Top reasons TLS/SSL Certs can benefit from Legal Entity Identifiers
From removal of the EV indicators in the browser UI to the shortened lifetime of Certificates, the product makeup of TLS/SSL Certs has changed considerably in the last six months. Now that the Certificate lifetime process aligns closely with the Legal Entity Identifier, we started thinking about even more reasons why TLS/SSL Certs can benefit from closer ties to LEIs.
The LEI is designed to be the global identifier: The LEI is standardised across all jurisdictions. It is endorsed by the G20 and the Financial Stability Board and regulated by the Global LEI Foundation (GLEIF).
The LEI is already widely supported with a significant install base. Over 1.5m LEIs have been issued.
The LEI is already a source of Know Your Customer (KYC) data for B2B onboarding in an extensive vendor network and is the primary connector between all the regional or private sector identifiers. By connecting multiple sources and formats of identity, it is possible to conclude a more trustworthy identity assertion.
Both humans and machines can verify the LEI. The GLEIF database of issued LEIs is open and searchable via its web interface, full dataset download, or API.
The LEI code is a live reference to an identity record. An LEI record does not have name length restrictions and can be updated to represent an accurate organisation identity when corporate details change without the need to issue a new code.
The LEI must be renewed annually to remain active, and renewal requires revalidation of corporate details. This aligns with Apple’s view (and likely the view of other browser vendors) that the validity of TLS/SSL Certs must not exceed one year.
The LEI is the only identifier to connect parent and child organisations publicly. Known as Level 2 data, LEIs provide transparency into the “who owns whom” aspect of organisation identity.
The LEI is formed using a standardised, consistent identity data reference schema that includes Entity Legal Form (ELF) codes (Ltd, GmbH, etc). The unambiguous ELF data provides an improved user experience by categorizing legal entities, providing clear insight into the global marketplace.
The LEI payload (the twenty-digit LEI number itself) is smaller than most Subject Distinguished Names (DN), and certainly smaller than the DN within OV and EV Certificates. Smaller certificates are better.
LEIs can list multiple “Doing Business As” names and previously incorporated names, giving a historical audit trail to counterparties.
LEIs support multiple languages for names and addresses. Local language support provides a better localised understanding of, and reliance upon, identity data.
The data quality of the LEI system is open and transparent. LEI reference data can be challenged. A defined, publicly accessible process exists within the ecosystem to openly challenge identity data if a counterparty believes it to be inaccurate.
LEIs are already supported by XBRL (the open international standard for digital business reporting). Both human-readable and machine-readable LEIs can be embedded in XBRL documents as the standardized organisation identifier.
The use of LEIs is well researched as a tool for cost saving in KYC/Onboarding. See the GLEIF ebook for an example of how the banking sector is using LEIs.
LEIs will soon be included in the new ISO payment standards as the organisation identifier in SWIFT transactions.
The implementation of LEIs into Digital Certificates will soon be standardised through the draft ISO 17442-2 and ETSI TS 119 412-1.
So there we have it. So many strong reasons why and how LEIs and Digital Certificates should become more closely allied.
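To illustrate the point above that machines can verify an LEI, here is an added example (not from the original article or from GLEIF) of the offline structural check a relying party can run on an LEI taken from a certificate before looking it up in the GLEIF database. It assumes the ISO 17442 layout of 18 alphanumeric characters followed by two ISO 7064 MOD 97-10 check digits; the function names are hypothetical and the sample prefix is constructed, not an issued LEI.

```python
import re

# ISO 17442 layout (assumed here): 18 characters from 0-9/A-Z, then 2 check digits.
_PREFIX_RE = re.compile(r"[0-9A-Z]{18}")
_LEI_RE = re.compile(r"[0-9A-Z]{18}[0-9]{2}")


def _to_digits(text: str) -> str:
    """ISO 7064 MOD 97-10 mapping: 0-9 stay as they are, A=10 ... Z=35."""
    return "".join(str(int(ch, 36)) for ch in text)


def lei_check_digits(prefix18: str) -> str:
    """Return the two check digits for an 18-character LEI prefix."""
    if not _PREFIX_RE.fullmatch(prefix18):
        raise ValueError("LEI prefix must be 18 characters from 0-9, A-Z")
    remainder = int(_to_digits(prefix18) + "00") % 97
    return f"{98 - remainder:02d}"


def is_well_formed_lei(value) -> bool:
    """Structural check only: length, alphabet and check digits.

    The check digits are recomputed and compared, rather than only testing
    'mod 97 == 1', so non-canonical check values are rejected as well.
    """
    if not isinstance(value, str) or not _LEI_RE.fullmatch(value):
        return False
    return value[18:] == lei_check_digits(value[:18])


# Constructed sample (not an issued LEI): prefix plus computed check digits.
SAMPLE_PREFIX = "999900EXAMPLE12345"
SAMPLE_LEI = SAMPLE_PREFIX + lei_check_digits(SAMPLE_PREFIX)

if __name__ == "__main__":
    for candidate in (SAMPLE_LEI, "8" + SAMPLE_LEI[1:], SAMPLE_LEI.lower()):
        print(candidate, is_well_formed_lei(candidate))
```

A value that passes this check is only well formed; whether the LEI is issued and its registration is current still has to be confirmed against the GLEIF data.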