Comprehensive Explanation

vlei-role-credential

Official Definition

A vLEI role credential is a vLEI credential that cryptographically attests to a role within a legal entity held by an individual or entity. According to the GLEIF vLEI Ecosystem Governance Framework, it provides verifiable proof that the credential holder is authorized to act in that specific role on behalf of the legal entity.

The vLEI ecosystem defines two primary types of role credentials:

1. Official Organizational Role (OOR) vLEI Credentials - issued to individuals serving in official organizational positions within a legal entity
2. Engagement Context Role (ECR) vLEI Credentials - issued to individuals serving in functional or engagement-specific contexts rather than official organizational roles

Both credential types are implemented as ACDCs (Authentic Chained Data Containers) and leverage KERI protocol infrastructure for cryptographic verifiability and key management.

Source Governance Framework: The authoritative governance is established through multiple framework documents:

• Legal Entity Official Organizational Role vLEI Credential Governance Framework
• Legal Entity Engagement Context Role vLEI Credential Governance Framework
• Qualified vLEI Issuer Authorization vLEI Credential Framework

Official Abbreviations:

• OOR: Official Organizational Role
• ECR: Engagement Context Role
• vLEI: verifiable Legal Entity Identifier
• LAR: Legal Entity Authorized Representative
• QVI: Qualified vLEI Issuer
• QAR: QVI Authorized Representative

Governance Context

Position in vLEI Ecosystem

vLEI role credentials occupy a critical position in the hierarchical trust chain of the vLEI ecosystem:

Trust Chain: GLEIF Root → GEDA (GLEIF External Delegated AID) → QVI → Legal Entity vLEI Credential → vLEI Role Credentials (OOR/ECR)

This hierarchical structure enables:

• Horizontal scalability: Multiple role credentials can be issued to different individuals within the same legal entity
• Vertical scalability: Role credentials can reference and chain to legal entity credentials, creating verifiable authorization paths
• Delegated authority: Legal entities can cryptographically delegate specific authorities to individuals through role credentials

GLEIF Governance Structure

GLEIF serves as the root of trust for the entire vLEI ecosystem, operating under a three-tier governance model:

1. Regulatory Oversight Committee (ROC) - 71 regulators and 19 observers from 50 countries providing regulatory oversight
2. GLEIF - Swiss not-for-profit foundation ensuring operational integrity and managing the Global LEI System
3. Qualified vLEI Issuers (QVIs) - Organizations qualified by GLEIF to issue vLEI credentials, including role credentials

vLEI role credentials operate within this governance structure by:

• Requiring issuance through qualified entities (QVIs or authorized legal entities)
• Adhering to identity verification standards defined in governance frameworks
• Maintaining cryptographic chains to parent credentials for verification
• Supporting revocation through Transaction Event Logs (TELs)

Related Governance Entities

Legal Entity Authorized Representatives (LARs): Individuals authorized by a legal entity to request issuance and manage vLEI role credentials. LARs play a critical role in the authorization workflow, particularly for QVI-mediated issuance.

QVI Authorized Representatives (QARs): Individuals authorized by QVIs to perform credential issuance operations. QARs cannot issue role credentials without explicit authorization from LARs through QVI AUTH vLEI Credentials.

OOR Persons and ECR Persons: The individuals who receive and hold role credentials, representing the legal entity in their designated capacities.

Roles & Responsibilities

Primary Responsibilities

vLEI role credentials enable credential holders to:

Represent Legal Entities: Act on behalf of the legal entity in the capacity specified by the role credential. For OOR credentials, this includes official organizational functions such as signing contracts, making financial commitments, or representing the entity in regulatory contexts. For ECR credentials, this includes functional or project-specific activities.

Present Verifiable Proof: Provide cryptographically verifiable proof of their authorization to any verifier that accepts vLEI credentials. This proof is context-independent, functioning equally in in-person, online, and telephonic interactions.

