In my last blog, vLEI 101 – the Verifiable Legal Entity Identifier, I spoke about the potential of the vLEI. In the brief outline of the wider vLEI eco-system we saw that there were a number of types of Verifiable Credential:
- LE-vLEI: a credential providing LEI data for the organisation
- LE-OOR: a credential providing information about an individual holding a specific formal role within the organisation
- LE-ECR: a credential providing information about an individual who has a ‘user defined’ role in relation to an organisation.
The credentials are issued by a Qualified vLEI Issuer, a QVI, and stored in a wallet. Let’s look at that in a bit more detail to understand what is going on.
The role of the QVI
We started off our last blog assuming a basic understanding of the LEI. The LEI is a 20 digit code that identifies a legal entity and can be used to look up data in real time from the GLEIS, a public database managed by the GLEIF. The LEI itself is issued by an ‘LEI Issuer’ known as an LOU. LOUs are entities that are accredited by the GLEIF and audited yearly to ensure they are perform inline with the defined frameworks.
It is very similar for vLEIs. vLEIs are issued by a ‘Qualified vLEI Issuer’, known as a QVI. An organisation wishing to become a QVI must define processes and systems that adhere to the vLEI governance framework and pass an initial qualification from the GLEIF, and then undertake yearly audits by the GLEIF.
The QVI has to follow a precise process to issue any of the previously listed credentials, which involve the checking of the LEI, the identity assurance of individuals involved and finally the technical issuance process itself.
The GLEIF is still finalising the process definitions but we expect to see initial QVIs launching within the next 6 months or so.
What does an issued credential look like?
As we discussed previously, credentials are designed to be understood by computers. This allows the holder of the credential to present the credential during a transaction to make a statement that can be understood by the ‘computer’ processing the request.
The issued credential is a machine readable format, typically in a json format. They are not meant to be directly read by the holder, instead credentials are accessed, displayed, and ‘used’ by an application, a ‘wallet’.
It should be noted there are a few different formats of credentials which means there are different wallets. On top of this, there are many different ways in which a computer can check the credential and so the wallet must present the credential in the right format for the intended end use, and this can mean a different wallet per use case.
The credential wallet
The various credentials, that you might have, are stored in a wallet. This is an application, often residing on your mobile device, that securely holds the credential data, provides a user interface so you can examine the contents of the wallet, and provides functionality for using the credentials stored within.
Wallets on mobile devices are not new, the iPhone provides a wallet for a variety of items, such as payment cards and boarding passes. The idea is the same, but the iPhone wallet is not a Verifiable Credential wallet.
The wallet residing on your mobile device is actually a significant concept. In ‘classical’ identity systems the claims about ‘you’ are held by an Identity Provider, and when someone wants to access one of those claims they contact that (central) identity provider for the details. This means that the identity provider knows who you are sharing claims with, and in many cases the level of data shared is greater than the need of the person asking. The typical example here is sharing your date of birth as proof you are over 18.
The alternative to this centralised identity is a system where you hold all the information about you and get to decide what information to share in response to any given request. This is known as Self Sovereign Identity and is enabled by the credential wallet.
When a service needs to know some information about ‘you’ it will generate something called a Presentation Request. This is often in the form of a QR code that you scan with the wallet app. The App will decide the request, see what claims are being asked for and then present you with that information and let you choose how to respond using the various items of information you have in the wallet. You are now in control of who is being told what, and you are the central store of the claims. Your bank might have generated the credential you will use, but it has no connection to whoever or whatever you are now sharing that information with, so the recipient cannot track your usage of that information.
All of this is well and good, however there is a challenge here. The credentials are all using strong cryptographic techniques to secure and protect the data, and to give service providers confidence that the claims are un-altered and issued by trusted parties. This strong cryptographic protection requires some complex management to take place, and in the wallet system, as described, this also falls to you, the user, as you are managing your attributes. There is a solution to this, the custodial wallet.
A custodial wallet is where a third party provides a hosted wallet for you and takes care of the cryptographic management. Of course, this ease of maintenance comes with a slight reduction in overall security – another party is controlling your cryptographic keys, but in many instances that trade off is for the best.
This extra dimension increases the number of wallets available; not only do you have differing credential types, differing verification methods, but now also differing providers of wallets.
In the short term you should expect to see a number of wallets appearing, both on your mobile and through cloud services. Over time, the differences will be incorporated, and wallets will become more general purpose and there will be consolidation.
Wallets and vLEI
The vLEI is no different to any other credential and requires a wallet to be issued into. GLEIF are building the wallet capability following the pilot issuance project for the signing of the 2021 accounts. It is likely that the first wallets will be custodial (hosted) and provided by the QVIs to simplify the overall process for the legal entities who are obtaining vLEIs.
In my next blog we will look at how the wider issuance process for the vLEI credentials works. In the meantime, if you would like to know more about the vLEI, about Verified Credentials or about how the world of Verified Credentials interacts with the classical identity world please get in contact with us.