First meeting of the Committee for Modernization of Electronic Signatures in Global and National Commerce Act Certification Standards
Overview
- Date: Friday, September 20, 2024, from 13:00 to 15:00
- Location: Online
- Livestream of the review meeting (via Microsoft Teams): live streaming has ended.
- Agenda:
- Opening
- Mutual election of the chairman
- How to proceed with the review meeting
- Business
- About Electronic Signatures in Global and National Commerce Act
- Review of Last Year's Business
- Policy and Content of Discussions in the Study Group
- The Direction of Modernization Discussions on Issues ① and ②
- How to proceed from the next time
- Closing
Material
- Agenda (PDF/75KB)
- Document 1: "Guidelines for the Fiscal 2024 Study Group on Modernization of Electronic Signatures in Global and National Commerce Act Certification Standards" (PDF/92KB)
- Document 2: "Discussion on the Policies of the Study Group and the Direction of Modernization" (PDF/602KB) (updated October 16, 2024)
- Proceedings (PDF/581KB) (updated October 25, 2024)
- Minutes (PDF/465KB) (updated October 25, 2024)
Minutes
Secretariat (Yamanoe): Now, I would like to begin the first meeting of the Study Group on Modernization of Electronic Signatures in Global and National Commerce Act Accreditation Standards. Ladies and gentlemen, thank you for taking the time out of your busy schedules today. My name is Yamanoe, from the Digital Agency secretariat. Nice to meet you. On behalf of the secretariat, Mr. Kusunoki, Director-General of the Group of Common Functions for Digital Society, Digital Agency, will now address you.
Secretariat (Kusunoki): I am Kusunoki from the Digital Agency. Thank you very much for taking the time out of your busy schedules to attend this review meeting. On behalf of the secretariat, I would like to say a few words of greeting at the opening of the review meeting on the modernization of Electronic Signatures in Global and National Commerce Act certification standards.
As you are aware, various services are being developed and considered for digitalisation in Japan. Among them is the Act on Electronic Signatures and Certification Business, which came into effect in April 2001 and concerns electronic signatures. The members of the Advisory Committee will be able to discuss this law, which was enacted to ensure the smooth use of electronic signatures by citizens and to further promote social and economic activities using networks, including e-commerce, by providing for the presumption of the authenticity of electronic records and the certification system for specified certification services, etc. With this Electronic Signatures in Global and National Commerce Act as a catalyst, provisions for the use of electronic signatures have since been established in various laws, and I believe that this is a law that can affect many aspects of people's lives and corporate activities.
However, with regard to the accreditation system for specified certification services based on this Act, no major revisions have been made to the accreditation criteria since the Act came into effect, and it has been suggested that there is a need to review the criteria in light of recent technological trends and changes in views on security. Last fiscal year, similarly, we had experts discuss issues from multiple perspectives and extracted a wide range of issues from those that can be addressed in the short term to those that require long-term consideration. This fiscal year, rather than waiting for the results of long-term consideration, we would like to have discussions on six main points based on last fiscal year's discussions, so that we can proceed with modernization sequentially from the possible parts. We hope that the committee members will give us their frank opinions and actively consider this matter. Thank you for your cooperation today.
Secretariat (Yamanoe): With respect to the introduction of the members of the Study Group, I would like to replace it with an introduction in accordance with the opening procedures. Next, I would like to decide the chair of the Study Group by mutual vote of the members. The secretariat would like to ask Mr. Matsumoto to take the chair. Is that acceptable?
All: I have no objections.
Secretariat (Yamanoe): As there were no objections, I would like to ask Professor Matsumoto to chair the Study Group, and I would like to ask Professor Matsumoto to lead the proceedings from now on. Thank you, Professor Matsumoto.
Chairman Matsumoto: Yes, I am Matsumoto. I will serve as the chairman upon your nomination. Before I take the chair, I would like to explain the significance of this review meeting.
The Electronic Signatures in Global and National Commerce Act came into effect in 2001, but before 2000, the vision of the electronic society was being talked about, and I recognize that the Electronic Signatures in Global and National Commerce Act was established as a legal system necessary to realize that vision. I myself was hardly involved in the establishment of the Electronic Signatures in Global and National Commerce Act in 2000, but I think the members of this study group remember well what happened in 2000. In 2000, cybersecurity had not yet attracted much attention, and I think the cyber security business had just been launched. In such a situation, I recognize that many of our seniors and predecessors had worked very hard to create a certification standard for the Electronic Signatures in Global and National Commerce Act.
More than 20 years have passed since the establishment of this Electronic Signatures in Global and National Commerce Act, and although the world has changed greatly, there has been almost no discussion on recognition systems and recognition standards after Article 4 of the Electronic Signatures in Global and National Commerce Act. This is not a good thing, as it would waste the efforts of our predecessors.
Another point is that Japanese Electronic Signatures in Global and National Commerce Act, especially the certification systems after Article 4, were greatly influenced by the European Electronic Signatures in Global and National Commerce Act Directive of 1999, and some of them referred to it. However, the European Electronic Signatures in Global and National Commerce Act has already been significantly revised. As you all know, it became the eIDAS Regulation in 2014, which was changed from a Directive to a Regulation. Another point is that in May of this year, the second major revision called eIDAS2.0 was made. In such a situation, I believe that Japanese Electronic Signatures in Global and National Commerce Act is also required to be internationally harmonized. It is often said that we are now in the digital society instead of the electronic society of 2000. I expect that the Study Group on Modernizing Electronic Signatures in Global and National Commerce Act Certification Standards will actively discuss what we can do and what we need to think about in the future in order to make this Electronic Signatures in Global and National Commerce Act contribute to the realization of the Japanese digital society, and I would like to ask for your cooperation.
Then, prior to the meeting, I would like to ask the secretariat to check the materials and explain the proceedings.
