Source Governance Framework

The authoritative source for this definition is the vLEI Ecosystem Governance Framework v3.0, specifically the Glossary v1.3 published by GLEIF (Global Legal Entity Identifier Foundation) on December 15, 2023. This framework establishes the complete governance structure for the verifiable Legal Entity Identifier ecosystem.

Governance Context

Position in vLEI Ecosystem Architecture

Solicited issuance represents one of two primary credential issuance pathways within the vLEI ecosystem, contrasting with unsolicited issuance. This dual-pathway architecture provides flexibility in how credentials enter the ecosystem while maintaining strict governance controls.

The solicited issuance pathway sits within a hierarchical trust structure:

1. Root Authority: GLEIF maintains the root AID and delegates authority to QVIs
2. Intermediate Trust Anchors: QVIs operate under contractual obligations defined in the vLEI Issuer Qualification Agreement
3. QVI Representatives: QARs execute credential issuance on behalf of their QVI
4. Legal Entity Representatives: AVRs request credentials on behalf of their Legal Entity
5. Credential Recipients: Legal Entities and their representatives receive vLEI credentials

GLEIF Governance Role

GLEIF serves as the governance authority for the entire vLEI ecosystem, establishing:

• Qualification procedures for QVIs through Annual and Extraordinary vLEI Issuer Qualification processes
• Contractual frameworks including the vLEI Issuer Qualification Agreement
• Credential frameworks defining requirements for each credential type
• Identity assurance standards that must be met before credential issuance
• Audit and compliance mechanisms to ensure ecosystem integrity

Solicited issuance operates within these governance constraints, ensuring that even request-driven credential issuance maintains the integrity of the vLEI Chain of Trust.

Related Governance Entities

The solicited issuance process involves multiple governance-defined entities:

• Qualified vLEI Issuers (QVIs): Organizations that have undergone formal qualification by GLEIF and are authorized to issue vLEI credentials
• QVI Authorized Representatives (QARs): Individuals authorized by a QVI to execute credential issuance operations
• Legal Entities: Organizations with LEI codes that are the subjects of Legal Entity vLEI Credentials
• Authorized vLEI Representatives (AVRs): Individuals authorized by a Legal Entity to request credential issuance and revocation
• Designated Authorized Representatives (DARs): Legal Entity representatives who can designate/replace AVRs and authorize certain governance actions

Roles & Responsibilities

QVI Authorized Representative (QAR) Responsibilities

In the solicited issuance workflow, the QAR bears primary responsibility for:

1. Request Reception and Validation

   • Receiving fully signed issuance requests from AVRs
   • Verifying the cryptographic signatures on the request
   • Confirming the AVR has proper authorization from the Legal Entity
   • Validating that the request conforms to the applicable credential framework requirements

2. Identity Assurance Verification

   • Ensuring required identity assurance procedures have been completed
   • Verifying identity authentication has been performed according to framework standards
   • Confirming all prerequisite credentials are valid and not revoked

3. Credential Issuance Execution

   • Creating the requested vLEI credential as an ACDC
   • Signing the credential with the QVI's authoritative keys
   • Anchoring the credential issuance to the KEL through interaction events
   • Recording the issuance in the appropriate transaction event log (TEL)

4. Credential Delivery

   • Transmitting the issued credential to the AVR or designated recipient
   • Providing necessary verification information
   • Ensuring secure delivery through appropriate channels

Authorized vLEI Representative (AVR) Responsibilities

The AVR initiates the solicited issuance process and is responsible for:

1. Request Preparation

   • Gathering required information for the credential request
   • Ensuring accuracy and completeness of request data
   • Preparing the request in the format specified by the credential framework

2. Request Signing

   • Cryptographically signing the issuance request with their authoritative keys
   • In multi-signature scenarios, coordinating with other AVRs to obtain required signatures
   • Ensuring the signature meets the signing threshold requirements

