Comprehensive Explanation

vlei-ecosystem-governance-framework

Official Definition

The vLEI Ecosystem Governance Framework is defined in the official GLEIF documentation as a governance framework document that serves as the authoritative policy specification for the Verifiable LEI (vLEI) ecosystem. It defines comprehensive Information Trust Policies covering:

• Information security requirements and standards
• Privacy protections and compliance
• Availability guarantees for vLEI services
• Confidentiality protocols for sensitive data
• Processing integrity policies for data handling

These policies apply universally to all vLEI Ecosystem Members, establishing a consistent governance model across the entire ecosystem.

Canonical Definition Source

The framework is governed by GLEIF (Global Legal Entity Identifier Foundation) and was first published as part of the draft vLEI Ecosystem Governance Framework Glossary in February 2022. The current version is v3.0, with the primary document finalized on August 30, 2023, and component frameworks updated through April 2025.

Official Abbreviations

• vLEI EGF: verifiable LEI Ecosystem Governance Framework
• EGF: Ecosystem Governance Framework (when context is clear)

Governance Context

Position in vLEI Ecosystem

The vLEI Ecosystem Governance Framework operates as a Layer Four Ecosystem Governance Framework within the Trust over IP Foundation (ToIP) architecture. GLEIF serves dual roles as both Governing Authority and Administering Authority, consolidating governance control while maintaining the public-private partnership model that has characterized the Global LEI System since its inception following the 2008 financial crisis.

The framework establishes a hierarchical trust structure centered around GLEIF as the root authority:

1. GLEIF Root of Trust: GLEIF occupies the apex position with the GLEIF Root AID serving as the cryptographic anchor
2. Delegated GLEIF AIDs: Two primary delegated identifiers extend GLEIF's authority:
   • GIDA (GLEIF Internal Delegated AID): For internal GLEIF operations
   • GEDA (GLEIF External Delegated AID): For external ecosystem interactions, particularly with QVIs
3. Qualified vLEI Issuers (QVIs): Intermediate trust anchors that have undergone formal qualification
4. Legal Entities: Organizations receiving Legal Entity vLEI Credentials
5. Role Holders: Individuals receiving OOR or ECR credentials

GLEIF's Governance Role

GLEIF, with LEI 506700GE1G29325QX363, exercises the highest duty of care in generating and administering all AIDs within the ecosystem, recognizing these identifiers as the security foundation. The framework mandates that GLEIF must:

• Maintain the GLEIF Root AID as the cryptographic root of trust
• Qualify and authorize Qualified vLEI Issuers
• Publish and maintain all governance framework documents
• Conduct annual qualification reviews of QVIs
• Manage the transition of Legal Entities between QVIs when necessary
• Ensure compliance with ISO 20000 certification requirements

Related Governance Entities

The framework defines multiple stakeholder categories:

Primary Stakeholders:

• GLEIF: Operates and manages the Global LEI System (GLEIS)
• LEI Issuers: Organizations accredited by GLEIF for LEI validation and registration
• Qualified vLEI Issuers (QVIs): Organizations qualified to issue various types of vLEI credentials
• Legal Entities: Organizations eligible for LEI registration under any jurisdiction
• Official Organizational Role Persons (OOR Persons): Individuals representing legal entities in official capacities
• Engagement Context Role Persons (ECR Persons): Individuals representing legal entities in functional roles
• vLEI Users: Any party utilizing vLEI credentials across applicable use cases

Representative Roles:

• Designated Authorized Representatives (DARs): Legal Entity representatives with highest authorization level
• Legal Entity Authorized Representatives (LARs): Representatives authorized to manage credential operations
• QVI Authorized Representatives (QARs): QVI representatives authorized to perform credential issuance
• GLEIF Authorized Representatives (GARs): GLEIF representatives authorized to qualify QVIs

Framework Structure and Components

The vLEI Ecosystem Governance Framework v3.0 consists of multiple interconnected documents that together establish comprehensive governance:

Primary Framework Document

The vLEI Ecosystem Governance Framework v3.0 Primary Document (v1.1, August 30, 2023) establishes:

• Stakeholder ecosystem definitions and roles
• Trust chain architecture from GLEIF through QVIs to end entities
• Localization policies (American English as official language, G20 translations required)
• Core principles applicable across all component frameworks
• Governance structure and authority delegation

Information Trust Policies

The vLEI Ecosystem Information Trust Policies (v1.2, April 16, 2025) establish baseline requirements for:

Regulatory Compliance: All stakeholders MUST comply with governmental regulations including:

• EU GDPR (General Data Protection Regulation)
• ISO/IEC 27001 Information Security Management standards
• Local data protection legislation in applicable jurisdictions

Privacy Policies: Requirements for protecting personal data of credential holders, with minimum compliance to Swiss Federal Data Protection Act where local legislation does not exist.