Secretariat (Yamanoe): Then, the secretariat will explain, beginning with a check of the materials. There are three types of materials in total: the proceedings, the outline of the meeting, and the document on the policies of the review meeting and the direction of modernization, which will be discussed. Today's materials are posted on the Digital Agency website. If you are attending the meeting, please check them there. Next, as for the proceedings, they are posted on the same website, so I will omit the details. Currently, item 3, "How to proceed with the review meeting", is being explained.
I will explain the details of the event according to Appendix 1. As Mr. Kusunoki of Director-General and Mr. Matsumoto explained earlier, the Act on Electronic Signatures and Certification Business was enforced in April 2001, and there is a certification system for specified certification services based on the law. However, no major revisions have been made to the certification standards since they came into effect, and it has been suggested that the standards need to be updated in light of recent technological trends and changes in views on security. Therefore, the Government will consider updating the certification standards. A total of six items are planned to be examined in this review meeting, and the details will be explained later. In addition, if it is deemed necessary for the progress of the Study Group, the Study Group may invite necessary persons other than committee members and the secretariat to participate in the Study Group as observers and request them to make statements and ask questions. In principle, this review meeting and materials will be made public. In addition, the secretariat will prepare the minutes and summary of the proceedings of the Study Group after receiving confirmation from the members of the Committee. Provided, however, that this shall not apply to the case where the chairperson judges that it is desirable to keep the review meeting, the review meeting materials, and the summary of the meeting private for the protection of corporate information, etc. and obtains the consent of the committee members in advance. In this case, the committee members and observers will be obliged to maintain the confidentiality of the trade secrets they have learned through the Study Group. These guidelines will be revised as necessary. That's all the explanation from the secretariat.
Chairman Matsumoto: Thank you very much. If you have any questions or comments on the Secretariat's explanation, please let me know.
All: No opinion.
Chairman Matsumoto: Thank you very much. Then, I would like to follow the procedures of the meeting and start the proceedings. Due to time constraints, I would like to ask the secretariat to explain agenda items 1 to 3 first. Thank you.
Secretariat (Yamanoe): This is the Secretariat. I will explain along the lines of Appendix 2. The purpose of this Review Meeting is to review the Electronic Signatures in Global and National Commerce Act and the contents of the Review Meetings held last fiscal year, and to agree on the Review Policies. This time, which will be the first meeting, we will advance discussions on (i) and (ii). Before discussing with the committee members, I would like to explain the Electronic Signatures in Global and National Commerce Act. The Electronic Signatures in Global and National Commerce Act was enforced in April 2001 with the aim of contributing to the improvement of the lives of the people and the sound development of the national economy by promoting the distribution of electromagnetic records and the processing of information, by ensuring the smooth use of electronic signatures through provisions for the presumption of the authenticity of electromagnetic records, the certification system for specified certification services, and other necessary matters concerning electronic signatures. It mainly consists of general provisions, the definition of electronic signatures, the presumption of authenticity, and the certification of specified certification services. The certification standards for electronic signatures to be discussed this time are the standards established for a person who intends to have a specified certification service certified by the competent minister under the Electronic Signatures in Global and National Commerce Act, and the members of the committee will discuss this article. As stated, the specific certification standards and investigation policies are provided for in the Cabinet and Ministerial Ordinances, etc.
Next, I would like to give a review of last year's project. In fiscal 2022, JIPDEC, a designated investigation agency, identified issues that were not in line with current operation and the latest technological trends, based on inquiries from accredited certification business operators, etc., and last year the necessity and direction of modernization for the issues identified were discussed. From page 11 to page 13, the contents of consideration up to last year are described for each issue, and I will explain the points for each issue.
First of all, regarding (i), regulations on risk management related to information security in light of international standards: the point of issue is that it is essential to describe information security risk management in light of international standards, and as the status of consideration last fiscal year, it was discussed that it is necessary either to add information on risk management to the Act and the Enforcement Regulations, or to add risk management requirements to the Enforcement Regulations or policies without amending the Act.
Next, regarding (ii), the update of the technical standards for the cryptographic equipment that manages the private key of the Certification Authority: the point of issue is that the technical standards for the cryptographic equipment (HSM) remain equivalent to the provisions of FIPS140-1, a United States standard from more than 20 years ago, and do not meet the current international standard. As a result, last fiscal year it was discussed that the provisions in the policy need to be replaced with ones that refer to FIPS140-2 and ISO/IEC15408.
Next, I would like to discuss (iii), security standards that can be extended to cloud services while meeting international standards. The key issue is that the current enforcement regulations and guidelines require certified business facilities that are installed in an HSM, hold an issuer signature code, and issue server electronic certificates to be installed in a certified facility room; however, they should not be treated as non-compliant simply because they are cloud HSMs, so it was discussed that it would be good if the items shown in the policies (hardware management system, etc.) could be examined.
Next, regarding (iv), the regulations on remote control from outside the Certification Facilities Office and the use of public cloud services: the point of issue is that the current enforcement regulations and guidelines are interpreted as not conforming to the standards for remote control via electronic communication lines and for maintenance work using public cloud services, so guidelines that allow public cloud services were discussed.
Next, regarding (v), the provision on automation in confirming the authenticity of users: the point of issue is that the current policy has been interpreted as requiring the preservation of books recording the names of those who decided to accept or reject the user's application, on the premise that people will confirm the authenticity of users. However, last fiscal year a document on automation in confirming the authenticity of users was issued through a designated investigation agency, and the matter has already been resolved, so it was discussed that the policy should be revised to state this clearly.
Lastly, regarding (vi), the elimination of the difference from the criteria for a person who performs specified certification services and is certified as a signature verifier under the Public Personal Authentication Act: the point of the problem is that the current enforcement regulations do not provide for a method of transmitting a user-signature verification code at the same time as the user applies for it, and it is necessary to issue or send a user identification code, which imposes a burden on both the user and the business operator. Therefore, it has been argued that the method should be unified with that allowed by the Public Personal Authentication Act.
Based on the above, I would like to explain the policy and content of the review by the Review Committee. Based on the review so far, the Review Committee discussed the six directions of modernization from the perspectives of understanding needs, clarifying requirements, and the degree of impact on operations. As a result, for those items decided to be addressed promptly, we aim to implement them on April 1, 2025, and for those that require further review, we would like to continue the review from the next fiscal year onward. Here is the definition of the perspectives I mentioned earlier. I would like the committee members to discuss from the perspectives described here.