3. Request Submission

   • Transmitting the fully signed request to the appropriate QAR
   • Providing any additional documentation required by the credential framework
   • Responding to any clarification requests from the QAR

4. Credential Management

   • Receiving and verifying the issued credential
   • Distributing the credential to the intended recipient (if different from the AVR)
   • Managing the credential lifecycle including potential future revocation requests

Authority and Permissions

QAR Authority Scope

The QAR operates under delegated authority from their QVI, which in turn operates under authority delegated from GLEIF. This authority includes:

• Issuance Authority: Permission to issue the three credential types (Legal Entity, OOR, ECR) within the solicited issuance pathway
• Verification Authority: Responsibility to verify request validity and completeness
• Rejection Authority: Ability to reject requests that do not meet framework requirements

The QAR does not have authority to:

• Modify credential framework requirements
• Issue credentials without proper requests (except through unsolicited issuance procedures)
• Waive identity assurance requirements
• Issue credentials for Legal Entities not properly registered in GLEIS

AVR Authority Scope

The AVR operates under authority granted by the Legal Entity's DAR. This authority includes:

• Request Authority: Permission to request issuance of specific credential types
• Revocation Request Authority: Ability to request revocation of previously issued credentials
• Representation Authority: Authorization to act on behalf of the Legal Entity in credential matters

The AVR does not have authority to:

• Designate or replace other AVRs (this is a DAR function)
• Modify the Legal Entity's LEI information
• Issue credentials directly (only request issuance)
• Override QAR decisions on request acceptance/rejection

Limitations and Constraints

The solicited issuance process operates under several critical limitations:

1. Credential Type Restrictions: Solicited issuance applies only to:

   • Legal Entity vLEI Credentials
   • OOR vLEI Credentials
   • ECR vLEI Credentials

   Other credential types (such as QVI credentials issued by GLEIF) follow different issuance procedures.

2. Request Signature Requirements: The issuance request must be "fully signed," meaning:

   • All required AVR signatures must be present
   • Signatures must meet the signing threshold defined for the Legal Entity
   • Signatures must be cryptographically valid and verifiable against the KEL

3. Identity Assurance Prerequisites: Credentials cannot be issued through solicited issuance until:

   • Required identity assurance procedures have been completed
   • Identity authentication has been performed
   • All prerequisite credentials are valid and not revoked

4. Temporal Constraints: The solicited issuance process must respect:

   • Credential validity periods defined in the frameworks
   • QVI qualification status (credentials cannot be issued by unqualified QVIs)
   • Legal Entity LEI validity (credentials cannot be issued for lapsed LEIs)

Credential Lifecycle in Solicited Issuance

Issuance Process Flow

The solicited issuance process follows a structured workflow:

Phase 1: Request Preparation

1. Authorization Verification: The AVR confirms their authorization status with the Legal Entity
2. Information Gathering: Required data elements are collected:
   • Legal Entity LEI code
   • Recipient AID (for OOR/ECR credentials)
   • Role information (for OOR/ECR credentials)
   • Credential validity period
   • Any additional attributes required by the credential framework
3. Request Formatting: The request is structured according to the applicable credential framework specification

Phase 2: Request Signing

1. Signature Generation: The AVR signs the request using their authoritative key pair
2. Multi-Signature Coordination (if applicable): Additional AVRs add their signatures to meet threshold requirements
3. Signature Verification: The AVR verifies all signatures are properly attached and valid

Phase 3: Request Submission

1. QAR Selection: The AVR identifies the appropriate QAR for the request
2. Secure Transmission: The fully signed request is transmitted through secure channels
3. Receipt Confirmation: The QAR acknowledges receipt of the request

Phase 4: Request Processing

1. Initial Validation: The QAR performs preliminary checks:
   • Request format compliance
   • Signature validity
   • AVR authorization status
2. Identity Assurance Verification: The QAR confirms required procedures have been completed
3. Prerequisite Verification: Any prerequisite credentials are verified as valid and not revoked
4. Framework Compliance Check: The request is verified against all applicable credential framework requirements