Security Policies: Mandatory IT security policies including:

• Annual review and maintenance requirements
• Designation of Information Security Manager
• Formal governance and revision management
• Employee training and compliance
• Incident reporting and management procedures

Availability Targets: Defined service level requirements for credential issuance and verification infrastructure.

Developer Security: Software update and implementation procedures to maintain security posture.

Technical Requirements

The Technical Requirements Part 1: KERI Infrastructure (v1.3, April 16, 2025) establishes:

KERI Specification Management:

• 18-month backward compatibility requirement for previous versions
• 12-month implementation window for new versions
• Breaking change restrictions during transition periods

Backer Management:

• Witness Pool Configuration: Minimum 5 witnesses using KAACE sufficient majority threshold
• Discovery Mechanisms: Publication via well-known URIs, search engines, KERI DHT, and DID resolvers
• Ledger Registrar Requirements: GLEIF-approved DID methods with appropriate security guarantees

Key Management Infrastructure:

• Cryptographic Strength: Approximately 128 bits for key generation and storage
• AID Requirements: Both issuer and issuee AIDs must be transferable
• Pre-rotation Security: Highest level protection for next/pre-rotated keys
• Multi-sig Requirements: At least 3 signers with threshold of 2 for QVIs

GLEIF-Specific Infrastructure:

• Root AID Requirements: Minimum 3 notaries as witnesses with documented social media publication
• Witness Network: GLEIF must maintain its own witness pool with redundancy
• Delegation Structure: Formal delegation from Root AID to GEDA to QVI AIDs

Credential Frameworks

The framework includes separate governance documents for each credential type:

Qualified vLEI Issuer vLEI Credential Framework: Governs credentials issued by GLEIF to QVIs, enabling them to issue downstream credentials.

Legal Entity vLEI Credential Framework (v1.4, April 16, 2025): Governs credentials issued by QVIs to Legal Entities, establishing organizational digital identity.

Legal Entity Official Organizational Role vLEI Credential Framework (v1.4, April 16, 2025): Governs credentials for individuals in official organizational positions (CEO, CFO, Board Members, etc.).

Legal Entity Engagement Context Role vLEI Credential Framework (v1.4, April 16, 2025): Governs credentials for individuals in functional or engagement-specific roles.

Qualified vLEI Issuer Authorization vLEI Credential Framework (v1.3, April 16, 2025): Governs authorization credentials that enable LARs to instruct QVIs to issue or revoke role credentials.

Supporting Documents

Glossary (v1.3, December 15, 2023): Authoritative definitions for all First Letter Capitalized terms used throughout the framework.

Risk Assessment (v1.2, December 15, 2023): Comprehensive risk analysis using 5x5 risk matrix across Ecosystem, Credential, and Utility layers.

Trust Assurance Framework (v1.5, April 16, 2025): Compliance matrix mapping governance requirements across vLEI EGF, ISO 20000 Certification, vLEI Issuer Qualification Program, and vLEI Software specifications.

GLEIF Identifier Governance Framework (v1.0, December 16, 2022): Specific governance for GLEIF's Root AID and delegated AIDs (GIDA and GEDA).

