The Dawn of Decentralized Organizational Identity, Part 1: Identifiers
Thanks to Stephan Wolf, CEO of GLEIF, who co-authored this article, and to Karla McKenna, Managing Director at GLEIF Americas, who contributed significantly, and to dozens of other smart people who contributed their time and insights.
Organizational Identity (OI) Defined:
The ability of a person or thing to prove their authority to represent an organization outside the boundaries of that organization.
We would add “without using identity providers, blockchains, or proprietary/shared platforms”, but it is still possible to accomplish OI using those things (just not as well). OI is powered by the breakthroughs of second-generation verifiable credentials (VCs), described in Part 2.
OI is ultimately about “verifiable authority”, also described in Part 2.
A Glimpse Into the Future
When the authority of a person or thing claiming it can be instantly verified, whether in the physical or digital realm, the world will be different…
- The authenticity of any digital document, agreement, purchase order, filing, or other piece of data will be instantly verifiable;
- Phone calls, texts, email, and other digital communications originating from authorized representatives (or devices) of an organization — or any delegate from that organization — will be instantly verifiable;
- Some documents will refuse signatures, and some systems will refuse access, unless the expected authority is presented (a parallel to access control lists);
- The authority of every approval, signature, or other digital action in a supply chain will be instantly verifiable by downstream actors, and irrefutably auditable in real-time;
- Authority will be verified before identity in most interactions, and identity not at all in many;
The examples above are B2B, but verifiable authority is equally beneficial B2C:
- Legitimate AI/bots will prove legitimacy by digitally signing all content they produce;
- Phishing will become rarer and harder for fraudsters, as proving authority becomes nearly impossible for impersonators;
- Citizens and customers will use digital credentials rather than passwords to login to government and industry, and will be instantly authenticated when they call in, walk in, or login;
- Secure, private, decentralized peer-to-peer messaging that’s more secure than Signal will replace most email and phone calls between individuals and organizations (or their operators/delegates), with each side using the messaging platform of their choice;
- Irrefutable digital receipts will become ubiquitous;
- A car (and its driver) will wirelessly verify the authority of approaching law enforcement or emergency vehicles;
And on and on, limited only by one’s imagination. To put it simply: soon any person or thing will be able to prove the scope of their authority to represent an organization — anywhere — and it will be instant, expected, and commonplace.
And importantly, this future doesn’t require intermediaries: ‘identity providers’ (IDPs), blockchains, proprietary platforms, or shared platforms. Like email, we’ll need services that we can build ourselves or buy from someone else, but everyone will make this choice for themselves, without the need for or involvement of ‘trusted’ or ‘shared’ intermediaries.
Why People and Things?
If this new market category is called organizational identity, why is the definition about people and things?
Because organizations don’t act, people and things do (and that includes AI and bots).
Organizations don’t enter into agreements, send messages, make filings… people and things do, as authorized representatives for an organization. Imagine a CEO saying: “None of us did that, we didn’t know a thing about it, the company did that.” It’s nonsensical. People derive authority from an organization’s founding documents, then they delegate and use that authority. The organization may not disclose which representatives authorized a particular action, which makes it appear like the organization acted for itself, but there is always someone whose authority is responsible for the action.
With OI, an org’s representatives will be able to instantly prove that authority anywhere, no matter how many levels deep in the organization they may be.
Of course the first aspect of organizational identity (OI) is literally the identity of the organization, but that is just the beginning. What justifies OI as an important new category of digital identity is that it is now possible to instantly verify the authority of an organization’s representatives outside the boundaries of the organization, which was not possible until the recent advent of verifiable credentials (VCs).
And OI is predicated on knowing precisely for which organization authority is being claimed, which is not as easy as it sounds. More on that later.
Why Only Legal Entities?
Many kinds of organizations may not technically be legal entities but are fully capable of being uniquely identified and issuing verifiable credentials to their members. These include government organizations, clubs, associations, syndicates, NGOs, mutual funds, tribes, family offices, and other groups that may not have legal status but are organizations in the truest sense of the word.
However… the problem with extending the definition of OI to include non-legal entities comes when attempting to verify a credential they’ve issued: until some vetting resource exists that can strongly attest to the existence of a non-legal organization to help verifiers differentiate it from imposters — like proxy identifiers do for legal entities globally, described in detail further down — we see no way for a verifier to be sure that an issued credential came from the organization claimed.
Until that time, OI — and the verifiable authority it enables — should be limited to strongly vetted legal entities.
Organizations and their representatives have existed for centuries, so why is now the ‘dawn’ of organizational identity?
It’s one thing to claim to represent an organization, quite another to prove it. Being ‘digital’ is not enough; many things are digital today but we still don’t have “B2B ID”, a way for representatives from one organization to instantly verify the digital claims, signatures, messages or other digital objects from another. We don’t have “B2C ID” either, where people can verify representatives of organizations rather than just the other way around. This ‘verifiable authority’ is now feasible through the use of organizational credentials (OCs), described in Part 2.
But first things first: before authority can be strongly verified, its source must first be strongly identified; it does no good to prove representation of an organization without first uniquely identifying who that organization is.
Organizational Identity (OI) Components
OI has two components:
- Unique identifiers for the org and its representatives (described here, in Part 1);
- Authority credentials for representatives (described later, in Part 2).
The first component, Identifiers, includes two kinds:
- Legal Entity Identifier — An unambiguous and unique identifier of a legal entity externally assigned after a rigorous vetting process.
- Unique Identifiers for Individual Representatives — Unique (within the entity) internally assigned identifiers for representatives.
From this foundation of identifiers, Organizational Credentials (OCs) are now possible. OCs are what bring OI to life in the digital (and sometimes physical) realm: they’re how an organization’s representatives can instantly and digitally prove their authority to act on its behalf.
Strongly Vetted Legal Entity Identity
The first type of identifier — for the legal entity — is straightforward: it is a unique, unambiguous, usually alphanumeric identifier resulting from the strong vetting of an organization legally established somewhere in the world. It can be globally unique if it is a “proxy” identifier (described below) or it may be nationally or regionally unique if it is an “official” identifier, but in either case it must be strongly vetted.
Why? Because if the vetting isn’t done in a reliably consistent and rigorous manner, we cannot be sure, especially in the digital realm, that we’re dealing with the entity we think we are. And if an identifier that is only unique within one region is used nationally or internationally, the same problem arises: it may collide with, or be confused with, identifiers from elsewhere.
“Official” and “Proxy” Entity Identifiers
There are two types of legal entity identifiers: official and proxy.
Official identifiers are issued and required by government and cannot be replaced or substituted. These are the official identifiers entities need to pay taxes, register for programs, make regulatory filings, and so on. They are issued either regionally or nationally and are unique within the scope of their issuance, but may not be globally unique as they aren’t required to be.
Though required for official purposes, official identifiers can be problematic for use outside their intended scope, for several reasons:
- They may not be unique outside that scope;
- They do not cover all types of legal entities;
- The associated data may not be current (moves, mergers, name changes, etc.);
- There are over 1,000 official registries around the world, so it can be difficult to know which one to verify against;
- Each registry has its own allocation rules, which are not consistent across registries;
- Records are in the local language, making them difficult to use in cross-border scenarios;
- Not all official registries have strong tools for accessing their data;
- Some registries charge for data access;
- Multiple registries may hold conflicting data for the same entity.
Proxy identifiers are additional identifiers issued from reputable issuers for a given purpose (see the next section for a list of top issuers and purposes). Proxy identifiers may confirm and utilize data found in official, publicly available registries, but also may rely on self-attested data, depending on the purpose. Proxy identifiers are intended to be globally unique, unambiguous and useful across both regional and national borders.
Proxy identifiers are not official or authoritative; unlike official identifiers there is no authority behind them that can levy taxes or penalties or impose legal or regulatory requirements on the entity. Proxy identifiers are reference identifiers, enabling their users to uniquely refer to a particular entity within their intended purpose, though some proxy identifiers are required by regulators in specific industries, such as the BIC in banking, the GLN in supply chain, the TIN in customs, and the LEI in financial transactions.
Global Proxy Entity Identifier Registries
There are many regional and national official identifier registries, but only a few proxy identifier systems attempt global scale. This is where proxy identifiers really shine, each with a distinct makeup and purpose appropriate for how it’s used:
Legal Entity Identifier (LEI), ISO 17442, managed by GLEIF
- Purpose: strongly, consistently vet and uniquely identify legal entities in all jurisdictions that can participate in financial transactions and international trade
Global Location Number (GLN), ISO 6523, managed by GS1
- Purpose: uniquely identify physical locations, operational locations, legal entities, and business functions primarily in supply chain and international trade
Data Universal Numbering System (DUNS), managed by Dun & Bradstreet
- Purpose: identify businesses in D&B’s proprietary Live Business Identity data, primarily for evaluating creditworthiness
Business Identifier Code (BIC), ISO 9362, managed by SWIFT
- Purpose: addressing messages, routing business transactions and identifying business parties — “operations parties”, not necessarily legal entities — primarily in financial transaction messaging
Trader Identification Number (TIN), managed by the World Customs Organization
- Purpose: to uniquely identify exporters/economic operators in a country (the TIN uses official national identifiers as a prefix for uniqueness)
One of These is Not Like the Others: GLEIF’s LEI
Unique in Purpose
Each of these identifiers is useful for precisely the purpose it was designed for, but the LEI is best suited as a root of trust for Organizational Identity because it is focused exclusively on the core attribute needed to make Organizational Credentials authoritative: the strongly vetted legal existence of the entity from which authority is derived.
That is not a knock against other proxy identifiers; they are well suited to their stated purposes. But GLEIF’s purpose is directly aligned with the needs of OI: all legal entities that can participate in financial transactions, nothing more, nothing less.
Unique in Structure
GLEIF does not and has not issued any of the 2.3 million LEIs; they have all been issued by independent Local Operating Units (LOUs), which typically offer other, often adjacent, products and services. The LOUs are the decentralized origin of LEI data and must also publish it on their own websites; GLEIF collects all LEIs and associated data from them.
GLEIF is closer to a standards body, a keeper of the rigorous, detailed rules by which entities must be vetted before an LOU can issue an LEI to a legal entity.
Unique in Transparency
All LEI data for all 2.3 million issued LEIs is publicly available and can be used for any purpose and without the need to inform GLEIF, free of any copyright or intellectual property restrictions. The data is also available barrier-free on the GLEIF website as complete files or via API.
GLEIF also publishes two other critical things: the rules for entity vetting and the processes for maintaining data quality over time. Without published rules for entity vetting — which we’ve been so far unable to find for other proxy entity identifier systems — it would be unknown how it’s done or to what standard of rigor. GLEIF’s independent Local Operating Units (LOUs) are measured on how well they adhere to these published rules and are accredited for compliance, with the results aggregated into published data quality reports.
GLEIF also publishes a list of 3,250+ legal forms (entity types) across more than 175 jurisdictions. The list gives each legal form in its native language, such as limited liability companies (Ltd), Gesellschaft mit beschränkter Haftung (GmbH) or Société Anonyme (SA).
GLEIF Has No Authority Over Entities
As with all proxy identifiers, GLEIF has no authority to create, change, or influence any legal entities; it has authority only over its own LOUs and Qualified vLEI Issuers (QVIs). Regulatory or other authorities can and often do require LEIs for legal entities under their purview, but that is completely independent of GLEIF.
When an LEI is obtained by an entity, it is literally owned by that entity, permanently; it may be listed as ‘lapsed’ if the associated data is not renewed annually, but it will never be recycled and it cannot be revoked, as mandated by the rules of the Regulatory Oversight Committee (ROC), which was formed by the G20 to oversee GLEIF. Owning an LEI does not give an organization any additional authority; it simply represents an attestation from a credible third party that the legal entity exists.
In contrast, identifiers issued by state-controlled authorities have all the power and authority of the government, from legal existence to taxes to rules of operation and more.
Unique In Neutrality
GLEIF is neutral, it favors no country, no industry, no company — it is the ‘Switzerland’ of proxy identifier systems, literally headquartered in Switzerland — and well suited as a foundational and globally acceptable root of trust for Organizational Identity.
Unique in Decentralization
Anyone familiar with cryptocurrencies and other Web3 innovations — NFTs, smart contracts, DAOs, blockchains — has undoubtedly heard a lot about the ideal of decentralization: the diluting of authority from one central actor to many participants in a given system.
The key word here is “authority”.
If LEIs conveyed or imbued some kind of authority, then they might be considered antithetical to the goals of decentralization; but LEIs are referential, not authoritative. As mentioned above, GLEIF has no authority over any entity that has an LEI; it is simply a third-party attester that an entity exists, similar to how Onfido or Jumio vets identity for individuals, albeit a globally credible one by virtue of its neutral standing as a Swiss non-profit created at the initiative of the G20.
Actual authority begins not with GLEIF but with the entity’s own top-level representatives. Tracing an OC (Organizational Credential) back to an LEI simply references the entity from which authority is derived; that entity’s authority to exist comes from its state or province of registration, not from a third party like GLEIF, which checks the official government registry after registration has already occurred.
(Going forward, for simplicity we will refer only to the LEI, though other proxy or official identifiers may be used. Learn more about the unique short history of GLEIF and current LEI adoption in a separate post, here.)
Unique Identifiers for Representatives
Who is It?
Now that we’ve identified the legal entity, we must also uniquely identify its vessels of authority: its representatives. These are the people (and things) authorized to represent the organization in interactions and transactions with others, such as entering into a contract, authorizing a payment, servicing a customer or constituent, declaring goods and services, and more.
Unique identifiers for representatives can be as simple as a name (e.g., “Steve Smith”) or as sophisticated as a digital identity number or code conferred under legal terms by government: eIDAS certificates in Europe, SingPass in Singapore, Aadhaar card in India, ICN or Identificação Civil Nacional in Brazil, and many more.
“Unique” is relative to what an organization requires. A person’s given name is a semi-unique identifier meant initially to be unique only within a family, and it is usually unique enough within small companies. Uniqueness is also achieved with combinations of identifiers: name and number, name and title, multiple numbers, etc. ‘Unique’ may also carry a time constraint: an identifier that is unique today may have been assigned to someone else in the past, or may be reassigned in the future. An identifier that is never reused is called “unambiguous”, which may or may not be required depending on the use case.
When the authorized representative is an inanimate object or location, such as an AI bot or process on a server, the GLN, GTIN and other identifiers from the GS1 family of identifiers have no equal. GS1 is the originator and global administrator of bar codes, used to uniquely identify products worldwide. Over 2 million companies utilize GS1 Standards and 100 million products carry GS1 barcodes. When combined with the verifiable LEI or “vLEI”, GS1 identifiers could form a powerful global root of trust for cryptographically verifying both the provenance and authority of any person or thing representing or produced by an organization.
Identifiers Don’t Prove Anything
Identifiers are not ‘authenticators’ or ‘authorizers’, they’re just alphanumeric strings. Unique identifiers tell you precisely who or what someone or something claims to be, but alone provide no way to verify the authenticity of the claim. A hierarchical chain of identifiers is also no more verifiable than a lone identifier, though it does provide more information: a claim of a relationship between them.
Alone, the LEI and GLN are identifiers like Social Security Numbers, birthdays, or any other number that can be easily written onto a piece of paper: they must be verified separately and manually (when they must be verified at all, which is not always the case in physical space).
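To make the point above concrete, here is an added example (not code from the original article, nor from GLEIF or GS1) that checks whether a string is merely well-formed as an LEI or a GLN. An LEI (ISO 17442) is 20 uppercase alphanumeric characters whose last two are check digits computed with ISO 7064 MOD 97-10, the same scheme IBANs use; a GLN is 13 digits ending in a GS1 mod-10 check digit. The sample values are test vectors: the first LEI is believed to be GLEIF’s own, but that attribution is an assumption here and the string is used purely to exercise the checksum. What the example shows is exactly the limitation the section describes: a string that passes these checks has been shown to be well-formed and nothing else. Whether it is registered, current, or held by the party presenting it still requires a separate lookup against the published LEI data, and whether its bearer has any authority requires a credential, not an identifier.

```python
"""Syntactic validators for two proxy entity identifiers (LEI and GLN).

Added illustration for this article; not code from GLEIF or GS1.
LEI: ISO 17442, 20 chars, last two are ISO 7064 MOD 97-10 check digits.
GLN: GS1 location number, 13 digits, last is a GS1 mod-10 check digit.
Passing these checks means "well-formed", nothing more.
"""
import re

LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")
GLN_RE = re.compile(r"^[0-9]{13}$")


def _mod97(s: str) -> int:
    """ISO 7064 MOD 97-10 remainder of s, with A..Z read as 10..35.

    Reduces digit by digit so the intermediate value stays small; that also
    makes the routine easy to port to languages without big integers.
    """
    r = 0
    for ch in s:
        if "0" <= ch <= "9":
            digits = ch
        elif "A" <= ch <= "Z":
            digits = str(ord(ch) - ord("A") + 10)  # letters become two digits
        else:
            raise ValueError(f"invalid LEI character {ch!r}")
        for d in digits:
            r = (r * 10 + int(d)) % 97
    return r


def lei_check_digits(body: str) -> str:
    """Compute the two check digits for an 18-character LEI body."""
    if not re.fullmatch(r"[A-Z0-9]{18}", body):
        raise ValueError("LEI body must be 18 uppercase alphanumerics")
    return f"{98 - _mod97(body + '00'):02d}"


def lei_is_well_formed(lei: str) -> bool:
    """True iff lei has LEI shape and the whole string reduces to 1 mod 97."""
    return bool(LEI_RE.match(lei)) and _mod97(lei) == 1


def gln_check_digit(body: str) -> str:
    """GS1 mod-10 check digit: weights 3,1,3,1,... from the rightmost body digit."""
    if not re.fullmatch(r"[0-9]{12}", body):
        raise ValueError("GLN body must be 12 digits")
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(reversed(body)))
    return str((10 - total % 10) % 10)


def gln_is_well_formed(gln: str) -> bool:
    """True iff gln is 13 digits and its check digit matches the first 12."""
    return bool(GLN_RE.match(gln)) and gln_check_digit(gln[:12]) == gln[12]


def classify(identifier: str) -> str:
    """Return 'lei', 'gln', or 'unrecognized' from shape and check digits alone."""
    if lei_is_well_formed(identifier):
        return "lei"
    if gln_is_well_formed(identifier):
        return "gln"
    return "unrecognized"


if __name__ == "__main__":
    # Constructed test vectors. The first is believed to be GLEIF's own LEI
    # (attribution unverified here; it serves only as a checksum vector).
    samples = [
        "506700GE1G29325QX363",  # LEI with valid check digits
        "506700GE1G29325QX364",  # one character changed: check fails
        "1234567890128",         # GLN-shaped number with valid check digit
        "1234567890120",         # wrong check digit
        "ACME-CORP-0001",        # neither kind of identifier
    ]
    for s in samples:
        print(f"{s:22s} -> {classify(s)}")
    # Even 'lei' or 'gln' is only a syntactic result: resolve the value against
    # the registry (GLEIF's published LEI data) before believing the entity exists,
    # and require a credential before believing the bearer has any authority.
```

The check-digit schemes catch single-character substitutions and adjacent transpositions, which is all they were designed for; they are an integrity check on transcription, not a statement about the world. Treat `classify` as the first filter in a pipeline whose next stage is a registry lookup and whose last is credential verification.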
Binding People to Entities
Many governments provide strong identity binding for citizens with unique ID cards equipped with a contactless (RFID) chip. This way a natural person can prove their identity across many boundaries, but they cannot prove authority; national ID cards do not convey any binding between entities and their representatives. For example, you could prove that Steve Smith is Steve Smith, but not that he works for ACME Inc. or that he is the CFO, authorized to sign financial statements on behalf of the organization.
An easily verifiable binding between actor, action, and authority is a serious need for many use cases in physical space, but a critical need in cyberspace for B2B and B2C interactions if we want to end the too-easy impersonation of organizational representatives by fraudsters who steal billions annually. We also need to speed up or eliminate innumerable tedious verification processes that cost significant time and money.
What if people acting on behalf of an organization could instantly prove it? What if software or devices or equipment deployed by an organization could reliably prove their provenance, to undoubtedly signify from where they derive their claimed authority?
(continued in The Dawn of Decentralized Organizational Identity, Part 2: Credentials)