GL1: A Verifiable Digital Licensing Protocol for Gambling Regulation
This paper introduces GL1 (Gambling Licence version 1), an open protocol for machine-readable, cryptographically verifiable digital gambling licences. GL1 enables gambling regulators to issue digitally signed licence credentials that can be independently verified by any party — consumers, Internet Service Providers, payment processors, search engines, app stores, and other gambling regulators — without requiring trust in the operator or real-time access to the issuing authority.
GL1 defines three complementary verification mechanisms built entirely on existing open standards:
.well-known URI (RFC 8615) hosting a signed JSON licence documentTogether, these mechanisms provide defence-in-depth verification that is resistant to forgery, instantly revocable, and designed for adoption by any gambling regulatory authority worldwide.
The protocol addresses a fundamental gap in global gambling regulation: the absence of a standardised, machine-readable mechanism for distinguishing licensed from unlicensed operators. This gap undermines enforcement, enables illegal operators to reach consumers unchallenged, and makes it difficult for payment processors and ISPs to comply with their obligations.
GL1 is published as an open specification. GRAI intends to submit it for standardisation through the IETF and to register the gambling-licence well-known URI suffix with IANA.
Online gambling is a global industry generating over €90 billion annually in gross gaming revenue. Alongside the regulated market, a substantial illegal market operates across jurisdictions, targeting consumers without the oversight, consumer protections, or tax contributions required by law.
Illegal gambling operators:
Despite decades of gambling regulation, there is no standardised, machine-readable protocol for verifying whether an online gambling operator holds a valid licence from a recognised regulatory authority.
Today, licence verification requires:
This process is:
| Stakeholder | Need |
|---|---|
| Consumers | Know whether a gambling site is licensed before depositing money |
| ISPs | Determine which gambling domains to block under court orders or regulatory mandates |
| Payment processors | Verify licence status before processing gambling transactions |
| Card schemes (Visa, Mastercard) | Ensure merchant accounts are held by licensed operators |
| Search engines | Filter or label gambling results based on licence status |
| App stores | Verify licence before approving gambling app submissions |
| Advertising platforms | Only accept gambling ads from licensed operators |
| Other regulators | Verify claims of licensure by operators in their jurisdiction |
| Law enforcement | Quickly assess licensing status during investigations |
| Researchers / media | Analyse the licensed vs unlicensed gambling landscape |
The technical building blocks for solving this problem already exist. Email authentication solved an analogous problem — proving sender legitimacy — using DNS records (SPF, DKIM, DMARC). Certificate transparency solved the problem of verifiable issuance for TLS certificates. Web PKI provides a global trust framework for cryptographic identity.
GL1 applies these proven patterns to gambling licence verification, creating a protocol that is:
Most gambling regulators maintain some form of public registry:
| Regulator | Registry | Machine-Readable | Cryptographic | Real-Time |
|---|---|---|---|---|
| UK Gambling Commission | Public register (web search) | No | No | Partial |
| Malta Gaming Authority | Licensee register (web search) | No | No | Partial |
| Gibraltar Gambling Commissioner | Licensee list (PDF/web) | No | No | No |
| Isle of Man GSC | Licensee list (web) | No | No | No |
| Alderney GCC | Licensee directory (web) | No | No | No |
| Sweden (Spelinspektionen) | Licence register (web) | No | No | Partial |
| Netherlands (KSA) | Licence register (web) | No | No | Yes |
No regulator currently provides a machine-readable, cryptographically signed licence verification mechanism. All rely on human-readable web pages that cannot be programmatically verified at scale.
Licensed operators typically display licence badges or seals on their websites. These are:
| Problem | Solution | Mechanism |
|---|---|---|
| Email sender legitimacy | SPF + DKIM + DMARC | DNS TXT records + cryptographic signatures |
| Website identity | Web PKI (X.509 certificates) | Certificate Authorities + TLS |
| Domain control verification | ACME (Let's Encrypt) | .well-known URI challenges |
| Certificate issuance transparency | Certificate Transparency (CT) | Append-only public logs |
| Code signing authenticity | Code signing certificates | PKI + signature verification |
| API authentication | OAuth 2.0 / OpenID Connect | .well-known discovery + tokens |
GL1 draws directly from these proven approaches.
GL1 is designed around seven core principles:
GL1 uses exclusively open, royalty-free standards. No proprietary protocols, formats, or algorithms. Every component is defined by an existing RFC or open specification. GL1 itself is published as an open specification and will be submitted for IETF standardisation.
Licence credentials are generated and signed by the regulatory authority, not the operator. The operator hosts the signed credential but cannot modify it. This ensures that the authority retains control over licence assertions while distributing verification load.
The primary verification mechanisms (.well-known file and DNS record) do not require real-time connectivity to the issuing authority. A verifier can validate the cryptographic signature against the authority's published public key without contacting the authority's servers. The verification API provides optional real-time confirmation.
Three independent mechanisms provide layered verification:
.well-known URI with signed JSONEach mechanism can function independently. Together, they provide redundancy and resistance to evasion.
When a licence is suspended or revoked, the change must propagate to all verification channels within a bounded time:
.well-known file: Within 4 hours (operator update) or via API fallbackGL1 is not a single-authority protocol. Any gambling regulatory authority can operate as a GL1 issuer using its own signing keys and verification infrastructure. The protocol includes a discovery mechanism that allows verifiers to resolve the issuing authority for any licence credential and obtain the correct public key for verification.
