What is vLEI and What Problems Does It Solve?

Digital certificates are today’s internet standard for keeping data/messages private and secure. Certificate Authorities (CA) issue digital certificates to organisations and people after verifying them. If there are problems with the certificate itself or it’s later discovered that a fraudulent actor has managed to dupe the CA, the certificates can be revoked. Yet, today’s system does not work.

I’ve already touched on the why in this older post but let me analyse this question in more detail here.

Currently, digital certificates come in a few forms; SSL Certificates for web server communication, S/MIME Certificates for email communication, Code Signing Certificates to verify code such as apps, Digital Signatures to sign and verify documents online. There are also many levels at which an organisation can be verified and approved for a digital certificate. In the case of an SSL, the CA only has to prove that the applicant controls the domain they wish to secure with an SSL. At much higher levels, regulations like eIDAS require the use of Qualified Certificates to sign legal documents and process cross-border transactions. These require organisational checks, looking at business registries and in some cases, verifying the applicant’s ability to order on behalf of the organisation.

As many of you reading this will already know, business registry data can be out-of-date. Companies in different countries can have the same name and therefore duplicate certificates can exist in the ecosystem. Fraudsters can hack into a web server or create lookalike domains to secure phishing sites and emails, making them look legitimate. And when any of these issues occur, the process to get the certificates revoked is not always straightforward.

If we want to exist in a digital world, we need to be able to trust each other online and so far, digital certificates have not enabled a full transition to a digital model. The Global Legal Entity Identifier foundation (GLEIF) has sought to fix this issue with the Verifiable LEI or vLEI for short.

What is the vLEI?

To answer this question we must first ask, what is a verifiable credential? The answer has been defined by W3C here. If you aren’t bothered to read the full description, I can give you a brief summary.

What are verifiable credentials?

Verifiable credentials are simply credentials (such as a photo, driving license or business registration number) that are made more tamper-proof and trustworthy when usage is combined with digital signature technology.

The use of verifiable credentials began in the area of Self Sovereign Identity (SSI). The idea with SSI is to let people control their own credentials. When a company needs to verify a person or a business, the individual who controls the identity will give permission for access to various credentials and they can revoke that access when it is no longer needed. People having control over their own personal information is exactly where we want to be, but we’re not there yet. New initiatives like the vLEI are steps on that road.

The vLEI works on the same principles as a digital certificate. In the case of digital certificates, the issuer or CA is the root of trust; in the case of vLEI, the root of trust is the GLEIF. The GLEIF gives the ability for a Local Operating Unit or LOU to issue certificates on their behalf and these LOUs issue Legal Entity Identifiers (LEIs) to organisations. If you need more information on Legal Entity Identifiers, read our introductory guide here.

1 – Source

The GLEIF has described the process of issuing an LEI as:

• GLEIF is the Root of Trust.
• GLEIF issues vLEIs to vLEI Issuers as attestation of trust.
• In our example, the vLEI Issuer is an organization qualified by GLEIF.
• Every Verifiable Credential is created by an issuer.
• The issuer cryptographically signs the credential with its private key.

This way, the GLEIF has created a system where the LEI represents the organisation identity and a person who works for that organisation (represented by legal name and the role they play for that organisation. Within the LEI itself, data also exists for company hierarchy so ownership structures are also transparent.

The LEI is already a ISO 17742 standard while the vLEI standard ISO 5009 is in development. Examples of organisation and roles that can be verified include:

• Legal Entity – CEO
• Legal Entity – Board Chair
• Legal Entity – Other Employees
• Hospital/Physician’s practice – Patients
• Community/Ecosystem/Exchange/Registered Member
• Trusted Supplier/Provider/Registered Member

The GLEIF says:

“The vLEI will give government organisations, companies and other legal entities worldwide the capacity to use non-repudiable identification data pertaining to their legal status, ownership structure, authorised representatives and employees in a growing number of digital business activities. This includes approving business transactions and contracts, onboarding customers, transaction within import/export and supply chain business networks and submitting regulatory filings and reports. GLEIF already is engaged in research partnerships and technical trials with stakeholders across the pharmaceutical, healthcare, telecom, automotive and financial services sectors.”

Why We Need a vLEI

I’ve already touched on this point but put simply – trust. Trust is the foundation of business and if we want to work in a global, digital economy, we need that trust to translate into ones and zeros. That means having a credential that can’t be repudiated so, if I’m doing business with Techcorp thousands of miles away, I can quickly and easily ensure that the person I am speaking to, does indeed work for Techcorp and does have the responsibility required to conduct a transaction with me.

The use cases for vLEI are endless. A government entity can issue driving licenses under its vLEI to citizens. This could pave the way for a verifiable and trustworthy mobile driving license. Hospitals can issue vLEIs to their patients and give patients more control over the sharing of data with third-party healthcare providers. Banks could issue vLEIs to customers so that loans and mortgages can be approved within minutes instead of days. Procurement contracts and public tender frameworks can also be made secure and trustworthy with a vLEI. Invoices, declarations, IP and other sensitive documents travelling to and from internet or mail servers can also be signed and secured with vLEIs.

All of these activities would tie the vLEI to the digital certificates which cryptographically creates integrity and authenticity.

Blockchain and SSI

While Self Sovereign Identity and blockchain are in their youth (as in, the average person is still not able to use these technologies seamlessly), the ability for vLEI to become a standard framework within these technologies is far reaching. Digital payment wallets, cryptocurrency, digital art and digital trading are use cases that have already been explored.

Simon Wood, CEO of Ubisecure discussed these potential opportunities with Seth Goldstein and Kaliya Young in the PSA Today podcast. You can listen here.

What’s in It for You?

Most organisations are not yet evaluating the benefits that the LEI can have for them. Yes, the first organisations to adopt this technology will get ahead of their competitors. Why? The reason is simple – LEIs improve the customer experience. A customer who can be onboarded faster, have quicker approvals, trust the organisation more, have more control over their own data and complete transactions more efficiently, is a happy customer. Whether that customer is a citizen, a user, a supplier, vendor, technology partner, government or legal entity.

While vLEIs are not being issued just yet, they’re almost here. Now is the time to start developing your frameworks and thinking about where the vLEI can improve your customer lifecycle.

In the meantime, you can still apply for an LEI for your business or contact us to discuss the potential vLEI has for your business.