Phase 5: Credential Creation

1. ACDC Construction: The QAR creates the credential as an ACDC:
   • Attributes section populated with credential data
   • Edges section linking to prerequisite credentials
   • Rules section including legal disclaimers
   • SAID computed for each section and the credential as a whole
2. Credential Signing: The QVI's authoritative keys sign the credential
3. KEL Anchoring: The credential issuance is anchored to the QVI's KEL through an interaction event
4. TEL Recording: The issuance is recorded in the appropriate transaction event log

Phase 6: Credential Delivery

1. Credential Packaging: The issued credential is packaged with necessary verification information
2. Secure Transmission: The credential is delivered to the AVR or designated recipient
3. Delivery Confirmation: Receipt is confirmed through appropriate mechanisms

Verification Procedures

Once issued through solicited issuance, credentials undergo verification by validators and verifiers:

1. Signature Verification: The QVI's signature on the credential is verified against their KEL
2. SAID Verification: All SAIDs in the credential are recomputed and verified for integrity
3. Chain Verification: The credential chain is verified through the edges section:
   • Legal Entity vLEI Credential links to QVI credential
   • OOR/ECR credentials link to Legal Entity credential
4. Status Verification: The credential's revocation status is checked in the TEL
5. Temporal Verification: The credential's validity period is verified against current time

Revocation Conditions

Credentials issued through solicited issuance may be revoked under several conditions:

1. AVR-Requested Revocation: The AVR submits a fully signed revocation request to the QAR
2. Prerequisite Revocation: If a prerequisite credential in the chain is revoked, dependent credentials may be automatically revoked
3. LEI Lapse: If the Legal Entity's LEI code lapses or is invalidated, associated credentials are revoked
4. QVI Disqualification: If the issuing QVI loses qualification, their issued credentials may be revoked
5. Governance Violation: Credentials may be revoked if governance framework violations are discovered

Revocation is recorded in the TEL and anchored to the QVI's KEL, making the revocation end-verifiable and duplicity-evident.

Comparison with Unsolicited Issuance

Understanding solicited issuance requires contrasting it with unsolicited issuance:

Solicited Issuance Characteristics

• Initiation: Legal Entity initiates through AVR request
• Control: Legal Entity has direct control over timing and content
• Signature Requirement: Requires fully signed request from AVR(s)
• Use Cases: Preferred for planned credential needs, role assignments, and proactive identity management
• Credential Types: Legal Entity, OOR, and ECR credentials

Unsolicited Issuance Characteristics

• Initiation: QAR initiates with notice to AVR(s)
• Control: QVI has more control over timing
• Signature Requirement: Notice provided but full request signature not required upfront
• Use Cases: Useful for bulk issuance, initial ecosystem onboarding, or time-sensitive situations
• Credential Types: Primarily Legal Entity vLEI Credentials

Both pathways maintain equivalent security and governance standards, differing primarily in workflow initiation and control.

Related Governance Documents

Primary Governance Framework

vLEI Ecosystem Governance Framework v3.0 (December 2023)

• Establishes overall governance structure for the vLEI ecosystem
• Defines roles, responsibilities, and procedures for all participants
• Specifies credential frameworks and issuance pathways
• Available through GLEIF official channels

Credential Framework Documents

Legal Entity vLEI Credential Framework

• Details requirements for Legal Entity vLEI Credentials
• Specifies identity assurance procedures
• Defines credential schema and attributes
• Establishes issuance and revocation procedures

Legal Entity Official Organizational Role vLEI Credential Framework

• Governs OOR credential issuance
• Defines official role types and requirements
• Specifies relationship to Legal Entity credentials
• Establishes verification procedures for official roles

Legal Entity Engagement Context Role vLEI Credential Framework

• Governs ECR credential issuance
• Defines engagement context role types
• Specifies functional role requirements
• Establishes procedures for context-specific authorizations