Operators are required to:
No specialised software, hardware, or expertise is required.
| Role | Description |
|---|---|
| Issuing Authority | Gambling regulatory body that issues licences (e.g., GRAI, UKGC, MGA) |
| Operator | Licensed gambling operator that hosts the credential |
| Verifier | Any party that checks licence validity (ISP, payment processor, consumer, browser, regulator) |
1. LICENCE ISSUED
Authority issues gambling licence to operator
|
v
2. CREDENTIAL GENERATED
Authority generates signed GL1 credential
(JSON document + DNS record content)
|
v
3. CREDENTIAL DISTRIBUTED
Authority transmits credential to operator
via secure channel (API, portal, email)
|
v
4. CREDENTIAL HOSTED
Operator publishes:
- JSON file at /.well-known/gambling-licence
- DNS TXT record at _gambling-licence.{domain}
|
v
5. CREDENTIAL VERIFIED
Verifier checks one or more mechanisms:
- Fetch .well-known file --> verify signature
- Resolve DNS TXT record --> verify signature
- Call verification API --> get authoritative status
|
v
6. CREDENTIAL UPDATED (on change)
Authority issues updated credential when:
- Licence renewed
- Conditions changed
- Licence suspended or revoked
Operator updates hosted credential within SLA
+------------------+
| GL1 Trust |
| Directory |
| (gl1.gamblinglicence.org) |
+--------+---------+
| Lists known authorities
| and their public keys
+--------+--------+
| | |
+-----+--+ +--+---+ +--+------+
| GRAI | | UKGC | | MGA | ... other authorities
|(issuer)| |(issuer)| |(issuer)|
+---+----+ +--+---+ +---+-----+
| | |
| Signs credentials for their licensees
| | |
+----+---+ +---+--+ +---+--+
|Operator| |Op. B | |Op. C |
| A | | | | |
+----+---+ +------+ +------+
|
| Hosts credential at .well-known + DNS
|
+----+---+
|Verifier| (ISP, payment processor, consumer, etc.)
+--------+
Fetches credential --> resolves authority -->
obtains authority public key --> verifies signature
Licensed operators MUST serve a GL1 licence credential at:
https://{operator-domain}/.well-known/gambling-licence
This follows the Well-Known URIs framework defined in RFC 8615.
The document is a JSON object with three top-level members:
| Member | Type | Description |
|---|---|---|
gl1 | string | Protocol version identifier. MUST be "1.0" |
licence | object | Licence details (see 5.3) |
signature | object | Cryptographic signature (see Section 8) |
JSON { "gl1": "1.0", "licence": { "id": "GRL-2026-001234", "type": "remote_gambling", "activities": ["sports_betting", "casino", "poker"], "operator": { "name": "Example Gambling Ltd", "trading_as": "ExampleBet", "registration": "IE-123456", "country": "IE" }, "authority": { "id": "GRAI", "name": "Gambling Regulatory Authority of Ireland", "country": "IE", "uri": "https://www.grai.ie", "verify": "https://verify.grai.ie/api/v1" }, "scope": { "territories": ["IE"], "domains": ["examplebet.ie", "examplebet.com"], "apps": [ {"platform": "ios", "id": "com.examplebet.app"}, {"platform": "android", "id": "com.examplebet.app"} ] }, "validity": { "issued": "2026-04-01", "expires": "2027-03-31" }, "status": "active", "conditions": [], "updated": "2026-04-01T00:00:00Z" }, "signature": { "alg": "ES384", "kid": "grai-licence-signing-2026-01", "x5u": "https://pki.grai.ie/certs/licence-signing-2026.pem", "value": "<base64url-encoded signature>" } }
licence.id — The unique licence identifier assigned by the authority. Format is authority-defined. MUST be globally unique when combined with authority.id.
licence.type — The licence type. Recommended values: remote_gambling, retail_gambling, betting, casino, lottery, bingo, poker, gaming_machine, software_supplier, testing_laboratory. Authorities MAY define additional types.
licence.activities — Array of permitted gambling activities. Allows granular verification of whether a specific activity is licensed.
licence.authority.id — Short identifier for the issuing authority. MUST match the authority's entry in the GL1 Trust Directory (see Section 10).
licence.authority.verify — Base URI for the authority's GL1 verification API. Enables verifiers to perform real-time checks.
licence.scope.territories — ISO 3166-1 alpha-2 country codes where the licence is valid.
licence.scope.domains — All domains authorised to operate under this licence. The .well-known file MUST be served from each listed domain.
licence.status — Current licence status. MUST be one of: active, suspended, revoked, expired, surrendered.
| Requirement | Value |
|---|---|
| Protocol | HTTPS (TLS 1.2+) required |
| Content-Type | application/json |
| Cache-Control | max-age=3600 (1 hour maximum) |
| CORS | Access-Control-Allow-Origin: * (to enable browser-based verification) |
| Availability | MUST be served from every domain in scope.domains |
| Modification | Operators MUST NOT modify the document content |
| Update SLA | Updated credential MUST be deployed within 4 hours of receipt from authority |
Operators MUST publish a DNS TXT record at:
_gambling-licence.{operator-domain}. IN TXT "<GL1 record>"
The GL1 DNS record follows a tag-value format inspired by SPF (RFC 7208) and DMARC (RFC 7489):
v=GL1; a=GRAI; id=GRL-2026-001234; t=remote_gambling; s=active; e=2027-03-31; u=https://verify.grai.ie/api/v1/licence/GRL-2026-001234; sig=<base64url>
| Tag | Required | Description | Example |
|---|---|---|---|
v | MUST | Protocol version | GL1 |
a | MUST | Authority identifier | GRAI |
id | MUST | Licence identifier | GRL-2026-001234 |
t | MUST | Licence type | remote_gambling |
s | MUST | Status | active |
e | MUST | Expiry date (ISO 8601) | 2027-03-31 |
u | MUST | Verification URI | https://verify.grai.ie/... |
sig | MUST | Signature (see Section 8) | <base64url> |
The signature is computed over the concatenation of the non-signature fields in the order they appear in the record, separated by semicolons:
v=GL1;a=GRAI;id=GRL-2026-001234;t=remote_gambling;s=active;e=2027-03-31;u=https://verify.grai.ie/api/v1/licence/GRL-2026-001234
| Requirement | Value |
|---|---|
| TTL | 3600 seconds (1 hour) |
| DNSSEC | STRONGLY RECOMMENDED |
| Update SLA | Record MUST be updated within 4 hours of credential change |
| Multiple records | If operator holds licences from multiple authorities, each publishes a separate TXT record |
The verification API is the authoritative, real-time source of licence status. While the .well-known file and DNS record provide offline-verifiable credentials, the API provides:
Each issuing authority operates its own API at the base URI specified in authority.verify.