A total of three or four meetings are planned, including this review meeting, and we would like to compile a report by the end of the year. That is all the explanation from the secretariat.
Chairman Matsumoto: Thank you very much. If you have any questions or comments on the secretariat's explanations on agenda items 1 to 3, please let me know. What do you think?
Committee member Miyauchi: Nice to meet you. I would like to make a few comments on the direction of the discussion. First of all, the purpose of this meeting was to discuss issues that can be addressed and to leave out long-term issues. However, I believe that there are many points that need to be considered in this discussion other than what is discussed here. Therefore, I would like to make a few comments, although they are not necessarily related to these individual issues and may be viewed from a slightly longer perspective.
First, on page 8 of Appendix 2, there is a current list of laws and ordinances. The bottom part of the list is not a public notice but a notice to the designated investigative agency of the JIPDEC. It has been pointed out for some time whether it is acceptable to include important matters here in the future. I am well aware that it cannot be done immediately this time, but I think it is necessary to look at the direction of the overall structure of the laws and ordinances to some extent. Also, in relation to this, regarding technical requirements, I think it would be better to create technical specifications in a separate place and consider a specialized department or agency instead of creating all of them in Digital Agency or other places.
In terms of how to proceed, I believe that what is important for such electronic signatures is that they can be used by AATL, etc. and verified by ordinary tools. Therefore, I believe that we must proceed while considering the relationship with AATL, etc. I would like to receive comments from the secretariat on this point.
The third point is that there was a little talk about remote signing. If the current enforcement regulations remain unchanged, there will be various issues such as the certified authentication service not being able to receive public keys for key pairs generated on the remote signing side by the remote signing server. I would like to know how this conference will proceed in relation to remote signing. These are the three points. Thank you.
Chairman Matsumoto: Yes, thank you very much. I think there were quite a lot of difficult problems raised, but if there is anything the secretariat can answer, please do so.
Secretariat (Kitainoue): This is the secretariat. I believe you have just pointed out three main points.
First, there is a notification on page 8. As you pointed out, laws and ordinances is positioned as a cabinet order, a rule, or a public notice under it, and it is one of the administrative methods to set certain conditions by notification. Therefore, the notification may be positioned as technical advice rather than explicit regulation, but if you point out that the current status is extremely problematic, for example, that the notification is too weak (as a basis) when using penalties, I am aware that the discussion of upgrading the notification to a higher level may be in a different field that has nothing to do with digital. Therefore, if there is any appropriate reason for such an upgrade, I do not rule out that it will be considered in the future. However, on the other hand, I believe that it is not necessarily the case at this point.
As for the second point, as you pointed out, I would like to carefully discuss the necessary parts of the relationship with the AATL, and in the next and subsequent documents, I would like to clearly state the points that need to be considered when preparing the documents.
The third and final point is about remote signatures. I am aware that there are various issues from the perspective of promoting remote signatures going forward, and I am aware that such issues were mentioned in last year's discussion. However, as for the overall process, the Study Group's policy is to revise what is possible first and modernize it one by one. Considering that, I am also aware that it is not necessarily the case that remote signatures are an issue that can be solved in the short term. This year, I would like to have discussions focused on what can be solved in the short term, and I have not placed it in (I) to (vi). Of course, I would like to add that Digital Agency recognizes it as an issue. That is all from the secretariat.
Committee member Miyauchi: I would like to make additional comments. Regarding the first point, I understand that basically this structure does not cause any problems, but this structure is based on the premise that the current designated investigation agency does not change or will continue to do this; on that premise this notice would be fine, but that is not the case in the first place. It should be fine if there are multiple designated investigation agencies, and I don't think it is very good if it is a notice to one particular agency, and I don't think it is necessarily good for those who are going to be certified in the future, so I hope that they will think about doing something about it in the medium to long term. That's all from me.
Chairman Matsumoto: Yes, thank you very much. I think it would be good for you to speak at this review meeting both about what can be done in the short term and about future issues in the medium to long term. Thank you in advance.
Odajima: Nice to meet you. I have three questions.
There are some points that overlap with Dr. Miyauchi's, but I just wanted to make sure. I just asked about the remote signing on page 15, and I was told that it was a long-term issue, not a short-term one. On the right, it says that the implementation of policies that need to be considered will be continued from next fiscal year onward. Based on what I just said, I thought that the remote signing would be considered for continuation from next fiscal year onward. Please let me know about that. You don't have to answer today, so you can do it next time.
Regarding the second point, I was of course convinced that the goal was to materialize policies for implementation on page 15. Other than that, for example, I was looking at last year's survey and research in fiscal 2023, and I believe there were other proposals other than these six points. These were also mentioned earlier in the section on the implementation of measures, and I thought that they would be continued in the next fiscal year, for example. I would like to ask you about those points.
Regarding the third point, I would like you to take it up as your opinion. I would like to give it as a premise in the section on "Understanding the Needs" on page 16. I am attending the meeting as a member of the Electronic Certification Council, which is a group of certified certification business operators under the Signature Act. Referring to last year's survey and research report, I asked you to let me know if you have any priorities from (1) to (6), and I heard your opinion in advance. Of course, the priorities are different for each certified certification business operator, but regarding (4), each company had the highest priority. If what was decided to be promptly addressed by this review meeting is considered this year and prioritized according to the schedule of implementation next year, I would like you to make (4) a priority. This is my opinion. These are the three points.
Secretariat (Tonami): Secretariat. I have received your three opinions.
The first point, remote signatures, is not concrete at this point, but as this document states that it will continue to be considered from next fiscal year onward, I recognize that it is an ongoing issue to be considered, including how it will be handled in the future, whether it will be handled within the certification standards of the Electronic Signatures in Global and National Commerce Act, or whether it will be handled outside the system, including the points to be discussed by the Study Group.
