This hierarchical structure implements a delegated trust model where GLEIF maintains ultimate authority while distributing operational credential issuance to qualified organizations. The QVI serves as the essential bridge between GLEIF's root authority and the broader ecosystem of legal entities requiring verifiable digital identities.

GLEIF Governance Framework Integration

QVIs operate under the comprehensive vLEI Ecosystem Governance Framework v3.0, which establishes:

• Qualification requirements through the vLEI Issuer Qualification Program
• Operational policies via the vLEI Issuer Qualification Agreement
• Technical standards through KERI Infrastructure Technical Requirements
• Service level agreements defining availability and performance targets
• Annual re-qualification procedures to maintain QVI status

The governance framework ensures that QVIs maintain consistent standards globally while operating under their own business models and fee structures.

Related Governance Entities

GLEIF Authorized Representatives (GARs): Representatives of GLEIF authorized to perform identity verification requirements needed to issue QVI vLEI Credentials. GARs conduct the qualification process and ongoing oversight of QVIs.

QVI Authorized Representatives (QARs): Designated representatives of a QVI authorized to conduct QVI operations with GLEIF and interface with Legal Entities. QARs are the operational personnel who execute credential issuance workflows.

Legal Entity Authorized Representatives (LARs): Representatives of Legal Entities who interact with QVIs to request credential issuance and manage their organization's vLEI credentials.

Roles & Responsibilities

Primary Responsibilities

1. Credential Issuance Authority

QVIs are authorized to issue three distinct types of vLEI credentials:

Legal Entity vLEI Credentials: Core organizational identity credentials that bind a Legal Entity's LEI (Legal Entity Identifier) to a KERI AID (Autonomic Identifier). These credentials establish the foundational digital identity for organizations in the vLEI ecosystem.

Legal Entity Official Organizational Role (OOR) vLEI Credentials: Credentials issued to individuals holding formal positions within legal entities (e.g., CEO, CFO, Board Directors). These credentials verify that a person holds an official organizational role and is authorized to act on behalf of the legal entity in that capacity.

Legal Entity Engagement Context Role (ECR) vLEI Credentials: Credentials issued to individuals representing legal entities in functional or engagement-specific contexts rather than official organizational positions (e.g., project managers, consultants, engagement-specific representatives).

2. Identity Verification and Assurance

QVIs must perform rigorous identity verification procedures before issuing credentials:

Legal Entity Identity Verification: QARs must verify that the supplied LEI corresponds to the requesting legal entity and that the LEI has:

• Active Entity Status in the Global LEI System
• Registration Status of Issued, Pending Transfer, or Pending Archival

Individual Identity Assurance: For OOR and ECR credentials, QVIs must perform identity assurance to at least Identity Assurance Level 2 (IAL2) as defined in NIST 800-63A. This includes:

• Manual verification of legal identity credentials during live video sessions
• OOBI (Out-Of-Band Introduction) sessions with real-time audio/video presence
• Challenge-response authentication using cryptographic signatures
• Verification of control over AIDs through signed messages

Alternative Identity Verification Pathways: The governance framework permits acceptance of digital identity credentials from approved schemes including:

• European eIDAS schemes (High/Substantial Level of Assurance)
• Asian schemes: Australia myGov, India Aadhaar, Singapore SingPass
• Latin American schemes: Brazil e-CPF

3. Credential Verification Services

QVIs provide verification services to validate the authenticity and current status of vLEI credentials. This includes:

• Cryptographic verification of ACDC (Authentic Chained Data Container) signatures
• Chain of trust validation through KERI infrastructure
• Revocation status checking via Transaction Event Logs (TELs)
• Schema validation against official vLEI credential schemas

4. Credential Revocation Management

QVIs must maintain the ability to revoke credentials when:

• The Legal Entity's LEI lapses or is retired
• The Legal Entity requests revocation
• The individual holding an OOR or ECR credential no longer holds that role
• Contractual obligations with the Legal Entity are terminated
• The QVI fails annual re-qualification or has its qualification terminated by GLEIF

Revocation is implemented through Transaction Event Logs anchored to the QVI's KEL (Key Event Log), providing cryptographically verifiable revocation status.