Licence verification:
GET {authority.verify}/licence/{licence-id}
Domain lookup:
GET {authority.verify}/domain/{domain-name}
Bulk verification:
POST {authority.verify}/verify/bulk Content-Type: application/json {"domains": ["domain1.com", "domain2.com", ...]}
Blacklist:
GET {authority.verify}/blacklist GET {authority.verify}/blacklist?since={ISO-date}
Authority metadata (discovery):
GET {authority.verify}/.well-known/gl1-authority
Returns the authority's public keys, supported algorithms, contact information, and federation membership.
JSON { "gl1": "1.0", "licence": { "id": "GRL-2026-001234", "status": "active", "type": "remote_gambling", "operator": { "name": "Example Gambling Ltd", "trading_as": "ExampleBet" }, "validity": { "issued": "2026-04-01", "expires": "2027-03-31" }, "domains": ["examplebet.ie", "examplebet.com"], "enforcement_actions": [], "last_updated": "2026-04-01T00:00:00Z" }, "authority": { "id": "GRAI", "name": "Gambling Regulatory Authority of Ireland" } }
| Tier | Authentication | Rate Limit | Use Case |
|---|---|---|---|
| Public | None | 100 req/hour | Consumer verification |
| Registered | API key | 10,000 req/hour | Developers, researchers |
| Partner | mTLS certificate | 100,000 req/hour | ISPs, payment processors |
| Regulator | mTLS + MOU | Unlimited | Peer regulatory authorities |
For high-volume consumers, authorities SHOULD provide bulk data feeds:
| Feed | Format | Frequency |
|---|---|---|
| Full licence list | JSON, CSV | Daily |
| Delta updates | JSON (webhook or poll) | Hourly |
| Blacklist | JSON, CSV, RPZ | Real-time (webhook) + hourly batch |
| DNS blocking list | RPZ zone file | Hourly |
GL1 uses ECDSA with the P-384 curve (ES384), as defined in:
ES384 provides 192-bit security strength with compact signatures (96 bytes). It is widely supported in modern cryptographic libraries, endorsed by NIST, and used extensively in JWT/JWS ecosystems. It is the same algorithm class used by the European Digital Identity framework (eIDAS 2.0).
licence object from the GL1 documentsignature.valuesig field| Requirement | Specification |
|---|---|
| Key storage | Hardware Security Module (HSM) — FIPS 140-2 Level 3 or equivalent |
| Key rotation | Signing keys SHOULD be rotated annually |
| Key identifiers | Each key has a unique kid (key identifier) |
| Key publication | Public keys published at {authority.verify}/.well-known/gl1-authority |
| Key history | Previous public keys MUST remain available for verification of unexpired credentials |
| Compromise response | Compromised key revocation and re-issuance of all affected credentials |
1. Obtain GL1 credential (from .well-known, DNS, or API) 2. Extract authority identifier (authority.id or 'a' tag) 3. Resolve authority's public keys: a. Check local cache b. Fetch from GL1 Trust Directory (gl1.gamblinglicence.org) c. Or fetch from authority's .well-known/gl1-authority 4. Select the correct key using 'kid' identifier 5. Reconstruct the signed content: - For .well-known: JCS-canonicalised licence object - For DNS: concatenated non-sig fields 6. Verify ECDSA-P384 signature 7. Check licence status is "active" 8. Check expiry date is in the future 9. Optionally: call verification API for real-time confirmation
GL1's initial algorithm (ECDSA P-384) is vulnerable to quantum computing attacks. Shor's algorithm, executed on a sufficiently capable quantum computer, breaks all elliptic curve cryptography. GL1 is designed as a long-lived international standard and must prepare for the post-quantum era.
A quantum computer running Shor's algorithm could forge GL1 credential signatures, allowing unlicensed operators to create fake licence credentials indistinguishable from genuine ones. While such computers don't yet exist, GL1's standardisation timeline (targeting RFC by 2028) means the protocol will still be in active use when quantum computers are expected to become cryptographically relevant (2030–2035+).
