GLEIF (Global Legal Entity Identifier Foundation) governs the vLEI ecosystem through the vLEI Ecosystem Governance Framework v3.0, which establishes comprehensive policies for OOR credentials. GLEIF's role includes:

• Defining identity assurance requirements for OOR persons
• Establishing qualification criteria for QVIs who issue OOR credentials
• Maintaining schema registries for OOR credential structures
• Providing governance oversight for the entire vLEI ecosystem

The OOR credential framework operates under GLEIF's authority as the governing body of the Global LEI System (GLEIS), extending the traditional LEI framework into verifiable digital credentials.

Related Governance Entities

The OOR concept interacts with several key governance entities:

Legal Entity Authorized Representatives (LARs): Individuals authorized by the Legal Entity to request OOR credential issuance. LARs perform initial identity assurance and create QVI OOR AUTH vLEI Credentials that authorize QVIs to issue OOR credentials to specific individuals.

QVI Authorized Representatives (QARs): Representatives of Qualified vLEI Issuers who conduct additional identity verification and issue the final OOR credentials to individuals.

Designated Authorized Representatives (DARs): Legal Entity representatives who authorize LARs and manage the Legal Entity's participation in the vLEI ecosystem.

OOR Persons: The individuals who receive and hold OOR vLEI Credentials, representing the Legal Entity in their official organizational capacity.

Roles & Responsibilities

Primary Responsibilities

An OOR Person holding an OOR vLEI Credential has several key responsibilities:

Representation Authority: The OOR Person is authorized to represent the Legal Entity in their official capacity as defined by the credential. This representation is cryptographically verifiable through the KERI infrastructure, enabling third parties to confirm the person's authority without contacting the Legal Entity.

Credential Management: The OOR Person must maintain control over their Autonomic Identifier (AID) and associated cryptographic keys. This includes:

• Protecting private keys from compromise
• Performing key rotations when necessary
• Responding to challenge-response authentication requests
• Presenting credentials when required

Identity Verification Compliance: OOR Persons must undergo rigorous identity verification processes that meet NIST 800-63A Identity Assurance Level 2 (IAL2) standards or equivalent digital identity credentials from approved schemes.

Credential Presentation: When acting in their official capacity, OOR Persons present their credentials to verifiers using the IPEX (Issuance and Presentation Exchange) protocol, enabling cryptographic verification of their role and authority.

Authority and Permissions

The OOR credential grants specific authorities:

Official Representation: The credential provides cryptographic proof that the holder is authorized to act in an official organizational capacity. This enables:

• Signing contracts on behalf of the Legal Entity
• Authorizing transactions within the scope of their role
• Representing the Legal Entity in regulatory filings
• Making official statements on behalf of the organization

Credential Chaining: OOR credentials can serve as the basis for issuing additional credentials. For example, an OOR Person might authorize the issuance of Engagement Context Role (ECR) credentials to individuals working on specific projects.

Multi-Signature Participation: In organizations with multiple OOR Persons, credentials may require multi-signature authorization for certain actions, implementing governance policies through cryptographic thresholds.

Limitations

The OOR credential has specific limitations:

Scope Restriction: The credential only verifies the person's official organizational role. It does not:

• Attest to the person's competence or qualifications
• Guarantee the Legal Entity's trustworthiness
• Provide legal compliance assurance
• Verify the person's current employment status beyond the credential's validity period

Revocation Dependency: The credential's validity depends on:

• The Legal Entity maintaining an active LEI
• The QVI maintaining qualification status
• The credential not being revoked in the Transaction Event Log (TEL)
• The Legal Entity's vLEI credential remaining valid

Context Specificity: OOR credentials are designed for official organizational roles only. They are not appropriate for:

• Temporary project roles (use ECR credentials instead)
• Consultant or contractor relationships (use ECR credentials)
• Functional roles without official organizational authority

Credential Lifecycle

Issuance Process

The OOR credential issuance process varies based on Legal Entity structure:

Multi-Employee Entities

For Legal Entities with multiple authorized signers:

Phase 1: LAR Authorization

1. LARs perform identity assurance of the OOR Person to IAL2 standards
2. LARs conduct a supervised real-time OOBI session with audio/video presence
3. During the OOBI session:
   • Manual verification of legal identity credentials
   • Exchange of Autonomic Identifiers (AIDs)
   • Challenge-response authentication using private key stores
4. LARs create a QVI OOR AUTH vLEI Credential authorizing the QVI to issue the OOR credential
5. Multiple LARs sign the authorization credential according to the Legal Entity's multi-signature threshold