Maintain Credential Validity: Ensure their credential remains valid by:

• Maintaining control over their AID (Autonomic Identifier)
• Ensuring the parent legal entity's LEI remains active
• Responding to verification challenges using their private key infrastructure
• Cooperating with revocation procedures when roles change or terminate

Authority and Permissions

The authority granted by vLEI role credentials is precisely scoped:

OOR vLEI Credentials grant authority to:

• Act in official organizational capacities as defined by the officialRole field
• Sign documents and commitments on behalf of the legal entity
• Represent the entity in regulatory and compliance contexts
• Authorize subordinate role credentials (in some governance models)

ECR vLEI Credentials grant authority to:

• Act in functional or engagement-specific contexts as defined by the engagementContextRole field
• Perform project-specific activities on behalf of the legal entity
• Represent the entity in defined engagement contexts
• Execute tasks within the scope of the engagement context

Cryptographic Authority: Both credential types provide:

• Non-repudiable proof of authorization through digital signatures
• Verifiable binding to the credential holder's AID
• Cryptographic chain to the issuing legal entity's credential
• Tamper-evident credential structure through SAIDs

Limitations

vLEI role credentials have explicit limitations:

Scope Boundaries: Credentials only authorize actions within the defined role scope. An ECR credential for "Project Manager - Infrastructure" does not authorize financial commitments unless explicitly included in the role definition.

Temporal Constraints: Credentials may include validity periods and are subject to:

• Expiration based on issuance date and governance policies
• Revocation when roles change or terminate
• Invalidation if the parent legal entity credential is revoked
• Invalidation if the legal entity's LEI lapses or is retired

Jurisdictional Limitations: While vLEI credentials are globally verifiable, their legal enforceability varies by jurisdiction. The vLEI Risk Assessment identifies legal enforceability across jurisdictions as a medium-high impact risk.

Non-Transferability: Role credentials are cryptographically bound to specific AIDs and cannot be transferred to other individuals. The binding to holder principle ensures that proof requests can only be satisfied by the legitimate credential holder.

Credential Lifecycle

Issuance Process

The issuance process for vLEI role credentials follows a rigorous workflow designed to ensure identity assurance and proper authorization:

Identity Verification Requirements

Identity Assurance: Before issuance, the identity of the OOR Person or ECR Person must be verified to at least Identity Assurance Level 2 (IAL2) as defined in NIST 800-63A. This involves:

• Evidence validation (government-issued identity documents)
• Attribute validation (confirming identity attributes)
• Address confirmation

Alternatively, identity assurance can be satisfied through presentation of valid digital identity credentials from approved schemes:

• European eIDAS schemes (High or Substantial Level of Assurance)
• Asian schemes: Australia myGov, India Aadhaar, Singapore SingPass, etc.
• Latin American schemes: Brazil e-CPF

Identity Authentication: The authentication process requires a real-time OOBI (Out-Of-Band Introduction) session with:

• Continuous audio and video presence of all parties
• Prohibition of video filters and avatars
• Manual verification of legal identity credentials
• AID exchange using OOBI protocols (QR codes or live chat)
• Challenge-response authentication using unique Challenge Messages
• Cryptographic signing and verification of challenges

This process effectively incorporates IAL3 requirements for supervised remote in-person sessions, even when using IAL2 as the baseline.

Authorization Workflow

For QVI-mediated issuance, the workflow involves:

1. LAR Authorization: A Legal Entity Authorized Representative creates a QVI AUTH vLEI Credential that explicitly authorizes the QVI to issue a specific role credential to a specific individual (identified by their AID).

2. Multi-Signature Requirements:

   • For legal entities with multiple signers, the QVI AUTH credential must be signed by LARs matching the signing threshold of the legal entity's AID
   • For sole employee legal entities, a single LAR signature is required

3. QAR Issuance: Upon receiving the properly authorized QVI AUTH credential, the QVI Authorized Representative issues the role credential to the OOR Person or ECR Person.