| Standard | Algorithm | Signature Size | Public Key | Security Level | GL1 Role |
|---|---|---|---|---|---|
| ECDSA P-384 (current) | ES384 | 96 bytes | 48 bytes | 192-bit classical | GL1 v1.0 default |
| FIPS 204 | ML-DSA-65 (Dilithium) | 3,309 bytes | 1,952 bytes | NIST Level 3 | Primary PQC candidate |
| FIPS 204 | ML-DSA-87 (Dilithium) | 4,627 bytes | 2,592 bytes | NIST Level 5 | High-security option |
| FIPS 205 | SLH-DSA (SPHINCS+) | 7,856+ bytes | 32 bytes | NIST Level 1–5 | Backup algorithm (different math basis) |
| Draft FIPS 206 | FN-DSA-512 (FALCON) | ~666 bytes | 897 bytes | NIST Level 1 | Compact option (complex implementation) |
| Mechanism | PQC Impact | Mitigation |
|---|---|---|
.well-known JSON |
No issue ML-DSA-65 sig (~4,412 chars base64url) fits easily in JSON | Direct algorithm substitution in signature.alg |
| DNS TXT record | Problem PQC signatures exceed DNS TXT record limits (~450 bytes) | New sig-uri field pointing to full signature at API; sig-hash for integrity check |
| Verification API | No issue No size constraint on API responses | Direct algorithm substitution |
| X.509 certificates | Manageable Larger certificates; standards in progress | Follow IETF post-quantum certificate work |
GL1 is designed with algorithm agility from day one:
signature.alg — identifies the algorithm. Verifiers MUST read this field, MUST NOT assume ES384.kid — allows multiple active keys with different algorithms during transition./.well-known/gl1-authority publishes all current keys with their algorithms.During transition, GL1 supports dual signatures — classical + post-quantum simultaneously:
Verification rule: valid if either signature verifies (backwards compatibility), but fully verified only if both verify. If either algorithm is broken, the other provides protection.
When PQC signatures exceed DNS TXT limits, the record adapts with new fields:
| Field | Purpose |
|---|---|
sig-alg | Identifies the PQC algorithm used |
sig-hash | SHA-256 hash of the full signature (integrity check against API-fetched sig) |
sig-uri | URI where the full PQC signature can be fetched |
This preserves DNS utility for quick status checks and bulk scanning while delegating full PQC verification to the API layer.
| Phase | Period | Action |
|---|---|---|
| Prepare | 2026–2028 | Deploy GL1 with ES384. Implement algorithm agility in all GL1 software. Monitor NIST PQC maturity and HSM vendor support. |
| Test | 2028–2030 | Pilot hybrid signatures (ES384 + ML-DSA-65) with willing operators and verifiers. Validate DNS adaptation. |
| Transition | 2030–2032 | Mandate hybrid signatures for all new credentials. Encourage verifiers to implement PQC verification. |
| PQC-Only | 2032+ | Deprecate ES384-only credentials. Require PQC signatures (ML-DSA-65 or successor). |
By building algorithm agility into GL1 v1.0 and defining the hybrid signature format now, the protocol can migrate to post-quantum cryptography without a breaking protocol version change. Verifiers implementing GL1 today are already prepared for the quantum transition.
When a licence is suspended or revoked, the change propagates through all three mechanisms:
| Channel | Propagation Time | Mechanism |
|---|---|---|
| Verification API | Immediate | Authority updates database |
.well-known file | 4 hours | Authority issues new credential; operator deploys |
| DNS TXT record | 4 hours | Authority issues new record; operator updates DNS |
If the .well-known file or DNS record shows "status": "active" but the credential is stale (close to or past the updated timestamp + SLA), verifiers SHOULD fall back to the verification API for confirmation.
If the API is unreachable, verifiers SHOULD treat credentials with valid signatures and unexpired dates as provisionally valid, but flag for re-verification.
If an operator fails to update their hosted credential after a suspension or revocation:
.well-known file will eventually expire (based on validity.expires)Authorities MAY issue short-lived credentials (e.g., 24-hour validity) that require frequent renewal. This reduces the revocation window but increases operational burden. Recommended for high-risk operators or during enforcement proceedings.
A critical component of GL1 is the Trust Directory — a registry of recognised gambling regulatory authorities and their public keys. This enables verifiers to resolve the authority for any credential and obtain the correct verification key.
Location: https://gl1.gamblinglicence.org (proposed)
Governance: Operated by an independent body or consortium of founding authorities.
Content:
JSON { "gl1": "1.0", "directory_version": "2026-04-01", "authorities": [ { "id": "GRAI", "name": "Gambling Regulatory Authority of Ireland", "country": "IE", "uri": "https://www.grai.ie", "verify": "https://verify.grai.ie/api/v1", "keys_uri": "https://verify.grai.ie/.well-known/gl1-authority", "status": "active", "joined": "2026-04-01" }, { "id": "UKGC", "name": "UK Gambling Commission", "country": "GB", "verify": "https://verify.gamblingcommission.gov.uk/api/v1", "keys_uri": "https://verify.gamblingcommission.gov.uk/.well-known/gl1-authority", "status": "active", "joined": "2026-09-01" } ] }
To join the GL1 federation, an authority must:
/.well-known/gl1-authorityWhen a verifier encounters a credential from an unfamiliar authority:
authority.id from the credentialThis enables a payment processor in Ireland to verify a Malta Gaming Authority licence, or a UK ISP to verify a GRAI licence — without any prior relationship with the issuing authority.
GL1 is a verification protocol, not a mutual recognition agreement. Verifying that an operator holds a valid MGA licence does not mean Ireland recognises that licence for Irish regulatory purposes. Mutual recognition remains a policy decision for each jurisdiction. GL1 provides the technical infrastructure to support whatever policy framework jurisdictions adopt.
