LEI Solutions > Certificate Authorities

LEIs for Digital Certificates

The ISO 17422 standard paves the way to enhance Public Key Infrastructure (PKI) Digital Certificates with Legal Entity Identifiers for universal, verified, and regularly updated Legal Entity reference data – giving verified details of who is who, and who owns whom to relying parties.

CONTACT US TO PARTICIPATE

Certificate Authority LEI

LEI included in Digital Certificate

The LEI is a persistent unique key to verifiable level 1 “who is who” business data and level 2 “who owns who” parental structures. Organizations like Certificate Authorities can gain significant value from the LEI. LEIs and their live, freely accessible, and frequently updated entity reference data will always offer an improved alternative to reliance on static  reference data encoded within Digital Certificates.

RapidLEI is driving the adoption of LEIs in the Certificate Authority ecosystem:

  • The ISO 17422 standard defines the standard approach for Certification Authorities to embed LEIs within Digital Certificates (finalized 08/20).
  • CA technology partners including DigiCert, FirmaPro, and Certum, and global SSL resellers including GoGetSSL, PSW Group, TurSign, Trustcubes, and more now also sell LEIs alongside SSL.
  • Through the RapidLEI partner network it is possible to buy SSL Certificates incorporating LEIs.
  • Along with the GLEIF we are working with the CA/B Forum to standardize how Certificate Authorities can utilize LEI reference data during validation processes.

Read: How x.509 Certs can benefit from LEI

Members of the LEI Program for CAs

Certum logo

DigiCert

Envers logo

Firmapro logo

Advantages of Live Company Data

Users relying on company identity data for any online use case need several things. Relying Parties need it to be:

Live

Live & Accurate
Representative of the company at the time of relying on the reference data

Regulated

Regulated & Consistent
Held to a credible standardized validation workflow of identity data

Verifiable

Verifiable
Published to a publicly accessible and verifiable open database

User friendly

User Friendly
Doing Business As should be supported where complicated group holding names would otherwise confuse users (KLM vs Koninklijke Luchtvaart Maatschappij N.V.)

Detailed

Detailed when needed
As well as providing the ‘who is who’ aspect of company identity, when needed give insight into ‘who owns whom’ for corporate structure understanding

Quality

Transparent Quality
Relying parties should be able to check the data accuracy quality from the issuer and if inaccuracy is suspected, there should be a protocol to challenge

Browsers and Certificate Authorities are ideally placed to use and display live LEI data to their stakeholders of businesses and consumers alike, extracting them from the underlying Digital Certificate underpinning the encrypted communications channel.

Announcing support for the GLEIF Validation Agent (VA) Framework

GLEIF Accredited RapidLEI“By simplifying and accelerating the LEI issuance process, the new Framework also paves the way for FIs to expand their usage of the LEI beyond capital markets to encompass all banking business lines, an opportunity anticipated to save the industry U.S.$2-4 billion annually in client onboarding costs alone.”
GLEIF – LEI VA Framework eBook

WHAT IS THE VA FRAMEWORK?

The VA framework is a new role in the Global LEI System (GLEIS). It enables FIs, Banks, & Trust Service Providers to leverage and enhance existing validation processes to consolidate the usually separate workflows for KYC, AML & LEI issuance. VAs realise a variety of cost, efficiency and customer experience benefits by leveraging existing KYC and AML processes by obtaining an LEI for customers when verifying a client’s identity during initial onboarding or during a client refresh.

VIEW GLEIF VA eBOOK

HOW THE VA FRAMEWORK WORKS WITH RAPIDLEI?

The RapidLEI platform and its API can be integrated into existing KYC and AML workflows to automate both the validation of legal entity validation data and the subsequent registration of the LEI with the GLEIS, all in real-time. This unique approach ensures VAs gain entity data validation enhancements and register only accurate LEIs that meet GLEIS data quality requirements. VAs using RapidLEI with the VA framework enhance the overall reliability of KYC data in general.

REQUEST VA ACCESS

Stephan Wolf

“The Global LEI Foundation encourages all Certification Authorities to consider integrating LEIs within digital certificates as a matter of priority, to expedite the associated benefits. We warmly welcome industry engagement and stand ready to serve the best interests of LEI stakeholders.”
Stephan Wolf, CEO Global LEI Foundation

LEI KYC Integration

CURRENT BEST PRACTICE DEFINITIONS

As we work closer with Certificate Authorities (CAs) on building LEI information into Digital Certificates a standard implementation schema is necessary. As of February 2019 the following definitions are considered best practice:


LEI
DEFINITIONS IMPLICIT TAGS ::= BEGIN

ub-leiRole-length INTEGER ::= 100

Lei     ::= SEQUENCE {
        leiCode         PrintableString(SIZE(20)),
        leiRole [0]     EXPLICIT PrintableString(SIZE(1..ub-leiRole-length))
                        OPTIONAL
         }

EXTENSION       ::= CLASS {
         &id     OBJECT IDENTIFIER UNIQUE,
         &ExtnType }
WITH SYNTAX {
         SYNTAX  &ExtnType,
         IDENTIFIED BY &id
         }

lei     OBJECT IDENTIFIER ::= {1 3 6 1 4 1 5222266 1}

leiExtension    EXTENSION ::= {
         SYNTAX  Lei,
         IDENTIFIED BY lei
         }

Extension ::= SEQUENCE {
         extnId  EXTENSION.&id({ExtensionSet}),
         critical        BOOLEAN DEFAULT FALSE,
         extnValue       OCTET STRING
         (CONTAINING EXTENSION.&ExtnType({ExtensionSet}{@extnId})
                 ENCODED BY der),
         ...
         }

der     OBJECT IDENTIFIER ::=
    {joint-iso-itu-t asn1(1) ber-derived(2) distinguished-encoding(1)}

ExtensionSet    EXTENSION ::= {leiExtension,...}

END

Reference & Further Reading

Standards

ISO 17442 – LEI Application in Digital Certificates

 

Ubisecure / RapidLEI:

All LEI blogs and announcements from Ubisecure

Top reasons TLS/SSL Certs can benefit from Legal Entity Identifiers

Apple policy change highlights the value for Legal Entity Identifiers support in Org Validated SSL/TLS Certs

Why the Certificate Authority world should embrace Legal Entity Identifiers (part i)

Why the Certificate Authority world should embrace Legal Entity Identifiers (part ii)

Widening the scope of best practice for LEIs for SSL/TLS identity

 

Object Identifier Details

Embed identity data into the Subject Distinguished Name of a Digital Certificate via the Object Identifier (OID): https://www.oid-info.com/get/1.3.6.1.4.1.52266.1

GLEIF (Global Legal Entity Identifier Foundation):

The Rise of Digital Technology in KYC: Using the LEI to Ease the Process

The role of the LEI Issuer and registration Agents, validating the registrant data against authoritative sources

Data quality – established program for validation rules

 

Partner Announcements:

Connecting the Legal Entity Identifier (LEI) ecosystem to the SSL/TLS Certificate world

Starting to extend the Legal Entity Identifier (LEI) to the SSL reseller network

>