Phase 2: QVI Issuance

1. QARs receive the QVI OOR AUTH vLEI Credential
2. QARs conduct additional identity verification
3. QARs verify control of the OOR Person's AID through challenge-response
4. QARs issue the Legal Entity Official Organizational Role vLEI Credential
5. The credential is anchored to the QVI's Transaction Event Log (TEL)

Sole Proprietor Entities

For Legal Entities with a single employee:

1. The sole LAR performs all identity assurance steps
2. The LAR creates the QVI OOR AUTH vLEI Credential with a single signature
3. The QVI issues the OOR credential following the same verification procedures

Verification Procedures

Verifiers validate OOR credentials through multiple mechanisms:

Cryptographic Verification:

1. Verify the credential's SAID (Self-Addressing Identifier) matches its content
2. Verify the QVI's signature on the credential
3. Verify the credential chains to a valid QVI credential
4. Verify the QVI credential chains to GLEIF's root of trust

Status Verification:

1. Query the credential's Transaction Event Log (TEL) for revocation status
2. Verify the Legal Entity's LEI remains active in the Global LEI System
3. Verify the QVI maintains qualification status
4. Check the credential's issuance date and any expiration conditions

Authorization Chain Verification:

1. Verify the edges block references a valid QVI OOR AUTH vLEI Credential
2. Verify the authorization credential was issued by the Legal Entity
3. Verify the authorization credential chains to the Legal Entity's vLEI credential
4. Verify the Legal Entity credential chains to the QVI credential

Challenge-Response Authentication:

1. Issue a cryptographic challenge to the OOR Person
2. Verify the response signature matches the AID in the credential
3. Confirm the OOR Person controls the private keys associated with their AID

Revocation Conditions

OOR credentials may be revoked under several conditions:

Legal Entity Initiated Revocation:

• The OOR Person leaves the organization
• The OOR Person's role changes to a non-official capacity
• The Legal Entity determines the credential should no longer be valid
• The Legal Entity's LEI lapses or is retired

QVI Initiated Revocation:

• The QVI loses qualification status
• The QVI determines the credential was issued in error
• The QVI's contract with the Legal Entity terminates

GLEIF Initiated Revocation:

• The QVI fails annual qualification requirements
• The QVI fails to remediate qualification issues
• Governance framework violations are detected

Automatic Revocation Triggers:

• The Legal Entity's vLEI credential is revoked
• The QVI's credential is revoked
• The authorization credential (QVI OOR AUTH) is revoked

Revocation is recorded in the credential's TEL, which is anchored to the issuer's Key Event Log (KEL), creating an immutable audit trail.

Technical Implementation

ACDC Structure

The OOR vLEI Credential is implemented as an Authentic Chained Data Container (ACDC) with the schema SAID EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy at version 1.0.0.

Top-Level Fields:

• v: Version string for ACDC protocol compliance
• d: Credential SAID providing cryptographic binding
• u: One-time-use nonce for privacy protection
• i: QVI Issuer AID
• ri: Credential status registry identifier (TEL reference)
• s: Schema SAID
• a: Attributes block (can be compact SAID or full disclosure)
• e: Edges block (authorization chain)
• r: Rules block (legal disclaimers)

Attributes Block:

• i: OOR Person's AID
• dt: Issuance datetime (ISO 8601 format)
• LEI: Legal Entity Identifier
• personLegalName: Full legal name from identity verification
• officialRole: Specific organizational position (e.g., "Chief Executive Officer")

Edges Block:

• auth: Reference to QVI OOR AUTH vLEI Credential
  • n: SAID of the authorization credential
  • s: Required schema SAID (EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E)
  • o: Operator type I2I (Issuer-to-Issuer delegation)

KERI Integration

The OOR credential leverages KERI's core infrastructure:

Autonomic Identifiers (AIDs): Each participant (Legal Entity, QVI, OOR Person) maintains their own AID with associated Key Event Log (KEL) tracking all key management events.

Key Pre-Rotation: KERI's pre-rotation mechanism provides post-quantum security by committing to next keys before current keys are exposed.

Witness Networks: Witnesses provide duplicity detection and high availability for KELs, ensuring the integrity of the credential chain.

Transaction Event Logs (TELs): Credential issuance and revocation events are recorded in TELs anchored to the issuer's KEL, creating verifiable audit trails.