A single authority (e.g., GRAI) deploys GL1 for its licensees:
Multiple European authorities adopt GL1:
IAGR coordinates global adoption:
| Threat | Attack | Mitigation |
|---|---|---|
| Credential forgery | Unlicensed operator creates fake GL1 credential | Cryptographic signature verification against authority's public key in Trust Directory |
| Key compromise | Authority's signing key stolen | HSM protection (FIPS 140-2 L3); key rotation; compromise response procedure |
| Replay attack | Attacker re-uses expired credential | Expiry date checking; real-time API verification |
| Credential tampering | Operator modifies signed credential | Signature verification detects any modification |
| DNS spoofing | Attacker forges DNS TXT record | DNSSEC validation; signature verification independent of DNS integrity |
| Man-in-the-middle | Attacker intercepts .well-known fetch | HTTPS enforcement; optional certificate pinning |
| Trust Directory compromise | Attacker adds rogue authority to directory | Governance controls; peer review; signing of directory entries |
| Revocation delay | Suspended operator's credential still shows active | Short cache TTLs; API fallback; short-lived credentials option |
| Denial of service | DDoS against verification API | CDN protection; offline-first design (sig verification works without API) |
| Domain squatting | Attacker registers similar domain with GL1 record | Scope checking: credential's domains list must include the serving domain |
| Property | Achieved By |
|---|---|
| Authenticity | ECDSA signature by authority's HSM-protected key |
| Integrity | Any modification invalidates signature |
| Non-repudiation | Authority cannot deny having issued a credential (signed with their key) |
| Freshness | Expiry dates, update timestamps, API real-time verification |
| Revocability | Multi-channel revocation with bounded propagation time |
| Decentralisation | Any authority can issue; any party can verify; no single point of failure |
GL1 credentials contain only information that is already publicly associated with a gambling licence:
No personal data about consumers, employees, or beneficial owners is included in GL1 credentials.
The .well-known and DNS mechanisms provide verifier-private verification: the verifier fetches the credential from the operator's infrastructure or public DNS, not from the authority. The authority does not learn who is verifying which licence.
The verification API does reveal verification activity to the authority. Authorities SHOULD:
GL1 credentials contain no personal data as defined by GDPR Article 4(1). The operator and company information in credentials is corporate data already in the public domain. No GDPR data subject rights apply to GL1 credential contents.
| Participant | Estimated Cost | Frequency |
|---|---|---|
| Issuing authority | API development, key management, credential generation infrastructure | One-time + annual operations |
| Licensed operator | Host a static file; publish a DNS record | Negligible marginal cost |
| ISP | Integrate GL1 check into DNS resolver or proxy | One-time integration |
| Payment processor | Integrate GL1 check into merchant onboarding and transaction processing | One-time integration |
| Trust Directory | Operate a simple, highly-available JSON endpoint | Annual operations |
| Beneficiary | Value |
|---|---|
| Consumers | Instant, reliable verification of licence status before depositing funds |
| Licensed operators | Clear differentiation from unlicensed competitors; reduced regulatory friction |
| Regulators | Scalable enforcement; automated detection of unlicensed operators |
| ISPs | Automated compliance with blocking obligations; clear, machine-readable blocking criteria |
| Payment processors | Automated due diligence; reduced regulatory risk |
| Tax authorities | Better identification of taxable gambling activity |
| Approach | Machine-Readable | Cryptographic | Real-Time | Multi-Authority | Open Standard |
|---|---|---|---|---|---|
| Regulator web registry | No | No | Partial | No | N/A |
| Operator self-assertion (badges) | No | No | No | No | N/A |
| Clickable badge → registry | Partial | No | Partial | No | N/A |
| Blockchain-based licence | Yes | Yes | Depends | Possible | Varies |
| GL1 | Yes | Yes | Yes | Yes | Yes |
Blockchain-based approaches have been proposed for various credential verification use cases. GL1 does not use blockchain because:
gambling-licence as a well-known URI suffix with IANA (per RFC 8615 Section 3.1)GL1 is a practical, implementable solution to a real and growing problem. We invite:
Ed Campbell
Security Consultant to the Gambling Regulatory Authority of Ireland (GRAI)
Email: ed.campbell@grai.ie
GL1 was conceived, designed, and authored by Ed Campbell. The protocol concept — applying .well-known URI standards (RFC 8615), DNS TXT record verification, and PKI-based cryptographic licensing to gambling regulation — is Campbell's original work, developed under his consultancy engagement with GRAI.
Intellectual Property: The GL1 protocol concept and design are the original work of Ed Campbell. IP ownership and licensing terms between Campbell and GRAI are governed by the consultancy engagement. This white paper is published under CC BY 4.0 with attribution to Ed Campbell.
Commissioned by: Gambling Regulatory Authority of Ireland (GRAI)
Website: https://www.grai.ie
GL1 Specification Repository
[To be established — proposed: gl1-protocol organisation on GitHub]
Defensive patents, open pledge, and licensing framework for GL1
GL1 is an open protocol designed for global adoption by gambling regulators, operators, and intermediaries. The IP strategy must balance two objectives:
The combination of specific GL1 innovations — the three-mechanism defence-in-depth approach to licence verification (well-known URI, DNS TXT, and API), the authority-issued/operator-hosted credential model, and the federated Trust Directory for multi-authority key discovery — may be patentable as a system and method. If GRAI does not secure defensive protection, a commercial entity could potentially patent aspects of the protocol and impede adoption.
| Option | Description | Pros | Cons |
|---|---|---|---|
| A. No patent | Publish the specification and rely on prior art to prevent others from patenting | Simplest approach; no filing costs; clear public domain intent | Prior art defence is reactive, not proactive; a well-resourced entity could still file and force GRAI to challenge; prior art must be proven in each jurisdiction |
| B. Defensive patent only | File patent application, but never assert it against implementers; hold it solely to block others | Strongest legal protection against third-party patent trolls; clear ownership; can be used to invalidate competing patents | Filing and maintenance costs; must be accompanied by a clear pledge to prevent chilling effect on adoption |
| C. Defensive patent + irrevocable royalty-free pledge | File patent, then immediately publish an irrevocable, royalty-free patent pledge granting all parties the right to implement GL1 | Maximum legal protection against trolls; irrevocable pledge provides implementer confidence; well-established model (Google, Microsoft, IBM use this for web standards) | Filing and maintenance costs; requires careful drafting of pledge |
A defensive patent should be filed covering the GL1 protocol, with an irrevocable, royalty-free patent pledge published immediately. This is the approach used by major technology companies when contributing protocols to open standards.
