Multiple independently valid credentials issued by the same issuer (e.g., a QVI) that have no inherent relationship to each other. While technically possible, issuing redundant credentials and selectively revoking only some instances represents a governance violation in the vLEI ecosystem.
Comprehensive Explanation
redundant-credential
Official Definition
A redundant credential occurs when a single issuer, particularly a Qualified vLEI Issuer (QVI), issues multiple instances of the same credential to an entity. Each redundant credential is independently valid and maintains no cryptographic or logical relationship to other credentials issued by the same QVI for the same purpose.
The term "redundant" in this context does not imply backup or failover functionality, but rather describes the problematic scenario where duplicate credential instances exist simultaneously in the vLEI ecosystem. This situation is explicitly identified as a governance issue rather than a technical limitation of the underlying KERI protocol or ACDC credential format.
Source: This definition is documented across multiple governance and technical reference materials within the WebOfTrust terminology framework, specifically addressing vLEI credential management practices.
Official Classification: Governance violation (not recommended practice)
Governance Context
vLEI Ecosystem Role
The concept of redundant credentials exists within the broader vLEI (verifiable Legal Entity Identifier) ecosystem, which is governed by . The vLEI ecosystem provides cryptographically verifiable credentials that attest to the identity and organizational roles of legal entities and their representatives.
Implementation Notes
Governance Compliance
Redundant credentials are a governance violation, not a technical limitation. Organizations implementing vLEI credential systems must:
Establish Issuance Controls: Implement processes to prevent duplicate credential issuance at the organizational level
Monitor Credential Lifecycle: Track all issued credentials to detect potential redundant issuance patterns
Enforce Complete Revocation: When revoking credentials, ensure all instances are revoked, not just selective instances
Audit Regularly: Conduct periodic audits of credential issuance and revocation practices
Report Violations: Establish mechanisms to report suspected redundant credential scenarios to governance authorities
Detection Considerations
While each redundant credential has a unique SAID, detecting redundant credentials requires governance-layer monitoring:
Within this ecosystem, Qualified vLEI Issuers (QVIs) serve as authorized credential issuers who have been qualified by GLEIF to issue specific types of vLEI credentials:
Legal Entity vLEI Credentials: Attest to the identity of legal entities
Official Organizational Role (OOR) vLEI Credentials: Attest to official roles within legal entities
Engagement Context Role (ECR) vLEI Credentials: Attest to functional or contextual roles
The redundant credential problem specifically affects QVIs' credential issuance practices and their adherence to governance framework requirements.
GLEIF Governance Framework
GLEIF maintains comprehensive governance frameworks that define acceptable practices for credential issuance, management, and revocation within the vLEI ecosystem. These frameworks establish:
Issuance policies: Requirements for when and how credentials should be issued
Lifecycle management: Proper handling of credentials from issuance through revocation
Accountability mechanisms: How QVIs are held responsible for their credential management practices
Verification procedures: How verifiers should validate credential status
The redundant credential scenario violates these governance principles by creating ambiguity in credential status and undermining the integrity of the revocation mechanism.
Related Governance Entities
Several entities within the vLEI governance structure interact with the redundant credential issue:
GLEIF: Provides root governance and qualifies QVIs
QVIs: Authorized issuers who must avoid creating redundant credentials
Legal Entities: Recipients of vLEI credentials who may be affected by redundant issuance
Authorized Representatives: Individuals who request and manage credentials on behalf of legal entities
Verifiers: Entities that validate credential status and may encounter confusion from redundant credentials
The Misbehavior Scenario
Problem Description
The governance concern arises from a specific misbehavior pattern:
Duplicate Issuance: A QVI issues two separate instances of the same credential to the same entity
Selective Revocation: The QVI subsequently revokes only one of these credential instances
Ambiguous State: The external world observes one valid credential remaining in circulation while another has been revoked
Verifiers may encounter different credential instances with different validity states
The intent behind the revocation becomes unclear (was it meant to fully revoke the credential or only one instance?)
The credential holder retains valid credentials despite apparent revocation action
Technical Feasibility vs. Governance Prohibition
Critically, the source documents emphasize that redundant credentials represent a governance issue rather than a technical impossibility. The underlying KERI protocol and ACDC credential format do not inherently prevent a QVI from:
Selectively revoking individual credential instances through their respective TELs
The phrase "it can be done this way" in the source documents acknowledges this technical capability while simultaneously marking it as not recommended practice. This distinction is important because it means:
Prevention requires governance enforcement, not just technical constraints
Detection mechanisms must be implemented at the governance layer
Accountability frameworks must address this specific misbehavior pattern
Auditing processes should monitor for redundant credential issuance
Credential Lifecycle Implications
Normal Credential Lifecycle
Under proper governance, a vLEI credential follows a clear lifecycle:
Issuance: QVI creates a single credential instance with a unique SAID
Active Period: The credential remains valid and verifiable
Revocation (if needed): A single revocation event updates the TEL to mark the credential as revoked
Post-Revocation: The credential is no longer valid for verification purposes
Corrupted Lifecycle with Redundant Credentials
When redundant credentials are issued, this lifecycle becomes corrupted:
Duplicate Issuance: Multiple credential instances (Credential A and Credential B) exist simultaneously
Independent TELs: Each credential has its own TEL tracking its status
Selective Revocation: Only Credential A's TEL is updated with a revocation event
Ambiguous State: Credential B remains valid while Credential A is revoked
Verification Confusion: Different verifiers may encounter different credential instances
Intent Uncertainty: The purpose of the revocation becomes unclear
Verification Procedures
For verifiers encountering potential redundant credentials:
SAID Verification: Each credential instance has a unique SAID derived from its content
TEL Checking: Verifiers must check the specific TEL associated with the credential instance they received
Issuer Validation: Verify that the credential was issued by an authorized QVI
Status Confirmation: Confirm the current status (issued, revoked, etc.) in the relevant TEL
Governance Compliance: Report suspected redundant credential scenarios to governance authorities
The challenge is that verifiers may not know whether other instances of the same credential exist, making it difficult to detect the redundant credential scenario without additional governance-layer monitoring.
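A sketch of the governance-layer monitoring described above, as an added example that is not code from the vLEI or KERI projects: it groups a QVI's issuance log by what each credential attests rather than by SAID, then flags instances that were valid at the same time. The record layout, the placeholder identifiers, the `role` attribute and the choice to treat revoke-then-reissue (no overlap in validity) as legitimate are assumptions of this example.

```python
import hashlib
import json
from collections import defaultdict
from itertools import combinations

def sample(said, schema, holder, role, issued, revoked=None):
    """Constructed registry row: ACDC-style labels plus the TEL revocation date."""
    return {"d": said, "i": "QVI_1", "s": schema,
            "a": {"i": holder, "dt": issued, "role": role}, "revoked_at": revoked}

# Constructed issuance log of one QVI; every identifier is a placeholder.
REGISTRY = [
    sample("SAID_A", "SCHEMA_OOR", "HOLDER_1", "CEO", "2024-01-10", "2024-03-01"),
    sample("SAID_B", "SCHEMA_OOR", "HOLDER_1", "CEO", "2024-01-12"),
    sample("SAID_C", "SCHEMA_OOR", "HOLDER_2", "CFO", "2024-02-01", "2024-04-01"),
    sample("SAID_D", "SCHEMA_OOR", "HOLDER_2", "CFO", "2024-05-01"),
    sample("SAID_E", "SCHEMA_ECR", "HOLDER_3", "Auditor", "2024-02-15"),
    sample("SAID_F", "SCHEMA_ECR", "HOLDER_3", "Auditor", "2024-02-20"),
]

PER_INSTANCE = {"d", "dt"}  # attribute fields that differ between identical claims

def claim_key(cred):
    """Digest of what is attested (issuer, schema, holder, claims), not of the instance."""
    claims = {k: v for k, v in cred["a"].items() if k not in PER_INSTANCE}
    blob = json.dumps([cred["i"], cred["s"], claims], sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

def overlaps(a, b):
    """True if both instances were valid at the same moment (ISO dates sort as text)."""
    end_a, end_b = a["revoked_at"] or "9999", b["revoked_at"] or "9999"
    return a["a"]["dt"] < end_b and b["a"]["dt"] < end_a

def find_redundant(registry):
    """Return (kind, said_1, said_2) for each pair of overlapping same-claim instances."""
    groups = defaultdict(list)
    for cred in registry:
        groups[claim_key(cred)].append(cred)
    findings = []
    for creds in groups.values():
        for a, b in combinations(creds, 2):
            if not overlaps(a, b):
                continue  # revoke-then-reissue: never two valid instances at once
            live = sum(c["revoked_at"] is None for c in (a, b))
            kind = ("duplicate-revoked", "selective-revocation", "duplicate-active")[live]
            findings.append((kind, a["d"], b["d"]))
    return findings

if __name__ == "__main__":
    for finding in find_redundant(REGISTRY):
        print(finding)
```

A single verifier sees only the instance it was handed, so this check has to run where the full issuance log is available, such as the QVI's own audit process.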
Revocation Conditions
Proper revocation under vLEI governance should:
Affect all instances: If a credential needs to be revoked, all instances should be revoked
Be unambiguous: The revocation intent should be clear and complete
Be auditable: Revocation actions should be traceable and explainable
Maintain integrity: The revocation mechanism should not be undermined by redundant issuance
The redundant credential scenario violates these principles by allowing partial revocation that leaves valid credentials in circulation.
Related Governance Documents
vLEI Ecosystem Governance Framework
The primary governance document addressing credential management practices is the vLEI Ecosystem Governance Framework, which establishes:
Information security policies for credential handling
Privacy requirements for credential data
Availability and integrity standards for credential systems
Processing integrity policies for credential lifecycle management
This framework applies to all vLEI ecosystem members, including QVIs, and defines the policies that redundant credential issuance violates.
QVI-Specific Governance Documents
Several governance documents specifically address QVI responsibilities:
Qualified vLEI Issuer vLEI Credential Governance Framework: Details requirements for QVIs to issue, verify, and revoke credentials properly
vLEI Issuer Qualification Agreement: Contractual obligations that QVIs accept when becoming qualified issuers
Legal Entity vLEI Credential Governance Framework: Requirements for issuing credentials to legal entities
Legal Entity Official Organizational Role vLEI Credential Governance Framework: Requirements for OOR credential issuance
Legal Entity Engagement Context Role vLEI Credential Governance Framework: Requirements for ECR credential issuance
Each of these frameworks implicitly prohibits redundant credential issuance by establishing clear, singular credential lifecycle expectations.
Technical Specifications
While redundant credentials are a governance issue, several technical specifications provide the foundation for proper credential management:
Effective Enforcement: Mechanisms to detect and address violations
Transparent Communication: Clear communication about governance expectations
Continuous Improvement: Evolution of governance frameworks to address emerging issues
Conclusion
Redundant credentials represent a significant governance challenge in the vLEI ecosystem. While the underlying KERI and ACDC technologies do not technically prevent this scenario, it is explicitly identified as a not-recommended practice that violates governance principles. The selective revocation of redundant credential instances creates ambiguity, undermines the integrity of the revocation mechanism, and erodes trust in the credential verification process.
Effective governance requires clear policies prohibiting redundant credential issuance, robust detection mechanisms to identify violations, and strong accountability measures to enforce compliance. As the vLEI ecosystem matures, both governance frameworks and technical implementations should evolve to prevent this misbehavior pattern and maintain the integrity of the credential lifecycle.
The distinction between technical capability and governance prohibition is crucial: just because redundant credentials can be issued does not mean they should be issued. Maintaining this governance discipline is essential for the long-term success and trustworthiness of the vLEI ecosystem.
Technical Constraints: Explore technical mechanisms to prevent duplicate issuance at the protocol level
Automated Detection: Implement automated systems to detect redundant credential patterns
Linked Revocation: Consider systems that automatically revoke all instances when any instance is revoked
Enhanced Accountability: Strengthen accountability measures for QVIs that issue redundant credentials
Transparency Mechanisms: Provide visibility into credential issuance patterns to enable community oversight