The QAR serves as the operational executor of the QVI's delegated authority. While the QVI organization holds the contractual relationship with GLEIF and the cryptographic authority through its AID (Autonomic Identifier), the QAR is the human representative who performs the actual credential issuance operations.

Relationship to GLEIF Governance

QARs operate under the authority of GLEIF's root governance, which establishes:

1. Qualification Requirements: QVIs must undergo formal qualification processes (Annual vLEI Issuer Qualification) before their QARs can operate
2. Delegation Model: QVI AIDs are delegated from GLEIF's GEDA (GLEIF External Delegated AID)
3. Revocation Authority: GLEIF retains the ability to revoke QVI credentials, which terminates QAR authority
4. Grace Period Management: QARs must manage a 90-day grace period when QVI credentials approach expiration

Multi-Signature Group Participation

QARs typically participate in multi-signature groups that control the QVI AID. According to the governance framework:

• Minimum 2 QARs must form the multi-sig group for a QVI
• 2-of-N signature threshold is required for QVI operations
• Each QAR maintains their own AID and keystore
• QARs must perform OOBI (Out-Of-Band Introduction) exchanges with each other
• Challenge-response authentication is required between QARs using KERI protocols

This multi-signature requirement ensures that no single QAR can unilaterally issue credentials, providing operational security and accountability within the QVI organization.

Roles & Responsibilities

Primary Operational Responsibilities

1. Legal Entity Identity Verification

QARs must verify the identity of Legal Entities requesting vLEI credentials:

• LEI Validation: Verify that the supplied LEI (Legal Entity Identifier) corresponds to the requesting entity
• LEI Status Verification: Confirm LEI Entity Status is Active
• Registration Status Check: Ensure LEI Registration Status is Issued, Pending Transfer, or Pending Archival in the Global LEI System
• No Authentication Required: Notably, identity authentication is not required at the Legal Entity level for credential issuance—only identity assurance

2. Legal Entity Authorized Representative (LAR) Verification

QARs inherit LAR identity assurance and authentication requirements from the Legal Entity vLEI Credential Governance Framework:

• Identity Assurance: Verify LAR identity to at least Identity Assurance Level 2 (IAL2) per NIST 800-63A
• Real-Time OOBI Sessions: Conduct supervised remote sessions with continuous audio/video presence
• Challenge-Response Protocol: Execute cryptographic authentication using unique Challenge Messages
• Manual Credential Verification: Visually verify legal identity credentials during live sessions

3. Role Credential Issuance

QARs issue two types of role credentials:

Official Organizational Role (OOR) Credentials:

• For individuals in official positions (CEO, CFO, Board Members)
• Requires verification of official role within Legal Entity structure
• Must reference OOR Authorization vLEI Credential from LAR

Engagement Context Role (ECR) Credentials:

• For individuals in functional or engagement-specific contexts
• Does not require official organizational position
• Must reference ECR Authorization vLEI Credential from LAR

4. Credential Lifecycle Management

QARs manage the complete credential lifecycle:

• Issuance: Create and sign ACDC (Authentic Chained Data Container) credentials
• Registry Management: Anchor credentials to TEL (Transaction Event Log) registries
• Status Tracking: Monitor credential validity and expiration
• Revocation: Execute credential revocation when authorized by LARs or required by governance

Authority and Permissions

Delegated Authority from QVI

QARs exercise delegated authority from the QVI organization:

• Signing Authority: QARs can sign credential issuance events on behalf of the QVI AID
• Registry Operations: QARs can perform TEL operations for credential status management
• OOBI Publication: QARs can publish OOBIs for QVI discovery
• Witness Coordination: QARs interact with witness pools for KEL (Key Event Log) validation

Multi-Signature Constraints

QAR authority is constrained by multi-signature requirements:

• Threshold Enforcement: QARs cannot act unilaterally—threshold signatures required
• Rotation Authority: QARs participate in key rotation events for the QVI AID
• Delegation Approval: QARs must coordinate with GLEIF Authorized Representatives (GARs) for delegation approval

Interaction with Legal Entities

QARs have specific permissions when interacting with Legal Entities:

• Credential Requests: QARs can receive and process credential issuance requests from LARs
• Identity Verification: QARs can conduct identity assurance procedures
• Authorization Validation: QARs can verify QVI AUTH vLEI Credentials from LARs
• Presentation Acceptance: QARs can accept credential presentations for verification

Limitations and Constraints

Governance-Imposed Limitations

1. No Unilateral Issuance: QARs cannot issue credentials without proper LAR authorization via QVI AUTH vLEI Credentials
2. No Direct Legal Entity Credentials: QARs can only issue credentials to Legal Entities that have contracted with their QVI
3. No Cross-QVI Operations: QARs cannot issue credentials on behalf of other QVIs
4. Grace Period Constraints: QARs must manage credential transitions within the 90-day grace period

Technical Limitations

1. Multi-Sig Dependency: QARs cannot perform QVI operations without threshold signatures from other QARs
2. Witness Requirements: QARs must maintain connectivity to the QVI's witness pool
3. Schema Compliance: QARs must issue credentials conforming to official ACDC schemas
4. Registry Anchoring: QARs must anchor all credentials to appropriate TEL registries