The GL1 protocol was conceived and designed by Ed Campbell, security consultant to GRAI. As the inventor, Campbell is named on any patent filing. The ownership and licensing arrangements between Campbell and GRAI are governed by the terms of the consultancy engagement.
Options for patent ownership structure:
Regardless of ownership structure, Campbell must be named as inventor on the patent filing, as this is a legal requirement in all major patent jurisdictions.
Filing a defensive patent serves the public interest because:
| Organisation | Protocol/Standard | Patent Approach |
|---|---|---|
| VP8/VP9 video codecs | Defensive patent + irrevocable royalty-free licence | |
| Microsoft | C# / .NET / Open XML | Open Specification Promise (irrevocable, royalty-free) |
| IBM | 500+ patents (2005 pledge) | Irrevocable royalty-free pledge for open source / open standards |
| Tesla | Electric vehicle patents | "Good faith" open patent pledge |
| W3C | All W3C Recommendations | Royalty-free patent policy required for all contributors |
| IETF | Internet standards | RFC 8179: reasonable and non-discriminatory (RAND) or royalty-free |
The holder(s) of [Patent No. TBD] covering the GL1 Gambling Licence Verification Protocol, invented by Ed Campbell, hereby grant an irrevocable, worldwide, royalty-free, non-exclusive licence to any person or entity to make, use, sell, offer to sell, import, and otherwise exploit any implementation of the GL1 protocol as defined in the GL1 Specification (version 1.0 and all subsequent versions published at gamblinglicence.org).
This pledge is irrevocable. It applies to all current and future claims in the GL1 Patent that are necessarily infringed by a conformant implementation of the GL1 Specification. This pledge is not contingent on reciprocity. It survives any transfer, assignment, or change of ownership of the patent.
This pledge does not extend to implementations that are not conformant with the GL1 Specification, nor to patent claims that are not necessarily infringed by a conformant implementation.
The patent should be filed in:
| Item | Estimated Cost | Frequency |
|---|---|---|
| Patent drafting (specialist IP counsel) | €15,000 – €25,000 | One-time |
| EPO filing and prosecution | €8,000 – €15,000 | One-time |
| USPTO filing and prosecution | €10,000 – €20,000 | One-time |
| PCT application (optional) | €5,000 – €10,000 | One-time |
| Annual maintenance fees (EPO + USPTO) | €3,000 – €5,000 | Annual |
| Total (Year 1) | €38,000 – €70,000 |
These costs are modest relative to the value of protecting an international enforcement protocol from encumbrance.
| Artefact | Licence | Rationale |
|---|---|---|
| GL1 White Paper | CC BY 4.0 | Allows sharing, adaptation, and commercial use with attribution |
| GL1 Specification | CC BY 4.0 | Consistent with IETF and W3C practice for specification documents |
JSON Schema (gl1-schema.json) | CC BY 4.0 | Schema definitions should be freely reusable |
OpenAPI Specification (gl1-openapi.yaml) | CC BY 4.0 | API definitions should be freely reusable |
| Reference implementations (code) | Apache 2.0 or MIT | Permissive open-source licences; Apache 2.0 includes explicit patent grant |
| Validation libraries | Apache 2.0 | Apache 2.0 preferred due to patent grant clause |
| Trust Directory software | Apache 2.0 | Operational infrastructure should be freely deployable |
For reference implementations, Apache 2.0 is preferred over MIT because Apache 2.0 includes an explicit patent grant (Section 3) that provides additional legal clarity for implementers. This is particularly important for GL1, where the defensive patent strategy means there are known patents that implementers need assurance about.
| Action | Timeline | Owner |
|---|---|---|
| Engage IP counsel with standards experience | Q2 2026 | GRAI Legal / CISO |
| Draft patent application | Q2–Q3 2026 | IP Counsel |
| File EPO and USPTO applications | Q3 2026 | IP Counsel |
| Publish irrevocable patent pledge | Simultaneously with filing | GRAI CEO |
| Notify IETF of patent pledge (per RFC 8179) | With Internet-Draft submission | GRAI Technical |
| File PCT (if additional jurisdictions needed) | Within 12 months of priority filing | IP Counsel |
GL1 Gambling Licence Credential — Complete Field Definitions
The GL1 credential schema is published at:
https://verify.grai.ie/schemas/gl1/v1/credential.json
Schema draft: JSON Schema 2020-12. The credential is a JSON object with three required top-level properties. All fields are fully defined below.
| Property | Type | Required | Description |
|---|---|---|---|
gl1 | string (const: "1.0") | Yes | GL1 protocol version. MUST be "1.0" for this specification. |
licence | Licence object | Yes | The licence details. This object is the input to the signature computation (canonicalised via JCS/RFC 8785). |
signature | Signature object | Yes | Cryptographic signature over the licence object. |
additionalProperties: false — no other top-level properties are permitted.