Authority and Permissions

Delegated Authority from GLEIF

QVIs receive their authority through a cooperative delegation mechanism in KERI:

1. QVI Delegated AID Creation: The QVI creates a delegated AID with GLEIF's GEDA (GLEIF External Delegated AID) as the delegator
2. GLEIF Approval: GLEIF must cryptographically approve the delegation through an interaction event containing a seal of the QVI's inception event
3. Credential Issuance: GLEIF issues a QVI vLEI Credential to the QVI, authorizing credential issuance operations

This delegation structure ensures that:

• QVIs cannot unilaterally assert authority
• GLEIF maintains ultimate control through delegation approval
• The delegation relationship is cryptographically verifiable
• GLEIF can revoke QVI authority by revoking the QVI vLEI Credential

Multi-Signature Requirements

The governance framework mandates that QVI AIDs use multi-signature control with:

• Minimum 3 QARs (QVI Authorized Representatives) recommended when possible
• 2-of-N signature threshold required for credential issuance operations
• Separate key management for each QAR to prevent single points of failure
• Witness pool configuration with minimum 5 witnesses using KAACE (KERI Agreement Algorithm for Control Establishment)

This multi-signature architecture provides:

• Distributed control preventing unilateral actions
• Compromise resilience through threshold signatures
• Operational continuity if individual QARs become unavailable

Commercial Autonomy

QVIs retain significant commercial autonomy:

Fee Structure Discretion: QVIs may charge fees for:

• Issuance of Legal Entity vLEI Credentials
• Verification services
• Revocation of credentials
• OOR and ECR credential issuance

Ancillary Services: QVIs may offer additional services to Legal Entities regarding vLEIs, expanding their service offerings beyond core credential management.

Financial Independence: QVIs must be solely responsible for managing both revenue generation and operational costs. GLEIF does not contribute funds to QVI operations, ensuring QVIs operate as independent business entities.

Annual Fee Review: QVIs retain the right to review and unilaterally determine new fees annually, providing pricing flexibility.

Limitations

Qualification Requirements

QVIs face strict qualification constraints:

Organizational Structure: Sole proprietorships and natural persons cannot become QVIs. Only legal entities with appropriate organizational structure and accountability mechanisms qualify.

LEI Requirements: Both the candidate QVI and relevant parent organizations must maintain:

• Active LEI Entity Status
• LEI Registration Status of Issued, Pending Transfer, or Pending Archival

Qualification Timeline: Candidates must complete the vLEI Issuer Qualification Program Checklist and submit required documentation within 60 calendar days of NDA submission.

Operational Constraints

Software Requirements: QVIs must use the vLEI software for hosting Witnesses, Watchers, Discovery, and Oracles, and for key management. This ensures consistent technical implementation across the ecosystem.

Service Level Obligations: QVIs must meet defined availability targets documented in the Qualified vLEI Issuer Service Level Agreement (Appendix 5 to the vLEI Issuer Qualification Agreement).

Annual Re-Qualification: QVIs must successfully complete annual re-qualification procedures. Failure results in:

• Revocation of the QVI vLEI Credential
• Inability to issue new credentials
• Requirement to manage existing credential lifecycle (revocations)

Scope Limitations

Geographic Neutrality: While QVIs can operate globally, they must comply with applicable data protection legislation in their jurisdiction (or Swiss Federal Data Protection Act as minimum standard).

Credential Type Restrictions: QVIs can only issue the three authorized credential types (Legal Entity, OOR, ECR). They cannot create custom credential types without governance framework amendments.

No Unilateral Delegation: QVIs cannot delegate their authority to sub-issuers. The delegation chain stops at the QVI level for credential issuance authority.