Contractual Documents

vLEI Issuer Qualification Agreement

• Contractual agreement between GLEIF and QVIs
• Establishes QVI obligations and responsibilities
• Defines qualification maintenance requirements
• Specifies audit and compliance procedures

Technical Specifications

ACDC Specification (Authentic Chained Data Container)

• Defines the technical structure of vLEI credentials
• Specifies SAID computation and verification
• Establishes chaining mechanisms through edges
• Available through Trust Over IP Foundation

KERI Specification (Key Event Receipt Infrastructure)

• Defines the underlying identifier and key management infrastructure
• Specifies KEL structure and verification
• Establishes witness and watcher protocols
• Available through IETF and Trust Over IP Foundation

CESR Specification (Composable Event Streaming Representation)

• Defines encoding for cryptographic primitives
• Specifies text and binary domain representations
• Establishes composability requirements
• Available through IETF and Trust Over IP Foundation

Policy Documents

vLEI Ecosystem Information Trust Policies

• Defines information security requirements
• Establishes privacy and confidentiality standards
• Specifies data processing integrity requirements
• Governs availability and reliability standards

Identity Assurance Procedures

• Details required identity verification steps
• Specifies acceptable evidence types
• Establishes verification standards for different credential types
• Defines identity authentication requirements

Technical Implementation Considerations

While solicited issuance is primarily a governance concept, its implementation relies on several technical mechanisms:

Request Structure

The issuance request submitted by AVRs is structured as a cryptographically signed message containing:

• Credential type identifier
• Required attribute values
• Recipient AID (for OOR/ECR credentials)
• Requested validity period
• AVR signatures meeting threshold requirements

Signature Verification

The QAR verifies request signatures by:

1. Extracting the AVR AIDs from the signatures
2. Retrieving the current key state from each AVR's KEL
3. Verifying signatures against the current authoritative keys
4. Confirming the signature set meets the Legal Entity's signing threshold

Credential Anchoring

Issued credentials are anchored to the QVI's KEL through interaction events that include seals referencing the credential SAID. This anchoring provides:

• Temporal ordering of credential issuance
• Cryptographic binding to the issuer's key state
• End-verifiable proof of issuance
• Duplicity-evident issuance records

Status Management

Credential status (issued, revoked) is managed through transaction event logs (TELs) that:

• Record issuance events
• Record revocation events
• Provide verifiable status history
• Enable efficient status queries by validators

Ecosystem Benefits

The solicited issuance pathway provides several benefits to the vLEI ecosystem:

Legal Entity Control

Legal Entities maintain direct control over their credential lifecycle, enabling:

• Proactive identity management
• Planned role assignments
• Coordinated credential deployment
• Responsive credential revocation

Audit Trail

The fully signed request requirement creates a clear audit trail showing:

• Who requested the credential
• When the request was made
• What information was included in the request
• Which QAR processed the request

Governance Compliance

The structured request-response workflow ensures:

• All framework requirements are met
• Identity assurance procedures are completed
• Authorization chains are properly established
• Credential issuance is properly documented

Scalability

The solicited issuance pathway scales effectively because:

• Requests can be processed asynchronously
• Multiple QARs can process requests in parallel
• Automated validation reduces manual processing
• Clear requirements minimize back-and-forth communication

Conclusion

Solicited issuance represents a fundamental credential issuance pathway in the vLEI ecosystem, providing Legal Entities with direct control over their credential lifecycle while maintaining strict governance standards. By requiring fully signed requests from Authorized vLEI Representatives, the solicited issuance process ensures that credentials are issued only when explicitly requested by authorized parties, creating clear audit trails and maintaining the integrity of the vLEI Chain of Trust.

The solicited issuance pathway complements unsolicited issuance to provide flexibility in credential deployment while ensuring all issuance activities remain within the governance framework established by GLEIF. Understanding solicited issuance is essential for Legal Entities, QVIs, and other ecosystem participants who need to navigate the credential issuance process effectively.