The core licence details. All required fields MUST be present.
authority.id."GRL-2026-001234"["sports_betting", "casino", "poker"]"2026-04-01T00:00:00Z"| Property | Type | Required | Description | Example |
|---|---|---|---|---|
name | string | Yes | Legal name of the entity | "Example Gambling Ltd" |
trading_as | string | No | Trading name(s) | "ExampleBet" |
registration | string | No | Company registration number | "IE-123456" |
country | string (pattern: ^[A-Z]{2}$) | Yes | ISO 3166-1 alpha-2 country code of incorporation | "IE" |
| Property | Type | Required | Description | Example |
|---|---|---|---|---|
id | string | Yes | Short identifier. MUST match Trust Directory entry. | "GRAI" |
name | string | Yes | Full name of the Authority | "Gambling Regulatory Authority of Ireland" |
country | string (pattern: ^[A-Z]{2}$) | Yes | ISO 3166-1 alpha-2 country code of jurisdiction | "IE" |
uri | string (format: uri) | No | URI of the Authority's website | "https://www.grai.ie" |
verify | string (format: uri) | Yes | Base URI of the Authority's GL1 verification API | "https://verify.grai.ie/api/v1" |
| Property | Type | Required | Description | Example |
|---|---|---|---|---|
territories | array of string (pattern: ^[A-Z]{2}$, minItems: 1) | Yes | ISO 3166-1 alpha-2 country codes where the licence is valid | ["IE"] |
domains | array of string (format: hostname, minItems: 1) | Yes | FQDNs authorised to operate under this licence | ["examplebet.ie", "examplebet.com"] |
apps | array of App | No | Mobile applications authorised under this licence | See App Object |
| Property | Type | Required | Description | Example |
|---|---|---|---|---|
platform | string (enum: ios, android) | Yes | Mobile platform | "ios" |
id | string | Yes | Bundle identifier (iOS) or package name (Android) | "com.examplebet.app" |
| Property | Type | Required | Description | Example |
|---|---|---|---|---|
issued | string (format: date) | Yes | ISO 8601 date of licence issuance | "2026-04-01" |
expires | string (format: date) | Yes | ISO 8601 date of licence expiry | "2027-03-31" |
| Property | Type | Required | Description | Example |
|---|---|---|---|---|
alg | string (const: "ES384") | Yes | Signature algorithm. MUST be "ES384" (ECDSA P-384). | "ES384" |
kid | string | Yes | Key identifier for the signing key | "grai-licence-signing-2026-01" |
x5u | string (format: uri) | No | URI of the signing certificate (X.509) | "https://pki.grai.ie/certs/licence-signing-2026.pem" |
value | string | Yes | Base64url-encoded ECDSA-P384 signature over the JCS-canonicalised licence object | (base64url string) |
The full JSON Schema document (gl1-schema.json):
JSON Schema 2020-12 { "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://verify.grai.ie/schemas/gl1/v1/credential.json", "title": "GL1 Gambling Licence Credential", "type": "object", "required": ["gl1", "licence", "signature"], "additionalProperties": false, "properties": { "gl1": { "type": "string", "const": "1.0" }, "licence": { "$ref": "#/$defs/Licence" }, "signature": { "$ref": "#/$defs/Signature" } }, "$defs": { // Licence, Operator, Authority, Scope, App, // Validity, Signature definitions as above // See gl1-schema.json for complete definitions } }
GL1 Gambling Licence Verification API v1.0.0
Public API for verifying gambling licence credentials issued under the GL1 protocol. Each Issuing Authority operates its own instance of this API. This specification defines the common interface that all GL1-conformant authorities MUST implement.
https://verify.grai.ie/api/v1
GRAI Production — Gambling Regulatory Authority of Ireland
| Tier | Method | Rate Limit | Use Case |
|---|---|---|---|
| Public | None required | 100 req/hour | Consumer verification, casual lookups |
| Registered | API key via X-GL1-API-Key header | 10,000 req/hour | Developers, researchers |
| Partner | Mutual TLS (mTLS) certificate | 100,000 req/hour | ISPs, payment processors |
| Regulator | mTLS + Memorandum of Understanding | Unlimited | Peer regulatory authorities |
Returns the current status and details of a specific gambling licence. This is the authoritative, real-time source of licence status.
| Name | Type | Required | Description |
|---|---|---|---|
| licenceId | string | Yes | The licence identifier (e.g., GRL-2026-001234) |
| Status | Description |
|---|---|
200 | Licence found — returns LicenceResponse |
404 | Licence not found — returns ErrorResponse |
429 | Rate limit exceeded — includes Retry-After header |
JSON { "gl1": "1.0", "licence": { "id": "GRL-2026-001234", "status": "active", "type": "remote_gambling", "activities": ["sports_betting", "casino", "poker"], "operator": { "name": "Example Gambling Ltd", "trading_as": "ExampleBet", "country": "IE" }, "validity": { "issued": "2026-04-01", "expires": "2027-03-31" }, "domains": ["examplebet.ie", "examplebet.com"], "enforcement_actions": [], "last_updated": "2026-04-01T00:00:00Z" }, "authority": { "id": "GRAI", "name": "Gambling Regulatory Authority of Ireland" } }
Returns the licence associated with a gambling domain. If the domain is covered by a valid GL1 licence, returns the licence details. If no licence covers the domain, returns 404.
| Name | Type | Required | Description |
|---|---|---|---|
| domainName | string (hostname) | Yes | The fully qualified domain name to look up (e.g., examplebet.ie) |
| Status | Description |
|---|---|
200 | Domain is covered by a valid licence — returns LicenceResponse |
404 | No licence covers this domain |
JSON { "gl1": "1.0", "error": { "code": "DOMAIN_NOT_FOUND", "message": "No GL1 licence covers the domain 'unlicensed-site.com'" } }
Search for licensed operators by name, trading name, or registration number.
| Name | Type | Required | Description |
|---|---|---|---|
| q | string (minLength: 2) | Yes | Search query (operator name, trading name, or registration number) |
| country | string (pattern: ^[A-Z]{2}$) | No | Filter by operator country (ISO 3166-1 alpha-2) |
| status | string (enum) | No | Filter by licence status: active, suspended, revoked, expired, surrendered |
| limit | integer (1–100, default: 20) | No | Maximum results to return |
| offset | integer (min: 0, default: 0) | No | Offset for pagination |
| Status | Description |
|---|---|
200 | Search results — returns OperatorSearchResponse (array of LicenceResponse with pagination) |
Verify licence status for multiple domains in a single request. Designed for ISPs and payment processors performing bulk compliance checks.
