trustoverip / vLEI-EGF-v1.0-Interim-Update-Public-Review


Scalability issue for supervised remote in-person OOBI sessions #11

Closed nkongsuwan closed 9 months ago

nkongsuwan commented 10 months ago

Document

Qualified-vLEI-Issuer-Identifer-vLEI-Credential-Governance-Framework

Section Name

-

Row number

-

Question/Comment

The document implies that a QAR is a representative of a QVI that either has a signing and/or rotation authority over the multisig group AID of the QVI, i.e. the key that the QAR controls must be present in the key event log of the QVI’s AID. Here are some questions that I have:

If the above interpretation is correct, I have a concern about the workloads for QARs since QARs are required to perform identity authentication for all LARs and OOR persons either in person or in web meetings, i.e., supervised remote in-person. Although this is optional for ECR persons, I also have a concern about how we can ensure that LARs properly authenticate their ECR persons, see Issue 10. My opinion is that this requirement may cause a bottleneck for the issuance of vLEI at scale.

I propose that the vLEI ecosystem governance framework adds an option for QARs to assign other people to perform web-meeting real-time OOBI sessions in their place. For example, a QVI may outsource its identity authentication process to a third-party service provider that performs supervised remote in-person OOBI sessions and submits the results to the QVI. The QVI then verifies the results and subsequently issues vLEIs to those who have been authenticated.

nkongsuwan commented 10 months ago

Reading the current framework, I imagine it will be very difficult for a single QVI to issue a few hundred vLEIs in the same month and possibly impractical to issue a thousand.

To issue vLEI at that scale, a QVI probably needs to recruit and designate an army of 10+ QARs, who must be verified and authenticated by GLEIF. These newly appointed QARs are most likely low-level employees of the QVI, which may have a high turnover rate. As a result, the QVI may appoint and fire new QARs on a monthly basis, which also significantly increases the workload for the GLEIF personnel to verify them.

Let's say there are 20 QVIs and each appoints 2 new QARs monthly. That is already 40 people for GLEIF to verify.

nkongsuwan commented 10 months ago

There is an insightful comment from a member of the KERI community that I would like to add here.

"When I'm reviewing these documents I think that the identity assurance doesn't have to be done by the QAR themselves. You could have a bunch of other people do the identity assurance through a process, provide all the documents to the QAR and then the QAR after validating to the controls can issue the certificate. At that point, the QAR just becomes like a notary-type position that just reviews the documents and then issues or doesn't issue based on the information provided. The QAR only has to be part of the process for the actual issuance for the web meeting or whatever it was that a LAR has to go through, but you can have the low-level employees act as a filter to make sure all the ducks are in a row before the QAR has to be brought in."

kmckenna-gleif commented 9 months ago

Nuttawut, I provided a response to this issue, but the response showed only in the response to issue #10. Here is the response to this issue #11, copied to be recorded for issue #11.

Thank you Nuttawut for raising this issue. The outsourcing of services in the first 'part' of the Identity Verification process (Identity Assurance or Proofing) is allowed within the vLEI EGF to be outsourced to third parties by the QVI. However, the second part of the Identity Verification process, the Identity Authentication session, which involves a continuous remote in-person OOBI session, is expected to be performed unbroken in process by the Qualified vLEI Issuer Authorised Representatives (QARs) who both would complete the exchange of identifiers, Challenge-Response process, verification of signatures and required 'maker-checker' approval of issuance of the vLEI credentials. So this requirement will remain unchanged in the vLEI EGF. GLEIF will monitor the scalability implications on the QARs and GLEIF as the activity increases in the vLEI ecosystem.

nkongsuwan commented 9 months ago

@kmckenna-gleif Thank you. I appreciate your response.