Identity Verification Limitations

1. IAL2 Minimum: QARs cannot issue credentials without meeting minimum IAL2 identity assurance
2. Real-Time OOBI Requirement: QARs must conduct live video sessions—asynchronous verification is insufficient
3. Challenge-Response Mandatory: QARs must execute cryptographic authentication—visual verification alone is insufficient
4. No Delegation of Verification: QARs cannot delegate identity verification to third parties

Credential Lifecycle

QAR Participation in Issuance Process

The credential issuance process involving QARs follows a multi-stage workflow:

Stage 1: LAR Authorization

1. LAR Preparation: Legal Entity Authorized Representatives (LARs) prepare credential requests
2. Identity Assurance: LARs perform identity assurance on role credential recipients (OOR or ECR Persons)
3. Authorization Credential Creation: LARs create and sign QVI AUTH vLEI Credentials authorizing the QAR to issue role credentials
4. Multi-Signature Coordination: For multi-signer Legal Entities, multiple LARs must sign the authorization credential

Stage 2: QAR Verification

1. Authorization Validation: QAR receives and validates the QVI AUTH vLEI Credential from LAR
2. Chain Verification: QAR verifies the credential chain from GLEIF → QVI → Legal Entity → LAR
3. Identity Re-Verification: QAR conducts additional identity verification of the role credential recipient
4. OOBI Exchange: QAR performs OOBI exchange with the recipient's AID
5. Challenge-Response: QAR executes cryptographic authentication with the recipient

Stage 3: Credential Issuance

1. ACDC Creation: QAR creates the ACDC credential with required fields:

   • Issuer AID: QVI's AID
   • Issuee AID: Recipient's AID
   • LEI: Legal Entity's LEI
   • Role Information: Official role or engagement context
   • Schema Reference: SAID of the credential schema
   • Edge References: SAIDs of prerequisite credentials (authorization credential, Legal Entity credential)

2. Multi-Signature Coordination: QAR coordinates with other QARs to obtain threshold signatures

3. Registry Anchoring: QAR anchors the credential to the TEL registry

4. Witness Validation: QAR ensures witnesses have validated the issuance event

Stage 4: Credential Delivery

1. Presentation to Recipient: QAR presents the issued credential to the recipient
2. OOBI Publication: QAR publishes OOBIs for credential discovery
3. Status Verification: Recipient verifies credential status in the TEL registry
4. Acceptance Confirmation: Recipient confirms acceptance of the credential

Verification Procedures

QARs participate in credential verification as issuers rather than verifiers:

1. Issuer Verification: Verifiers validate that credentials were issued by a legitimate QVI with valid QAR signatures
2. Chain Validation: Verifiers trace the credential chain back to GLEIF's root of trust
3. Status Checking: Verifiers query the TEL registry to confirm credential has not been revoked
4. Signature Verification: Verifiers validate QAR signatures against the QVI's AID key state

Revocation Conditions

QARs must revoke credentials under specific conditions:

LAR-Initiated Revocation

1. Revocation Request: LAR submits a signed revocation request
2. Authorization Validation: QAR validates the LAR's authority to request revocation
3. Registry Update: QAR anchors the revocation event to the TEL registry
4. Multi-Signature Coordination: QAR coordinates threshold signatures for the revocation event

Governance-Mandated Revocation

1. QVI Termination: If the QVI's credential is revoked by GLEIF, all credentials issued by QARs of that QVI must be revoked
2. LEI Lapse: If a Legal Entity's LEI lapses or is retired, all credentials for that entity must be revoked
3. Qualification Failure: If a QVI fails Annual vLEI Issuer Qualification, credentials may be revoked
4. Grace Period Expiration: Credentials approaching expiration must be revoked if not renewed

Technical Revocation Process

1. Revocation Event Creation: QAR creates a revocation event in the TEL
2. KEL Anchoring: QAR anchors the revocation event to the QVI's KEL via an interaction event
3. Witness Validation: QAR ensures witnesses have validated the revocation event
4. Status Propagation: Revocation status propagates through the TEL registry

Related Governance Documents

Primary Governance Frameworks

1. vLEI Ecosystem Governance Framework v3.0

   • Establishes overall governance structure for the vLEI ecosystem
   • Defines roles, responsibilities, and relationships
   • Sets information trust policies and security requirements

2. Qualified vLEI Issuer vLEI Credential Governance Framework

   • Defines requirements for QVI credentials
   • Establishes QAR qualification and operational procedures
   • Specifies credential schema and issuance requirements

3. Legal Entity vLEI Credential Governance Framework

   • Defines requirements for Legal Entity credentials
   • Establishes LAR verification procedures that QARs must follow
   • Specifies multi-signature requirements for Legal Entities

4. Legal Entity Official Organizational Role vLEI Credential Governance Framework

   • Defines requirements for OOR credentials
   • Establishes identity verification procedures for OOR Persons
   • Specifies QAR responsibilities in OOR credential issuance

