Comprehensive Explanation

verifiable-legal-entity-identifier

Official Definition

The verifiable Legal Entity Identifier (vLEI) is defined by GLEIF as a digital credential that provides cryptographic proof that information about a legal entity, as linked to its Legal Entity Identifier (LEI), is verifiably authentic, accurate, and up-to-date. These credentials are issued by authorized validation agents called Qualified vLEI Issuers (QVIs) who operate under the governance framework established by the Global Legal Entity Identifier Foundation (GLEIF).

Official Abbreviations:

• vLEI: verifiable Legal Entity Identifier
• LEI: Legal Entity Identifier (ISO 17442)
• GLEIF: Global Legal Entity Identifier Foundation
• QVI: Qualified vLEI Issuer

Source Governance Framework: vLEI Ecosystem Governance Framework v3.0, published by GLEIF

Canonical Definition: Verifiable credentials issued by authorized validation agents (QVIs) under GLEIF governance that provide cryptographic proof that information about a legal entity, as linked to its Legal Entity Identifier (LEI), is verifiably authentic, accurate, and up-to-date.

Governance Context

vLEI Ecosystem Role

The vLEI represents a fundamental evolution of the traditional LEI system, transforming a static identifier into a dynamic, cryptographically verifiable credential ecosystem. Within the vLEI ecosystem, the vLEI credential serves multiple critical functions:

1. Digital Identity Foundation: Establishes the cryptographically verifiable digital identity of legal entities in the KERI ecosystem
2. Trust Chain Anchor: Serves as the root credential from which organizational role credentials (OOR and ECR) are derived
3. Delegation Enabler: Allows legal entities to delegate authority to representatives through chained credentials
4. Interoperability Bridge: Connects traditional LEI infrastructure with modern decentralized identity systems

GLEIF Context

GLEIF operates as the root of trust for the entire vLEI ecosystem. The organization:

• Governs the vLEI Ecosystem Governance Framework
• Qualifies and authorizes QVIs to issue vLEI credentials
• Maintains the GLEIF Root AID as the cryptographic anchor
• Delegates authority through the GLEIF External Delegated AID (GEDA) to QVIs
• Oversees compliance with governance requirements

GLEIF's role extends beyond traditional LEI management to include:

• Establishing technical requirements for KERI infrastructure
• Defining credential schemas and validation rules
• Managing the qualification process for QVIs
• Providing governance for the entire credential lifecycle

Related Governance Entities

The vLEI ecosystem involves several key governance entities:

Qualified vLEI Issuers (QVIs):

• Organizations qualified by GLEIF to issue vLEI credentials
• Operate under contractual obligations defined in the vLEI Issuer Qualification Agreement
• Maintain technical infrastructure meeting GLEIF specifications
• Perform identity verification according to governance requirements

Legal Entities:

• Organizations holding valid LEIs
• Recipients of vLEI credentials from QVIs
• Controllers of their own AIDs in the KERI ecosystem
• Issuers of role credentials to their representatives

Designated Authorized Representatives (DARs):

• Individuals authorized by legal entities to manage vLEI operations
• Authority to execute qualification agreements
• Responsibility for designating Legal Entity Authorized Representatives (LARs)

Legal Entity Authorized Representatives (LARs):

• Representatives authorized by DARs to request credential operations
• Authority to request issuance and revocation of vLEI credentials
• Responsibility for identity verification of role holders

Roles & Responsibilities

Primary Responsibilities

The vLEI credential system establishes clear responsibilities across multiple roles:

GLEIF Responsibilities:

• Root Authority: Maintain the GLEIF Root AID as the cryptographic root of trust
• QVI Qualification: Qualify and authorize organizations to become QVIs
• Governance: Publish and maintain the vLEI Ecosystem Governance Framework
• Technical Standards: Define KERI infrastructure requirements and credential schemas
• Oversight: Monitor QVI compliance with governance requirements
• Delegation Management: Issue QVI credentials through the GEDA

QVI Responsibilities:

• Credential Issuance: Issue Legal Entity vLEI Credentials to qualified legal entities
• Identity Verification: Verify LEI validity and legal entity status
• Infrastructure: Maintain KERI infrastructure meeting GLEIF specifications
• Role Credential Support: Issue OOR and ECR credentials as authorized by legal entities
• Revocation Management: Revoke credentials when required by governance
• Reporting: Present issued credentials to the vLEI Reporting API

Legal Entity Responsibilities:

• AID Management: Maintain control over their KERI AID
• Representative Authorization: Designate and manage authorized representatives
• Credential Lifecycle: Request issuance and revocation of credentials
• Role Delegation: Issue authorization credentials for OOR and ECR roles
• Compliance: Maintain valid LEI status

