
Third meeting of the Study Group on Modernizing Electronic Signatures in Global and National Commerce Act Accreditation Standards

Overview

  • Date: Tuesday, November 26, 2024, 15:00 to 17:00
  • Location: Online
    Live streaming of the review meeting (via Microsoft Teams)
    *Live streaming has ended.
  • Order of business
    1. Opening
    2. Proceedings
      1. Additional discussion on the direction of modernization
      2. About the next meeting
    3. Adjournment

Material

Minutes

Secretariat (Yamanoe): The third meeting of the Study Group on Modernization of Electronic Signatures in Global and National Commerce Act Accreditation Standards will now begin. Ladies and gentlemen, thank you very much for taking the time out of your busy schedules today. My name is Yamanoe from the Digital Agency, and I will serve as the secretariat. Nice to meet you. First, the Secretariat will check the materials. There are two materials in total. The first one is up to the article. The other one is about the additional discussion on the direction of modernization. Today's materials are also posted on the Digital Agency website, so if you are attending, please check there. Since there are many matters to be discussed at today's Study Group, before the proceedings, I will review the Study Group's work so far in accordance with Material 1.

As for the investigation, I will explain it again in each item later, but as for directions (1) to (6), as shown in this document, they were discussed at the first and second review meetings. In addition, in today's review meeting, based on the concentration of the remaining points, the order of discussion will be (1) and (2), followed by (6), and then (3) and (4).

Then, I would like to ask Chairman Matsumoto to proceed with the proceedings from now on. Then, Chairman Matsumoto, thank you for your cooperation.

Chairman Matsumoto: Now, I would like to start the proceedings, and I would like to ask for a lively discussion following the first and second meetings. There are five points, so I would like you to explain them one by one, and I would like to have a discussion later, so first of all, I would like the secretariat to explain (1). Thank you very much.

Secretariat (Yamanoe): This is the Secretariat.

I will explain from page 7 of Material 1. Regarding Direction (1), at the first Review Meeting, there was a discussion that although it is not necessary to revise the law, it is necessary to specify the obligation of risk management in the Enforcement Rules, that risk management is not just a security measure but should be positioned as governance of the entire organization, and that it should be incorporated with reference to standards for governance such as ISMAP. In response to the first Review Meeting, as additional content to be discussed at this Review Meeting, we would like to have a discussion on the standards to be incorporated as governance of the entire organization. A table of contents of each standard and specification is shown on page 9, and an excerpt of the part related to governance is shown on page 10. With reference to the outline on pages 11 to 15, we organize each standard and specification from the viewpoint of the minimum requirements for approved business operators, etc., and the secretariat believes that at least two points, clarification of responsibility and authority, and evaluation of and response to risks related to information security, are common points.

Based on the above, I would like you to discuss three points regarding Direction (1). First, as the secretariat, I believe that the two common points I mentioned earlier are necessary, but are there any other matters that should be requested?

Second, regarding the clarification of responsibilities and authorities, Article 6, Item 15 (b) of the Enforcement Rules requires that the responsibilities, authorities, and chain of command, etc. of those engaged in operations be appropriately defined and implemented. In addition to this, is it necessary to further clarify the responsibilities and authorities of the Board of Directors, etc. (regulations on IT governance)?

The third point is, regarding the criteria to be included in the governance of the entire organization, the second item from the bottom on page 16, in blue, gives an example of the criteria. The third point is what kind of criteria should be used and what kind of survey method should be used by the designated survey organization. That's all from the secretariat. Thank you in advance.

Chairman Matsumoto: Now, I would like to start the question and answer session. If you have any questions or opinions, please write that you would like to speak in the chat section. I am looking at it, so please go ahead. I would like to thank Mr. Urushijima for his prompt attention.

Committee Member Urushijima: The way the issue has been organized is a little too narrowly focused, and I think it would be better to go back to the background of why there is a need for additional regulations on risk management and why there is a need for modernization.

For example, EN 319 401 of eIDAS, WebTrust for CA, Baseline Requirements of CABF, and other requirements of international certification authorities require periodic risk assessments, so I think we should have responded to them (based on Digital Agency's past hearings with business operators and research).

