Digital Organizational Identity With the Verifiable Legal Entity Identifier (vLEI)

Oh, hello everybody. My name is Christoph Schneider, head of IT development and operations at the global e I Foundation. And today we're talking about digital organizational identity with the award-winning verifiable legal entity identifier.

So again, we are really grateful to having received this, this award and especially all to our partners who have worked with us to make this possible. It's, it's not something that life would have achieved alone.

All right, so a quick question to those here. Please raise your hands. Who knows what a legal entity identifier is?

Okay, about half of you who knows what the global I system is and which role the global I Foundation plays within this system. Few less and who knows what a verifiable legal entity identifier is.

Okay, in Morgan, okay. It is important to understand what an EI and what the global EI system is to understand the V ei. And that's why we're starting with a short introduction to the system. The global EI system has been created by the three 20 liters. The original idea came from 2011 as a reaction to the 2008 financial crisis, but the system is not limited at all to the financial area. And the three main components of the system are a regulatory oversight committee.

This is the public sector who makes policy decisions, the global EI foundation who manages the system and makes legal, technical and operational rules. And many organizations that are called local operating units or we also call them L e i issuers as a federated system for legal entity identifier, issuance and management. And glyph itself is a Swiss non-for-profit foundation. The rock oversees it and exists out of 71 regulators, 19 observers from over 50 countries. And Glyph itself has a board of directors which are coming from the private sector.

These are 18 persons who who support the foundation directly. I mentioned already the EI issuing organizations who have currently 39 of these who offer EI services on in the whole world. There is no country where you cannot get an ei. And to this date, we have more than 2.3 millions issued. At this point I usually show life how a legal entity identifier looks, but I just have the slides here. But if you're interested, just use your phones and go to search.live.org and look up your own organization.

If, if you find your legal entity, identify and if you don't find it, please get an ei. It's required to have a V ei, Yes, N D L E I is a a lifelong identifier that is owned by the legal entity. It is never replaced, it is never reused. Even if the entity ceases to exist, the anti the entity identifier stays in the database and just chose that status and is a truly unique identifier connected to the identifier. There are very important reference data like the name of an organization addresses or business register information and the L E I is an ISO standard that is continuously maintained.

Now I think at eic I do not have to explain in detail why there is a need for organizational identity in a secure certain and verifiable way. And I think you also know what happens if we don't have that, which is identity impersonation, fraud, social engineering, phishing, smishing, who knows what smishing is. So SMISHING is SMS phishing. I think you have all experienced it getting text messages on your phones and being asked to click on a link to confirm something that's just a new way of phish and robo calls. That seems to be a big issue in the United States. Not so much here in Germany.

And our first V e I issuer a company called Provenance in the United States has exactly a use case in this area and we'll talk about that a bit. So the EI was originally created just to identify organizations.

Again, the reason was the financial crisis 2008, but we think it can do much more if it comes with a digital representation and we will see how this can be done. Now sometimes you would think, okay, how are we actually existing today?

I mean, we're living, we're making payments, we're enacting with each other and somehow everything works, right? So what's the problem? There are existing solutions and approaches to deal with with the today's world. Some are listed here. So we have digital certificates, we have four logins, we have multifactor authentication, we have passwords, we have all these these functions. We have barometric verification and all of that. And we also have verifiable credential solutions.

But it's not only about the technology, it's also about the governance and the process to establish identity before the technology is used. And while we do have solutions today, there's still a lack in these and it comes with some downsides and that is usually workarounds, double checks, costly and and error-prone verifications. So we think this can be improved with an end verifiable organizational identity in the form of a verifiable legal entity identifier. And for the V L E I, we propose that the real world is represented in a credential with just three pieces of information.

That is first of all the organization represented by the legal entity identifier, the person acting for an organization and the role that that person has for their organization. And that is put into a verifiable credential, put into a wallet controlled only by the person that is represented by this, by this credential. And that can then be used to interact in various, in various contexts.

The second important thing I talked already about the governance is that the strong governance of the legal entity identifier system can be leveraged here because for the V E I, we have created a root, a root of trust that is live and that is connected via a chain of trust with the role credential that we have trust introduced. So you can see in this visualization on the right hand side persons representing organizations at the very bottom, these are these role credentials that I have trust explained, and they are connected cryptographically with their organizational identity.

The organizational identity is connected with the we issuer and the federated system of the global AI system. And that again, links back to life. And what that enables is that when you as a verifier receive such a role credential that you can verify not only the correctness of the credential, the person, the role, and the organization, but also that is a valid we I credential because it connects back to the root of trust life. Can you back up one that up? Go ahead Drummond. Perfect. All right. And life has designed two different kinds of role credentials for various use cases.

So the first one of these role credentials would be an official organizational role credential. And that represents roles that can be verified against public business registers such as a CEO or a CFO or a board member role. And these credentials can can be requested by legal entities. Why are the we issuer? Because the WEI issuer performs a third party verification against a public source for even more reliability of the correctness of these official organizational roles.

And an example would be again, a CEO credential here that can be used to carry out official duties because these roles usually also come with certain rights, for example, signatory powers and things like that or also internally to to carry out policies and duties and tasks and stuff. The second type of credentials we call engagement context role credentials. And these are more flexible credentials.

These are not only for the non-official roles for employees of an organization, but these could also be issued to non-employees of an organization basically to any person that is in any way related to an organization. So we have here two examples on that slide. One would be indeed probably an employee, a procurement manager could receive an e an engagement context role credential that entitles him to make purchases up to a certain threshold of money. For example, everything up to 10,000 euros and above they need a an additional authorization.