The second point is that in the last fiscal year's survey and research conducted by Digital Agency, there were proposals other than the six points. We are still at the stage of conducting the last fiscal year's survey, and we have not yet been able to closely examine what needs to be worked on, such as a detailed understanding of needs, or the scope of the impact, so we will continue to consider these matters.
Lastly, in terms of understanding the needs, the use of cloud services was the most needed by the certification authorities. However, in terms of the use of cloud services, the needs are particularly high and the hurdles are also high in terms of how to ask the designated investigation bodies to conduct investigations, so I would like to hear the opinions of the committee members, including those with high hurdles, at this review meeting. Thank you.
Odajima: As for remote signatures, I think that whether to do it inside or outside the Signature Act is certainly one of the discussions, so I think it will be a continuing issue for consideration from next fiscal year. In addition to identification, please try to understand the needs and make it a subject for consideration from next fiscal year.
Regarding (iv), which was a high need, I think it is a very difficult point how to confirm it at a designated investigation agency. I looked at last year's investigation report and it was based on various specific cases, so I think this will be the next time, but I would like to discuss it including the viewpoints of experts other than me. That's all from me. Thank you very much.
Chairman Matsumoto: Yes, thank you very much. As for the cloud, I believe it will be taken up at the next meeting, but I believe there will be various issues this time as well, so please take care of them too. Next, Commissioner Mitsushio said that he would like to ask two questions in a progressive manner. Thank you.
Dr. Mitsushio: I would like to ask a question to the secretariat. I believe that the structure of the overall Electronic Signatures in Global and National Commerce Act was written on page 6. I understand that the accreditation and certification work is written from Chapter 3, but I would like to ask the secretariat what other discussions will be held in the future, or whether there is a timing at which opinions can be expressed somewhere. In particular, I have been watching it for several years and I am concerned about the Electronic Signatures in Global and National Commerce Act as written in the Japan-U.S. Digital Trade Agreement, so I would like to talk about it somewhere. Please tell me the timing.
The other point is that I am a member of the committee that has been studying the standards for accreditation and certification services at the time of their implementation in 2001. Of course, I understand the contents, but compared to that time, I think the speed with which technology changes every day has increased considerably. There may be discussions on remote signing, cloud computing, and AI later, but as an individual theme, I am not at all opposed to studying the accreditation standards for accreditation and certification services this time, but I thought it would be better to exchange opinions at some point on whether to continue with the scheme of accreditation standards, so please tell me your thoughts on that. That's all.
Chairman Matsumoto: Thank you very much. This is an increasingly substantive question, and it may be difficult for the Secretariat to answer, but I would appreciate your cooperation.
Secretariat (Kitainoue): This is the Secretariat. Thank you for your comments and suggestions.
As stated in the title of the Study Group, the Study Group may consider modernizing the certification standards. In particular, the primary purpose and goal of the Study Group is to first work on areas that can be improved in the short term. Therefore, we will first focus our discussions on those issues, and at the end, at the timing of summarizing the discussions, if possible, we would like to consider setting up a forum to discuss the overall issues. I am sorry, but I would like the Study Group to focus its discussions on modernizing the certification standards in the short term. That is all.
Dr. Mitsushio: Yes, I understand very well, and I would like you to make it at least at the end. I have no intention of interrupting the current discussion. Thank you very much.
Chairman Matsumoto: Thank you very much. For example, with regard to Specified Certification Services in Article 2, I would like to ask whether there are no standards for Specified Certification Services that are not accredited. You are talking about standards for accreditation, but standards are actually important even where there is no accreditation. It would be good if such standards were widely used in various places, but I myself have a lot of thoughts about it. I would like to discuss the standards with these points in mind.
Next, I would like to request an explanation from the Secretariat on (1) and (2) concerning the direction of modernization in section 4 of the agenda.
Secretariat (Yamanoe): This is the Secretariat. I will explain from page 18 of Handout 2. First, I will explain Task 1. Regarding the content of last year's review, as I mentioned earlier, in light of the specific criteria, there was a discussion that the criteria for accreditation of specified certification services should also include the concept of a management system that evaluates risks related to information security and implements appropriate management measures, and that it is necessary for each certification business operator to conduct its own assessment and implement measures based on the results.
As a policy for discussion in this Study Group in response to this, from the perspective of crisis management, etc., we consider that risk management related to information security may exist in the current regulations. In addition, since it is necessary to organize the contents that should be specified as risk management standards, we would like to clarify two requirements for Issue 1.
The first point is whether risk management is included in the scope delegated by Article 6, Paragraph 1, Item (3) of the Act, although it is considered that there are already provisions on crisis management in the current Enforcement Rules. Specifically, based on Article 6, Paragraph 1, Item (3) of the Act, considering that matters related to crisis management are prescribed in Article 6, Paragraph 1, Item (15), Sub-item (g) of the Enforcement Rules, whether risk management related to information security can be interpreted as being included in the scope delegated by the Act, and whether matters related to crisis management in the Enforcement Rules can be interpreted as including the meaning of risk management.
The second point is that ETSI requires TSPs to assess and evaluate risks in the standard, but what kind of content should be included as a standard for risk management required for business operators? To be specific, as I have just mentioned, ETSI requires business operators to assess and evaluate risks, take mitigation measures, periodically review, and document and record them in the standard, but what items should be included in the Electronic Signatures in Global and National Commerce Act and what other contents should be included? From the above, regarding Issue 1, I would like the committee members to discuss this issue in detail.