Even if governance measures are taken, I understand that risk assessments are conducted as part of governance measures, but I believe that if we do not focus on risk assessments properly, for example, it will probably not be possible for a certified business operator to submit the results of a sloppy risk assessment and say that it is okay to do so because it was conducted. I believe that such a situation needs to be avoided.

For example, I think that there are specific risks common to certification authorities to some extent, and as I explained a little in the first round, for example, there is a risk that operation deviates from the CP/CPS, such as two-person operation being specified in the operating rules but not actually carried out. For example, even if it is said that FIPS-certified products should be used for key management, keys are actually kept in the OS keystore and can in fact be duplicated. There are several specific risks, and I think that it is necessary to confirm whether each of them is being addressed, at least through a certification survey across certification authorities.

For your reference, in the certified time stamp of the Minister for Internal Affairs and Communications, the designated investigation organization lists such common risk items, for example, how to respond to the risk of issuing a wrong time stamp when the time is different from the standard time, and what kind of risk measures are taken and assessments are made for specific risks such as the risk of unauthorized operation of operating terminals, so I thought it would be good to refer to these.

In addition, I think that the issue of clarifying the authority and separation of responsibilities is not about risk management. For example, although the authority is defined, how do you handle risks that are not observed? So, the issue of clarifying the authority is secured by other items, so I think it is not necessary to take it up in the risk assessment discussion. That is all from my comment.

Chairman Matsumoto: Next, I would like to ask Mr. Odajima's comments.

Committee Member Odajima: Actually, I would say the same thing as Mr. Urushijima's opinion, but I think I was originally talking about the criteria for risk assessments. It seems to be a little specialized in governance, and I can see the details of the points I was talking about. If anything, I would say that risk assessments are properly conducted within the certification authority, and the results of the assessments show that risk management, etc., or for example, if there are residual risks, they are accepted as a company and as an organization, and they are documented. I think that was the beginning, so I have the impression that the front and back are reversed.

In that sense, I think it would be good for you to go back to where you were. That's all from me.

Chairman Matsumoto: I think Mr. Urushijima and Mr. Odajima mentioned that we need to add more specific and realistic things for certified business operators, that is, CAs. Next, I would like to ask Mr. Mitsushio. I think he understands the differences in this area the best. Thank you in advance.

Committee Member Mitsushio: I may be able to confirm half of it, but based on what you two have just said, my understanding of risk analysis is slightly different. I am talking about the law, so if it is a common risk, it should be stipulated by law, and even if it is not stipulated by law, I think it should be properly written at the questionnaire level. In that sense, I don't think it is a matter of asking for common risk analysis in general.

I don't think I can write about asking you to analyze risks in individual situations in laws, regulations, and survey sheets. I mean, recently, various situations have been changing. In 2000, we first created the Electronic Signatures in Global and National Commerce Act. At that time, we didn't say much about governance, but to ensure the governance of each company, we analyze risks. I don't mean to say that detailed risk analysis is necessary at all. In conclusion, I think we assume unknown risks, risks that are assumed by each company individually. In that sense, I think risk analysis is done to a certain extent because risk analysis is different in each company. In ISMAP, rather than risk analysis, there are not many regulations on governance. Basically, even if you look at COBIT, etc., governance consists of setting policies, monitoring them, and evaluating them. In that sense, management policies are clearly shown, various risks are analyzed in the risk table, and such things are monitored.

In that sense, what kind of standards were there in today's discussion? But even here, in reality, when it comes to the legal confirmation method, it is not a substantive confirmation, but rather, when it comes to the legal confirmation method, it is whether documents such as policy statements and other content of risk analysis are prepared. Whether we can really evaluate completely within each individual, there may be cases where we can evaluate to some extent, but my understanding is that it is difficult. That is all.

Chairman Matsumoto: I see. Next, Committee Member Miyauchi, please.