Authentication required: Partner or Regulator tier (mTLS or API key).
JSON { "domains": [ "examplebet.ie", "examplebet.com", "unlicensed-site.com", "another-operator.ie" ] }
Maximum 1,000 domains per request.
JSON { "gl1": "1.0", "results": [ { "domain": "examplebet.ie", "licensed": true, "licence_id": "GRL-2026-001234", "status": "active", "authority": "GRAI" }, { "domain": "unlicensed-site.com", "licensed": false, "licence_id": null, "status": null, "authority": null } ], "total": 4, "licensed_count": 3, "unlicensed_count": 1 }
Returns the list of identified unlicensed gambling operators. Supports delta queries via the since parameter.
| Name | Type | Required | Description |
|---|---|---|---|
| since | string (format: date) | No | Return only entries added or updated since this date |
| format | string (enum: json, csv, rpz; default: json) | No | Response format. rpz returns a DNS Response Policy Zone file suitable for direct loading into ISP DNS resolvers. |
| limit | integer (1–10,000, default: 1,000) | No | Maximum entries to return |
| offset | integer (min: 0, default: 0) | No | Offset for pagination |
| Field | Type | Description |
|---|---|---|
domain | string | The unlicensed domain |
identified | date | Date the domain was first identified as unlicensed |
operator_name | string? | Name of the operator (if known) |
jurisdiction | string? | Where the operator appears to be based |
enforcement_actions | array | Actions taken: warning, blocking_order, payment_disruption, prosecution_referral |
blocking_status | string | One of: pending, ordered, active, expired |
Returns the Authority's metadata, current signing public keys, and federation membership. This is the primary discovery endpoint for Verifiers to obtain the Authority's public keys for credential signature verification.
JSON { "gl1": "1.0", "authority": { "id": "GRAI", "name": "Gambling Regulatory Authority of Ireland", "country": "IE", "uri": "https://www.grai.ie", "contact": "enforcement@grai.ie" }, "keys": [ { "kid": "grai-licence-signing-2026-01", "alg": "ES384", "use": "sig", "x5c": ["MIIBxTCCAWugAwIBAgI...base64-cert"], "valid_from": "2026-01-01", "valid_until": "2027-01-01" } ], "federation": { "trust_directory": "https://gl1.gamblinglicence.org", "member_since": "2026-04-01" } }
| Code | HTTP Status | Description |
|---|---|---|
LICENCE_NOT_FOUND | 404 | The specified licence ID does not exist |
DOMAIN_NOT_FOUND | 404 | No GL1 licence covers the specified domain |
INVALID_REQUEST | 400 | Malformed request parameters |
RATE_LIMIT_EXCEEDED | 429 | Rate limit exceeded for the current authentication tier |
INTERNAL_ERROR | 500 | Server-side error |
The GL1 Verification API specification is published under CC BY 4.0 (Creative Commons Attribution 4.0 International).
IETF Internet-Draft and IANA Registration Requests
draft-grai-gl1-gambling-licence-00
A formal IETF Internet-Draft has been prepared for submission to the Applications and Real-Time Area (ART) of the IETF. The draft formalises the GL1 protocol specification as defined in this white paper, with the precision and structure required by the IETF standards process.
| Field | Value |
|---|---|
| Title | The GL1 Gambling Licence Verification Protocol |
| Draft name | draft-grai-gl1-gambling-licence-00 |
| Intended status | Proposed Standard |
| IETF Area | Applications and Real-Time (ART) |
| Author | Ed Campbell, Security Consultant to GRAI |
| Format | RFC XML v3 (per RFC 7991) |
The Internet-Draft requests two IANA registrations:
| Field | Value |
|---|---|
| URI suffix | gambling-licence |
| Change controller | IETF |
| Reference | draft-grai-gl1-gambling-licence-00, Section 5 |
| Status | Permanent |
| Related information | Per RFC 8615 Section 3.1; serves a JSON document containing a cryptographically signed gambling licence credential. |
| Field | Value |
|---|---|
| Label | _gambling-licence |
| Change controller | IETF |
| Reference | draft-grai-gl1-gambling-licence-00, Section 6 |
| RR Type | TXT |
| Related information | Per RFC 8552 (Scoped DNS); carries a compact, signed gambling licence assertion in tag-value format. |
| Milestone | Target Date | Notes |
|---|---|---|
| Internet-Draft -00 submission | Q3 2026 | Initial submission after GRAI reference deployment operational experience |
| IETF presentation (ART area) | IETF 118 or 119 | Request for working group adoption |
| Working group last call | 2027 | Following implementation experience from multiple authorities |
| IESG evaluation | 2027–2028 | Standards-track review |
| RFC publication | 2028 | Proposed Standard |
Per RFC 8179, an IPR disclosure will be filed with the IETF at the time of Internet-Draft submission, noting the defensive patent (see Part II), the inventor (Ed Campbell), and the irrevocable, royalty-free patent pledge. This satisfies the IETF's requirement that contributors disclose known patent claims on standards-track protocols.