Credential Lifecycle

QVI vLEI Credential Issuance Process

Phase 1: Qualification Application

1. Initial Contact: Candidate QVI sends email to [email protected] with signed Non-Disclosure Agreement
2. Portal Access: GLEIF grants access to communications portal for document submission
3. Checklist Completion: Candidate completes vLEI Issuer Qualification Program Checklist within 60 days
4. Documentation Submission: Candidate provides evidence of compliance with qualification requirements

Phase 2: GLEIF Review and Approval

1. Qualification Review: GLEIF reviews submitted documentation against qualification criteria
2. Remediation: If deficiencies exist, candidate must remediate within specified timeframes
3. Qualification Decision: GLEIF approves or denies qualification
4. Agreement Execution: Approved candidates execute the vLEI Issuer Qualification Agreement

Phase 3: Technical Setup

1. Multi-Sig AID Creation: QVI creates multi-signature AID with minimum 2 QARs
2. Delegation Request: QVI requests delegation from GLEIF GEDA
3. Identity Verification: GARs perform NIST IAL2 identity verification of QARs
4. OOBI Session: Real-time video session with challenge-response authentication
5. Delegation Approval: GLEIF approves delegation through cryptographic seal

Phase 4: Credential Issuance

1. QVI vLEI Credential Creation: GLEIF issues QVI vLEI Credential to the QVI's AID
2. Registry Anchoring: Credential issuance is anchored to GLEIF's KEL via TEL
3. Credential Delivery: QVI receives credential through IPEX (Issuance and Presentation Exchange) protocol
4. Operational Activation: QVI can begin issuing credentials to Legal Entities

Legal Entity Credential Issuance by QVI

Once qualified, QVIs follow this workflow to issue Legal Entity vLEI Credentials:

Step 1: Legal Entity Engagement

1. Contractual Agreement: Legal Entity contracts with QVI for vLEI services
2. LEI Verification: QVI verifies Legal Entity's LEI status in Global LEI System
3. AID Creation: Legal Entity creates AID (or QVI assists in creation)
4. OOBI Exchange: QVI and Legal Entity exchange OOBIs to establish communication

Step 2: Identity Verification

1. LAR Identification: Legal Entity designates Legal Entity Authorized Representatives (LARs)
2. Identity Assurance: QVI performs identity verification of LARs
3. AID Control Verification: LARs prove control of Legal Entity AID through signed challenges

Step 3: Credential Issuance

1. Credential Creation: QVI creates Legal Entity vLEI Credential with:
   • Legal Entity's AID
   • LEI identifier
   • Issuance timestamp
   • SAID references to QVI credential (establishing chain of trust)
2. Registry Recording: Issuance event recorded in QVI's TEL
3. Credential Delivery: Credential transmitted via IPEX protocol
4. LAR Acceptance: LARs accept credential into Legal Entity's credential wallet

Role Credential Issuance (OOR/ECR)

For OOR and ECR credentials, QVIs follow an authorization-based workflow:

Authorization Phase

1. Authorization Credential Request: Legal Entity (via LARs) creates authorization credential:
   • QVI OOR AUTH vLEI Credential for official roles
   • QVI ECR AUTH vLEI Credential for engagement roles
2. Authorization Content: Specifies:
   • QVI AID being authorized
   • Individual's AID who will receive role credential
   • Individual's legal name
   • Role description
3. Multi-Sig Signing: LARs sign authorization credential with Legal Entity's multi-sig threshold
4. Authorization Delivery: Legal Entity transmits authorization to QVI

Role Credential Issuance Phase

1. Authorization Verification: QVI verifies:
   • Authorization credential signatures match Legal Entity AID
   • Authorization chains to valid Legal Entity vLEI Credential
   • Authorization has not been revoked
2. Individual Identity Verification: QVI performs IAL2 identity verification of individual
3. Role Credential Creation: QVI creates OOR or ECR credential with:
   • Individual's AID
   • Legal Entity's LEI
   • Individual's legal name
   • Role description
   • SAID reference to authorization credential (establishing authorization chain)
4. Credential Delivery: Role credential transmitted to individual via IPEX