4. Credential Anchoring: The issuance event is anchored to the issuer's KEL (Key Event Log) through an interaction event, creating a verifiable record of issuance.

For direct legal entity issuance (ECR credentials only), the workflow is simplified:

1. LAR as Issuer: The LAR directly issues the ECR credential without QVI intermediation
2. Identity Verification: The LAR performs the required identity assurance and authentication
3. Credential Creation: The LAR creates the ACDC credential with appropriate chaining to the legal entity credential
4. Issuance Anchoring: The issuance is anchored to the legal entity's KEL

ACDC Structure and Chaining

Role credentials are implemented as ACDCs with specific structural requirements:

Attributes Block: Contains:

• i: Person issuee AID
• dt: Issuance date-time (ISO 8601 format)
• LEI: Legal Entity Identifier (ISO 17442 format)
• personLegalName: Recipient's legal name from identity verification
• officialRole (OOR) or engagementContextRole (ECR): Role description

Edges Block: Establishes cryptographic chains:

• auth edge: Links to the QVI AUTH vLEI Credential (for QVI-mediated issuance) or Legal Entity vLEI Credential (for direct issuance)
• le edge: Links to the Legal Entity vLEI Credential
• Operator: Uses I2I (Issuer-to-Issuee) operator to enforce that the issuer of the role credential must be the issuee of the parent credential

This chaining creates a verifiable directed acyclic graph (DAG) of credentials, enabling verifiers to trace authorization chains back to the GLEIF root of trust.

Verification Procedures

Verification of vLEI role credentials involves multiple cryptographic and governance checks:

Cryptographic Verification

1. SAID Verification: Verify that the credential's SAID (Self-Addressing Identifier) matches the cryptographic digest of the credential content, ensuring tamper-evidence.

2. Signature Verification: Verify the issuer's signature on the credential using the issuer's public key from their KEL.

3. AID Control Verification: Verify that the credential holder controls the AID specified in the credential through a challenge-response protocol.

4. Chain Verification: Verify the cryptographic chains in the edges block:

   • Verify the auth edge links to a valid QVI AUTH credential or Legal Entity credential
   • Verify the le edge links to a valid Legal Entity vLEI Credential
   • Verify that edge operators (I2I) are satisfied

Governance Verification

1. Issuer Qualification: Verify that the issuer is either:

   • A qualified QVI with a valid QVI vLEI Credential
   • A legal entity with a valid Legal Entity vLEI Credential (for ECR credentials)

2. LEI Status Verification: Verify that the legal entity's LEI has:

   • Active Entity Status in the Global LEI System
   • Appropriate Registration Status (Issued, Pending Transfer, or Pending Archival)

3. Revocation Status: Check the credential's status in the TEL (Transaction Event Log) registry specified in the ri field to ensure the credential has not been revoked.

4. Temporal Validity: Verify that the current date-time falls within the credential's validity period (if specified).

Context-Independent Verification

The context independence principle ensures that verification procedures work identically across:

• In-person presentations: Using QR codes or NFC for OOBI exchange
• Online presentations: Using web-based OOBI protocols
• Telephonic presentations: Using voice-based challenge-response with out-of-band AID exchange

This universal verifiability is enabled by KERI's end-verifiable architecture, which allows any party to verify credentials without requiring trusted intermediaries.

Revocation Conditions

vLEI role credentials may be revoked under several conditions:

Mandatory Revocation Triggers

1. Role Termination: When the individual's role within the legal entity ends (employment termination, role change, contract completion)

2. Parent Credential Revocation: When the legal entity's vLEI credential is revoked, all dependent role credentials must be revoked

3. LEI Status Change: When the legal entity's LEI:

   • Lapses (not renewed)
   • Is retired
   • Changes to Lapsed or Retired status

4. Authorization Withdrawal: When the legal entity withdraws authorization for the individual to act in the specified role