5. Legal Entity Engagement Context Role vLEI Credential Governance Framework

   • Defines requirements for ECR credentials
   • Establishes identity verification procedures for ECR Persons
   • Specifies QAR responsibilities in ECR credential issuance

6. Qualified vLEI Issuer Authorization vLEI Credential Governance Framework

   • Defines requirements for QVI AUTH vLEI Credentials
   • Establishes LAR authorization procedures that QARs must validate
   • Specifies multi-signature requirements for authorization credentials

Technical Specifications

1. vLEI Ecosystem Governance Framework Technical Requirements Part 1: KERI Infrastructure

   • Establishes KERI specification version requirements
   • Defines witness pool and backer management requirements
   • Specifies key management infrastructure requirements
   • Defines cryptographic strength requirements (approximately 128 bits)

2. Trust Assurance Framework

   • Maps governance requirements to ISO 20000 certification
   • Establishes vLEI Issuer Qualification Program standards
   • Defines vLEI software specifications
   • Specifies security policies and incident management procedures

3. ACDC (Authentic Chained Data Container) Specification

   • Defines credential data structure requirements
   • Establishes SAID (Self-Addressing Identifier) protocols
   • Specifies graduated disclosure mechanisms
   • Defines edge chaining for credential graphs

4. KERI (Key Event Receipt Infrastructure) Specification

   • Defines AID creation and management
   • Establishes KEL (Key Event Log) structure
   • Specifies witness agreement algorithms (KAACE)
   • Defines delegation mechanisms

5. IPEX (Issuance and Presentation Exchange) Specification

   • Defines credential issuance protocols
   • Establishes presentation exchange workflows
   • Specifies OOBI exchange procedures
   • Defines challenge-response authentication protocols

Policy Documents

1. vLEI Issuer Qualification Agreement

   • Contractual obligations between GLEIF and QVIs
   • Defines QAR qualification requirements
   • Establishes performance standards and service levels
   • Specifies termination conditions and grace periods

2. vLEI Issuer Qualification Program Checklists

   • Annual qualification requirements for QVIs
   • Extraordinary qualification procedures
   • QAR training and certification requirements
   • Compliance verification procedures

3. Information Trust Policies

   • Regulatory compliance requirements (GDPR, ISO/IEC 27001)
   • Privacy policies for personal data protection
   • Data protection standards (Swiss Federal Data Protection Act minimum)
   • Security policies meeting industry best practices

Operational Context

Software Tools and Infrastructure

QARs utilize specific software tools for credential operations:

1. KERIpy (Python KERI Implementation)

   • Command-line interface (KLI) for AID management
   • Keystore management for private key storage
   • KEL and KERL management
   • Witness coordination and OOBI exchange

2. KERIA (KERI Agent in the Cloud)

   • Cloud-based agent for QAR operations
   • REST API for credential issuance and management
   • Multi-tenant support for multiple QARs
   • Hab (Habitat) management for AID keystores

3. SignifyTS (TypeScript KERI Client)

   • Browser-compatible wallet functionality
   • Credential presentation and exchange
   • IPEX protocol implementation
   • OOBI exchange in web contexts

4. Sally (Verification Service)

   • Purpose-built for vLEI ecosystem
   • Accepts credential presentations
   • Integrates with GLEIF Reporting API
   • Validates credential chains and status

Multi-Signature Coordination

QARs must coordinate multi-signature operations:

1. Group Formation: QARs perform OOBI exchanges to establish the multi-sig group
2. Threshold Configuration: QARs configure signing thresholds (typically 2-of-N)
3. Event Coordination: QARs coordinate to sign KEL events (inception, rotation, interaction)
4. Witness Agreement: QARs ensure witnesses achieve consensus on events

Identity Verification Workflows

QARs follow structured identity verification workflows:

1. Video Call Setup: Establish live video session with credential recipient
2. Manual Verification: Visually verify legal identity credentials on camera
3. OOBI Exchange: Exchange AIDs using QR codes or live chat
4. Challenge Generation: Generate unique Challenge Messages
5. Signature Verification: Verify cryptographic signatures on challenge responses
6. Documentation: Record verification results for audit purposes

Credential Schema Management

QARs must work with specific ACDC schemas:

1. QVI Credential Schema: EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao
2. Legal Entity Credential Schema: ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY
3. OOR Authorization Credential Schema: EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E
4. ECR Authorization Credential Schema: EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g
5. OOR Credential Schema: EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy
6. ECR Credential Schema: EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw

QARs must ensure all issued credentials conform to these schemas and include all required fields.

Conclusion

The QVI Authorized Representative (QAR) role is a critical operational position within the vLEI ecosystem, serving as the human executor of QVI credential issuance authority. QARs bridge the gap between GLEIF's governance requirements and the technical implementation of KERI-based verifiable credentials. Through rigorous identity verification procedures, multi-signature coordination, and adherence to governance frameworks, QARs ensure the integrity and trustworthiness of the vLEI credential ecosystem.