Committee Member Miyauchi: I would like to make a comment from a slightly different perspective. In the second part shown here, I believe there is a discussion on clarifying the responsibilities of directors, etc., but basically, what the board will do about IT governance is a company-wide discussion, regardless of whether it concerns Electronic Signatures in Global and National Commerce Act certification or not, and I have a lot of doubts about it.

Therefore, I think that it is better for the company as a whole to properly conduct IT governance, but I don't think it is necessary to write that in the certification criteria of the Electronic Signatures in Global and National Commerce Act. In addition, when applying for certification, the representative director's institutional decision has probably been made, and this application has been made, so at least a certain amount of confirmation has been made by the management, so when I think about it, I don't think it is necessary to write this much. That's all.

Chairman Matsumoto: Mr. Mitsushio said that ISMAP and the like are deeply involved on the certification authority side. Mr. Miyauchi also expressed his opinion on legal matters. Do you have any other opinions?

How about looking at a certification authority from the perspective of JIPDEC?

Mr. Osawa (JIPDEC): To be honest, from the perspective of the current Electronic Signatures in Global and National Commerce Act, we are not looking deeply into these matters, so it will be difficult unless you clarify what we should actually look at and from what perspective.

Chairman Matsumoto: Will it be combined with other systems such as ISMS, which was also discussed last time? Time has come for us to move on to the next topic, but it seems that some conclusions have been reached or not. I understand that it will be done in the direction, but there are some opinions that are divided on how to do it. What will the secretariat do? Do you have any views on this?

Secretariat (Tonami): Regarding the opinions received from Committee Members Urushijima and Odajima in the first half, and Committee Member Mitsushio and Dr. Miyauchi in the second half, for example, the major difference is that the necessary standards for certification authorities have already been written in the Electronic Signatures in Global and National Commerce Act standards, so the common parts have already been written and there is no need to establish special governance standards, and I think there is a difference in the point of view that the PDCA cycle for risk assessment should be run according to the circumstances of each certification authority. It is not clear which way the Secretariat is thinking at this point, but for example, there are some who agree with the circumstances of each certification authority, and for example, there have been cases where education has been neglected due to major organizational changes, so I think that assessment at each certification authority should be done as an initiative of each certification authority, regardless of whether it is required as an accreditation standard for the Electronic Signatures in Global and National Commerce Act.

So, I have just listened to your opinions, and based on the direction and difference of your major opinions, I would like to ask you again what you think of each other's opinions. I think it will take a little more time, but I would like to hear your additional opinions on this point.

Chairman Matsumoto: Committee Member Mitsushio, please.

Committee Member Mitsushio: I thought a little about one thing. I understand that in the current Electronic Signatures in Global and National Commerce Act's accreditation criteria, only operations are mentioned. Of course, it says what should be done, but I understand that there is absolutely nothing about the relationship with the board. As Dr. Miyauchi said when I was in charge of accreditation work, I am not saying that we should talk about the business of the entire company, but I understand that it is a commitment by the management of the company related to accreditation work. In that sense, I am of the opinion that how the management is involved within a limited range is necessary. That is all.

Chairman Matsumoto: I think that it is practically done, but it is not clearly stated.

Committee Member Mitsushio:

Chairman Matsumoto: Committee Member Urushijima, please.

Committee Member Urushijima: That has already been written here. Rather than what the board of directors does, for example, whether internal audits are conducted under a properly independent system and the separation of authority of operators when using an HSM are more important, I think. I think the separation of authority is not something that the board of directors does or does not do.

I believe that it is necessary to confirm the results of the risk assessment, such as the risk management table that Mr. Mitsushio mentioned, as an output after the investigation. Regarding this, for example, in the case of time stamps, in addition to the common risks, each company's individual risks are also added and submitted, so I think that the judgment of the risks of individual companies is covered there. Yes, that's all from me.

Chairman Matsumoto: There is a slight split in opinion, but there are two directions. It may be good to do both, but what do you think?

