A vLEI credential is a verifiable credential concerning a Legal Entity Identifier that resides in the Global LEI System (GLEIS) and complies with one or more GLEIF governance frameworks, providing cryptographically verifiable proof of legal entity information and organizational roles.
Comprehensive Explanation
vlei-credential
Official Definition
A vLEI credential (verifiable Legal Entity Identifier credential) is formally defined as a credential that:
Resides in the GLEIS (Global Legal Entity Identifier System)
Must be compliant with one or more GLEIF governance frameworks
The vLEI represents the cryptographically secure digital counterpart of the traditional Legal Entity Identifier, providing organizations and their representatives with verifiable digital identities. According to GLEIF's official documentation, vLEI credentials are based on the Trust over IP Authentic Chained Data Container (ACDC) specification and utilize the KERI protocol as the underlying infrastructure.
Implementers must carefully select the appropriate vLEI credential type for their use case:
QVI Credentials: Only for organizations qualified by GLEIF to issue vLEI credentials
Legal Entity Credentials: For organizations with valid LEIs requiring verifiable organizational identity
OOR Credentials: For individuals in official organizational roles (CEO, CFO, Board Members)
ECR Credentials: For individuals in functional or engagement-specific roles (consultants, project managers)
Authorization Patterns
The vLEI ecosystem implements a cooperative authorization pattern where Legal Entities must explicitly authorize QVIs to issue role credentials. This requires:
Legal Entity issues OOR/ECR Authorization credential to QVI
Authorization credential specifies the individual and role
QVI can then issue the actual role credential to the individual
This pattern ensures Legal Entities maintain control over who receives credentials representing their organization.
Multi-Signature Requirements
Organizational identifiers (Legal Entity AIDs, QVI AIDs) should use multi-signature configurations:
Minimum 3 signers recommended when possible
2-of-N threshold required when multiple signers exist
Single signature acceptable only for sole proprietorships or single-employee entities
This provides enhanced security and distributed control over organizational identifiers.
Identity Verification Obligations
All vLEI credential issuers must perform rigorous identity verification:
Minimum IAL2 compliance per NIST 800-63A
Real-time OOBI session with audio/video presence
Manual verification of legal identity credentials
Cryptographic challenge-response to verify AID control
These requirements ensure the integrity of the vLEI ecosystem but represent significant operational overhead.
Grace Period Management
QVI credentials include a 90-day grace period for managing transitions. During this period:
Credentials remain technically valid
Legal Entities can transition to new QVIs
vlei-credential - vLEI.wiki | KERI Knowledge Base - vLEI.wiki
QVI: Qualified vLEI Issuer
OOR: Official Organizational Role
ECR: Engagement Context Role
Governance Context
vLEI Ecosystem Role
The vLEI credential system operates within a hierarchical trust architecture governed by GLEIF, the supra-national non-profit established by the G20 and Financial Stability Board. The ecosystem implements a four-tier structure:
Tier 1: GLEIF
Maintains the GLEIF Root AID and delegated AIDs (GEDA and GIDA)
Oversees the entire vLEI ecosystem governance
Tier 2: Qualified vLEI Issuers (QVIs)
Organizations qualified by GLEIF through formal qualification processes
Authorized to issue Legal Entity vLEI credentials
Operate under contractual obligations defined in the vLEI Issuer Qualification Agreement
Must maintain compliance with GLEIF's governance framework policies
Tier 3: Legal Entities
Organizations holding valid LEIs from the Global LEI System
Receive Legal Entity vLEI credentials from QVIs
Can issue authorization credentials to QVIs for role credential issuance
Serve as the root credential for organizational role credentials
Tier 4: Role Holders
Individuals holding Official Organizational Role (OOR) credentials
Individuals holding Engagement Context Role (ECR) credentials
Authorized representatives acting on behalf of Legal Entities
GLEIF Context
GLEIF operates as the Governing and Administering Authority for the vLEI ecosystem, consolidating governance control while maintaining the public-private partnership model that has characterized the Global LEI System since its inception following the 2008 financial crisis. The vLEI system extends GLEIF's traditional LEI infrastructure into the digital realm by combining:
GLEIF's established governance: Leveraging the globally recognized LEI system with rigorous identity verification standards
ACDC's verifiable credentials: Enabling machine-verifiable identity attestations with automatic validation
The vLEI Ecosystem Governance Framework operates as a Layer Four Ecosystem Governance Framework within the Trust over IP Foundation (ToIP) architecture, establishing comprehensive policies for security, privacy, availability, confidentiality, and processing integrity across all vLEI ecosystem stakeholders.
Related Governance Entities
The vLEI ecosystem involves several key governance entities:
GLEIF Authorized Representatives (GARs): Representatives of GLEIF authorized to perform identity verification requirements for issuing QVI credentials.
Designated Authorized Representatives (DARs): Representatives of Legal Entities authorized to:
Authorize vLEI Issuer Qualification Program Checklists
Legal Entity Authorized Representatives (LARs): Representatives authorized by Legal Entities to provide secure instructions to QVIs for credential issuance and revocation.
QVI Authorized Representatives (QARs): Representatives of QVIs authorized to conduct QVI operations with GLEIF and interface with Legal Entities.
Authorized vLEI Representatives (AVRs): Representatives authorized by DARs to request issuance and revocation of various vLEI credential types.
Roles & Responsibilities
Primary Responsibilities
vLEI credentials serve multiple critical functions within the organizational identity ecosystem:
vlei-verifier: Service for cryptographic verification of vLEI credentials
sally: vLEI Audit Reporting Agent for credential presentation verification
KERIA: Cloud agent for AID and credential management
SignifyTS/SignifyPy: Client libraries for credential operations
Revocation Conditions
vLEI credentials may be revoked under various conditions:
QVI Credential Revocation:
QVI fails Annual vLEI Issuer Qualification
QVI fails to remediate qualification issues
QVI's LEI lapses or is retired
QVI violates vLEI Issuer Qualification Agreement
GLEIF terminates QVI relationship
Legal Entity Credential Revocation:
Legal Entity's LEI becomes inactive
Legal Entity requests credential revocation
QVI determines credential issued in error
Legal Entity fails to maintain compliance
OOR/ECR Credential Revocation:
Individual no longer holds specified role
Legal Entity revokes authorization
Legal Entity credential is revoked (cascading revocation)
Individual requests credential revocation
Credential issued in error or fraudulently
Revocation Process:
Authorized party initiates revocation request
Revocation event created in TEL
Revocation event anchored to issuer's KEL
TEL state updated to reflect revocation
Grace period may apply (default 90 days for QVI credentials)
Verifiers can query TEL for current status
Ghost Credentials:
During the grace period, credentials exist in a "ghost" state where they remain technically valid but are pending revocation. This allows for managed transitions when QVI relationships are terminated.
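The revocation process, cascading revocation and the stale-status risk this page describes, as an added example that is not part of the original page or of any GLEIF or KERI code base: a verifier walks a role credential's chain up to the QVI credential and fails closed if any link is revoked or if its TEL status is older than a freshness window. The record layout, the in-memory TEL snapshot, the single-parent chain, the placeholder identifiers and the five-minute window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Illustrative model only: field names, the in-memory TEL snapshot and the
# identifiers are constructed, not the ACDC wire format or a KERI library API.

@dataclass(frozen=True)
class Credential:
    said: str               # placeholder identifier, not a real SAID
    kind: str               # "QVI", "LE", "OOR_AUTH" or "OOR"
    parent: Optional[str]   # credential this one chains to (None at the top)

@dataclass(frozen=True)
class TelState:
    revoked: bool
    observed_at: datetime   # when the verifier last read the issuer's TEL

MAX_STATUS_AGE = timedelta(minutes=5)  # assumed verifier policy, not a GLEIF value

def verify_chain(leaf, creds, tel, now):
    """Walk from the leaf credential to the top of its chain; fail closed."""
    seen, said = set(), leaf
    while said is not None:
        if said in seen:
            return False, f"cycle at {said}"
        seen.add(said)
        cred, state = creds.get(said), tel.get(said)
        if cred is None or state is None:
            return False, f"no credential or TEL state for {said}"
        if now - state.observed_at > MAX_STATUS_AGE:
            return False, f"stale status for {said}"  # never trust an old cache
        if state.revoked:
            return False, f"{cred.kind} credential {said} revoked"
        said = cred.parent
    return True, "chain valid"

def sample(now):
    """Constructed chain (one parent each): OOR -> OOR auth -> LE -> QVI."""
    chain = [Credential("E-qvi", "QVI", None), Credential("E-le", "LE", "E-qvi"),
             Credential("E-auth", "OOR_AUTH", "E-le"),
             Credential("E-oor", "OOR", "E-auth")]
    creds = {c.said: c for c in chain}
    return creds, {said: TelState(False, now) for said in creds}

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    creds, tel = sample(now)
    print(verify_chain("E-oor", creds, tel, now))
    tel["E-le"] = TelState(True, now)  # Legal Entity credential revoked
    print(verify_chain("E-oor", creds, tel, now))
```

Revoking the Legal Entity credential alone is enough to reject the OOR credential beneath it, and a status record the verifier has not refreshed is rejected rather than assumed still valid.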
These schemas are immutable and versioned, with any changes requiring new schema SAIDs and version numbers following semantic versioning principles.
Implementation Considerations
While vLEI credentials are primarily governance constructs, implementers should understand:
Governance Compliance: All implementations must strictly adhere to GLEIF governance frameworks. Deviation from specified procedures, schemas, or policies may result in invalid credentials or ecosystem exclusion.
Multi-Party Coordination: vLEI credential workflows involve multiple parties (GLEIF, QVIs, Legal Entities, individuals) requiring careful coordination and clear communication channels.
Identity Verification: The IAL2 identity assurance requirements with OOBI sessions represent significant operational overhead but are mandatory for ecosystem participation.
Cryptographic Infrastructure: Proper KERI infrastructure (witnesses, agents, key management) is essential. The multi-signature requirements for organizational identifiers require careful key management and operational procedures.
Privacy Management: ECR credentials containing PII require additional privacy protections. Graduated disclosure mechanisms and chain-link confidentiality must be properly implemented.
Status Monitoring: Continuous monitoring of credential status through TELs is essential for verifiers. Cached credential status can lead to acceptance of revoked credentials.
Grace Period Management: The 90-day grace period for QVI credential transitions requires careful planning when changing QVI relationships or managing QVI qualification issues.
Existing credentials continue to function
New credential issuance may be restricted
Proper planning for QVI transitions is essential to avoid service disruptions.