Unsolicited issuance represents one of two primary credential issuance pathways within the vLEI ecosystem, which is governed by GLEIF as the root authority for the Global Legal Entity Identifier System. The vLEI ecosystem implements a hierarchical trust structure where:

1. GLEIF serves as the root trust anchor, controlling the GLEIF External Delegated AID (GEDA)
2. Qualified vLEI Issuers (QVIs) operate as intermediate trust anchors, authorized by GLEIF to issue vLEI credentials
3. Legal Entities receive vLEI credentials that cryptographically bind their LEI to KERI-based autonomic identifiers (AIDs)
4. Individual representatives of Legal Entities receive role-based credentials (OOR and ECR credentials)

GLEIF Governance Framework Integration

Unsolicited issuance operates within the constraints established by multiple governance documents:

• vLEI Ecosystem Governance Framework (primary governance document)
• vLEI Issuer Qualification Agreement (contractual obligations for QVIs)
• Legal Entity vLEI Credential Governance Framework (specific requirements for Legal Entity credentials)
• Identity Assurance and Identity Authentication procedures (verification requirements)

The unsolicited issuance pathway exists to accommodate scenarios where:

• Third parties (such as business partners, regulators, or ecosystem participants) initiate credential requests on behalf of Legal Entities
• Proactive credential provisioning is necessary for ecosystem onboarding
• Legal Entities may not yet have established their own AVR infrastructure

Relationship to KERI Protocol

While unsolicited issuance is a governance concept, it operates on top of the KERI protocol infrastructure. The actual credential issuance involves:

• ACDC (Authentic Chained Data Container) credentials as the technical format
• KEL (Key Event Log) anchoring for cryptographic verifiability
• TEL (Transaction Event Log) for credential lifecycle management (issuance/revocation state)
• IPEX (Issuance and Presentation Exchange) protocol for credential exchange

However, the governance decision of whether to use solicited vs. unsolicited issuance pathways is independent of these technical mechanisms.

Roles & Responsibilities

QVI Authorized Representative (QAR)

The QAR plays the central role in unsolicited issuance:

Primary Responsibilities:

• Receive and validate requests for Legal Entity vLEI Credentials that originate from third parties
• Conduct required Identity Assurance procedures to verify the Legal Entity's identity and LEI validity
• Notify the Legal Entity's AVR(s) that a credential has been solicited on their behalf
• Issue the Legal Entity vLEI Credential upon completion of verification procedures
• Maintain records of the issuance process for audit and compliance purposes

Authority and Permissions:

• QARs operate under the authority delegated by their parent QVI
• QARs have the authority to issue Legal Entity vLEI Credentials without requiring a fully signed request from AVRs
• QARs must comply with the vLEI Issuer Qualification Agreement and associated governance frameworks

Limitations:

• QARs cannot issue credentials without completing required Identity Assurance procedures
• QARs must provide notification to AVRs before or concurrent with credential issuance
• QARs remain accountable for the accuracy and validity of issued credentials

Authorized vLEI Representative (AVR)

The AVR has a passive but critical role in unsolicited issuance:

Primary Responsibilities:

• Receive notification from the QAR that a Legal Entity vLEI Credential has been solicited
• Review the issued credential and verify its accuracy
• Accept or potentially challenge the credential if it contains errors or was issued inappropriately
• Manage the credential lifecycle after issuance (including potential revocation requests)

Authority and Permissions:

• AVRs are designated by the Legal Entity's Designated Authorized Representative (DAR)
• AVRs have authority to request issuance and revocation of various vLEI credential types
• In unsolicited issuance, AVRs do not initiate the issuance request but retain authority over the credential post-issuance

Limitations:

• AVRs cannot prevent unsolicited issuance once a valid third-party request has been processed
• AVRs must work through QARs for credential lifecycle management
• AVRs' authority is limited to the specific Legal Entity they represent

Legal Entity

The Legal Entity is the subject of the unsolicited issuance:

Primary Responsibilities:

• Maintain valid LEI registration with a Local Operating Unit (LOU)
• Designate appropriate representatives (DARs and AVRs) to manage vLEI credentials
• Ensure accuracy of information in issued credentials
• Comply with vLEI ecosystem governance requirements

Authority and Permissions:

• Legal Entities control their vLEI credentials through their designated representatives
• Legal Entities can request revocation of credentials through their AVRs
• Legal Entities can authorize additional representatives through role-based credentials

Limitations:

• Legal Entities cannot directly issue or revoke credentials (must work through QVIs/QARs)
• Legal Entities must maintain valid LEI status for credential validity
• Legal Entities are bound by the governance frameworks governing their credentials

Third-Party Requestors

While not explicitly defined in the governance documents, unsolicited issuance implies the existence of third-party requestors who:

• Initiate credential requests on behalf of Legal Entities
• May include business partners, ecosystem participants, or regulatory bodies
• Must provide sufficient information for QARs to conduct Identity Assurance
• Do not receive direct authority over the issued credentials

Credential Lifecycle in Unsolicited Issuance

Issuance Process

The unsolicited issuance process follows these governance-mandated steps:

1. Third-Party Solicitation

• A third party identifies a need for a Legal Entity to have a vLEI credential
• The third party contacts a QVI or QAR with the request
• The request includes the Legal Entity's LEI and relevant identifying information

2. Identity Assurance Procedures

• The QAR conducts Identity Assurance procedures as defined in the Legal Entity vLEI Credential Governance Framework
• This includes verifying:
  • The Legal Entity's LEI is valid and current
  • The Legal Entity exists and is properly registered
  • The information provided matches authoritative sources
• The QAR may need to contact the Legal Entity directly for verification

3. AVR Notification

• The QAR identifies the Legal Entity's AVR(s)
• The QAR sends notification that a Legal Entity vLEI Credential has been solicited on the entity's behalf
• This notification may occur before or concurrent with credential issuance

4. Credential Issuance

• Upon successful completion of Identity Assurance, the QAR issues the Legal Entity vLEI Credential
• The credential is issued as an ACDC and anchored to the QVI's KEL
• The credential's issuance state is recorded in a TEL (Transaction Event Log)
• The credential cryptographically binds the Legal Entity's LEI to a KERI AID

5. Credential Delivery

• The credential is made available to the Legal Entity's AVRs
• The credential may be delivered through IPEX protocol exchanges
• The Legal Entity gains control over the credential through its designated representatives

Verification Procedures

Once issued through unsolicited issuance, the credential undergoes the same verification procedures as any vLEI credential:

Technical Verification:

• Verifiers validate the credential's cryptographic signatures
• The credential's SAID (Self-Addressing Identifier) ensures content integrity
• The credential's anchoring to the QVI's KEL provides provenance
• The credential's TEL entry confirms current issuance/revocation state

Governance Verification:

• Verifiers confirm the issuing QVI is qualified by GLEIF
• Verifiers check that the credential conforms to the Legal Entity vLEI Credential Governance Framework
• Verifiers validate that the Legal Entity's LEI is current and valid

Revocation Conditions

Credentials issued through unsolicited issuance can be revoked under the same conditions as solicited credentials:

Mandatory Revocation Triggers:

• The Legal Entity's LEI becomes invalid or lapses
• The Legal Entity ceases to exist (dissolution, merger, etc.)
• Material errors are discovered in the credential content
• The QVI's qualification is revoked by GLEIF

Discretionary Revocation:

• The Legal Entity requests revocation through its AVRs
• The QVI determines the credential was issued in error
• Governance framework requirements change in ways that invalidate the credential

Revocation Process:

• AVRs submit a revocation request to the QAR
• The QAR validates the revocation request
• The QAR updates the credential's TEL to reflect revoked status
• The revocation is cryptographically anchored to the QVI's KEL
• Verifiers can detect the revoked status through TEL queries

Comparison with Solicited Issuance

Understanding unsolicited issuance requires contrasting it with solicited issuance:

Solicited Issuance Characteristics

Solicited issuance occurs when:

• AVR(s) of a Legal Entity submit a fully signed issuance request to a QAR
• The request is initiated by the Legal Entity's authorized representatives
• The QAR issues the credential in direct response to this request

Credential Types:

• Legal Entity vLEI Credentials
• OOR vLEI Credentials (Official Organizational Role)
• ECR vLEI Credentials (Engagement Context Role)

Key Differences

Governance Rationale

The vLEI ecosystem supports both pathways because:

Solicited issuance provides:

• Direct Legal Entity control over credential issuance
• Clear authorization chain from entity to credential
• Explicit consent for credential creation

Unsolicited issuance enables:

• Ecosystem-driven onboarding of Legal Entities
• Third-party facilitation of vLEI adoption
• Proactive credential provisioning for business relationships
• Reduced friction in ecosystem participation

Both pathways maintain the same cryptographic security and governance compliance requirements, differing only in the initiation mechanism.

