diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
new file mode 100644
index 0000000..5983c41
--- /dev/null
+++ b/.github/workflows/pages.yml
@@ -0,0 +1,57 @@
+name: Deploy GitHub Pages
+
+on:
+ push:
+ branches: ["main"]
+ paths:
+ - 'docs/**'
+ - '_config.yml'
+ - '.github/workflows/pages.yml'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: '3.1'
+ bundler-cache: true
+
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v4
+
+ - name: Build with Jekyll
+ run: |
+ bundle add jekyll jekyll-theme-minimal jekyll-relative-links jekyll-seo-tag jekyll-sitemap
+ bundle exec jekyll build --source . --destination ./_site
+ env:
+ JEKYLL_ENV: production
+
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
\ No newline at end of file
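Review bot: The `Build with Jekyll` step installs its gems with `bundle add jekyll jekyll-theme-minimal …` and no versions, so the published site is built from whatever RubyGems resolves at run time, and nothing visible here consults the `docs/Gemfile.lock` added in this same commit. If the site being published is the one under `docs/`, point `ruby/setup-ruby` and the build step at that directory and drop the `bundle add` line, as sketched below; check that `ruby-version` satisfies the locked gems. The workflow-level `pages: write` and `id-token: write` also reach the build job, which is the job that runs gem and plugin code, so they are better granted on `deploy` only (the build job probably still needs `pages: read` for `actions/configure-pages`; confirm). The `uses:` lines reference mutable tags (`@v4`, `@v1`, `@v3`); pinning each to a full commit SHA, with the tag kept as a trailing comment, stops a retagged release from changing what runs with these permissions.

```yaml
permissions:
  contents: read

jobs:
  build:
    permissions:
      contents: read
      pages: read
    runs-on: ubuntu-latest
    steps:
      # … unchanged: Checkout …
      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.1'
          bundler-cache: true
          working-directory: docs
      # … unchanged: Setup Pages …
      - name: Build with Jekyll
        working-directory: docs
        run: bundle exec jekyll build --destination ../_site
        env:
          JEKYLL_ENV: production
      # … unchanged: Upload artifact …

  deploy:
    permissions:
      pages: write
      id-token: write
    # … unchanged: environment, runs-on, needs, steps …
```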
diff --git a/docs/.jekyll-metadata b/docs/.jekyll-metadata
new file mode 100644
index 0000000..b96d99a
Binary files /dev/null and b/docs/.jekyll-metadata differ
diff --git a/docs/2021-10-12_Update-vLEI-IIW_v1.1_final.pdf b/docs/2021-10-12_Update-vLEI-IIW_v1.1_final.pdf
deleted file mode 100644
index e176ca4..0000000
Binary files a/docs/2021-10-12_Update-vLEI-IIW_v1.1_final.pdf and /dev/null differ
diff --git a/docs/Gemfile b/docs/Gemfile
new file mode 100644
index 0000000..4826df5
--- /dev/null
+++ b/docs/Gemfile
@@ -0,0 +1,7 @@
+source "https://rubygems.org"
+
+gem "jekyll", "~> 4.3"
+gem "minima", "~> 2.5"
+gem "jekyll-feed"
+gem "jekyll-seo-tag"
+gem "webrick"
\ No newline at end of file
diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock
new file mode 100644
index 0000000..6210e36
--- /dev/null
+++ b/docs/Gemfile.lock
@@ -0,0 +1,173 @@
+GEM
+ remote: https://rubygems.org/
+ specs:
+ addressable (2.8.7)
+ public_suffix (>= 2.0.2, < 7.0)
+ base64 (0.3.0)
+ bigdecimal (3.2.2)
+ colorator (1.1.0)
+ concurrent-ruby (1.3.5)
+ csv (3.3.5)
+ em-websocket (0.5.3)
+ eventmachine (>= 0.12.9)
+ http_parser.rb (~> 0)
+ eventmachine (1.2.7)
+ ffi (1.17.2)
+ ffi (1.17.2-aarch64-linux-gnu)
+ ffi (1.17.2-aarch64-linux-musl)
+ ffi (1.17.2-arm-linux-gnu)
+ ffi (1.17.2-arm-linux-musl)
+ ffi (1.17.2-arm64-darwin)
+ ffi (1.17.2-x86-linux-gnu)
+ ffi (1.17.2-x86-linux-musl)
+ ffi (1.17.2-x86_64-darwin)
+ ffi (1.17.2-x86_64-linux-gnu)
+ ffi (1.17.2-x86_64-linux-musl)
+ forwardable-extended (2.6.0)
+ google-protobuf (4.32.0)
+ bigdecimal
+ rake (>= 13)
+ google-protobuf (4.32.0-aarch64-linux-gnu)
+ bigdecimal
+ rake (>= 13)
+ google-protobuf (4.32.0-aarch64-linux-musl)
+ bigdecimal
+ rake (>= 13)
+ google-protobuf (4.32.0-arm64-darwin)
+ bigdecimal
+ rake (>= 13)
+ google-protobuf (4.32.0-x86-linux-gnu)
+ bigdecimal
+ rake (>= 13)
+ google-protobuf (4.32.0-x86-linux-musl)
+ bigdecimal
+ rake (>= 13)
+ google-protobuf (4.32.0-x86_64-darwin)
+ bigdecimal
+ rake (>= 13)
+ google-protobuf (4.32.0-x86_64-linux-gnu)
+ bigdecimal
+ rake (>= 13)
+ google-protobuf (4.32.0-x86_64-linux-musl)
+ bigdecimal
+ rake (>= 13)
+ http_parser.rb (0.8.0)
+ i18n (1.14.7)
+ concurrent-ruby (~> 1.0)
+ jekyll (4.4.1)
+ addressable (~> 2.4)
+ base64 (~> 0.2)
+ colorator (~> 1.0)
+ csv (~> 3.0)
+ em-websocket (~> 0.5)
+ i18n (~> 1.0)
+ jekyll-sass-converter (>= 2.0, < 4.0)
+ jekyll-watch (~> 2.0)
+ json (~> 2.6)
+ kramdown (~> 2.3, >= 2.3.1)
+ kramdown-parser-gfm (~> 1.0)
+ liquid (~> 4.0)
+ mercenary (~> 0.3, >= 0.3.6)
+ pathutil (~> 0.9)
+ rouge (>= 3.0, < 5.0)
+ safe_yaml (~> 1.0)
+ terminal-table (>= 1.8, < 4.0)
+ webrick (~> 1.7)
+ jekyll-feed (0.17.0)
+ jekyll (>= 3.7, < 5.0)
+ jekyll-sass-converter (3.1.0)
+ sass-embedded (~> 1.75)
+ jekyll-seo-tag (2.8.0)
+ jekyll (>= 3.8, < 5.0)
+ jekyll-watch (2.2.1)
+ listen (~> 3.0)
+ json (2.13.2)
+ kramdown (2.5.1)
+ rexml (>= 3.3.9)
+ kramdown-parser-gfm (1.1.0)
+ kramdown (~> 2.0)
+ liquid (4.0.4)
+ listen (3.9.0)
+ rb-fsevent (~> 0.10, >= 0.10.3)
+ rb-inotify (~> 0.9, >= 0.9.10)
+ mercenary (0.4.0)
+ minima (2.5.2)
+ jekyll (>= 3.5, < 5.0)
+ jekyll-feed (~> 0.9)
+ jekyll-seo-tag (~> 2.1)
+ pathutil (0.16.2)
+ forwardable-extended (~> 2.6)
+ public_suffix (6.0.2)
+ rake (13.3.0)
+ rb-fsevent (0.11.2)
+ rb-inotify (0.11.1)
+ ffi (~> 1.0)
+ rexml (3.4.1)
+ rouge (4.6.0)
+ safe_yaml (1.0.5)
+ sass-embedded (1.90.0)
+ google-protobuf (~> 4.31)
+ rake (>= 13)
+ sass-embedded (1.90.0-aarch64-linux-android)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-aarch64-linux-gnu)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-aarch64-linux-musl)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-arm-linux-androideabi)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-arm-linux-gnueabihf)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-arm-linux-musleabihf)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-arm64-darwin)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-riscv64-linux-android)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-riscv64-linux-gnu)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-riscv64-linux-musl)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-x86_64-darwin)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-x86_64-linux-android)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-x86_64-linux-gnu)
+ google-protobuf (~> 4.31)
+ sass-embedded (1.90.0-x86_64-linux-musl)
+ google-protobuf (~> 4.31)
+ terminal-table (3.0.2)
+ unicode-display_width (>= 1.1.1, < 3)
+ unicode-display_width (2.6.0)
+ webrick (1.9.1)
+
+PLATFORMS
+ aarch64-linux-android
+ aarch64-linux-gnu
+ aarch64-linux-musl
+ arm-linux-androideabi
+ arm-linux-gnu
+ arm-linux-gnueabihf
+ arm-linux-musl
+ arm-linux-musleabihf
+ arm64-darwin
+ riscv64-linux-android
+ riscv64-linux-gnu
+ riscv64-linux-musl
+ ruby
+ x86-linux-gnu
+ x86-linux-musl
+ x86_64-darwin
+ x86_64-linux-android
+ x86_64-linux-gnu
+ x86_64-linux-musl
+
+DEPENDENCIES
+ jekyll (~> 4.3)
+ jekyll-feed
+ jekyll-seo-tag
+ minima (~> 2.5)
+ webrick
+
+BUNDLED WITH
+ 2.7.1
diff --git a/docs/Schema_Registry.md b/docs/Schema_Registry.md
deleted file mode 100644
index bd6540a..0000000
--- a/docs/Schema_Registry.md
+++ /dev/null
@@ -1,56 +0,0 @@
-# verifiable LEI (vLEI) Ecosystem Governance Framework vLEI Credential Schema Registry
-This Controlled Document will cover all policies regarding the publication of the official JSON Schema for the vLEI credentials.
-
-## Related Specifications
-#### JSON Schema
-JSON Schema 2020-12
-https://json-schema.org/draft/2020-12/release-notes.html
-
-#### ACDC
-IETF ACDC (Authentic Chained Data Containers) Internet Draft
-https://github.com/trustoverip/tswg-acdc-specification
-
-#### SAID
-IETF SAID (Self-Addressing IDentifier) Internet Draft
-https://github.com/WebOfTrust/ietf-said
-
-#### CESR
-IETF CESR (Composable Event Streaming Representation) Internet Draft
-https://github.com/WebOfTrust/ietf-cesr
-
-#### Semantic Versioning
-Semantic Versioning Specification 2.0
-https://semver.org
-
-## Official vLEI Credential Schema
-
-
-### Requirements
-
-A SAID is an encoded agile cryptographic digest of the contents of the schema. Any change to the schema results in a new SAID. Therefore each and every version of any schema has a universally unique SAID across all schema and all versions of all schema. Any copy of a schema that verifies against the SAID published in the following table can be assumed to be identical to any other copy that verifies to the same SAID by virtue of the strong collision resistance of the digest employed. The digest algorithm employed for generating schema SAIDS MUST have an approximate cryptographic strength of 128 bits. The SAID MUST be generated in compliance with the IETF-SAID internet draft specification and MUST be encoded using CESR. The CESR encoding indicates the type of cryptographic digest used to generate the SAID. The schema MUST be JSON-Schema 2020-12 compliant. The table below provides the normative SAIDs (Self-Addressing-IDentifiers) for each of the official schemas.
-
-### Versioning
-
-As ACDCs, the vLEI schema uses composition operators from JSON Schema. This allows extensibility in schema such that in many cases, newer schema versions may be backward compatible with older schema versions. A new schema version is considered backward incompatible with respect to a previous version of a schema when any instance of a vLEI credential that validates against the previous version of the schema may not be guaranteed to validate against the new version. As per the semantic versioning rules, a backward incompatible schema MUST have a higher MAJOR version number than any backward incompatible version.
-
-### Schema Table
-
-The following table provides, in descending order, row-by-row, the latest version, the SAID, and the type of each official schema, along with a URL. The URL is a network location where a copy of the schema may be obtained. Updated versions will be added to the top of the table upon designation by GLEIF as official. The version number for each schema follows the Semantic Versioning 2.0.0 specification.
-
-
-| Version | SAID | Type | URL |
-|-:|:-|:-|:-|
-| `1.0.0` | `ELqriXX1-lbV9zgXP4BXxqJlpZTgFchll3cyjaCyVKiz` | QualifiedvLEIIssuervLEICredential | https://github.com/WebOfTrust/vLEI/blob/dev/schema/acdc/qualified-vLEI-issuer-vLEI-credential.json |
-| `1.0.0` | `EK0jwjJbtYLIynGtmXXLO5MGJ7BDuX2vr2_MhM9QjAxZ` | LegalEntityvLEICredential | https://github.com/WebOfTrust/vLEI/blob/dev/schema/acdc/legal-entity-vLEI-credential.json |
-| `1.0.0` | `EDqjl80uP0r_SNSp-yImpLGglTEbOwgO77wsOPjyRVKy` | OORAuthorizationvLEICredential | https://github.com/WebOfTrust/vLEI/blob/dev/schema/acdc/oor-authorization-vlei-credential.json |
-| `1.0.0` | `EIL-RWno8cEnkGTi9cr7-PFg_IXTPx9fZ0r9snFFZ0nm` | LegalEntityOfficialOrganizationalRolevLEICredential | https://github.com/WebOfTrust/vLEI/blob/dev/schema/acdc/legal-entity-official-organizational-role-vLEI-credential.json |
-| `1.0.0` | `ED_PcIn1wFDe0GB0W7Bk9I4Q_c9bQJZCM2w7Ex9Plsta` | ECRAuthorizationvLEICredential | https://github.com/WebOfTrust/vLEI/blob/dev/schema/acdc/ecr-authorization-vlei-credential.json |
-| `1.0.0` | `EOhcE9MV90LRygJuYN1N0c5XXNFkzwFxUBfQ24v7qeEY` | LegalEntityEngagementContextRolevLEICredential | https://github.com/WebOfTrust/vLEI/blob/dev/schema/acdc/legal-entity-engagement-context-role-vLEI-credential.json |
-| `1.0.0` | `EJEMDhCDi8gLqtaXrb36DRLHMfC1c08PqirQvdPPSG5u` | iXBRLDataAttestation | https://github.com/WebOfTrust/vLEI/blob/dev/schema/acdc/verifiable-ixbrl-report-attestation.json |
-
-
-
-## Informative Notes
-At some time in the future, this registry document may be augmented with a live registry that follows the future ToIP Trust Registry Protocol specification. The current incomplete draft may be found here:
-https://docs.google.com/document/d/1ZGXUB0oODHO66PQkO66-fbAu6f7sVVToOz3Q8RNG0fs/edit
-
diff --git a/docs/_config.yml b/docs/_config.yml
new file mode 100644
index 0000000..660e1f5
--- /dev/null
+++ b/docs/_config.yml
@@ -0,0 +1,31 @@
+title: vLEI Ecosystem Credential Documentation
+description: Documentation for the vLEI (verifiable Legal Entity Identifier) credential ecosystem implementation
+theme: minima
+baseurl: ""
+url: ""
+
+plugins:
+ - jekyll-feed
+ - jekyll-seo-tag
+
+markdown: kramdown
+kramdown:
+ syntax_highlighter: rouge
+ input: GFM
+
+# Suppress Sass deprecation warnings
+sass:
+ quiet_deps: true
+ verbose: false
+ style: compressed
+ sourcemap: never
+
+# Additional settings to minimize output noise
+quiet: true
+incremental: true
+
+header_pages:
+ - index.md
+ - credentials.md
+ - vlei-credential-ecosystem.md
+ - vlei-dependency-graph.md
\ No newline at end of file
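Review bot: `incremental: true` in the site config makes every build, including the production one, use Jekyll's incremental regeneration, and this commit also adds `docs/.jekyll-metadata`, the cache file that mode reads, as a binary blob. That file cannot be reviewed in a diff, and as far as I know Jekyll loads it with Ruby's `Marshal` when incremental mode is on, so a build should not consume a copy that arrived through a commit. I would delete `incremental: true` here, pass `--incremental` only to a local `jekyll serve`, and add `.jekyll-metadata` to `.gitignore`. `quiet: true` also hides build warnings in the CI log, which makes a broken or partial deploy harder to notice. `theme: minima` matches `docs/Gemfile`, but the workflow installs `jekyll-theme-minimal`, so one of the two is likely stale.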
diff --git a/docs/_includes/head-custom.html b/docs/_includes/head-custom.html
new file mode 100644
index 0000000..566af1d
--- /dev/null
+++ b/docs/_includes/head-custom.html
@@ -0,0 +1,52 @@
+
+
+
+
\ No newline at end of file
diff --git a/docs/_includes/header.html b/docs/_includes/header.html
new file mode 100644
index 0000000..29a54be
--- /dev/null
+++ b/docs/_includes/header.html
@@ -0,0 +1,30 @@
+
The vLEI ecosystem uses authorization credentials issued by Legal Entities to QVIs to authorize the issuance of role credentials to individuals. There are two types of authorization credentials:
+ +EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-EEH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g| Feature | +OOR Authorization | +ECR Authorization | +
|---|---|---|
| Schema SAID | +EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E |
+ EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g |
+
| Issuer | +Legal Entity | +Legal Entity | +
| Recipient | +QVI | +QVI | +
| Purpose | +Authorize OOR credential issuance | +Authorize ECR credential issuance | +
| Role Field | +officialRole |
+ engagementContextRole |
+
| Privacy Disclaimer | +No | +Yes | +
| Use Case | +Permanent organizational roles | +Context-specific engagements | +
sequenceDiagram
+ participant LE as Legal Entity
+ participant QVI as QVI
+ participant Person as Person
+
+ rect rgb(240, 240, 255)
+ Note over LE,QVI: OOR Authorization Flow
+ LE->>QVI: Issue OOR Authorization
+ Note over QVI: Authorizes official role issuance
+ end
+
+ rect rgb(240, 255, 240)
+ Note over LE,QVI: ECR Authorization Flow
+ LE->>QVI: Issue ECR Authorization
+ Note over QVI: Authorizes engagement context role issuance
+ Note over QVI: Includes privacy disclaimer
+ end
+
+ rect rgb(255, 240, 240)
+ Note over QVI,Person: Credential Issuance
+ QVI->>Person: Issue OOR or ECR Credential
+ Note over Person: Based on received authorization
+ end
+
+
+This document provides a comprehensive overview of the verifiable Legal Entity Identifier (vLEI) credential ecosystem implemented using KERI (Key Event Receipt Infrastructure) and ACDC (Authentic Chained Data Containers).
+ +The vLEI ecosystem consists of six primary credential types that form a hierarchical trust chain:
+ +EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqaoENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWYEKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-EEBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJyEEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jwEH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14gflowchart TD
+ A[GLEIF<br/>Root Authority] -->|Issues| B[QVI vLEI<br/>Credential]
+ B -->|Authorizes| C[Legal Entity<br/>vLEI Credential]
+ C -->|Enables| D[OOR/ECR<br/>Authorization]
+ D -->|Permits| E[OOR vLEI<br/>Credential]
+ D -->|Permits| F[ECR vLEI<br/>Credential]
+
+ style A fill:#ff9999
+ style B fill:#99ccff
+ style C fill:#99ff99
+ style D fill:#ffcc99
+ style E fill:#ff99ff
+ style F fill:#ccffcc
+
+
+sequenceDiagram
+ participant GLEIF
+ participant QVI as Qualified vLEI Issuer
+ participant LE as Legal Entity
+ participant Person as Person/Role Holder
+
+ rect rgb(240, 240, 255)
+ Note over GLEIF,QVI: Foundation Layer
+ GLEIF->>QVI: Issue QVI vLEI Credential
+ Note right of QVI: Schema: EBfdlu8R27Fbx...
+ Note right of QVI: Contains LEI, grace period
+ end
+
+ rect rgb(240, 255, 240)
+ Note over QVI,LE: Legal Entity Layer
+ QVI->>LE: Issue LE vLEI Credential
+ Note right of LE: Schema: ENPXp1vQzRF6...
+ Note right of LE: Chains to QVI credential
+ Note right of LE: Contains entity LEI
+ end
+
+ rect rgb(255, 240, 240)
+ Note over LE,QVI: Authorization Layer
+ LE->>QVI: Issue OOR Authorization
+ Note left of QVI: Schema: EKA57bKBKxr...
+ Note left of QVI: Authorizes role issuance
+
+ LE->>QVI: Issue ECR Authorization
+ Note left of QVI: Schema: EH6ekLjSr8V3...
+ Note left of QVI: For engagement contexts
+ end
+
+ rect rgb(255, 255, 240)
+ Note over QVI,Person: Role Credential Layer
+ QVI->>Person: Issue OOR vLEI Credential
+ Note right of Person: Schema: EBNaNu-M9P5c...
+ Note right of Person: Official organizational role
+ Note right of Person: Chains to OOR Auth
+
+ QVI->>Person: Issue ECR vLEI Credential
+ Note right of Person: Schema: EEy9PkikFcANV1l7...
+ Note right of Person: Engagement context role
+ Note right of Person: Chains to ECR Auth
+ end
+
+
+All vLEI credentials share a common ACDC structure:
+ +To verify any credential in the ecosystem:
+ +---
+config:
+ layout: elk
+---
+classDiagram
+ class ECRAuthvLEICredential {
+ +string v : Version
+ +string d : Credential SAID
+ +string u : One time use nonce
+ +string i : LE Issuer AID
+ +string ri : Credential status registry
+ +string s : Schema SAID
+ +a : Attributes
+ +e : Edges
+ +r : Rules
+ }
+
+ class ECRAuthAttributes {
+ +string d : Attributes block SAID
+ +string i : QVI Issuee AID
+ +string dt : Issuance date time
+ +string AID : Recipient AID
+ +string LEI : Legal Entity Identifier
+ +string personLegalName : Recipient name
+ +string engagementContextRole : Role description
+ }
+
+ class ECRAuthEdges {
+ +string d : Edges block SAID
+ +LENode le : Legal Entity reference
+ }
+
+ class LENode {
+ +string n : LE credential SAID
+ +string s : Required schema SAID
+ +string o : Operator (I2I)
+ }
+
+ class ECRAuthRules {
+ +string d : Rules block SAID
+ +UsageDisclaimer usageDisclaimer
+ +IssuanceDisclaimer issuanceDisclaimer
+ +PrivacyDisclaimer privacyDisclaimer
+ }
+
+ class UsageDisclaimer {
+ +string l : Legal language
+ }
+
+ class IssuanceDisclaimer {
+ +string l : Legal language
+ }
+
+ class PrivacyDisclaimer {
+ +string l : Privacy considerations text
+ }
+
+ ECRAuthvLEICredential --> "1" ECRAuthAttributes : contains
+ ECRAuthvLEICredential --> "1" ECRAuthEdges : contains
+ ECRAuthvLEICredential --> "1" ECRAuthRules : contains
+ ECRAuthEdges --> "1" LENode : references
+ ECRAuthRules --> "1" UsageDisclaimer : has
+ ECRAuthRules --> "1" IssuanceDisclaimer : has
+ ECRAuthRules --> "1" PrivacyDisclaimer : has
+
+ note for ECRAuthvLEICredential "Schema ID: EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g\nVersion: 1.0.0\nIssued by LE to QVI\nAuthorizes ECR credential issuance"
+
+ note for ECRAuthAttributes "Required fields:\ni (QVI AID), dt, AID (Person),\nLEI, personLegalName, engagementContextRole"
+
+ note for LENode "Links to LE credential\nSchema: ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY\nOperator: I2I (issuer to issuer)"
+
+ note for PrivacyDisclaimer "ECR Auth includes privacy\nconsiderations for IPEX/ACDC usage"
+
+
+EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14gi: QVI Issuee AIDdt: Issuance date timeAID: Recipient Person AIDLEI: Legal Entity IdentifierpersonLegalName: Recipient nameengagementContextRole: Engagement context role descriptionENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWYsequenceDiagram
+ participant LE as Legal Entity
+ participant QVI as QVI
+ participant Person as Person
+
+ rect rgb(240, 255, 240)
+ Note over LE,QVI: ECR Authorization Flow
+ LE->>QVI: Issue ECR Authorization
+ Note over QVI: Schema: EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g
+ Note over QVI: Authorizes engagement context role issuance
+ Note over QVI: Includes privacy disclaimer
+ end
+
+ rect rgb(255, 240, 240)
+ Note over QVI,Person: Credential Issuance
+ QVI->>Person: Issue ECR Credential
+ Note over Person: Based on received authorization
+ end
+
+
+The ECR Authorization credential includes:
+The privacy disclaimer is unique to ECR Authorization, recognizing that engagement context roles may require additional privacy considerations for context-specific interactions.
+ +| Feature | +ECR Authorization | +OOR Authorization | +
|---|---|---|
| Schema SAID | +EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g |
+ EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E |
+
| Role Field | +engagementContextRole |
+ officialRole |
+
| Privacy Disclaimer | +Yes | +No | +
| Use Case | +Context-specific engagements | +Permanent organizational roles | +
---
+config:
+ layout: elk
+---
+classDiagram
+ class ECRvLEICredential {
+ +string v : Version
+ +string d : Credential SAID
+ +string u : One time use nonce
+ +string i : QVI Issuer AID
+ +string ri : Credential status registry
+ +string s : Schema SAID
+ +a : Attributes
+ +e : Edges
+ +r : Rules
+ }
+
+ class Attributes {
+ +string d : Attributes block SAID
+ +string i : Person Issuee AID
+ +string dt : Issuance date time
+ +string LEI : Legal Entity Identifier
+ +string personLegalName : Recipient name
+ +string engagementContextRole : Engagement role title
+ }
+
+ class Edges {
+ +string d : Edges block SAID
+ +AuthNode auth : Authorization chain
+ }
+
+ class AuthNode {
+ +string n : ACDC SAID reference
+ +string s : Required schema SAID
+ +string o : Operator (I2I)
+ }
+
+ class Rules {
+ +string d : Rules block SAID
+ +UsageDisclaimer usageDisclaimer
+ +IssuanceDisclaimer issuanceDisclaimer
+ }
+
+ class UsageDisclaimer {
+ +string l : Legal language about usage
+ }
+
+ class IssuanceDisclaimer {
+ +string l : Legal language about issuance
+ }
+
+ ECRvLEICredential --> "1" Attributes : contains
+ ECRvLEICredential --> "1" Edges : contains
+ ECRvLEICredential --> "1" Rules : contains
+ Edges --> "1" AuthNode : references
+ Rules --> "1" UsageDisclaimer : has
+ Rules --> "1" IssuanceDisclaimer : has
+
+ note for ECRvLEICredential "Schema ID: EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw\nVersion: 1.0.0\nIssued by QVI to Engagement Context Representatives"
+
+ note for Attributes "Required fields:\ni, dt, LEI, personLegalName, engagementContextRole"
+
+ note for AuthNode "Links to ECR Auth credential\nSchema: EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g\nOperator: I2I (issuer to issuer)"
+
+ note for Rules "Standard vLEI disclaimers\nSame as other vLEI credentials"
+
+
+The ECR vLEI Credential requires an ECR Authorization credential from the Legal Entity. For details on the ECR Authorization structure, see ECR Auth Credential Schema.
+ +engagementContextRole for the role descriptionEEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jwEH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14gsequenceDiagram
+ participant LE as Legal Entity
+ participant QVI as QVI
+ participant Person as Person
+
+ LE->>QVI: Issue ECR Authorization
+ Note over QVI: See ECR Auth Schema documentation
+
+ QVI->>Person: Issue ECR vLEI Credential
+ Note over Person: Schema: EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw
+ Note over Person: Chains to ECR Auth via edges.auth
+
+
+ This documentation covers the implementation of the GLEIF vLEI ecosystem using KERI (Key Event Receipt Infrastructure) and ACDC (Authentic Chained Data Containers).
+ +The vLEI ecosystem implements a hierarchical trust model for organizational identity verification:
+ +Some class diagrams render better using ELK but the config doesn’t seem to be picked up by Jekyll.
+ +---
+config:
+ layout: elk
+---
+classDiagram
+ class LegalEntityvLEICredential {
+ +string v : Version
+ +string d : Credential SAID
+ +string u : One time use nonce
+ +string i : QVI Issuer AID
+ +string ri : Credential status registry
+ +string s : Schema SAID
+ +a : Attributes
+ +e : Edges
+ +r : Rules
+ }
+
+ class Attributes {
+ +string d : Attributes block SAID
+ +string i : LE Issuer AID
+ +string dt : Issuance date time
+ +string LEI : Legal Entity Identifier
+ }
+
+ class Edges {
+ +string d : Edges block SAID
+ +QVINode qvi : QVI reference
+ }
+
+ class QVINode {
+ +string n : Issuer credential SAID
+ +string s : Required schema SAID
+ }
+
+ class Rules {
+ +string d : Rules block SAID
+ +UsageDisclaimer usageDisclaimer
+ +IssuanceDisclaimer issuanceDisclaimer
+ }
+
+ class UsageDisclaimer {
+ +string l : Legal language about usage
+ }
+
+ class IssuanceDisclaimer {
+ +string l : Legal language about issuance
+ }
+
+ LegalEntityvLEICredential --> "1" Attributes : contains
+ LegalEntityvLEICredential --> "1" Edges : contains
+ LegalEntityvLEICredential --> "1" Rules : contains
+ Edges --> "1" QVINode : references
+ Rules --> "1" UsageDisclaimer : has
+ Rules --> "1" IssuanceDisclaimer : has
+
+ note for LegalEntityvLEICredential "Schema ID: ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY\nVersion: 1.0.0\nIssued by QVI to Legal Entity"
+
+ note for Attributes "Can be either:\n- SAID string reference\n- Full object with properties\nRequired: i, dt, LEI"
+
+ note for Edges "Links to QVI credential\nSchema: EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao"
+
+ note for Rules "Can be either:\n- SAID string reference\n- Full object with disclaimers"
+
+
+ ---
+config:
+ layout: elk
+---
+classDiagram
+ class OORAuthvLEICredential {
+ +string v : Version
+ +string d : Credential SAID
+ +string u : One time use nonce
+ +string i : LE Issuer AID
+ +string ri : Credential status registry
+ +string s : Schema SAID
+ +a : Attributes
+ +e : Edges
+ +r : Rules
+ }
+
+ class OORAuthAttributes {
+ +string d : Attributes block SAID
+ +string i : QVI Issuee AID
+ +string dt : Issuance date time
+ +string AID : Recipient AID
+ +string LEI : Legal Entity Identifier
+ +string personLegalName : Recipient name
+ +string officialRole : Role description
+ }
+
+ class OORAuthEdges {
+ +string d : Edges block SAID
+ +LENode le : Legal Entity reference
+ }
+
+ class LENode {
+ +string n : LE credential SAID
+ +string s : Required schema SAID
+ +string o : Operator (I2I)
+ }
+
+ class OORAuthRules {
+ +string d : Rules block SAID
+ +UsageDisclaimer usageDisclaimer
+ +IssuanceDisclaimer issuanceDisclaimer
+ }
+
+ class UsageDisclaimer {
+ +string l : Legal language
+ }
+
+ class IssuanceDisclaimer {
+ +string l : Legal language
+ }
+
+ OORAuthvLEICredential --> "1" OORAuthAttributes : contains
+ OORAuthvLEICredential --> "1" OORAuthEdges : contains
+ OORAuthvLEICredential --> "1" OORAuthRules : contains
+ OORAuthEdges --> "1" LENode : references
+ OORAuthRules --> "1" UsageDisclaimer : has
+ OORAuthRules --> "1" IssuanceDisclaimer : has
+
+ note for OORAuthvLEICredential "Schema ID: EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E\nVersion: 1.0.0\nIssued by LE to QVI\nAuthorizes OOR credential issuance"
+
+ note for OORAuthAttributes "Required fields:\ni (QVI AID), dt, AID (Person),\nLEI, personLegalName, officialRole"
+
+ note for LENode "Links to LE credential\nSchema: ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY\nOperator: I2I (issuer to issuer)"
+
+
+EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-Ei: QVI Issuee AIDdt: Issuance date timeAID: Recipient Person AIDLEI: Legal Entity IdentifierpersonLegalName: Recipient nameofficialRole: Official role descriptionENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWYsequenceDiagram
+ participant LE as Legal Entity
+ participant QVI as QVI
+ participant Person as Person
+
+ rect rgb(240, 240, 255)
+ Note over LE,QVI: OOR Authorization Flow
+ LE->>QVI: Issue OOR Authorization
+ Note over QVI: Schema: EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E
+ Note over QVI: Authorizes official role issuance
+ end
+
+ rect rgb(255, 240, 240)
+ Note over QVI,Person: Credential Issuance
+ QVI->>Person: Issue OOR Credential
+ Note over Person: Based on received authorization
+ end
+
+
+The OOR Authorization credential includes:
+Note: Unlike ECR Authorization, OOR Authorization does not include a privacy disclaimer as it is intended for official organizational roles that are typically public.
+ +---
+config:
+ layout: elk
+---
+classDiagram
+ class OORvLEICredential {
+ +string v : Version
+ +string d : Credential SAID
+ +string u : One time use nonce
+ +string i : QVI Issuer AID
+ +string ri : Credential status registry
+ +string s : Schema SAID
+ +a : Attributes
+ +e : Edges
+ +r : Rules
+ }
+
+ class Attributes {
+ +string d : Attributes block SAID
+ +string i : Person Issuee AID
+ +string dt : Issuance date time
+ +string LEI : Legal Entity Identifier
+ +string personLegalName : Recipient name
+ +string officialRole : Official role title
+ }
+
+ class Edges {
+ +string d : Edges block SAID
+ +AuthNode auth : Authorization chain
+ }
+
+ class AuthNode {
+ +string n : ACDC SAID reference
+ +string s : Required schema SAID
+ +string o : Operator (I2I)
+ }
+
+ class Rules {
+ +string d : Rules block SAID
+ +UsageDisclaimer usageDisclaimer
+ +IssuanceDisclaimer issuanceDisclaimer
+ }
+
+ class UsageDisclaimer {
+ +string l : Legal language about usage
+ }
+
+ class IssuanceDisclaimer {
+ +string l : Legal language about issuance
+ }
+
+ OORvLEICredential --> "1" Attributes : contains
+ OORvLEICredential --> "1" Edges : contains
+ OORvLEICredential --> "1" Rules : contains
+ Edges --> "1" AuthNode : references
+ Rules --> "1" UsageDisclaimer : has
+ Rules --> "1" IssuanceDisclaimer : has
+
+ note for OORvLEICredential "Schema ID: EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy\nVersion: 1.0.0\nIssued by QVI to Official Representatives"
+
+ note for Attributes "Required fields:\ni, dt, LEI, personLegalName, officialRole"
+
+ note for AuthNode "Links to Auth credential\nSchema: EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E\nOperator: I2I (issuer to issuer)"
+
+ note for Rules "Standard vLEI disclaimers\nSame as other vLEI credentials"
+
+
+ ---
+config:
+ layout: elk
+---
+classDiagram
+ class QualifiedvLEIIssuerCredential {
+ +string v : Version
+ +string d : Credential SAID
+ +string u : One time use nonce
+ +string i : GLEIF Issuee AID
+ +string ri : Credential status registry
+ +string s : Schema SAID
+ +a : Attributes
+ +r : Rules
+ }
+
+ class Attributes {
+ +string d : Attributes block SAID
+ +string i : QVI Issuee AID
+ +string dt : Issuance date time
+ +string LEI : LEI of Legal Entity
+ +int gracePeriod : Allocated grace period (default: 90)
+ }
+
+ class Rules {
+ +string d : Rules block SAID
+ +UsageDisclaimer usageDisclaimer
+ +IssuanceDisclaimer issuanceDisclaimer
+ }
+
+ class UsageDisclaimer {
+ +string l : Legal language about usage
+ }
+
+ class IssuanceDisclaimer {
+ +string l : Legal language about issuance
+ }
+
+ QualifiedvLEIIssuerCredential --> "1" Attributes : contains
+ QualifiedvLEIIssuerCredential --> "1" Rules : contains
+ Rules --> "1" UsageDisclaimer : has
+ Rules --> "1" IssuanceDisclaimer : has
+
+ note for QualifiedvLEIIssuerCredential "Schema ID: EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao\nVersion: 1.0.0\nIssued by GLEIF to QVIs"
+
+ note for Attributes "Can be either:\n- SAID string reference\n- Full object with properties\nRequired: i, dt, LEI"
+
+ note for Rules "Can be either:\n- SAID string reference\n- Full object with disclaimers"
+
+
+ ---
+config:
+ layout: elk
+---
+classDiagram
+ class QVICredential {
+ +string v : Version
+ +string d : Credential SAID
+ +string u : One time use nonce
+ +string i : GLEIF Issuee AID
+ +string ri : Credential status registry
+ +string s : Schema SAID
+ +Attributes a : Attributes block
+ +Rules r : Rules block
+ }
+ class LECredential {
+ +string v : Version
+ +string d : Credential SAID
+ +string u : One time use nonce
+ +string i : QVI Issuer AID
+ +string ri : Credential status registry
+ +string s : Schema SAID
+ +Attributes a : Attributes block
+ +Edges e : Edges block
+ +Rules r : Rules block
+ }
+ class OORCredential {
+ +string v : Version
+ +string d : Credential SAID
+ +string u : One time use nonce
+ +string i : QVI Issuer AID
+ +string ri : Credential status registry
+ +string s : Schema SAID
+ +Attributes a : Attributes block
+ +Edges e : Edges block
+ +Rules r : Rules block
+ }
+ class OORAuthCredential {
+ +string v : Version
+ +string d : Credential SAID
+ +string u : One time use nonce
+ +string i : LE Issuer AID
+ +string ri : Credential status registry
+ +string s : Schema SAID
+ +Attributes a : Attributes block
+ +Edges e : Edges block
+ +Rules r : Rules block
+ }
+ class ECRAuthCredential {
+ +string v : Version
+ +string d : Credential SAID
+ +string u : One time use nonce
+ +string i : LE Issuer AID
+ +string ri : Credential status registry
+ +string s : Schema SAID
+ +Attributes a : Attributes block
+ +Edges e : Edges block
+ +Rules r : Rules block
+ }
+ class QVIAttributes {
+ +string i : QVI Issuee AID
+ +string dt : Issuance date time
+ +string LEI : LEI of the requesting Legal Entity
+ +int gracePeriod : Allocated grace period
+ }
+ class LEAttributes {
+ +string i : LE Issuer AID
+ +string dt : issuance date time
+ +string LEI : LE Issuer AID
+ }
+ class OORAttributes {
+ +string i : Person Issuee AID
+ +string dt : Issuance date time
+ +string LEI : LEI of the Legal Entity
+ +string personLegalName : Recipient name as provided during identity assurance
+ +string officialRole : Official role title
+ }
+ class AuthAttributes {
+ +string i : QVI Issuee AID
+ +string dt : Issuance date time
+ +string AID : AID of the intended recipient of the ECR credential
+ +string LEI : LEI of the requesting Legal Entity
+ +string personLegalName : Requested recipient name as provided during identity assurance
+ +string role : Requested role description
+ }
+ class QVIEdge {
+ +string n : Issuer credential SAID
+ +string s : SAID of required schema of the credential pointed to by this node
+ }
+ class LEEdge {
+ +string n : Issuer credential SAID
+ +string s : SAID of required schema of the credential pointed to by this node
+ }
+ class AuthEdge {
+ +string n : Issuer credential SAID
+ +string s : SAID of required schema of the credential pointed to by this node
+ +string o : Operator for this edge
+ }
+ class Rules {
+ +UsageDisclaimer usageDisclaimer : Usage Disclaimer
+ +IssuanceDisclaimer issuanceDisclaimer : Issuance Disclaimer
+ +PrivacyDisclaimer privacyDisclaimer : Privacy Disclaimer
+ }
+ QVICredential --> QVIAttributes : contains
+ QVICredential --> Rules : has
+ LECredential --> LEAttributes : contains
+ LECredential --> QVIEdge : chains to
+ LECredential --> Rules : has
+ OORCredential --> OORAttributes : contains
+ OORCredential --> AuthEdge : authorized by
+ OORCredential --> Rules : has
+ OORAuthCredential --> AuthAttributes : contains
+ OORAuthCredential --> LEEdge : chains to
+ OORAuthCredential --> Rules : has
+ ECRAuthCredential --> AuthAttributes : contains
+ ECRAuthCredential --> LEEdge : chains to
+ ECRAuthCredential --> Rules : has
+ LECredential ..> QVICredential : requires - QVI must exist
+ OORCredential ..> OORAuthCredential : requires - needs authorization
+ OORAuthCredential ..> LECredential : requires - LE must exist
+ ECRAuthCredential ..> LECredential : requires - LE must exist
+ note for QVICredential "QVI vLEI Credential<br/>Schema: EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao<br/>Issued by: GLEIF → QVI"
+ note for LECredential "Legal Entity vLEI Credential<br/>Schema: ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY<br/>Issued by: QVI → LE"
+ note for OORCredential "Official Organizational Role<br/>Schema: EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy<br/>Issued by: QVI → Person"
+ note for OORAuthCredential "OOR Authorization<br/>Schema: EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E<br/>Issued by: LE → QVI"
+ note for ECRAuthCredential "ECR Authorization<br/>Schema: EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g<br/>Issued by: LE → QVI"
+
+
+
+sequenceDiagram
+ participant GLEIF
+ participant QVI as Qualified vLEI Issuer
+ participant LE as Legal Entity
+ participant Person as Person/Role Holder
+
+ rect rgb(240, 240, 255)
+ Note over GLEIF,QVI: Foundation Layer
+ GLEIF->>QVI: Issue QVI vLEI Credential
+ Note right of QVI: Schema: EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao
+ end
+
+ rect rgb(240, 255, 240)
+ Note over QVI,LE: Legal Entity Layer
+ QVI->>LE: Issue LE vLEI Credential
+ Note right of LE: Schema: ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY
+ Note right of LE: Chains to QVI credential
+ end
+
+ rect rgb(255, 240, 240)
+ Note over LE,Person: Authorization Layer
+ LE->>QVI: Issue OOR Authorization
+ Note left of QVI: Schema: EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E
+ Note left of QVI: Authorizes role issuance
+
+ LE->>QVI: Issue ECR Authorization
+ Note left of QVI: Schema: EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g
+ Note left of QVI: Authorizes context role
+ end
+
+ rect rgb(255, 255, 240)
+ Note over QVI,Person: Role Credential Layer
+ QVI->>Person: Issue OOR vLEI Credential
+ Note right of Person: Schema: EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy
+ Note right of Person: Chains to OOR Auth
+ QVI->>Person: Issue ECR vLEI Credential
+ Note right of Person: Schema: EEEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw
+ Note right of Person: Chains to ECR Auth
+ LE->>Person: Issue ECR vLEI Credential
+ Note right of Person: Schema: EEEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw
+ end
+
+
+---
+config:
+ layout: elk
+---
+graph TD
+ %% Define nodes with schema IDs
+ GLEIF["GLEIF<br/>Root Authority"]
+ QVI["QVI vLEI Credential<br/>Schema: EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao<br/>Issued by: GLEIF"]
+ LE["Legal Entity vLEI Credential<br/>Schema: ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY<br/>Issued by: QVI"]
+ OORAuth["OOR Authorization Credential<br/>Schema: EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E<br/>Issued by: Legal Entity"]
+ ECRAuth["ECR Authorization Credential<br/>Schema: EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g<br/>Issued by: Legal Entity"]
+ OOR["OOR vLEI Credential<br/>Schema: EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy<br/>Issued by: QVI"]
+ ECR["ECR vLEI Credential<br/>Schema: [ECR Schema]<br/>Issued by: QVI"]
+ Person["Person/Role Holder"]
+
+ %% Define dependencies
+ GLEIF -->|issues| QVI
+ QVI -->|issues| LE
+ LE -->|authorizes via| OORAuth
+ LE -->|authorizes via| ECRAuth
+ OORAuth -->|enables issuance of| OOR
+ ECRAuth -->|enables issuance of| ECR
+ QVI -->|issues with auth| OOR
+ QVI -->|issues with auth| ECR
+ OOR -->|held by| Person
+ ECR -->|held by| Person
+
+ %% Edge dependencies (credential chaining)
+ LE -.->|edges.qvi references| QVI
+ OORAuth -.->|edges.le references| LE
+ ECRAuth -.->|edges.le references| LE
+ OOR -.->|edges.auth references| OORAuth
+
+ %% Styling
+ style GLEIF fill:#e1f5fe
+ style QVI fill:#fff3e0
+ style LE fill:#e8f5e9
+ style OORAuth fill:#fce4ec
+ style ECRAuth fill:#fce4ec
+ style OOR fill:#f3e5f5
+ style ECR fill:#f3e5f5
+ style Person fill:#e0e0e0
+
+
+| Credential Type | +Schema SAID | +Issuer | +Required Dependencies | +Edge References | +
|---|---|---|---|---|
| QVI vLEI | +EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao |
+ GLEIF | +None (Root) | +None | +
| Legal Entity vLEI | +ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY |
+ QVI | +QVI Credential | +edges.qvi → QVI Schema | +
| OOR Authorization | +EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E |
+ Legal Entity | +LE Credential | +edges.le → LE Schema | +
| ECR Authorization | +EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g |
+ Legal Entity | +LE Credential | +edges.le → LE Schema | +
| OOR vLEI | +EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy |
+ QVI | +OOR Authorization | +edges.auth → OOR Auth Schema | +
| ECR vLEI | +EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw |
+ QVI | +ECR Authorization | +edges.auth → ECR Auth Schema | +
Each credential (except QVI) contains an edges block that references “chained” (directed edge) credentials:
"edges": {
+ "chainedCredentialType": {
+ "n": "chained credential SAID",
+ "s": "chained schema SAID (constant)"
+ }
+}
+sequenceDiagram
+ participant LE as Legal Entity
+ participant QVI as QVI
+ participant P as Person
+
+ Note over LE,QVI: Authorization Phase
+ LE->>QVI: Issue OOR/ECR Authorization
+ Note right of QVI: Contains: AID, LEI, personLegalName, role
+
+ Note over QVI,P: Issuance Phase
+ QVI->>P: Issue OOR/ECR Credential
+ Note right of P: Must reference authorization in edges
+
+
+To validate any credential, verifiers must:
+