Verification Procedures

When a verifier receives a vLEI credential, they follow this verification workflow:

Cryptographic Verification

1. SAID Verification: Verify credential's SAID matches computed digest of credential content
2. Signature Verification: Verify issuer's signature using issuer's AID public keys
3. Schema Validation: Verify credential conforms to official vLEI schema

Chain of Trust Verification

1. Issuer Credential Verification: For Legal Entity credentials, verify QVI holds valid QVI vLEI Credential
2. Delegation Verification: Verify QVI AID is properly delegated from GLEIF GEDA
3. Authorization Verification: For role credentials, verify authorization credential exists and chains to Legal Entity credential

Status Verification

1. TEL Query: Query QVI's TEL for credential status
2. Revocation Check: Verify credential has not been revoked
3. Timestamp Validation: Verify credential issuance timestamp is reasonable

Revocation Conditions

QVIs must revoke credentials under specific conditions:

Automatic Revocation Triggers

QVI Credential Revocation: When a QVI's credential is revoked by GLEIF:

• All Legal Entity credentials issued by that QVI must be revoked
• All role credentials issued by that QVI must be revoked
• Legal Entities must obtain new credentials from a different QVI

LEI Lapse: When a Legal Entity's LEI lapses or is retired:

• The Legal Entity vLEI Credential must be revoked
• All role credentials issued based on that Legal Entity credential must be revoked

Discretionary Revocation

Contractual Termination: When a Legal Entity terminates its contract with a QVI:

• QVI may revoke credentials after a 90-day grace period
• Grace period allows Legal Entity to transition to a new QVI
• During grace period, credentials remain valid but are considered "ghost credentials"

Role Changes: When an individual no longer holds a role:

• Legal Entity (via LARs) requests revocation from QVI
• QVI revokes the role credential
• Individual can no longer present that credential

Security Compromise: If credential keys are compromised:

• Credential holder requests revocation
• QVI revokes credential immediately
• New credential can be issued with new keys

Related Governance Documents

Primary Governance Framework

vLEI Ecosystem Governance Framework v3.0: The overarching governance document that establishes:

• Core policies applicable to all ecosystem participants
• Stakeholder roles and responsibilities
• Trust chain architecture
• Governance principles and objectives

QVI-Specific Governance Documents

vLEI Issuer Qualification Agreement: The contractual agreement between GLEIF and QVIs that establishes:

• Qualification requirements and procedures
• Operational obligations and service levels
• Financial terms and fee structures
• Termination conditions and remediation procedures

vLEI Issuer Qualification Program Manual (Appendix 2): Operational guide detailing:

• Qualification application procedures
• Required documentation and evidence
• Review and approval processes
• Timeline requirements

vLEI Issuer Qualification Program Checklist (Appendix 3): Comprehensive checklist covering:

• Organizational requirements
• Technical infrastructure requirements
• Security and privacy policies
• Operational procedures
• Financial sustainability evidence

Qualified vLEI Issuer Service Level Agreement (Appendix 5): Defines:

• Availability targets for vLEI services
• Performance metrics and monitoring
• Incident response procedures
• Reporting requirements

Credential Framework Documents

Qualified vLEI Issuer vLEI Credential Governance Framework: Establishes requirements for:

• QVI credential structure and schema
• Issuance procedures by GLEIF
• Delegation requirements
• Grace period management (default 90 days)

Legal Entity vLEI Credential Governance Framework: Defines:

• Legal Entity credential requirements
• Identity verification procedures for Legal Entities
• LAR qualification and verification
• Credential schema and required fields

Legal Entity Official Organizational Role vLEI Credential Framework: Specifies:

• OOR credential structure and requirements
• Identity verification for OOR persons
• Authorization credential requirements
• Role mapping to GLEIF OOR code system

Legal Entity Engagement Context Role vLEI Credential Framework: Details:

• ECR credential structure and requirements
• Identity verification for ECR persons
• Authorization credential requirements
• Engagement context role definitions

Qualified vLEI Issuer Authorization vLEI Credential Framework: Governs:

• QVI OOR AUTH vLEI Credential requirements
• QVI ECR AUTH vLEI Credential requirements
• Multi-signature requirements for authorization
• Authorization workflow procedures

Technical Requirements Documents

vLEI Ecosystem Governance Framework Technical Requirements Part 1: KERI Infrastructure: Establishes:

• KERI specification version requirements
• Witness and watcher pool configurations
• Key management infrastructure requirements
• Cryptographic strength requirements (minimum 128 bits)
• Multi-signature architecture requirements

vLEI Ecosystem Governance Framework Technical Requirements Part 2: vLEI Credentials: Defines:

• ACDC specification compliance
• CESR encoding requirements
• IPEX protocol implementation
• Credential schema requirements

vLEI Ecosystem Governance Framework Technical Requirements Part 3: vLEI Credential Schema Registry: Specifies:

• Official schema publication procedures
• SAID-based schema identification
• Semantic versioning requirements
• Schema validation procedures

Policy Documents

vLEI Ecosystem Information Trust Policies: Establishes:

• Regulatory compliance requirements (GDPR, ISO/IEC 27001)
• Privacy protection standards
• Data protection requirements (Swiss Federal Data Protection Act as minimum)
• Security policy requirements
• Incident management procedures

vLEI Ecosystem Risk Assessment: Documents:

• Identified risks across ecosystem layers
• Risk mitigation strategies
• Security controls and safeguards
• Monitoring and review procedures

vLEI Ecosystem Trust Assurance Framework: Provides:

• Compliance matrix mapping requirements to implementations
• Audit procedures and evidence requirements
• Certification and attestation requirements
• Continuous monitoring frameworks

Supporting Documents

Non-Disclosure Agreement (Appendix 1): Protects confidential information exchanged during qualification process

vLEI Ecosystem Governance Framework Glossary: Provides canonical definitions for all First Letter Capitalized terms used throughout governance documents

vLEI Q&A Document: Addresses common questions about vLEI ecosystem, QVI role, and operational procedures

These governance documents collectively establish a comprehensive framework ensuring QVIs operate consistently, securely, and in alignment with GLEIF's vision for a global, interoperable organizational digital identity ecosystem.

Authorization-Based Role Credentials

For OOR/ECR credentials, implement two-phase workflow:

Phase 1 - Authorization:

• Legal Entity (via LARs) creates QVI OOR AUTH or QVI ECR AUTH credential
• Authorization specifies QVI AID, individual AID, legal name, and role
• LARs sign with Legal Entity multi-sig threshold
• Authorization transmitted to QVI

Phase 2 - Issuance:

• QVI verifies authorization credential validity and chain to Legal Entity credential
• QVI performs IAL2 identity verification of individual
• QVI creates role credential with SAID reference to authorization credential
• Role credential delivered to individual via IPEX

Revocation Management

Implement revocation procedures:

• TEL Updates: Record revocation events in QVI's TEL anchored to KEL
• Grace Period: Allow 90-day grace period for contractual terminations
• Cascade Revocation: When QVI credential is revoked, all downstream credentials must be revoked
• Status Queries: Provide TEL query endpoints for verifiers to check credential status

Annual Re-Qualification

QVIs must complete annual re-qualification:

• Documentation Review: Submit updated evidence of continued compliance
• Audit Procedures: Participate in GLEIF audit processes
• Remediation: Address any identified deficiencies within specified timeframes
• Credential Renewal: Receive renewed QVI vLEI Credential upon successful re-qualification