In my last blog I looked at the high-level role of the Qualified vLEI Issuer (QVI) and the wallet technology required to ‘hold’ credentials. In this blog I want to look at the issuance process: how do you actually get an LE-vLEI, OOR-vLEI or ECR-vLEI credential? Before we dive into that, we need to talk a little about the wider ecosystem and the governance framework.
vLEI Governance Framework
The vLEI ecosystem provides both organisation and individual identities at a defined level of assurance. It also provides linkage information (which individual is connected to which organisation, and in what role), again at a defined level of assurance. These identities and the linkage between them have the potential to provide significant benefit to organisations and the processes they run. The Finnish Government Katso case study published by Ubisecure details the value that can be achieved by linking strong individual and organisation identities.
It is important that the identities and the linkage are determined in a defined way. This definition, or framework, is what generates the trust in the claims made about the identities and the linkage. Each identity ecosystem has its own definition of the level of assurance and authentication required, and it is this definition that allows a relying party to decide how much trust to apply. The vLEI ecosystem is no different.
GLEIF has made significant investments in building the governance framework for the vLEI ecosystem. It is this framework that gives the credentials their value: third parties can rely on the claims contained within them, to the level defined in the governance framework.
You can find all the details of the framework on the GLEIF site.
At the time of writing the framework is at version 0.9 and not yet final; however, it is sufficiently developed that the issuance processes are well understood. We do expect changes to the framework in the coming months. For example, in the last blog I said that GLEIF were providing the wallets and issuance software for QVIs to use; it is now likely that QVIs will have to build their own ‘wallet’ and issuance software.
Identity assurance levels
The vLEI ecosystem governance framework defines the assurance levels as follows:
|Identity or linkage|Assurance level|
|---|---|
|Organisation|valid, active LEI contained within the GLEIS|
|Individual|NIST IAL2 identity verification|
|Linkage|Official public data source (for example a business registry)|
The organisation assurance builds on the work of the LOUs (Local Operating Units) in verifying legal entities as part of LEI issuance. For the individual identity, NIST IAL2 requires verification against an official identity document (for example a passport), which can be done in person or remotely. The linkage between the individual and the organisation must be evidenced by official public data, such as a director listing in a business registry.
But how do I get a vLEI for my company?
The issuance process reflects both the assurance levels required and good practice in key management and key usage. Let’s walk through what is needed to obtain an LE-vLEI. It is a little involved, so grab a coffee and then we can proceed.
Setting up the Representatives for the Legal Entity
The first step in issuance is for a representative of the legal entity to enter into a contractual agreement with a QVI to provide the issuance service. The individual from the legal entity who undertakes this contractual signup is known as the Designated Authorised Representative (DAR). The DAR is responsible for the contractual signup and for introducing the individuals who will manage the LE-vLEI for the company.
Once the contract is in place, the DAR will provide details of three Legal Entity Authorised Representatives (LARs). There can be more or fewer than three, but three is the number the Governance Framework looks for as the ideal (minimum). The LARs will between them control the issued LE-vLEI and will be required to participate in any further usage of it: they jointly control the signing ability of the LE-vLEI, so signing on behalf of the LE is a joint action rather than something any one LAR does alone.
Each LAR must have their personal identity assured to NIST IAL2, and the QVI will have its own defined process for doing this. Each LAR will also need a wallet to store their unique identifier and the associated signing keys. One of the LARs will be designated as the Lead LAR and will be responsible for leading the issuance from the LE side.
The individual identity verification process might require a video call; that depends on the verification process used by the QVI.
Issuing the Credential for the Entity, the LE-vLEI
The issuance process itself requires a video call, and the LARs must be present on it.
From the QVI side there will be at least two QVI Authorised Representatives (QARs) involved, a lead and a secondary.
At the start of the issuance call the QARs will check that the LEI for the LE is active and that it is the correct LEI for the legal entity involved. The QARs must also confirm that the LARs present are the same individuals whose identities were assured previously. This can be done by technical means or by the LARs presenting their identification documents on the video call.
Once the LARs have been verified, each must provide the ‘address’ of their wallet. This is done by sharing a URL known as an Out-of-Band Introduction (OOBI), through which the other party can discover the identifier and its current keys. The QARs must likewise share the OOBI for the QVI’s credential.
Each LAR has a unique identifier (AID) held in their wallet. Each LAR must prove that they control the AID by responding to a challenge request: the lead QAR issues the challenge to the LARs, and the lead LAR issues the challenge for the QVI’s credential. A correct response shows that the party presenting an OOBI actually holds the signing keys behind it, rather than merely knowing the identifier.
Once control has been proved, the lead QAR can initiate the LE-vLEI process by capturing the LE details. The details are wrapped into an LE-vLEI credential, which must then be signed by both QARs. At this stage a valid LE-vLEI credential exists and, using the OOBIs exchanged earlier, it is transferred to the LARs’ wallets.
The LARs are now able to view the new LE-vLEI credential and use it to perform actions that require ‘signing’ by the LE.
Please note that the above description is simplified. The full LE-vLEI issuance process is detailed in the Ecosystem Governance Framework vLEI Credential Governance Framework Legal Entity Official Organizational Role. Also note that in the current documents LARs are referred to as AVRs, but this will change in the next release.
Issuing Individual Credentials, OOR-vLEIs and ECR-vLEIs
The chain of trust
Once the Legal Entity has an LE-vLEI, Official Organisational Role (OOR) or Engagement Context Role (ECR) credentials can be issued. The current Governance Framework does not provide a technical linkage between the LE-vLEI and the OOR-vLEIs; however, a change will shortly be made that requires the LARs to create a credential-request credential that is passed to the QVI. The QVI will then use that request credential to issue the OOR or ECR credential, and the system will ensure chaining between the LE-vLEI and the OOR-vLEIs / ECR-vLEIs, so that a verifier of a role credential can follow it back to the LE-vLEI it was issued under.
The data subject for the OOR / ECR must be introduced to the QVI by the DAR or a LAR. The individual then goes through identity assurance to NIST IAL2, as the LARs did. If an OOR is being issued, the QAR must be able to locate an official public data source that confirms the official role being requested. There is a caveat here for OORs that cannot yet be proved externally, typically for timing reasons (a newly appointed company director, for example): in that case it is possible for multiple LARs to vouch for the linkage.
Each credential subject will require a wallet and must have a unique identifier created along with the associated signing key pair. This happens before the issuance process takes place.
As with LE-vLEI issuance, a video call is required to issue an OOR; the data subject must be verified, as must the LARs present on the call. Again, OOBIs must be exchanged and proof of control of the unique identifiers must take place.
The QAR ensures that the official role requested exists in the published list of official roles and then proceeds with the issuance.
For ECRs it is permissible for the LE itself to issue the credential, or the LE can return to a QVI to have the QVI issue it. Also note that there is no requirement for the QVI used to issue the LE-vLEI to be the same QVI used to issue the OOR-vLEI credentials.
As with the LE-vLEI description, the above is simplified. The full OOR-vLEI issuance process is detailed in the Ecosystem Governance Framework vLEI Credential Governance Framework Legal Entity Official Organizational Role. Also note that in the current documents LARs are referred to as AVRs, but this will change in the next release.
I hope the coffee was good. One last item to point out is that the entire framework uses the features and capabilities of the KERI platform. Our Principal Scientist has been writing about KERI (see Verifiable Credentials – how does it work? and Understanding key VC principles), but in the meantime, if you would like any more information about how vLEIs or LEIs can complement your identity usage, please get in touch with us.