Next, I would like to talk about Task ②. As for the content of last year's review, as I mentioned earlier, there was an argument that the current policy should be replaced with provisions referring to FIPS140-2 and ISO / IEC15408 because the technical standards for cryptographic equipment are equivalent to the standards of the United States more than 20 years ago. In response to this, as a policy of discussion in this Study Group, if it is an update to FIPS140-2, updating the cryptographic standards itself is not considered to be a barrier to new entry, but it is necessary to consider whether it should be consistent with FIPS140-2 or FIPS140-3 in light of the transition of the FIPS140 series, so we would like you to discuss the clarification of requirements and the impact on operation. First of all, to clarify the requirements, regarding the FIPS140 series, the timing and content of modernization should be considered. To be more specific, the current technical standards for cryptographic equipment are equivalent to FIPS140-1 issued in 1994, and FIPS140-2 was issued in the month following April 2001, when the Electronic Signatures in Global and National Commerce Act came into force. In addition, FIPS 140-3 was issued in 2019, but the technical standards have not been revised. However, as described in the Suspension of Issues section, FIPS140-2 will expire on September 21, 2026, and a full transition to FIPS140-3 will begin on September 22. On the other hand, according to a desk study, although the number of products certified as FIPS 140-3 compliant has increased to a certain degree since the beginning of this year, it is limited to a few providers, and the number of products is only about 1 / 6 compared to FIPS 140-2, so it may take a certain period of time to migrate and spread.
Next, regarding the impact on operations, what is the impact of specific authentication operations if the encryption standard is adjusted to either FIPS140-2 / 3? From the above, I would like to ask the committee members to discuss the issue (2) in detail. That is all for the explanation from the secretariat. Thank you.
Chairman Matsumoto: Thank you very much. Yes. Thank you very much. There are (1) and (2), but the contents are quite different, so I think the people who will speak are also somewhat different. First of all, I would like to discuss (1). I would appreciate any comments you may have.
Urushijima: Thank you. The first point is whether or not risk management is included in the current laws, guidelines, and enforcement regulations. I think it is unreasonable to say later that risk management was included in the current laws, guidelines, and enforcement regulations, as I said that risk management has not been implemented in light of the current laws, guidelines, and enforcement regulations. Even if the law is not changed, I think it would be good to add an addition to the guidelines and enforcement regulations, and clearly state that it is not just risk management but information security management that is covered this time, and make it mandatory. This is the first point.
Second, I feel uncomfortable about the discussion that ETSI's risk management should be considered because it is mentioned in the document. From the perspective of general information security management and from the perspective of ISMS, I think it is necessary to say that it is necessary to conduct risk management in light of international ISMS standards, not because it follows ETSI.
The third and final point, which I have been concerned about for a long time, is that information security risk management is said to be carried out, but I am very concerned that the ability to carry out risk management and the ability to assess risks may vary depending on the business operator. For example, I am concerned that there may be wild arguments such as that vulnerability scanning is not necessary because a firewall has been installed. Regarding risk assessment methods and response methods, ISMS and NIST guidelines define risk assessment methods, response methods, and judgment criteria, so I think it would be better to take measures based on these.
The fourth point is about information security risks in the certification business. For example, I believe that there are risk factors common to all business operators, such as errors in the management of keys for CAs, keys for users, and the issuance of certificates, and errors in identity verification. From that perspective, I believe that it would be good for business operators to check whether they are doing this and that under the same standards as each company. Among those risks, I do not think it is necessary to take measures for those that have already been taken and covered by the enforcement regulations and guidelines, but I think it is necessary to properly check risks that are not covered by them. I have four points.
Secretariat (Kitainoue): This is the Secretariat. I would like to give a supplementary answer on the first point. As you say, there will be no revision at all, and we will continue to request it because it has been requested so far. I do not mean to say that we will not change anything, including the guidelines and policies. Considering the current situation of the provisions and rules of the law, perhaps, rather than changing the law, even if we make a request by revising the rules and the guidelines and policies below the rules, especially since there are matters related to crisis management in the enforcement regulations, the secretariat thinks that it is possible to firmly define the necessary parts in the subordinate provisions below the rules. Therefore, there will be no revision at all, and since we have been requesting risk management so far, I do not intend to say at this point that it has been a certification standard for business operators, so I would like to give a supplementary answer on that point. That is all from our secretariat.
Chairman Matsumoto: Thank you very much, . ISMS, or rather, the Electronic Signatures in Global and National Commerce Act was 2000 and it was before ISMS in the first place, so all the international standards for IT-BCP after that were after the Electronic Signatures in Global and National Commerce Act, so if measures are incorporated if they are added later, I think there are probably some parts that are lacking. Also, ETSI has been revising its standards one after another when there has been an incident with a certification authority, so I heard that the problem was that there was no such framework itself.
Secretariat (Tonami): I believe that the second and subsequent comments are as Committee Member Urushijima and Chairman Matsumoto said. When we talk about the standards of the certification authority, we often refer to the standards of ETSI. In particular, I would like to hear and reflect Committee Member Urushijima's knowledge of WebTrust and other certification systems in this way, so I would appreciate your comments in the future as well. In addition, regarding the last point that you commented on, whether or not there are already standards for information security risk management that are covered by the existing standards for certification operations, and whether or not measures should be taken for those that are not covered, it does not have to be this time, but we would like to investigate candidates that may have been omitted from this, so if you could give us advice on such points, it would be very helpful for the secretariat and would make our work easier. Thank you in advance.
Chairman Matsumoto: Thank you very much. Designated Investigative Agency, may I speak to you next?
Mr. Osawa, JIPDEC: First of all, regarding cyberattacks today, I believe that taking measures for critical infrastructure has become much more common than when the Electronic Signatures in Global and National Commerce Act was first established.
Regarding certified commercial facilities, although they are not currently included in the category of critical infrastructure, the fact is that we are aware of the problem of the need to conduct risk management from the perspective of ensuring security.
As Mr. Urushijima mentioned earlier that the ISMS Conformity Assessment System based on ISO / IEC27001 may be applied in light of international standards, I would like to propose that the results of the ISMS Conformity Assessment System based on ISO / IEC 14001 be used as one of the materials for determining compliance with the investigation requirements. This is all I have to say about this matter. Thank you.
Chairman Matsumoto: Thank you very much. I thought it was very close to what Commissioner Urushijima was told.
Another thing is that it is not a critical infrastructure. In the NIS2 Directive in Europe, there is a sector called digital infrastructure, and trust services are included in it. Since trust services are included in the framework of the NIS2 Directive, trust services are regarded as a critical infrastructure in Europe. Therefore, there are requirements for certification authorities as a critical infrastructure, and in a sense, I thought it was an international trend. Thank you very much.