5. Compromise: When the credential holder's private keys are compromised or suspected of compromise

Revocation Process

Revocation is implemented through the TEL infrastructure:

1. Revocation Event Creation: The issuer (QVI or legal entity) creates a revocation event in the credential's TEL

2. KEL Anchoring: The revocation event is anchored to the issuer's KEL through an interaction event, creating a verifiable record

3. Witness Confirmation: The revocation event is confirmed by the issuer's witnesses, ensuring distributed consensus

4. Registry Update: The credential's status in the TEL registry is updated to "revoked"

5. Grace Period: For certain revocation scenarios (e.g., QVI termination), a 90-day grace period may be implemented to allow credential holders to transition to new issuers

Revocation Verification

Verifiers must check revocation status by:

1. Querying the TEL registry specified in the credential's ri field
2. Verifying the revocation event's anchoring to the issuer's KEL
3. Confirming witness signatures on the revocation event
4. Rejecting credentials with revoked status

The TEL infrastructure provides real-time revocation checking without requiring centralized revocation lists, maintaining the decentralized architecture of the vLEI ecosystem.

Related Governance Documents

Primary Governance Frameworks

vLEI Ecosystem Governance Framework v3.0: The overarching governance document that establishes GLEIF as the governing and administering authority, defines core policies, and establishes the trust framework for the entire vLEI ecosystem.

Legal Entity Official Organizational Role vLEI Credential Governance Framework: Defines requirements for OOR vLEI Credentials issued to official representatives of legal entities, including:

• Issuer qualification requirements
• Identity verification procedures
• Credential schema specifications
• Holder and verifier policies

Legal Entity Engagement Context Role vLEI Credential Governance Framework: Defines requirements for ECR vLEI Credentials issued to representatives in functional or engagement contexts, including:

• Dual issuer model (QVI-mediated and direct legal entity issuance)
• Identity verification procedures
• Credential schema specifications
• Holder and verifier policies

Qualified vLEI Issuer Authorization vLEI Credential Framework: Defines the QVI AUTH vLEI Credential mechanism that enables LARs to authorize QVIs to issue role credentials, including:

• Authorization workflow requirements
• Multi-signature requirements
• Challenge-response authentication protocols
• Credential schema specifications for both OOR and ECR authorization variants

Supporting Governance Documents

vLEI Ecosystem Governance Framework Glossary: Provides authoritative definitions for all First Letter Capitalized terms used throughout the vLEI ecosystem documentation, ensuring consistent interpretation.

vLEI Risk Assessment: Identifies and evaluates risks across the vLEI ecosystem, including risks specific to role credentials such as:

• Credential issuance without proper verification
• Legal enforceability across jurisdictions
• Operational risks for QVIs and legal entities

vLEI Trust Assurance Framework: Maps governance requirements to implementation standards including ISO 20000 certification, vLEI Issuer Qualification Program standards, and vLEI software specifications.

Technical Specifications

ACDC Specification: Defines the Authentic Chained Data Container format used for all vLEI credentials, including role credentials.

KERI Specification: Defines the Key Event Receipt Infrastructure protocol that provides the cryptographic foundation for vLEI credentials.

CESR Specification: Defines the Composable Event Streaming Representation encoding used for KERI events and ACDC credentials.

IPEX Specification: Defines the Issuance and Presentation Exchange protocol used for vLEI credential issuance and verification workflows.

vLEI JSON Schemas: Technical schema definitions hosted in the GLEIF-IT/vLEI-schema repository:

• legal-entity-official-organizational-role-vLEI-credential.json
• legal-entity-engagement-context-role-vLEI-credential.json
• oor-authorization-vlei-credential.json
• ecr-authorization-vlei-credential.json

Policy Documents

vLEI Issuer Qualification Agreement: Contractual agreement between GLEIF and QVIs that establishes:

• Qualification requirements and procedures
• Annual and extraordinary qualification processes
• Operational requirements and service level agreements
• Termination conditions and grace period management