Committee Member Odajima: At present, I do not know to what extent, but I believe that each company always obtains the approval of the Board of Directors, in other words, the management team, and conducts its operations. For example, if there are any accidents, it is reported to the Board of Directors, and how to deal with the consequences afterwards, etc. are usually recorded in the minutes, etc. I believe that the Ordinance for Enforcement of the Electronic Signatures in Global and National Commerce Act and laws and ordinances do not clearly state governance, as Mr. Mitsushio mentioned. I believe it is possible to understand that it was not enough when it started in 2000 and has reached the status of consideration.

In the first part of the paragraph that is written in the details of the issues, we will conduct a risk assessment related to information security and keep a record of documents as organizational management. If the designated investigation agency can confirm the results of management and governance related to the documents, it may be different to some extent, but I think it is what they are actually doing. Therefore, I thought it would not be such a burden. Also, regarding the fact that it can be confirmed if there is third party certification, I think there is no problem as long as those are included.

Chairman Matsumoto: Committee Member Miyauchi, please.

Committee Member Miyauchi: Regarding the Board of Directors, the standards listed in the document that refer to the Board of Directors and management are probably on pages 12 and 15. First of all, if you look at page 12, there is the Board of Directors in the middle here. For some reason, I think the ethical code and leadership for change are very company-wide.

As you can see on page 15, the top management seems to be fairly thorough in terms of the effectiveness of information security activities, and it may be that they are aiming at ISMAP and other such things. However, I felt that there is a bit of a gap between what the certification authority is about and the duties and responsibilities of the top management of the board, which I am talking about here, so if I were to include something like this, I thought it would not be necessary to include anything in the Electronic Signatures in Global and National Commerce Act certification. That's all.

Chairman Matsumoto: A certification authority has a CP/CPS. Rather than following a general security system, the CP/CPS is closer to an architecture, so I don't know why that is. I heard that Mr. Mitsushio would like to have some kind of written document rather than going in the direction of a separate burden, and that there are actually some items to be added to the survey table, as Mr. Urushijima said, but what do you think?

Committee Member Miyauchi: It's okay to add, but I think it's probably best not to write about things that are being done by the company as a whole, as you see here. I don't think it's a matter of a board meeting with management. Of course, the company's rules and bylaws ultimately make the directors responsible. Therefore, I thought Article 6, Item 15 (b) of the Enforcement Regulations written here would be fine without working any harder. It's the part written in black letters in the middle of page 16. I said it was decided by this because I didn't think it was necessary to write that it was the responsibility of the directors to decide it. That's all.

Committee Member Mitsushio: Probably, there is no problem when it is operating well. Probably, when there are various problems in the company's business, for example, when an accident occurs, I think it is a desire to have them cooperate well and properly with the management.

Committee Member Miyauchi: I can understand that.

Committee Member Mitsushio: Therefore, in general, there is no need to make a big deal out of it, and I understand that I have not seen many people make a commitment to the CP/CPS and other such matters, and to the certification work itself, though it may be only a word, until now. I think I was a little concerned about that. If I can cover that, as Mr. Matsumoto and Mr. Odajima said, it is something that is done as a matter of course, but I understand that I will have them express it properly. That is all.

Chairman Matsumoto: A certification office has a CP/CPS and operates in accordance with it. If it operates normally, I think it has achieved a very high level of security, but I think you are saying this because you know about the situation around 2000, as Mr. Mitsushio does, and I think this point of view was not enough at that time.

In terms of details, of course, there is one more point that was not understood at the time of 2000, such as the time stamp mentioned earlier, and there is one more point that has been found, so I thought there were two points that should be revised. What do you think? If we can't investigate, it can't be helped. What does the secretariat think?

Secretariat (Tonami): I think it would be difficult to summarize the opinions I have just received here today, but it sounds like we were able to reach a mutual agreement on some of the common points. Next time, I will summarize the opinions I have received this time and summarize the options that were slightly different in direction this time so that they can be seen at a glance, and I will ask for agreement again on the common points, and I will continue to discuss options without including them in this year's review, and I will ask for the clarification of those that are not included in the Electronic Signatures in Global and National Commerce Act's accreditation criteria from the viewpoint that they have already been implemented.