The ISMS is a general information system, but the certification authority has a clear Architecture. I think it has an inherent mechanism to be protected. In that sense, the Electronic Signatures in Global and National Commerce Act standards established in 2000 are quite comprehensive. On the other hand, I think there are some parts that are missing. Thank you very much.
Next, Mitsushio-san, thank you. Thank you for your comments on (1).
Dr. Mitsushio: I would like to ask a question to the Secretariat. First of all, I have one question. Are you going to talk about including risk management? Or, according to my understanding, introducing something like governance standards?
First of all, I'm sorry, I don't fully understand last year's discussion, but is it clearly about risk management?
In short, in my image, risk management is included in the governance standards. On the other hand, when I say risk management, if you ask me whether PDCA mentioned earlier is really included, I think there is a possibility that the flow of risk management is not included to that extent, so it is more like a governance standard, isn't it?
Chairman Matsumoto: Thank you very much. Please give us your comments. Indeed, I think that it refers to IT-BCP.
Secretariat (Tonami): As you pointed out, as described in this document, ETSI also uses the term risk assessment, and we are aware that there are some parts that are pulled by that term. We understand that risk management is actually included in governance, and that there is no point in introducing risk management without governance. That part of the criteria this time has not been clearly discussed, so we would like to consider it at the secretariat based on this discussion. I would also like to hear comments from members of the Diet on whether governance should be built in the certification authority and whether it should be the certification standard.
Dr. Mitsushio: I understand. Then, I would like to comment on a few points based on the image of governance.
One is a historical background or a matter of timing. The Electronic Signatures in Global and National Commerce Act came into effect in 2001, and as Chairman Matsumoto mentioned, the ISMS was implemented in 2001. Around that time, as I also participated, the COBIT governance standard has been organized since the 1990s, so in that sense, I honestly think that the concept of governance was not really incorporated when this Electronic Signatures in Global and National Commerce Act was created, so I think it would be better to include it. As a technical matter, I remember that in Article 6, Item 3 on page 20, equipment requirements, identity verification process requirements, and others were included in "others," so I think it would be possible to interpret it as including governance and not to revise the law. However, as I mentioned earlier, governance is becoming more important now, so if possible, I think it would be better to exclude governance as a matter of law enforcement.
As for the standards, I agree with other people. Rather than referring to ETSI's individual auditing standards, ISMS and ISMAP, in which I am involved, also use the terms governance standards, management standards, and control measures standards as a summary. In that sense, I think those management standards are mostly applicable. In addition, METI's system Electronic Signatures in Global and National Commerce Act standards also organize items related to governance, so I think it would be good to refer to those. That's all.
Chairman Matsumoto: Thank you very much.
Mr. Mitsushio, from the Electronic Signatures in Global and National Commerce Act in 2000, you all know about the ISMS at that time, but I think that our juniors are already getting confused if we don't say why there is such a thing or why there is not such a thing, so I think it would be good if you could make various comments here and fix what needs to be fixed.
Is that OK? Let's move on to the next step. There are 3 comments from Mr. Odajima about (1). Thank you for your cooperation. As the position of the Electronic Certification Authority, it will cost a lot and there will be various things, so thank you for your cooperation.
Odajima: First of all, on page 24, I would like to ask whether it is included in the scope of the Act, but Article 6, Paragraph 1, Item 15 of the Act is basically limited to matters related to the compromise of the private key of the certification authority from the content of the investigation by the designated investigation agency. In that case, I would say it is called risk management or risk assessment, and it may be better to say it is governance, but I don't think it strictly includes such matters.
On the other hand, I understand that it is difficult to revise the law, so I will try to make it as easy as possible for Mr. Digital Agency, but I understand that it is not included in reality, so I think it is better to reflect it, regardless of the method of revision. That is the one point.
Second, after something is reflected, the certification authority and the designated investigation agency will be in a position to implement or investigate it. What kind of things should be done at that time, as the chairman said earlier, I think we need a method to reduce the cost as much as possible for both sides. I would like to ask you to consider that as well, and I would appreciate it if other members of the committee other than me could give us their knowledge.
It's hard to say, but ETSI 319 and ETSI 401, which I mentioned earlier, are similar to what Mr. Mitsushio said earlier, and I think they are doing something a little close to governance. For example, as you wrote in the handout, for example, risks are divided into four categories, and how they should be handled, and management, in the end, where risks are allowed, it should be approved at the top level of the company, and such things are included. In the end, if ISMS alone does not include such things, I think it would be better to include them. These are the three points. This is a comment, so I don't want to ask for any comments.
Chairman Matsumoto: Thank you very much. You said there were no particular questions, but do you have anything from the secretariat? If you have any comments, please do so. Is that okay? Now, let's move on.
I have one comment from Committee member Miyauchi. Thank you in advance.
Committee member Miyauchi: I would like to express my opinion on Point 1-1. First of all, from the conclusion, there is no need to change the law, but I think it would be better to change the enforcement regulations.
First of all, I would like to explain the reason why there is no need to change the law. As written here, what corresponds to Article 6, Paragraph 1, Item 3 of the Act is Article 6, Paragraph 1 of the Enforcement Regulations Act. There are Items 1 to 15, and Item 15 is further subdivided, but among them, audit accidents and various other things are included a lot, and Paragraph 1, Item 3 includes a very wide range of checks on the business related to the application as specified by the competent ministry, so I think it will be included even if we try to include risk management in Paragraph 1, Item 3. Therefore, I don't think there is a need to change the law itself, but in the Enforcement Regulations, the provisions related to Item 15, G fall under Paragraph 4, Item 8, (3) of the Policy, but in fact, it only describes exposure. Therefore, it seems that the current crisis management is understood relatively narrowly, so it is better not to leave it as it is, but to revise the phrase that risk management or governance is included here, or to make H next to G to clearly state that risk management, etc. is included, and to change the Enforcement Regulations to clearly state matters related to risk management, etc. in either way. That's all from me.