Roles & Responsibilities

GLEIF's Responsibilities

As the Governing and Administering Authority, GLEIF's responsibilities include:

Root of Trust Management:

• Generate and maintain the GLEIF Root AID with highest duty of care
• Manage GIDA (internal operations) and GEDA (external ecosystem interactions)
• Ensure cryptographic strength of at least 128 bits for all root entropy
• Maintain witness pools with appropriate redundancy and security

QVI Qualification and Management:

• Conduct vLEI Issuer Qualification Program for candidate QVIs
• Perform Annual vLEI Issuer Qualification reviews
• Issue Qualified vLEI Issuer vLEI Credentials to qualified organizations
• Manage QVI transitions when Legal Entities change service providers
• Revoke QVI credentials for non-compliance or qualification failures

Framework Governance:

• Publish and maintain all governance framework documents
• Establish and enforce information trust policies
• Define technical requirements for KERI infrastructure
• Manage schema registry for vLEI credential types
• Conduct risk assessments and maintain trust assurance frameworks

Ecosystem Oversight:

• Monitor compliance with governance requirements
• Investigate reported incidents and breaches
• Coordinate ecosystem-wide updates and migrations
• Provide guidance and support to ecosystem participants

QVI Responsibilities

Qualified vLEI Issuers have specific obligations under the framework:

Credential Issuance:

• Issue Legal Entity vLEI Credentials to qualified Legal Entities
• Issue OOR vLEI Credentials to verified official representatives
• Issue ECR vLEI Credentials to verified engagement context representatives
• Maintain credential registries using TEL infrastructure

Identity Verification:

• Perform identity assurance to at least IAL2 standards per NIST 800-63A
• Conduct supervised real-time OOBI sessions for authentication
• Verify control of AIDs through challenge-response protocols
• Validate LEI status in Global LEI System

Operational Requirements:

• Maintain ISO 20000 certification or equivalent
• Implement comprehensive IT security policies
• Designate Information Security Manager
• Conduct annual reviews of privacy and security implementations
• Report incidents to GLEIF within defined timeframes
• Maintain service availability per defined SLAs

Compliance:

• Adhere to all vLEI Ecosystem Governance Framework requirements
• Comply with applicable data protection regulations (GDPR, local laws)
• Participate in annual qualification reviews
• Remediate identified issues within specified timeframes
• Maintain audit trails and documentation

Legal Entity Responsibilities

Legal Entities holding vLEI credentials must:

Credential Management:

• Designate Designated Authorized Representatives (DARs)
• Authorize Legal Entity Authorized Representatives (LARs)
• Maintain valid LEI with Active Entity Status
• Manage credential lifecycle (issuance, updates, revocation)
• Ensure multi-signature requirements are met (minimum 2-of-3 when multiple LARs exist)

Representative Authorization:

• Issue QVI AUTH vLEI Credentials to authorize QVIs to issue role credentials
• Perform identity assurance for OOR and ECR persons
• Conduct supervised OOBI sessions for representative authentication
• Maintain records of authorized representatives

Privacy and Security:

• Implement privacy policies protecting credential holders
• Comply with applicable data protection legislation
• Protect private keys and maintain key management infrastructure
• Report suspected breaches or incidents

Individual Credential Holder Responsibilities

OOR Persons and ECR Persons must:

Credential Custody:

• Maintain secure wallet infrastructure
• Protect private keys associated with their AID
• Present credentials only when authorized
• Revoke credentials when role changes or terminates

Identity Verification:

• Participate in identity assurance processes
• Provide required identity documentation
• Complete supervised OOBI sessions
• Respond to challenge messages during authentication

Compliance:

• Use credentials only for authorized purposes
• Comply with usage disclaimers and terms
• Report lost or compromised credentials
• Maintain credential validity through periodic updates

Technical Foundation

KERI Protocol Integration

The vLEI Ecosystem Governance Framework is fundamentally built on KERI (Key Event Receipt Infrastructure) technology, representing a significant architectural shift from traditional PKI-based systems to self-sovereign identity infrastructure.

Autonomic Identifiers (AIDs):

• All identifiers in the vLEI ecosystem must be self-certifying identifiers
• Specifically KERI Autonomic Identifiers (AIDs)
• Verification must be possible using cryptography alone
• No reliance on external certificate authorities or trust registries

Key Event Logs (KELs):

• Each AID maintains a KEL recording all key events
• Provides cryptographic proof of key state history
• Enables key rotation and recovery from compromise
• Supports both establishment and non-establishment events

Pre-rotation Mechanism:

• Transferable AIDs utilize KERI's pre-rotation mechanism
• Two key sets: current signing keys and pre-committed rotation keys
• Highest protection level required for pre-rotated keys
• Enables recovery from key compromise

