Distributed Trust Architecture and the vLEI Proposition

This paper aims to show the value of Distributed Trust Architecture (DTA) and the significance of GLEIF's vLEI initiative in the progressive deployment of such an architecture. Technical descriptions are kept to a minimum so that the focus stays on the benefits for business efficiency.

The transformative potential of Distributed Trust Architecture is monumental.

  • Presently, industries and businesses rely on exchanging documents to achieve interoperability.
  • With Self-Sovereign Identity (SSI) and Verifiable Credentials, trustable and verifiable identities and qualifications can instead be exchanged directly, in a form that machines can verify.

This shift streamlines processes and enhances security, reliability, and transparency across sectors, and promises significant advances in how trust is established and managed in digital interactions.

A solid business case exists for such a transformation: cost reduction, easier access to financial resources, protection against illicit and counterfeit goods, a response to the rising demand for sustainability, and better control of risk and compliance.

Important Concepts

Private/Public Key

Understanding the Private/Public Key technique for proving one's identity (a Person, a Legal Entity, an Object, ...) on a digital network is important. The technique uses a pair of keys, a Private Key and a Public Key, generated together by the Identity owner with a cryptographic algorithm.

  1. The Private Key is used to sign the documents that are sent; it never leaves the Identity Owner's control.
  2. The receiver uses the Public Key to verify that the signature was produced by the holder of the matching Private Key and that the document has not been altered since it was signed.

One check matters in practice: the receiver must have obtained the Public Key through a channel it trusts, otherwise an attacker could substitute their own key and sign in the owner's name. Deciding which Public Key belongs to which identity is exactly the gap that identifiers, credentials and governance frameworks, described below, are meant to close.

Verifiable Credentials

These concepts are the basis of Verifiable Credentials. Credentials are verifiable qualifications or attributes that establish a person's or entity's credibility, expertise, or authority in a particular field or industry.

The World Wide Web Consortium (W3C) Verifiable Credentials (VC) specification says:

"Credentials play a significant role in our daily lives. We use driver's licenses to prove that we can operate a motor vehicle, university degrees to demonstrate our level of education, and government-issued passports to travel between countries. The Verifiable Credential specification aims to provide a secure and privacy-respecting way to express these types of credentials on the web, which machines can verify using cryptography."

Decentralised Identifiers (DID)

Decentralised Identifiers (DIDs) are a type of identifier that enables individuals, organisations, and things to have a verifiable, decentralised digital identity. Control of a DID rests with its controller, and a DID can refer to any subject: a person, an organisation, a data model, an abstract entity, and so on.

Any entity, be it a person, an organisation, or a thing, can self-issue any number of identifiers (DIDs) together with the cryptographic keys that allow it to prove control of each DID.

In technical terms, a DID is a string that starts with "did:", followed by a DID method name (which tells the consumer how to resolve the DID), a second colon, and an identifier that is unique within that method. E.g.:

● did:web:abf.gov.au

● did:webs:w3c-ccg.github.io:user:alice:12124313423525

● did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH

● did:ion:EiD3DIbDgBCajj2zCkE48x74FKTV9_Dcu1u_imzZddDKfg
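The DID syntax is precise enough to be checked mechanically, and a verifier should do so before handing an identifier to a resolver, since a string that merely starts with "did:" can still be malformed. The Go program below is an added example written for this article, not code from the article's author or from any DID method implementation. It applies the grammar from the W3C DID Core specification (method name in lower-case letters and digits, method-specific identifier made of colon-separated segments of letters, digits, ".", "-", "_" and percent-encoded bytes, last segment non-empty) to the identifiers listed above and to a few constructed malformed strings.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DID is the parsed form of did:<method-name>:<method-specific-id>.
type DID struct {
	Method string
	ID     string
}

// ParseDID checks s against the DID Core 1.0 syntax and splits it into
// method name and method-specific identifier. Anything that is not a
// syntactically valid DID is rejected: wrong scheme, upper-case or empty
// method name, characters outside the idchar set (spaces included), bad
// percent-encoding, or an empty final segment.
func ParseDID(s string) (DID, error) {
	const scheme = "did:"
	if !strings.HasPrefix(s, scheme) {
		return DID{}, errors.New("missing did: scheme")
	}
	rest := s[len(scheme):]
	sep := strings.IndexByte(rest, ':')
	if sep <= 0 {
		return DID{}, errors.New("missing method name or method-specific-id")
	}
	method, id := rest[:sep], rest[sep+1:]
	for _, c := range method { // method-char = %x61-7A / DIGIT
		if !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9') {
			return DID{}, fmt.Errorf("invalid method-char %q (lower-case letters and digits only)", c)
		}
	}
	if err := checkMethodSpecificID(id); err != nil {
		return DID{}, err
	}
	return DID{Method: method, ID: id}, nil
}

// idchar = ALPHA / DIGIT / "." / "-" / "_" (pct-encoded is handled separately).
func isIDChar(c byte) bool {
	return c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' ||
		c == '.' || c == '-' || c == '_'
}

func isHex(c byte) bool {
	return c >= '0' && c <= '9' || c >= 'a' && c <= 'f' || c >= 'A' && c <= 'F'
}

// checkMethodSpecificID enforces method-specific-id = *( *idchar ":" ) 1*idchar:
// colon-separated segments, of which only the last has to be non-empty.
func checkMethodSpecificID(id string) error {
	if id == "" {
		return errors.New("empty method-specific-id")
	}
	for i := 0; i < len(id); i++ {
		c := id[i]
		switch {
		case isIDChar(c) || c == ':':
		case c == '%': // pct-encoded = "%" HEXDIG HEXDIG
			if i+2 >= len(id) || !isHex(id[i+1]) || !isHex(id[i+2]) {
				return fmt.Errorf("bad percent-encoding at offset %d", i)
			}
			i += 2
		default:
			return fmt.Errorf("invalid idchar %q at offset %d", c, i)
		}
	}
	if id[len(id)-1] == ':' {
		return errors.New("method-specific-id must not end with ':'")
	}
	return nil
}

func main() {
	for _, s := range []string{
		"did:web:abf.gov.au",
		"did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH",
		"did:web:example.com%3A8443:user:alice", // constructed: a port must be percent-encoded
		"did:Web:example.com",                   // constructed: upper-case method name
		"did:web:example.com:",                  // constructed: empty final segment
		"did:web:example .com",                  // constructed: a space is not an idchar
	} {
		d, err := ParseDID(s)
		if err != nil {
			fmt.Printf("%-45s rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%-45s method=%s id=%s\n", s, d.Method, d.ID)
	}
}
```

Syntactic validity says nothing about who controls the identifier; it only guarantees that the string is safe to pass to the resolver for the named method. Resolution and the signature check that follows are what establish who is behind a DID.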

Summary

So, a DID is a unique identifier that functions as a URI and resolves to a DID document. The DID document lists the public keys (verification methods) with which the DID controller proves control of the DID, plus optional service endpoints; it does not itself contain credentials, and it is not issued by a trusted authority: the controller creates and updates it, and the DID method defines how others retrieve it (from a web server, a registry, or, for did:key, from the identifier itself). This is what makes the signature check on a verifiable credential work. An issuer signs a credential with a private key whose public key is listed in the issuer's DID document; the receiving party resolves the issuer's DID, extracts that public key from the DID document, and uses it to verify the signature. Whether the issuer is to be trusted at all is a separate question, answered by the governance framework rather than by the cryptography.

Centralised vs Distributed Trust Systems

In traditional centralised trust systems, trust is vested in a central authority, like a bank, which verifies participants' identities and manages their credentials. This model has limitations: each authority operates its own trust domain, and an identity or credential established in one domain is not directly verifiable in another, so cross-domain interaction depends on bilateral agreements and shared protocols.

In distributed trust systems, participants receive cryptographically secured digital documents that they can present in multiple domains. These documents let recipients verify authenticity and, where relevant, obtain additional information or services. Distributed trust systems also support selective disclosure: the holder reveals only the attributes a given verifier needs, within the limits set by the governance rules. This protects privacy while enhancing trust in transactions.

A simple comparison:

  • Distributed Identity: your passport gives you access to multiple countries; you present it at the customs counter and have it verified there. A passport is a credential issued to a holder (a citizen) by a trusted authority (a government). The holder travels with the passport and presents it whenever identity verification is requested. Advanced verifiers, such as border authorities, can read the chip data, verify its signature, and compare the traveller's photo with the one on the chip. Less mature verifiers, such as hotel check-in clerks, can simply look at the paper document and, if they have a suitable phone app, also verify the chip data.

A verifiable credential is like an e-passport, but for any subject: a person or legal entity, a trade document, a product description, a diploma, a certification, personal or corporate qualifications, business relationships...

  • Centralised Identity: you have a user ID and password to connect to your Bank. Each Bank is a separate Trust Domain. When initiating a payment, you enter the account number and the name of the Payee, who may be at another bank. Yet neither you nor your Bank can verify the Identity of the Payee or the existence of the account relationship, because both are defined in another Trust Domain.


Trust Governance Frameworks

Technology is, of course, essential in supporting a Distributed Trust Architecture. Still, the most critical element remains the Trust Governance Framework. Trust involves human factors and relies on governance frameworks to establish and maintain credibility and reliability.

Impact of Distributed Trust Architecture

Distributed Trust Architecture (DTA) concepts are going to transform digital relationships. Agents (individuals, companies, applications, ...) will exchange digital proofs of identity and of their qualifications, rather than mere textual descriptions of them.

In a DTA, every interaction is backed by digital proofs: verifiable credentials that confirm identity and qualifications without the verifier having to contact a central authority at the time of verification. This lets individuals securely prove who they are, what they know, and what they are entitled to do, and navigate the digital landscape with confidence and control.

For businesses, DTA opens new horizons of possibility. It streamlines processes, enhances security, and fosters trust among partners and customers. Companies can effortlessly demonstrate their qualifications and accreditations, building credibility and confidence in every transaction.

DTA paves the way for a more efficient and transparent digital ecosystem, from seamless onboarding to frictionless transactions.

LEI and vLEI

The vLEI is among the first components of such a Distributed Trust Architecture.

LEI

The Legal Entity Identifier (LEI) system provides a unique identifier for legal entities. GLEIF manages the LEI system globally, ensuring its accuracy and reliability.

A LEI is an identifier. As such, it allows harmonised information about a legal entity to be retrieved. An identifier is a convenient way to reference a complex concept; in the case of the LEI, the complex concept is a Legal Entity. The GLEIF framework allows "legal entity" concepts and data to be collected and harmonised.

vLEI

The vLEI initiative builds upon this foundation by offering a mechanism to verify and authenticate LEI data.

A vLEI is more than a simple identifier; it adds value to the initial LEI.

  1. Unlike a plain identifier such as the LEI, a vLEI resolves to a document describing the Identity of the legal entity.
  2. That document contains the data elements describing the Identity of the legal entity together with its Public Key.
  3. The legal entity is the vLEI's controller and holds the corresponding Private Key.

When a Qualified vLEI Issuer (QVI) issues a vLEI to a Legal Entity, the Legal Entity generates its own Private and Public Key pair with a cryptographic algorithm. Only the Public Key is given to the QVI, which records it in the vLEI document it exposes; the Private Key never leaves the Legal Entity's control, so the QVI can attest to the key but cannot sign on the Legal Entity's behalf.

In simple terms (a deliberate simplification of the underlying protocols), a vLEI behaves like a reference that resolves to a vLEI Document, and that document contains the Public Key a receiver needs to verify anything the Legal Entity signs.
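The following Go program is an added example written for this article, not code from GLEIF, the vLEI project or the article's author. It implements end to end the pattern described in the Private/Public Key section, in the DID Summary and in the simplified vLEI description above: an identity owner publishes its public key in a resolvable document, signs a business document with the private key it alone holds, and a receiver resolves the identifier, extracts the public key from the document and verifies the signature. The legal entity did:web:supplier.example, its key pair, the invoice and the in-memory resolver are all constructed for the example. The document layout follows the DID Core verificationMethod/assertionMethod shape with a JsonWebKey2020 key; the acceptance policy in Verify (Ed25519 only, key controlled by the DID itself) is an assumption of the example rather than a rule of any specification, and none of this is how GLEIF's vLEI infrastructure is implemented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// JWK holds a public key in JSON Web Key form; for Ed25519 that is
// kty=OKP, crv=Ed25519, x=base64url(raw 32-byte key).
type JWK struct{ Kty, Crv, X string }

// VerificationMethod is one key entry of a DID document
// (DID Core type JsonWebKey2020 carrying a publicKeyJwk).
type VerificationMethod struct {
	ID, Type, Controller string
	PublicKeyJwk         JWK
}

// DIDDocument is the subset a verifier needs: the listed keys and which of
// them the controller authorises for signing claims (assertionMethod).
type DIDDocument struct {
	ID                 string
	VerificationMethod []VerificationMethod
	AssertionMethod    []string
}

// Resolver stands in for DID resolution (for did:web that is an HTTPS fetch
// of https://<domain>/.well-known/did.json); here it is an in-memory map.
type Resolver map[string]DIDDocument

// SignedDocument is a business document with a detached Ed25519 signature
// and the id ("<did>#<fragment>") of the DID-document key that produced it.
type SignedDocument struct {
	Payload   []byte
	KeyID     string
	Signature string // base64url without padding
}

// NewDIDDocument publishes pub as key-1 of did and authorises it for assertions.
func NewDIDDocument(did string, pub ed25519.PublicKey) DIDDocument {
	kid := did + "#key-1"
	vm := VerificationMethod{ID: kid, Type: "JsonWebKey2020", Controller: did,
		PublicKeyJwk: JWK{Kty: "OKP", Crv: "Ed25519", X: base64.RawURLEncoding.EncodeToString(pub)}}
	return DIDDocument{ID: did, VerificationMethod: []VerificationMethod{vm}, AssertionMethod: []string{kid}}
}

// Sign is the identity owner's step: the private key is used here and nowhere else.
func Sign(priv ed25519.PrivateKey, kid string, payload []byte) SignedDocument {
	sig := ed25519.Sign(priv, payload)
	return SignedDocument{Payload: payload, KeyID: kid, Signature: base64.RawURLEncoding.EncodeToString(sig)}
}

// Verify is the receiver's step: resolve the signer's DID, confirm the named key
// is listed there and authorised for assertions, then check the signature.
func Verify(r Resolver, sd SignedDocument) error {
	did, _, ok := strings.Cut(sd.KeyID, "#")
	if !ok {
		return errors.New("kid must have the form <did>#<fragment>")
	}
	doc, found := r[did]
	if !found || doc.ID != did {
		return fmt.Errorf("cannot resolve %s to a matching DID document", did)
	}
	var vm *VerificationMethod
	for i := range doc.VerificationMethod {
		if doc.VerificationMethod[i].ID == sd.KeyID {
			vm = &doc.VerificationMethod[i]
		}
	}
	if vm == nil {
		return fmt.Errorf("%s is not listed in the DID document", sd.KeyID)
	}
	authorised := false // a listed key that is not an assertionMethod must not sign claims
	for _, id := range doc.AssertionMethod {
		authorised = authorised || id == sd.KeyID
	}
	if !authorised {
		return fmt.Errorf("%s is not an assertionMethod of %s", sd.KeyID, did)
	}
	// Verifier policy (an assumption of this example): Ed25519 keys controlled by the DID itself.
	if vm.Controller != did || vm.Type != "JsonWebKey2020" || vm.PublicKeyJwk.Kty != "OKP" || vm.PublicKeyJwk.Crv != "Ed25519" {
		return errors.New("unsupported or foreign verification method")
	}
	pub, err := base64.RawURLEncoding.DecodeString(vm.PublicKeyJwk.X)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key in DID document")
	}
	sig, err := base64.RawURLEncoding.DecodeString(sd.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), sd.Payload, sig) {
		return errors.New("signature does not verify against the key in the DID document")
	}
	return nil
}

// Demo builds the constructed identity did:web:supplier.example (hypothetical),
// signs a constructed invoice with its private key and returns what the receiver sees.
func Demo() (Resolver, SignedDocument, error) {
	const did = "did:web:supplier.example"
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, SignedDocument{}, err
	}
	invoice := []byte(`{"invoice":"INV-1001","amount":"12500.00","currency":"EUR"}`)
	return Resolver{did: NewDIDDocument(did, pub)}, Sign(priv, did+"#key-1", invoice), nil
}

func main() {
	r, sd, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine invoice:", Verify(r, sd))
	sd.Payload = []byte(`{"invoice":"INV-1001","amount":"92500.00","currency":"EUR"}`)
	fmt.Println("altered amount: ", Verify(r, sd))
}
```

The genuine invoice verifies and the altered one fails. The cases worth keeping in a real verifier are the less obvious ones: a key that is listed in the document but not authorised for assertions, and a kid pointing at a DID the resolver cannot reach; both must fail closed. Note also that the signature covers the exact bytes that were signed, so any canonicalisation of the payload has to happen before signing and identically before verifying.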

vLEI Issuance - Presentation - Verification


Benefits of vLEI

1. Enhancing Trust and Security in Digital Transactions

Legal entities can digitally sign their documents, adding an extra layer of authenticity to their communications. Receivers of these documents can then verify the signature and ensure the authenticity of the received information. vLEI streamlines processes by simplifying identity verification and authentication. Legal entities can efficiently prove their Identity and credentials across various digital platforms, reducing friction in transactions and compliance procedures.

2. Expanding the Role of vLEI in Issuing Verifiable Credentials

Beyond its foundational role in verifying the Identity of legal entities, vLEI can offer a gateway to a broader ecosystem of trust and transparency through the issuance of Verifiable Credentials. These credentials can serve as digital attestations of qualifications, accreditations, and compliance with standards, further enhancing the credibility and integrity of legal entities in the digital sphere.

For example, an authorised party, such as a certification body, could use the vLEI to issue verifiable credentials proving a legal entity's compliance with the ISO 14000 environmental standards. By binding the accredited entity's vLEI to these credentials, a cryptographically verifiable link is established between the entity's verified Identity and its environmental compliance.

Verifiable Credentials can simplify trading and financial processes by providing secure and transparent attestations of various qualifications, accreditations, and compliance statuses.

The Future Digital Trading Landscape

https://unece.org/sites/default/files/2023-08/WhitePaper_VerifiableCredentials-CrossBorderTrade_September2022.pdf

This UN/CEFACT document provides a detailed analysis of the benefits of digitalising trading activity. It describes various use cases and introduces the concept of "trust graphs" to illustrate the trust relationships between business partners.


A Certification Agency (the Issuer) issues an ISO 14000 environmental certificate (the Verifiable Credential) to a Producer (the Subject). The legal entities involved must also be identifiable: the Identity of the Certification Agency and the Identity of the Producer must both be verifiable. This can be done by embedding both parties' vLEIs in the ISO 14000 certificate.

The diagrams from UN/CEFACT give a good overview of the complexity of trading processes and of the advantages of exchanging trusted and verified documents.

The green line describes the verification process a bank needs to perform. Today it is done on paper or electronic documents that are not necessarily trustworthy and cannot be verified automatically.

The Yellow line describes the verification to be performed by the Importer.

This illustrates the complexity of replacing trade documents with Verifiable Credentials, but the benefits in terms of cost reduction and security enhancement are enormous.

Tentative Conclusion

The transformative potential of Distributed Trust Architecture is vast. Still, the transformation process and the pace of the transformation are also very challenging.

  • Interoperability is crucial, and global standardisation is necessary to facilitate it.
  • Technology must mature and address technical interoperability.
  • Semantic interoperability remains a challenge, as the data content of each credential must be understood in the same way by every participant. This is a long-standing issue: several solutions exist, but they remain siloed (e.g. UN/CEFACT, Schema.org, ISO 20022 in finance, FpML, FIXML, etc.). The vision of the Semantic Web needs to be revisited. Using standardised formats and languages such as RDF (Resource Description Framework) and OWL (Web Ontology Language), the Semantic Web allows the creation of structured, machine-readable data interconnected via explicit relationships. Concrete representations such as XML, JSON, CBOR, etc. can then be derived from the RDF model.
  • Governance frameworks play a crucial role in the verification process. A credential is only as trustworthy as the verifier's knowledge of, and trust in, its issuer, and that knowledge is what the governance framework supplies.

Very comprehensive write-up highlighting a number of excellent applications for the power of the vLEI, especially for data and communications that cross the boundaries of trust domains. The power of decentralized protocols and architectures, on which the vLEI is based, combined with the LEI's premier status as a globally unique identifier for business entities, make the vLEI a breakthrough in solving some of the toughest problems for digital authenticity today.