Related Governance Documents

Primary Governance Framework

vLEI Ecosystem Governance Framework v3.0 (December 15, 2023)

• Establishes overall governance structure for the vLEI ecosystem
• Defines roles, responsibilities, and processes for all ecosystem participants
• Provides the authoritative context for unsolicited issuance procedures
• Source: GLEIF official documentation

Credential-Specific Frameworks

Legal Entity vLEI Credential Governance Framework

• Details specific requirements for Legal Entity vLEI Credentials
• Establishes Identity Assurance and Identity Authentication procedures
• Defines credential content requirements and validation rules
• Applies to credentials issued through both solicited and unsolicited pathways

Legal Entity Official Organizational Role vLEI Credential Governance Framework

• Governs OOR credentials for official representatives
• Note: OOR credentials are issued through solicited issuance only
• Provides context for the broader credential ecosystem

Legal Entity Engagement Context Role vLEI Credential Governance Framework

• Governs ECR credentials for functional representatives
• Note: ECR credentials are issued through solicited issuance only
• Demonstrates the credential hierarchy within Legal Entities

Contractual and Operational Documents

vLEI Issuer Qualification Agreement

• Contractual agreement between GLEIF and QVIs
• Establishes QVI obligations, including proper handling of unsolicited issuance
• Defines accountability and liability for credential issuance
• Includes audit and compliance requirements

Qualified vLEI Issuer vLEI Credential Governance Framework

• Governs the credentials issued by GLEIF to QVIs
• Establishes the authority chain enabling QVIs to issue Legal Entity credentials
• Defines QVI qualification and ongoing compliance requirements

Technical Specifications

While unsolicited issuance is a governance concept, it relies on technical specifications:

ACDC Specification (Authentic Chained Data Container)

• Defines the technical format for vLEI credentials
• Establishes SAID-based content integrity
• Provides selective disclosure and graduated disclosure capabilities
• Source: Trust Over IP Foundation

IPEX Specification (Issuance and Presentation Exchange)

• Defines protocols for credential issuance and presentation
• Establishes KERI-based authentication mechanisms
• Provides the technical foundation for credential exchange between QARs and AVRs
• Source: Trust Over IP Foundation

KERI Specification (Key Event Receipt Infrastructure)

• Provides the underlying identifier and key management infrastructure
• Establishes KEL-based identifier control
• Enables witness-based consensus for key events
• Source: IETF KERI Working Group

Governance Implications and Considerations

Trust Model Implications

Unsolicited issuance introduces specific trust considerations:

For Legal Entities:

• Must trust that QARs will conduct proper Identity Assurance
• Must trust that third-party requestors have legitimate reasons for solicitation
• Must monitor for unauthorized or erroneous credential issuance
• Retain ultimate control through AVR-initiated revocation

For Verifiers:

• Can trust that credentials issued through unsolicited issuance undergo the same verification as solicited credentials
• Should verify credential status through TEL queries
• Can rely on the same cryptographic guarantees regardless of issuance pathway

For QVIs/QARs:

• Must maintain consistent Identity Assurance standards across both pathways
• Must ensure proper notification to AVRs
• Bear accountability for credential accuracy regardless of initiation source

Privacy and Consent Considerations

Unsolicited issuance raises important privacy questions:

Consent Model:

• Legal Entities do not explicitly consent to unsolicited issuance
• Notification to AVRs provides awareness but not prior consent
• Legal Entities retain control through post-issuance revocation rights

Data Minimization:

• Credentials should contain only necessary information
• Selective disclosure capabilities enable privacy-preserving presentations
• Legal Entities control how credentials are presented to verifiers

Regulatory Compliance:

• Must comply with data protection regulations (GDPR, etc.)
• Legal Entities must be able to exercise data subject rights
• QVIs must maintain appropriate data processing agreements

Operational Considerations

For QVIs implementing unsolicited issuance:

• Must establish clear procedures for accepting third-party requests
• Must implement robust Identity Assurance processes
• Must ensure reliable AVR notification mechanisms
• Must maintain audit trails for compliance verification

For Legal Entities receiving unsolicited credentials:

• Should establish monitoring for credential issuance notifications
• Should implement procedures for reviewing and validating unsolicited credentials
• Should train AVRs on appropriate responses to unsolicited issuance
• Should maintain policies for when to accept vs. revoke unsolicited credentials

Ecosystem Evolution and Future Directions

The unsolicited issuance pathway reflects the vLEI ecosystem's maturation:

Current State:

• Defined in governance frameworks since early versions
• Enables ecosystem-driven adoption
• Supports business relationship facilitation

Potential Evolution:

• May expand to additional credential types beyond Legal Entity credentials
• Could incorporate more sophisticated consent mechanisms
• May integrate with automated business relationship establishment
• Could enable programmatic credential provisioning for ecosystem onboarding

Governance Challenges:

• Balancing ecosystem growth with Legal Entity autonomy
• Ensuring appropriate safeguards against abuse
• Maintaining consistent quality across issuance pathways
• Adapting to evolving regulatory requirements

The unsolicited issuance pathway demonstrates the vLEI ecosystem's flexibility in accommodating diverse business needs while maintaining rigorous governance and cryptographic security standards.