ACDC Credential Structure

All vLEI credentials are implemented as ACDCs (Authentic Chained Data Containers):

Standard ACDC Fields:

• 'v': Version string
• 'd': Credential SAID (Self-Addressing Identifier)
• 'u': One-time use nonce
• 'i': Issuer AID
• 'ri': Registry identifier for revocation tracking
• 's': Schema SAID
• 'a': Attributes block (can be compact or expanded)
• 'e': Edges block (credential chaining)
• 'r': Rules block (legal disclaimers)

Graduated Disclosure:

• Credentials support compact disclosure (SAID only)
• Selective disclosure of individual attributes
• Full disclosure when required
• Progressive revelation based on verifier requirements

Credential Chaining:

• Edges create cryptographic links between credentials
• Forms directed acyclic graph (DAG) structure
• Enables verification of authorization chains
• Supports I2I (Issuer-to-Issuee) operator for strict chains

Multi-Signature Architecture

The framework implements sophisticated multi-signature requirements:

QVI Multi-sig:

• Minimum 3 QARs recommended
• 2-of-N signature threshold required
• Protects against single point of compromise

Legal Entity Multi-sig:

• Minimum 3 LARs recommended when possible
• 2-of-N threshold for credential operations
• Single signature acceptable only for sole proprietorships

GLEIF Root Multi-sig:

• Minimum 3 GARs as witnesses
• Highest security requirements for root operations
• Social media publication of witness identifiers

Witness and Watcher Infrastructure

Witness Requirements:

• Minimum 5 witnesses per AID
• KAACE sufficient majority threshold
• Access control independent of Controller keys
• Publication via multiple discovery mechanisms

Watcher Networks:

• Watchers provide ambient duplicity detection
• Operate in promiscuous mode
• Enable end-verifiable validation
• Support zero-trust architecture

Identity Verification Standards

The framework establishes rigorous identity verification requirements aligned with international standards:

Identity Assurance Levels

NIST 800-63A IAL2 Compliance:

• Minimum identity assurance level for all credential holders
• Evidence and attribute validation required
• Real-time supervised sessions for remote verification
• Essentially incorporates IAL3 requirements through OOBI sessions

Alternative Digital Identity Credentials:

• European eIDAS: High or Substantial Level of Assurance
• Asian schemes: Singapore SingPass, India Aadhaar, Australia myGov
• Latin American schemes: Brazil e-CPF
• Must provide equivalent or higher assurance than IAL2

Authentication Protocols

OOBI Session Requirements:

• Continuous web meeting with audio and video presence
• Manual verification of legal identity credentials
• Bidirectional exchange of AIDs via QR codes or live chat
• Challenge-response protocol for cryptographic proof of key control
• All steps completed within same supervised session

Challenge-Response Protocol:

• Verifier generates random challenge message
• Holder signs challenge with private key
• Verifier validates signature against holder's AID
• Proves cryptographic control without revealing private key

Entity-Specific Verification

Legal Entity Verification:

• LEI validity check in Global LEI System
• Active Entity Status required
• Appropriate Registration Status (Issued, Pending Transfer, or Pending Archival)
• Verification of authorized signatories

DAR Verification:

• Highest level identity assurance required
• Authority to act on behalf of Legal Entity
• Documentation of authorization from Legal Entity governance

LAR Verification:

• Identity assurance per Legal Entity vLEI Credential Framework
• Authorization by DAR
• Multi-signature coordination when multiple LARs exist

OOR/ECR Person Verification:

• Identity assurance by LAR or QAR (depending on issuance path)
• Role verification against organizational records
• Supervised OOBI session for authentication
• Challenge-response proof of AID control

Credential Lifecycle Management

Issuance Workflows

The framework defines multiple issuance pathways:

QVI Credential Issuance (GLEIF to QVI):

1. Organization applies to vLEI Issuer Qualification Program
2. GLEIF conducts qualification assessment
3. Organization signs vLEI Issuer Qualification Agreement
4. GLEIF issues QVI vLEI Credential via GEDA
5. QVI establishes credential registry

Legal Entity Credential Issuance (QVI to Legal Entity):