Chairman Matsumoto: Thank you very much. I think this is an important point of view. I have heard that the law itself must be changed to the way it should be, or I will not be able to understand the situation as time passes. Thank you.
Lastly, Mr. Urushijima would like to make another comment, but I don't have any time to spare, so please do so.
Urushijima: Thank you. Mr. Mitsushio, who was mentioned earlier, commented that it would be a good idea to include this in governance. When we think about things like international mutual recognition, for example, WebTrust or ETSI standards, I think it is important to clearly state that risk management is being implemented. From that point of view, I think it would be good if the certification under the Electronic Signatures in Global and National Commerce Act is something that shows that risk management is being properly implemented, whether it is the enforcement regulations or whatever.
Regarding governance, rather than including it in the wording, for example, looking at the CP / CPS as a whole, it is written about governance and scattered, so I feel that it is difficult to write a word about governance somewhere. That is all my comments.
Chairman Matsumoto: Thank you very much. Although it is not within the scope of this meeting, the reality is that international harmonization is being demanded, and I feel that the background of this discussion is what to do in order to meet this demand, so I think it is a reasonable story.
I believe that the majority of the members of the Imperial Household Committee are of the opinion that it is necessary to revise certain laws and regulations, such as the Enforcement Regulations, as mentioned earlier.
Now, the second item on the agenda. It's quite a different story, but I'd like to discuss FIPS140.
If you have any comments on this, please write in the chat. But this is terrible, isn't it? It is still amazing that it is 140-1. Thank you very much. First of all, I would like to ask Commissioner Urushijima who is very knowledgeable about HSM.
Urushijima: Thank you. First of all, regarding HSM, I think we are currently in a transitional period from FIPS 140-2 to 140-3. I have the impression that 140-3 products have not been fully developed yet, so for now, I think it would be good to approve 140-2 or 140-3 products.
In addition, I think there are some points that should be clarified and clearly stated in various aspects. First of all, there is a high possibility that the FIPS Active status expires every five years, including FIPS and Common Criteria, so I think we must design the system with that in mind. For example, if FIPS becomes Historical, what should we do with it? In principle, I don't think it's OK, but in that case, at what point of time should FIPS Active status be required, and whether this is at the time of application or under investigation, or what should we do if it expires during the operation process, I think we need to clarify these things.
Also, if a defect is found in the HSM function required for the certificate authority, it can't be helped if it becomes Revoked, but I think there are cases where it becomes Revoked or Historical for unrelated reasons.
For example, a defect was found in the implementation of AES encryption and it was revoked. In such a case, it is not related to the operation of the certification authority, so if it is not related, it is OK to continue using it. If this is clarified as a standard, the situation can be eased and I think it is good.
Lastly, this is not written in the document, but I think it is necessary to clarify the level. For example, Level-3 or higher in the case of FIPS 140, or EAL4 + or higher in the case of Common Criteria. I think it would be good if the standards describe what to do with such a level. That is all my comments.
Chairman Matsumoto: Thank you very much. But cloud service providers are the ones who buy the most HSMs nowadays. In a sense, they are used everywhere, so I was wondering how everyone, not just certification authorities, is doing. Thank you.
Next is Commissioner Mitsushio. Thank you for your help.
Dr. Mitsushio: I would like to ask a question to the Designated Investigation Agency. My question is whether it is correct to understand that the FIPS certification is confirmed at the time of the examination. I mean, first of all, my understanding is that it is not written as FIPS, but it is written in Japanese. At that time, around 2001, I heard that there was only such a way. Earlier, as Dr. Urushijima mentioned, I think it is OK to write XX Level or higher and the certification, so in that sense, I think it is better to write it explicitly.
However, I have also heard that FIPS is not a Japanese system, so I understand that. If it can be written in ISO or other formats, it will be available, and I would like to say that these should be improved. That is all.
Secretariat (Tonami): This is the Secretariat. First of all, I think it would be good to accept both FIPS 140 (2) and (3) in the current situation, and the Secretariat was concerned about that, so thank you for your opinion.
Mr. Mitsushio also expressed his opinion that it would be better to clarify, clarify, and clarify the FIPS standards. However, I believe it is a valuable opinion that there is such a demand, including the fact that it is the U.S. standards, and that it would be difficult to directly write such a statement in the certification standards.
We also think that if it is necessary and if we can use such expressions, it would be better to do so. As you said, it is the U.S. standard, so whether it is better to draw it as the standard of the Japanese certification authority or to quote it is a discussion that does not appear at this time.
If there are any other opinions, I would like to hear them.
Chairman Matsumoto: Thank you very much. You are well aware of this, but in 2000, there were Japanese HSM manufacturers. They said they needed to accept it, which was not a very good thing, but they all withdrew. At CRYPTREC this summer, Dr. Tsutomu Matsumoto deplored the lack of Japanese HSM manufacturers. As an industrial policy, the fact that there are no Japanese HSM manufacturers is very bad in many ways, and it is very undesirable to have a situation where various trust anchors are connected to them. On the other hand, from the viewpoint of certification authorities, the fact that they have FIPS140, which is close to the de facto standard, has become the de facto standard worldwide. Certification authorities are not in much trouble, or rather, there is no need to consider it, but I thought they should be reminded once again that HSM is quite important.
Yes. Next, Osawa-san from JIPDEC, who knows the current situation very well, please take care of it.
Mr. Osawa, JIPDEC: First of all, I would like to answer Mr. Mitsushio. To be honest, we have confirmed the certification results of FIPS 140-1 and 140-2. As for the opinion of the designated investigation agency on this matter, there is currently a so-called guideline that was last revised in 2020, but unfortunately that guideline does not mention the technical standards for cryptographic equipment. The designated investigation agency has confirmed the reliability of cryptographic equipment based on the policies indicated to the designated investigation agency in the form of on-the-spot investigation policies, such as Mr. Digital Agency's De Company No. 5 or Mr. Ministry of Justice's Minsho No. 157.
