual authorized by the Legal Entity to request OOR credential issuance.

Level 3: OOR Person Identity Verification

This is the most critical verification level for OOR credentials. The QAR must:

1. Verify Identity Assurance: Confirm the OOR Person's identity meets required assurance levels
2. Authenticate Identity: Verify the OOR Person controls the claimed identity
3. Verify Role Authorization: Confirm the Legal Entity has authorized this individual for the specific official organizational role
4. Verify AID Control: Confirm the OOR Person controls the Autonomic Identifier (AID) that will be bound to the credential

Verification Procedures

Verification of OOR vLEI Credentials involves multiple cryptographic checks:

1. Signature Verification: Verify the digital signatures on the credential using the issuing QVI's public key
2. Chain Verification: Verify the credential chain from the OOR credential → Legal Entity credential → QVI credential → GLEIF root
3. SAID Verification: Verify the Self-Addressing Identifier (SAID) of the credential matches its content
4. AID Control Verification: Verify the holder controls the AID bound to the credential
5. Revocation Status Check: Query the Transaction Event Log (TEL) to confirm the credential has not been revoked

Revocation Conditions

OOR vLEI Credentials may be revoked under several conditions:

1. Role Termination: The individual no longer holds the official organizational role
2. Legal Entity Request: The Legal Entity requests revocation through its LAR
3. Credential Compromise: The credential's cryptographic material has been compromised
4. Legal Entity Credential Revocation: The underlying Legal Entity vLEI Credential is revoked
5. QVI Credential Revocation: The issuing QVI's credential is revoked
6. Policy Violation: The holder or Legal Entity violates governance framework policies

Revocation is recorded in the credential's Transaction Event Log (TEL), which is anchored to the issuing QVI's Key Event Log (KEL), ensuring the revocation is cryptographically verifiable and cannot be undone.

Technical Foundation

KERI Infrastructure

As documented in Document 9, the OOR credential framework is fundamentally built on KERI (Key Event Receipt Infrastructure) technology, representing a significant architectural shift from traditional PKI-based systems to self-sovereign identity infrastructure.

Key technical elements include:

Autonomic Identifiers (AIDs)

The system utilizes Autonomic Identifiers (AIDs) as the foundation for cryptographic identity. All vLEI issuers must verify AID control by holders. This represents a move from administratively assigned identifiers to cryptographically self-certifying identifiers that provide:

• Self-certification: The identifier is cryptographically derived from the controlling key pair
• Transferability: Control can be transferred through key rotation
• Portability: The identifier is not bound to any specific infrastructure provider

ACDC Credential Structure

OOR credentials are implemented as Authentic Chained Data Containers (ACDCs), which provide:

• Chained Provenance: Each credential references its issuing credential, creating a verifiable chain
• Selective Disclosure: Holders can disclose only necessary attributes
• Graduated Disclosure: Progressive revelation of information based on verifier requirements
• Compact Representation: Efficient encoding using CESR

Schema Requirements

As specified in Document 4, all OOR vLEI Credentials must use the standardized OOR vLEI Credential schema defined in the WebOfTrust GitHub repository. This schema defines:

• Required claims (attributes) that must be included
• Optional claims that may be included
• Data types and formats for each claim
• Encoding requirements using CESR
• SAID calculation methods

The schema ensures interoperability across the vLEI ecosystem, allowing any compliant verifier to process OOR credentials from any QVI.

Related Governance Documents

Primary Governance Framework

The OOR credential framework operates under the vLEI Ecosystem Governance Framework v3.0, which serves as the master governance document for the entire vLEI ecosystem. As documented in Document 9, this framework:

• Establishes GLEIF as Governing and Administering Authority
• Defines the trust chain architecture
• Sets localization policies (American English as official language, G20 translations required)
• Establishes stakeholder roles and responsibilities

Related Credential Governance Frameworks

The OOR framework is one of four interconnected credential governance frameworks:

1. Qualified vLEI Issuer vLEI Credential Governance Framework: Defines requirements for credentials issued by GLEIF to QVIs, enabling them to issue, verify, and revoke downstream credentials. (Document 10, Document 11)

2. Legal Entity vLEI Credential Governance Framework: Details requirements for vLEI credentials issued by QVIs to Legal Entities

3. Legal Entity Official Organizational Role vLEI Credential Governance Framework: This framework (the subject of this document)

4. Legal Entity Engagement Context Role vLEI Credential Governance Framework: Details requirements for credentials issued to individuals in non-official functional or engagement context roles (Document 5)

Technical Specifications

The OOR framework references several technical specifications:

• KERI Specification: The foundational protocol specification for key event infrastructure
• ACDC Specification: Defines the structure and processing of Authentic Chained Data Containers
• CESR Specification: Defines the Composable Event Streaming Representation encoding
• IPEX Specification: Defines the Issuance and Presentation Exchange protocol
• OOR vLEI Credential Schema: The specific schema definition in the WebOfTrust GitHub repository

Policy Documents

Additional policy documents that govern OOR credential operations include:

• vLEI Issuer Qualification Agreement: Contract between GLEIF and QVIs
• Information Trust Policies: Define information security, privacy, availability, confidentiality, and processing integrity requirements
• Localization Policies: Mandate language requirements for ecosystem materials

Ecosystem Benefits and Use Cases

The OOR vLEI Credential Governance Framework enables several critical use cases:

Corporate Representation

OOR credentials allow individuals to cryptographically prove they are authorized to represent a Legal Entity in official capacities, such as:

• Signing contracts on behalf of the organization
• Making financial commitments
• Representing the organization in legal proceedings
• Authorizing business transactions

Regulatory Compliance

The framework supports regulatory compliance by providing:

• Verifiable proof of authority for regulatory filings
• Audit trails through the KEL/TEL infrastructure
• Non-repudiable attribution of actions to authorized individuals
• Cryptographic proof of identity assurance levels

Cross-Border Operations

The context-independent nature of OOR credentials enables:

• Consistent identity verification across jurisdictions
• Reduced friction in international business operations
• Interoperable credentials accepted globally
• Multilingual support through GLEIF's localization policies

Digital Transformation

OOR credentials enable digital transformation initiatives by:

• Eliminating paper-based authorization processes
• Enabling automated verification of authority
• Supporting zero-trust security architectures
• Providing cryptographic proof for digital signatures

Conclusion

The Legal Entity Official Organizational Role vLEI Credential Governance Framework represents a sophisticated governance structure that bridges traditional legal entity identification (through LEIs) with modern cryptographic identity infrastructure (through KERI). By establishing clear roles, responsibilities, and technical requirements, the framework enables a global ecosystem of verifiable organizational credentials that provide strong cryptographic assurance while maintaining the flexibility needed for diverse business contexts.

The framework's integration with the broader vLEI ecosystem, its foundation on KERI infrastructure, and its comprehensive approach to identity verification and credential lifecycle management position it as a critical component of the emerging verifiable credential landscape for organizational identity.