1. Legal Entity contracts with QVI
2. QAR verifies LEI status and Legal Entity identity
3. DAR designates LARs
4. LARs establish multi-sig AID (if multiple LARs)
5. QVI issues Legal Entity vLEI Credential
6. Legal Entity establishes credential registry

OOR Credential Issuance (Two Pathways):

QVI-Mediated Path:

1. LAR performs identity assurance of OOR Person (IAL2)
2. LAR conducts supervised OOBI session with OOR Person
3. LAR issues QVI OOR AUTH vLEI Credential to QVI
4. QAR conducts additional verification
5. QVI issues OOR vLEI Credential to OOR Person

Direct Legal Entity Path:

1. LAR performs identity assurance of OOR Person
2. LAR conducts supervised OOBI session
3. LAR directly issues OOR vLEI Credential (for sole proprietors)

ECR Credential Issuance (Similar dual pathway):

• QVI-mediated path for multi-employee entities
• Direct Legal Entity path for sole proprietors
• Same identity verification requirements as OOR

Verification Procedures

Verifiers must follow standardized procedures:

Credential Presentation:

1. Verifier requests credential presentation via IPEX
2. Holder presents credential (compact, selective, or full disclosure)
3. Verifier validates credential structure against schema

Cryptographic Verification:

1. Verify credential SAID matches content
2. Validate issuer signature on credential
3. Check credential chain (edges) to parent credentials
4. Verify issuer's AID in their KEL
5. Validate witness signatures on key events

Status Verification:

1. Query credential registry via TEL
2. Check revocation status
3. Verify credential within validity period
4. Confirm issuer's credential remains valid

Authorization Verification:

1. For role credentials, verify AUTH credential exists
2. Validate authorization chain to Legal Entity
3. Confirm Legal Entity's LEI remains active
4. Check QVI's qualification status

Revocation Conditions

Credentials must be revoked under specific conditions:

QVI Credential Revocation:

• Failure to complete Annual vLEI Issuer Qualification
• Non-remediation of qualification issues
• QVI's LEI lapses or is retired
• Voluntary termination of QVI services
• Material breach of vLEI Issuer Qualification Agreement

Legal Entity Credential Revocation:

• LEI becomes inactive or retired
• Legal Entity requests revocation
• QVI determines credential was issued in error
• Legal Entity changes QVI (grace period applies)

Role Credential Revocation:

• Individual no longer holds the role
• Legal Entity requests revocation
• Individual's employment/engagement terminates
• Legal Entity's credential is revoked (cascading)
• Individual requests revocation

Grace Periods:

• QVI credentials include grace period (default 90 days)
• Allows Legal Entity transition to new QVI
• Prevents service disruption during QVI changes
• Credentials remain valid during grace period

Related Governance Documents

The vLEI Ecosystem Governance Framework references and integrates with multiple external standards and specifications:

KERI Protocol Specifications

Core KERI Specification:

• Trust over IP Foundation KERI Specification
• Repository: https://github.com/trustoverip/tswg-keri-specification
• Defines AID, KEL, KERL, witness, watcher infrastructure

ACDC Specification:

• Trust over IP Foundation ACDC Specification
• Repository: https://github.com/trustoverip/tswg-acdc-specification
• Defines credential structure, chaining, disclosure patterns

CESR Specification:

• Composable Event Streaming Representation
• Repository: https://github.com/trustoverip/tswg-cesr-specification
• Defines encoding for primitives, SAIDs, signatures

IPEX Specification:

• Issuance and Presentation Exchange Protocol
• Repository: https://github.com/WebOfTrust/ietf-ipex
• Defines credential exchange workflows

International Standards

ISO 17442: Legal Entity Identifier (LEI) standard

ISO 20275: Entity Legal Forms code list

ISO 5009: Official Organizational Roles code list

ISO 20000: IT Service Management certification

ISO/IEC 27001: Information Security Management

NIST 800-63A: Digital Identity Guidelines - Identity Assurance

Regulatory Frameworks

EU GDPR: General Data Protection Regulation

Swiss Federal Data Protection Act: Minimum data protection standard

eIDAS: European electronic identification and trust services regulation

vLEI-Specific Documents

vLEI Issuer Qualification Agreement: Contract between GLEIF and QVIs

vLEI Issuer Qualification Program Manual: Detailed qualification procedures

vLEI Issuer Qualification Program Checklist: Application requirements

Service Level Agreements: Availability and performance requirements

Non-Disclosure Agreements: Confidentiality requirements

Trustmark Usage Terms: Branding and marketing guidelines

Schema Registry

All vLEI credential schemas are published in the official schema registry:

Repository: https://github.com/GLEIF-IT/vLEI-schema

Schemas:

• Qualified vLEI Issuer vLEI Credential
• Legal Entity vLEI Credential
• Legal Entity Official Organizational Role vLEI Credential
• Legal Entity Engagement Context Role vLEI Credential
• OOR Authorization vLEI Credential
• ECR Authorization vLEI Credential

Each schema includes:

• JSON Schema (draft-07) specification
• Schema SAID for version identification
• Semantic versioning for backward compatibility tracking
• Required and optional field definitions
• Validation rules and constraints

Compliance and Enforcement

The framework establishes clear compliance requirements and enforcement mechanisms:

Compliance Monitoring

Annual Qualification Reviews:

• All QVIs undergo annual re-qualification
• Assessment against current framework requirements
• Review of operational performance and incident reports
• Verification of continued ISO 20000 certification

Incident Reporting:

• QVIs must report security incidents within defined timeframes
• Formal Incident Reports required for privacy breaches
• GLEIF investigates reported incidents
• Remediation plans required for identified issues

Audit Requirements:

• QVIs must provide audit reports from internal/external auditors
• Documentation of compliance with framework requirements
• Evidence of security policy implementation
• Proof of employee training and compliance

Enforcement Actions

Remediation Requirements:

• QVIs must remediate identified issues within specified timeframes
• Failure to remediate may result in qualification termination
• GLEIF provides guidance and support during remediation

Credential Revocation:

• GLEIF may revoke QVI credentials for non-compliance
• Cascading revocation of downstream credentials
• Grace period allows Legal Entity transition to new QVI

Qualification Termination:

• Voluntary termination by QVI
• Involuntary termination for material breach
• Failure to complete annual qualification
• Non-remediation of critical issues

Legal Framework

Contractual Obligations:

• vLEI Issuer Qualification Agreement establishes binding obligations
• Legal Entity contracts with QVIs for services
• Authorization credentials create verifiable authorization chains

Liability and Disclaimers:

• Usage disclaimers in credential rules sections
• Issuance disclaimers regarding accuracy and care
• Limitations on GLEIF liability
• QVI liability to Legal Entities per contracts

Dispute Resolution:

• Contractual dispute resolution mechanisms
• GLEIF as arbiter for ecosystem-level disputes
• Legal recourse per applicable jurisdictions

Evolution and Versioning

The framework includes provisions for evolution and updates:

Version Management

Semantic Versioning:

• Major version changes for backward-incompatible updates
• Minor version changes for backward-compatible additions
• Patch version changes for corrections and clarifications

Transition Periods:

• 18-month support for previous versions
• 12-month implementation window for new versions
• Breaking changes delayed until adoption period completion

Document DIDs:

• Each framework document has a DID URL
• Enables cryptographic verification of document authenticity
• Version-specific DIDs for historical reference

Schema Evolution

Schema Versioning:

• Each schema version has unique SAID
• Backward compatibility tracked through semantic versioning
• JSON Schema composition operators enable compatible extensions

Schema Registry Management:

• GLEIF maintains official schema registry
• Publication of new schemas and versions
• Deprecation notices for obsolete schemas
• Migration guidance for schema updates

Governance Updates

Framework Revisions:

• GLEIF publishes updated framework documents
• Stakeholder consultation for major changes
• Implementation guidance for ecosystem participants
• Training and support during transitions

Policy Clarifications:

• Interpretive guidance for ambiguous requirements
• Best practice recommendations
• Lessons learned from operational experience
• Community feedback integration

The vLEI Ecosystem Governance Framework represents a comprehensive, technically sophisticated governance model that successfully bridges traditional organizational identity systems (LEI) with cutting-edge decentralized identity infrastructure (KERI/ACDC). By establishing clear roles, responsibilities, technical requirements, and compliance mechanisms, the framework enables a global, interoperable ecosystem for verifiable organizational identity that maintains the highest standards of security, privacy, and trust.