But perhaps the second example is even more interesting and it doesn't come directly to mind. An organization could also issue such credentials to their suppliers and ask them to sign all invoices that they submit to the organization and the organization could then accept only signed invoices with such ECR credentials and otherwise not even look at the invoices and thus avoid fraud in in invoicing. And you can think of many more use cases of that dis sky is the limit of these applications. Just last year life has created an example. What also can be done with B L E I role credentials.

We have used our annual report that we are obliged to file anyway once a year to the Swiss authorities in an X B B L format and have digitally signed that by various people of the organization including external auditors. And the, the real cool feature here is partial signing that is possible with the V E I. So what we did is that not only the whole report was signed, for example by the CEO and the chairman of the board, but certain parts of the report were assigned by certain responsible people for that content.

So the financial statement specifically was signed by the CFO of life and by our external auditors and that is very nicely visualized here. Again, I cannot show that here, but I think you will all receive the slides and if you're interested, check it out. It is really nicely visually done so you can see with colors which representative has signed which part of the report and even if multiple people have signed a part of the report, then there's a rainbow scheme and it's a really nice user interface. We have heard so much this week about the importance of user experience and user interfaces.

I think this is a nice example how this can really work and that where S S I can be made available in a easy consumable way for human beings without having to understand all the details. Yeah, the V L I system went live last year in December and that included the qualification of the very first V L I issuer also mentioned provenance already on a previous slide and AI in the telecommunications space and what they're dealing with is fraud in telecommunications marketing.

So when you receive calls or messages from a marketing exercise and somebody claims to be for example Coca-Cola, yeah, in today's world you don't know whether that's that's true, whether that's a valid campaign and the use case that PROVENA is looking at here is using the verifiable legal entity identifier to basically sign these campaigns so that down to the receiver of the communication it can be verified whether this is authentic or whether this, whether this is actually a scam. Yeah.

And on Wednesday already we have talked in the trust over IP panel about the ecosystem governance framework and I mentioned how important governance is. So Glyph has created to be l e i ecosystem governance framework based on the trust over IP standards. In total we have 24 documents currently which are publicly available on the website that define the operational model for the we EI including what glyph has to do, what we I issuers have to do also what the, the holders of Weis have to do. And that makes basically the strong foundation for the whole system.

When we looked first at the V i I think 3, 4, 5 years ago, we thought how could it be implemented from a technical perspective And we were running several proofs of concepts with existing blockchain based systems. For example a Hyperledger in the implementation also Ethereum application and one or two others. And that worked actually nicely up until the point when a participant would not be on that very system. So the functionality ended at the border of the, of the specific system.

And that is something that we wanted to overcome and that's why we thought the we I system should be a network of networks that basically allows everybody to interact with the l I credentials. So what we have here is the GLY controller network and with the potential to connect to existing networks and exclude nobody, we are currently actively working on the bridge to Hyperledger Indie so that a existing Hyperledger Indian network participants can use v i credentials and can verify them with their existing areas wallets or that there is no gap between the the indie credentials and and AV L E i.

The underlying protocol that we have decided to use is carry the key event receipt infrastructure for for strong key management and many of the functions that have been postulated also this week. Also in the trust of IP session that there was on Wednesday. Some of these functionalities are coming with Carrie and it is an open source project that life has contributed to and built to the part that the BLE I system could go live last year and we are continuing working on it. And there is currently also work undergoing to, to make it an I T F standard in this context.

There's another standard called authentic chain data containers. That's the credential format for BS which allows B to be connected to each others and chained up in that chain of trust. And that is also going to be standardized in I tf. And the threat standard in this context is csar composable event streaming representation that actually provides a very nice way to translate between a human readable format, for example adjacent credential and a binary presentation for efficient network transportation. And it comes with another nice thing which is csar proof signatures.

And that is the technical foundation that allowed these partial signings that I have explained of the live annual report. So that's a really nice additional feature and that marks the end of the presentation. Thank you very much for listening and I think we have two and a half minutes for questions if there are any. Perfect. Thank you so much Christoff, everyone a round of applause and that's correct. We have two minutes for questions and we already have a question here. Thank you very much. I learned a lot today Christoph for revocation down at the level of the roles. How is that managed?

So you know, I'm no longer the procurement manager that's connected up the chain to a legal identifier who, who controls that revocation and how is that done? Thank you that, can you hear me?

Test, test. Is this off now?

Yeah, you can hear me. Can you hear me?

Okay, thank you Judith. Excellent question and there are many answers to that. So the obvious answer is perhaps that the legal entity itself can revoke any credentials that they have issued to employees or persons connected to their entity, either themselves if that were ECR credentials that they have issued themselves or via a service of the V issuer for the OR credentials or if they have outsourced that. So the control is with the legal entity for the role credentials for the situation where a person would not have their role anymore or would move role.

But because we have that chain of trust there, there are also additional functionalities. For example, imagine a company ceases to exist, then this credential would also automatically remove so the the organization level credential but removed and because of the chaining all downstream credentials automatically also get removed. So if a company doesn't exist anymore, also nobody can play a role in that company anymore. And that's a strong feature of the trust chain. Perfect. We have one more question.

So Christa, we just heard a lot about ees two and, and the role that trustless will play there. What, how do you envision that the V L E I ecosystem might I operate or work within the EI DES two trustless framework? That's also a super good question and I have no final answer yet, but Glyph is participating in one of these four large scale pilots, the European Wallet Consortium that just kicks up these days. And this is exactly what we also find to find out how Glyph can play a role there because the, the European Wallet Consortium is beside two other things about organizational identity.

So we think life has an important role to play there. Perfect. That brings us towards the end of this session. Thank you so much, Christoph. Next up we have lunch break. So.