Information Trust Policies: Comprehensive policies addressing:

• Regulatory compliance (GDPR, ISO/IEC 27001)
• Privacy policies and data protection
• Security policies and incident management
• Employment verification and background checks

Implementation Considerations

While vLEI role credentials are primarily governance constructs, several implementation considerations are critical for developers and system integrators:

KERI Infrastructure Requirements

Witness Pool Configuration: Role credential issuers must maintain witness pools with:

• Minimum 5 witnesses using KAACE sufficient majority threshold
• Discovery mechanisms via well-known URIs, search engines, KERI DHT, and DID resolvers
• Appropriate security guarantees for ledger registrars (if using DLT backers)

AID Management: Credential holders must:

• Maintain control over their AIDs through secure key management
• Implement pre-rotation for key recovery
• Support multi-sig configurations for organizational AIDs
• Maintain approximately 128 bits of cryptographic strength for key generation and storage

KEL and TEL Management: Issuers must:

• Anchor issuance and revocation events to their KELs
• Maintain TEL registries for credential status tracking
• Ensure witness confirmation of all events
• Support KERL (Key Event Receipt Log) queries for verifiers

Identity Verification Integration

OOBI Session Implementation: Systems must support:

• Real-time audio/video conferencing with recording capabilities
• QR code generation and scanning for AID exchange
• Challenge message generation and cryptographic signing
• Verification of challenge responses
• Session recording and audit trail maintenance

Digital Identity Credential Verification: Systems should integrate with:

• European eIDAS infrastructure for high/substantial LoA credentials
• Asian digital identity schemes (myGov, Aadhaar, SingPass, etc.)
• Latin American schemes (e-CPF)
• NIST 800-63A IAL2 verification procedures

Credential Presentation and Verification

IPEX Protocol Implementation: Applications must support:

• Credential presentation requests and responses
• CESR encoding/decoding for credential exchange
• ACDC parsing and validation
• Edge traversal for chain verification
• TEL registry queries for revocation checking

Context-Specific Presentation: Applications should support:

• QR code-based presentation for in-person scenarios
• Web-based OOBI for online scenarios
• Voice-based challenge-response for telephonic scenarios
• Consistent verification logic across all contexts

Interoperability Considerations

Schema Compliance: Implementations must:

• Validate credentials against official JSON schemas from GLEIF-IT repository
• Support both compact (SAID-only) and full (expanded) attribute representations
• Handle both QVI-mediated and direct legal entity issuance patterns
• Support both OOR and ECR credential variants

Ecosystem Integration: Systems should:

• Support discovery of QVIs and legal entities through OOBI mechanisms
• Integrate with GLEIF's Global LEI System for LEI validation
• Support credential chaining and DAG traversal
• Implement caching strategies for frequently verified credentials

Security and Privacy

Key Management: Implementations must:

• Use HSMs or TEEs for high-value keys
• Implement key stretching for password-derived keys
• Support partial rotation for custodial scenarios
• Maintain separation between signing authority and rotation authority

Privacy Protection: Systems should:

• Implement selective disclosure where appropriate
• Support compact disclosure to minimize information leakage
• Use chain-link confidentiality for sensitive attributes
• Implement graduated disclosure workflows

Audit and Compliance: Implementations must:

• Maintain audit trails of all credential operations
• Support compliance reporting for governance frameworks
• Implement incident response procedures
• Support forensic analysis of credential chains

Conclusion

vLEI role credentials represent a sophisticated governance and technical framework for organizational identity and authorization. By combining rigorous identity verification procedures, cryptographic verifiability through KERI infrastructure, and comprehensive governance frameworks, vLEI role credentials enable legal entities to issue verifiable, tamper-evident credentials to their representatives. These credentials provide context-independent proof of authorization, supporting diverse use cases from regulatory compliance to business transactions while maintaining the decentralized, self-sovereign principles of the KERI protocol.