Out-Of-Band Introductions (OOBIs): Discovery and verification of AIDs occurs through OOBI resolution, enabling secure communication channel establishment.

Graduated Disclosure

OOR credentials support graduated disclosure patterns:

Compact Disclosure: Present only the credential SAID and edges block, revealing minimal information while maintaining verifiability.

Partial Disclosure: Reveal specific attributes (e.g., LEI and officialRole) while keeping personLegalName private.

Full Disclosure: Reveal all credential attributes for complete verification.

This flexibility enables privacy-preserving credential presentations where only necessary information is disclosed for a given transaction.

Related Governance Documents

Primary Governance Framework

Legal Entity Official Organizational Role vLEI Credential Framework v1.4 (2025-04-16): The authoritative governance document defining all requirements for OOR credentials, including:

• Identity assurance procedures
• Identity authentication protocols
• Issuance workflows for multi-employee and sole proprietor entities
• Verification requirements
• Revocation conditions

Supporting Governance Documents

vLEI Ecosystem Governance Framework v3.0 Primary Document (2023-08-30): Establishes the overall governance structure, stakeholder roles, and core policies applicable to all vLEI credentials.

vLEI Ecosystem Governance Framework v3.0 Glossary v1.3 (2023-12-15): Provides authoritative definitions for all terms used in the vLEI ecosystem, including OOR and related concepts.

vLEI Ecosystem Governance Framework v3.0 Trust Assurance Framework v1.5 (2025-04-16): Defines trust assurance requirements, risk assessments, and compliance obligations for all vLEI ecosystem participants.

vLEI Ecosystem Governance Framework v3.0 Information Trust Policies v1.2 (2025-04-16): Establishes security, privacy, availability, and confidentiality policies governing all vLEI operations.

Qualified vLEI Issuer Authorization vLEI Credential Framework v1.3 (2025-04-16): Defines the authorization credentials (QVI OOR AUTH) that enable OOR credential issuance.

Technical Specifications

vLEI Credential Schema Registry v1.1 (2023-12-15): Maintains the official JSON Schema definitions for all vLEI credential types, including the OOR credential schema.

KERI (Key Event Receipt Infrastructure) Specification: The foundational protocol specification defining AIDs, KELs, witnesses, and other core infrastructure used by OOR credentials.

ACDC (Authentic Chained Data Containers) Specification: Defines the credential structure, chaining mechanisms, and disclosure patterns used by OOR credentials.

IPEX (Issuance and Presentation Exchange) Specification: Defines the protocol for issuing and presenting OOR credentials between parties.

Legal and Compliance Documents

vLEI Issuer Qualification Agreement: The contractual agreement between GLEIF and QVIs that establishes qualification requirements and operational obligations.

vLEI Issuer Qualification Program Checklist: Detailed checklist of requirements that QVIs must satisfy to qualify for issuing OOR credentials.

Legal Entity vLEI Credential Framework: Defines the prerequisite Legal Entity credential that must exist before OOR credentials can be issued.

Distinction from Engagement Context Roles

It is critical to distinguish OOR credentials from Engagement Context Role (ECR) credentials:

OOR Credentials are for:

• Permanent official organizational positions
• Roles with formal governance authority
• Positions defined in organizational bylaws or governance documents
• Examples: CEO, CFO, Board Director, Corporate Secretary

ECR Credentials are for:

• Temporary or project-based roles
• Functional positions without official organizational authority
• Consultant, contractor, or external engagement roles
• Examples: Project Manager, Security Consultant, External Auditor

The governance frameworks for these credential types differ significantly in their identity assurance requirements, issuance procedures, and intended use cases.

Ecosystem Benefits

The OOR credential provides several key benefits to the vLEI ecosystem:

Cryptographic Verification: Third parties can verify an individual's official organizational role without contacting the Legal Entity, reducing friction in business transactions.

Fraud Prevention: The cryptographic binding between the person, their AID, and their organizational role makes impersonation extremely difficult.

Regulatory Compliance: OOR credentials enable automated compliance checking for regulatory filings and other official submissions.

Audit Trail: The complete credential lifecycle is recorded in immutable KELs and TELs, providing comprehensive audit trails for governance and compliance purposes.

Interoperability: The standardized ACDC structure and KERI infrastructure enable OOR credentials to be verified across different systems and jurisdictions without requiring proprietary integration.

Privacy Preservation: Graduated disclosure mechanisms allow OOR Persons to reveal only necessary information for each transaction, protecting privacy while maintaining verifiability.