However, regarding this policy, rather than specific technical standards for cryptographic equipment, as you just explained the background, it was interpreted that it was written by extracting the security requirements of the U.S. Federal Information Processing Standard in 2001, so-called FIPS140-1, and it has been interpreted to this day.
As stated in the materials compiled by Mr. Digital Agency, and as also stated by Mr. Urushijima, certification authorities around the world are already in the transition phase from FIPS 140 Version 2 to FIPS 140 Version 3. In regard to this issue, as I have been saying to the competent ministries and agencies and at meetings of various multi-brand display area organizations, I understand that the JIPDEC will review the certification criteria as soon as possible so that they can be clearly read in the guidelines, but I hope that the urgency will revise the certification criteria as soon as possible. That's all from me.
Chairman Matsumoto: Thank you very much. Does the secretariat have anything to say about what Mr. Osawa said?
Secretariat (Tonami): It's okay.
Chairman Matsumoto: Thank you very much. Yes. Next is Commissioner Odajima. I heard that there are three comments, and I think it is the position of the certification authority, but I appreciate your cooperation.
Odajima: I have three questions about (2).
As I mentioned in the document earlier, I don't know if it's appropriate to say that FIPS140-2 and 140-3 are not good times, but the certification authority is also in trouble. If we choose 140-2, we know that it will be a bad result in the future, but I have also heard that 140-3 is difficult to obtain easily now.
This is not a direct transaction, but a multi-step transaction. For example, the reality is that it is difficult for the vendors who provide CA systems to deal with the situation. It is quite difficult at the moment, and as you mentioned earlier about the CRYPTREC, in the fall of 2028, the certification authority is preparing for the next-generation cryptographic transition as an event. If the HSM can be easily changed, of course, it will be responded to immediately, but it is not such a situation. In fact, it is difficult to make an easy decision. For example, there is a talk that the amendment will be implemented as soon as possible next year, but I think the reality is that it is not easy to make a decision on the second point. In particular, as you mentioned earlier about the history, I talked about domestic manufacturers in the 2000s. There are virtually no domestic products now, and only a limited number of companies can place orders. In fact, there are cases where inquiries are not easily answered. In general, in terms of modernizing technical standards, I think amendments should be made, but I would like you to look at the reality and finally ask the competent ministries and agencies to make a decision.
Regarding the third point, I would like to share with you the perspective of business continuity of accredited certification business operators. In the past, there were some new business operators who came in and left in the middle. Most of the withdrawals are costs. I believe that the cost is a significant impact from the perspective of business continuity. Regarding (1) and (2) this time, of course, I recognize that they are very important from the perspective of modernization, but on the other hand, I believe that the business continuity of accredited certification business operators is also important, so I would like you to be aware of this, and if it costs money, it will of course affect the signatories and users, so from that perspective, I think it is important from the perspective of the economy of the people. It is difficult to say, but I made a comment on the point of view of accredited certification business operators. I do not ask for a response. That is all, thank you very much.
Chairman Matsumoto: Thank you very much. I believe that you are most familiar with the actual situation of the members of the Electronic Certification Council, such as Mr. Odajima, and Mr. Osawa, the designated investigative organization, and that there is a need to coordinate the standards in response to this. However, I think that the broad view is that it is not at the level of FIPS140-1. Thank you.
In general, I think we have all agreed on (2). I would like to move on to the last agenda. Regarding agenda item 5, please explain from the secretariat.
Secretariat (Yamanoe): This is the Secretariat. I will explain about page 28 of Handout 2. For the second meeting, we plan to have a review of today's discussion and a face-to-face discussion on issues ③ to ⑥. We will contact the committee members later about the venue and date of the review meeting. Based on the review status of the second review meeting, the third review meeting will be held in late November, and the fourth review meeting will be a review of the review based on the report. Thank you for your cooperation. This concludes the explanation from the secretariat.
Chairman Matsumoto: Thank you very much. Do you have any comments? I feel that (iii) to (vi) in the next meeting will be heavier. Today's (i) and (ii) will raise the standards, and as Commissioner Odajima mentioned earlier, they are close to a costly method, but (iii) to (vi) are more about trying to issue certificates to certification authorities in a more reasonable manner in the future. If this is done, it will be difficult to evaluate it, and I feel that it is a very troublesome issue, but if this is not done properly, the competitiveness of certification authorities themselves and Japan will be lost in the first place, so I feel that it will be a very important discussion in the next meeting.
Odajima: First of all, in terms of the schedule, you mentioned that the fourth round will be implemented around December, or as early as April next year. I would like to confirm the schedule up to that point. For example, I believe there are public comments, but if you are actually going to undergo an investigation by a designated investigation agency, please tell me if you have any assumptions about the timing and duration of the amendment of the questionnaire. If all the content this time is, for example, not only the content of the questionnaire is changed, but it may also affect the amount of money and investigation fees of the investigation agency, so I would like to confirm it.
I would like to add one more point. We do not completely agree on governance, but Article 6, Item 15 (b) of the Enforcement Regulations states "the responsibilities, authority, and chain of command of those engaged in business operations." This is a rather narrow description, but I thought it might be appropriate from the perspective of governance. That's all.
Chairman Matsumoto: Thank you very much. As for the first question, it may be related not only to this time, but also to the next agenda, but if you have any comments, please do so.
Secretariat (Kitainoue): This is the Secretariat. I would like to answer the first question. Regarding the flow after the fourth meeting, as you pointed out, I believe that it is basically possible to revise the rules and regulations this time, and if such a case is considered, if it is actually revised, we will make a public comment. In that process, I have not been able to consult with the designated investigation agency in detail about the specific costs of the investigation, so I do not have a place to answer at this time, but I would like to consider it at an appropriate time and give a sufficient advance notice. I am sorry that I did not give a clear answer. That is all.
Chairman Matsumoto: Thank you very much. If you have any other ideas or suggestions on how to proceed from the next meeting, please let me know. If there are no special questions, I would like to close the first meeting here. I look forward to working with you next time. Thank you very much for today.