LAR Responsibilities:

• Identity Verification: Verify identity of OOR and ECR persons
• Authorization: Issue QVI AUTH credentials authorizing role credential issuance
• Credential Management: Request issuance and revocation of role credentials
• OOBI Sessions: Conduct supervised identity verification sessions

Authority and Permissions

The vLEI ecosystem implements a hierarchical authority structure:

GLEIF Authority:

• Exclusive authority to issue QVI credentials
• Exclusive authority to qualify QVIs
• Ultimate authority over governance framework
• Delegated authority through GEDA to QVIs

QVI Authority:

• Delegated authority from GLEIF to issue Legal Entity credentials
• Conditional authority to issue role credentials (requires LAR authorization)
• Revocation authority for credentials they issued
• Verification authority for credentials in their scope

Legal Entity Authority:

• Control authority over their AID
• Authorization authority for role credentials
• Delegation authority to representatives
• Revocation authority for role credentials they authorized

LAR Authority:

• Request authority for credential operations
• Verification authority for role holder identities
• Authorization authority through QVI AUTH credentials

Limitations

The vLEI system imposes specific limitations:

GLEIF Limitations:

• Cannot issue credentials directly to legal entities (must use QVIs)
• Cannot bypass governance framework requirements
• Cannot unilaterally change governance without stakeholder process

QVI Limitations:

• Cannot issue role credentials without LAR authorization
• Cannot issue credentials to entities without valid LEIs
• Must maintain qualification status to continue operations
• Cannot modify credential schemas

Legal Entity Limitations:

• Cannot issue vLEI credentials to other entities
• Cannot authorize role credentials without valid Legal Entity credential
• Must maintain valid LEI to keep credentials active

LAR Limitations:

• Cannot issue credentials directly (must request through QVI)
• Cannot bypass identity verification requirements
• Authority limited to their specific legal entity

Credential Lifecycle

Issuance Process

The vLEI credential issuance process follows a structured workflow:

Phase 1: QVI Qualification

1. Organization applies to GLEIF for QVI qualification
2. GLEIF evaluates against qualification criteria
3. GLEIF issues QVI credential to qualified organization
4. QVI establishes required KERI infrastructure

Phase 2: Legal Entity Credential Issuance

1. Legal entity contracts with QVI for vLEI services
2. QVI verifies LEI validity in Global LEI System
3. QVI verifies LEI has Active Entity Status
4. Legal entity creates AID (single-sig or multi-sig)
5. QVI and legal entity exchange OOBIs
6. QVI issues Legal Entity vLEI Credential
7. QVI presents credential to vLEI Reporting API

Phase 3: Role Credential Authorization

1. Legal entity identifies individual for role credential
2. LAR performs identity verification (IAL2 minimum)
3. LAR conducts supervised OOBI session with role holder
4. LAR issues QVI AUTH credential to QVI
5. QVI verifies authorization credential

Phase 4: Role Credential Issuance

1. QVI verifies QVI AUTH credential validity
2. QVI issues OOR or ECR credential to role holder
3. QVI presents credential to vLEI Reporting API
4. Role holder can present credential to verifiers

Verification Procedures

Verification of vLEI credentials involves multiple validation steps:

Cryptographic Verification:

• Verify ACDC SAID integrity
• Verify issuer AID signatures
• Verify credential chain integrity
• Verify edge references to parent credentials

Status Verification:

• Check Transaction Event Log (TEL) for revocation status
• Verify credential is within validity period
• Verify issuer credential is still valid
• Verify LEI status in Global LEI System

Chain Verification:

• Verify QVI credential chains to GLEIF Root
• Verify Legal Entity credential chains to QVI
• Verify role credential chains to Legal Entity
• Verify authorization credentials for role credentials

Infrastructure Verification:

• Verify KEL integrity for all AIDs in chain
• Verify witness receipts for key events
• Verify OOBI resolution for discovery
• Verify registry anchoring for TEL

Revocation Conditions

vLEI credentials may be revoked under specific conditions:

QVI Credential Revocation:

• QVI fails Annual vLEI Issuer Qualification
• QVI fails to remediate qualification issues
• QVI's LEI lapses or is retired
• QVI voluntarily terminates services
• GLEIF determines governance violation

Legal Entity Credential Revocation:

• Legal entity's LEI lapses or is retired
• Legal entity requests revocation
• QVI determines credential was issued in error
• Legal entity loses Active Entity Status

Role Credential Revocation:

• Role holder leaves organization
• Legal entity requests revocation
• Authorization credential is revoked
• Parent Legal Entity credential is revoked
• QVI determines credential was issued in error

Grace Period: The vLEI system includes a 90-day grace period for credential transitions, allowing time for:

• Renewal of credentials
• Transfer to new QVI
• Resolution of temporary issues
• Orderly credential lifecycle management

Related Governance Documents

Primary Governance Framework

vLEI Ecosystem Governance Framework v3.0

• Primary document: vLEI Ecosystem Governance Framework v3.0 Primary Document
• Establishes overall governance structure
• Defines core policies and principles
• Specifies stakeholder roles and responsibilities

Technical Requirements

Part 1: KERI Infrastructure

• Document: Technical Requirements Part 1 - KERI Infrastructure
• Specifies KERI protocol requirements
• Defines witness and watcher configurations
• Establishes key management standards
• Mandates cryptographic strength requirements

Part 2: vLEI Credentials

• Document: Technical Requirements Part 2 - vLEI Credentials
• Defines ACDC implementation requirements
• Specifies credential schemas
• Establishes SAID and signature requirements
• Mandates IPEX protocol compliance

Part 3: Credential Schema Registry

• Document: Technical Requirements Part 3 - Credential Schema Registry
• Establishes schema versioning requirements
• Defines SAID-based schema identification
• Specifies JSON Schema compliance
• Mandates semantic versioning

Credential-Specific Frameworks

QVI Credential Framework

• Document: Qualified vLEI Issuer Identifier Governance Framework and vLEI Credential Framework
• Defines QVI qualification requirements
• Establishes QVI credential structure
• Specifies delegation requirements
• Mandates multi-signature configurations

Legal Entity Credential Framework

• Document: Legal Entity vLEI Credential Framework
• Defines Legal Entity credential requirements
• Establishes identity verification procedures
• Specifies multi-signature requirements
• Mandates LEI validation procedures

OOR Credential Framework

• Document: Legal Entity Official Organizational Role vLEI Credential Framework
• Defines OOR credential requirements
• Establishes identity verification procedures
• Specifies authorization requirements
• Mandates OOBI session procedures

ECR Credential Framework

• Document: Legal Entity Engagement Context Role vLEI Credential Framework
• Defines ECR credential requirements
• Establishes identity verification procedures
• Specifies authorization requirements
• Mandates OOBI session procedures

Authorization Credential Framework

• Document: Qualified vLEI Issuer Authorization vLEI Credential Framework
• Defines QVI AUTH credential requirements
• Establishes authorization procedures
• Specifies multi-signature requirements
• Mandates identity verification procedures

Supporting Documents

Information Trust Policies

• Document: vLEI Ecosystem Information Trust Policies
• Establishes security requirements
• Defines privacy policies
• Specifies availability requirements
• Mandates confidentiality policies

Risk Assessment

• Document: vLEI Ecosystem Risk Assessment
• Identifies ecosystem risks
• Establishes mitigation strategies
• Defines risk management procedures
• Specifies monitoring requirements

Trust Assurance Framework

• Document: vLEI Ecosystem Trust Assurance Framework
• Establishes compliance requirements
• Defines audit procedures
• Specifies certification requirements
• Mandates reporting procedures

Glossary

• Document: vLEI Ecosystem Governance Framework Glossary
• Defines all capitalized terms
• Establishes canonical terminology
• Provides authoritative definitions
• Ensures consistent interpretation

Qualification Documents

QVI Qualification Agreement

• Contractual document between GLEIF and QVI
• Establishes legal obligations
• Defines service level requirements
• Specifies termination conditions
• Mandates compliance requirements

QVI Qualification Program Checklist

• Appendix to Qualification Agreement
• Defines qualification criteria
• Establishes verification procedures
• Specifies documentation requirements
• Mandates certification requirements

Non-Disclosure Agreement

• Appendix to Qualification Agreement
• Establishes confidentiality requirements
• Defines protected information
• Specifies disclosure restrictions
• Mandates breach notification

Implementation Significance

The vLEI represents a transformative approach to organizational digital identity by:

1. Bridging Traditional and Decentralized Systems: Connecting the established LEI infrastructure with modern KERI-based decentralized identity
2. Enabling Automated Verification: Providing machine-verifiable credentials that eliminate manual verification processes
3. Supporting Regulatory Compliance: Offering cryptographically verifiable proof of organizational identity for regulatory reporting
4. Facilitating Cross-Border Transactions: Enabling trusted digital interactions across jurisdictions
5. Protecting Privacy: Supporting selective disclosure and graduated revelation of organizational information
6. Ensuring Portability: Allowing credentials to be used across different platforms and applications
7. Maintaining Governance: Preserving GLEIF's oversight while enabling decentralized operations

The vLEI ecosystem demonstrates how traditional identity infrastructure can be enhanced with cryptographic verifiability while maintaining governance, compliance, and regulatory oversight.