Chairman Matsumoto: Next, the secretariat will please explain direction (2) of the modernization.

Secretariat (Yamanoe): This is the Secretariat. I will explain from page 17 of Handout 1.

Regarding direction (2), at the first review meeting, it was discussed that it is necessary to update the technical standard of cryptographic equipment to FIPS140-3 itself, but since there are very few products that comply with FIPS140-3, it is necessary to make it at least equivalent to FIPS140-2 at this point, and it is also necessary to consider the trend of related products in Japan when deciding when to move to FIPS140-3. In response to the first review meeting, at this review meeting, as additional content to be discussed, we would like to have a discussion on what kind of content should be modernized regarding the technical standard of cryptographic equipment. Regarding the current cryptographic equipment, as described in Section 2 2. of the Policies on Investigations by Designated Investigative Organizations Based on the Electronic Signatures in Global and National Commerce Act, Section 2 2. (1) of our Guidelines was described with Level 3 of FIPS140-1 in mind. This slide shows an overview of the security requirements of FIPS140-2 as a reference material.

Based on the above, I would like to ask you to mainly discuss two points regarding direction (2). The first point is, when changing the security level to FIPS140-2 or higher, is it OK to continue to set the required security level to Level 3? In addition, if the above security level is required, when revising the policy, what are the essential requirements for requiring FIPS140-2 Level 3 or higher? For example, we can confirm certain changes in physical security and cryptographic key management, but I would like you to discuss to what extent these changes should be incorporated, whether new standards equivalent to the mitigation of other attacks should be required, and whether there are any other requirements. Thank you in advance.

Chairman Matsumoto: Now, I would like to start the question-and-answer session. If you would like to make a statement, please do so in the chat section.

Committee Member Urushijima, please.

Committee Member Urushijima: Regarding the level, I think it's okay to continue to be at Level 3 or higher. As for the second point, it seems that we are trying to confirm something individually, such as physical security, encryption key management, and mitigation of other attacks, but I don't think this is necessary, and if it is already a FIPS-certified product, I think that these matters have already been confirmed, and additional confirmation is not necessary. Also, if we dare to make additional confirmation, vulnerabilities may be discovered after the product obtains certification, and it is only necessary to confirm that the vulnerabilities are not left as they are in the specifications of the product, or that they are not used in such a way, and I don't think that it is necessary to confirm the detailed items in the previous table in the certification investigation. That's all from me.

Chairman Matsumoto: I don't think there is much disagreement on this point, but I am not familiar with FIPS140-3 in the first place, and I would like to ask if there are any changes in its implementation if it is adopted. I don't think there are any, and I think it is compatible, so please go ahead, Mr. Mitsushio.

Committee Member Mitsushio:

Chairman Matsumoto: Did it come from the fact that there was a lot of consideration that HSM, which has not been certified by Japan, can be used? Mr. Urushijima, please answer my question.

Committee Member Urushijima: As for the difference between FIPS140-2 and FIPS140-3, I don't think there will be any particular change in the operation. Since FIPS140-3, things like consistency with Common Criteria have been achieved, and it only includes measures to address vulnerabilities, so I don't think there will be such a big difference in the operation. Thank you.

Chairman Matsumoto: You mentioned that the security of the product has improved, but I understand that the expected operation is the same. Mr. Miyauchi, please.

Committee Member Miyauchi: I'm sorry to say something different, but the problem is that if it is FIPS140-2 or 140-3 at Level 3, there is no problem at all, but the point is probably the word "equivalent". Therefore, I think that it is easiest to drop "equivalent" when it comes to how to have JIPDEC do the work of confirming whether something is equivalent or not. What do you all think? Now, if we drop "equivalent", it is actually written in the policy that even if it is not a device, it may be safe in the room as a whole, but I am beginning to think that we need to think a little about what to do about it, so I would like to hear your opinion. That's all.

Chairman Matsumoto: Certified business operators virtually all use certified products, but Committee Member Odajima, please.

Committee Member Odajima: Individually, I don't know what the accredited certification business operators are using, so if there are certification business operators that are affected by the removal of "equivalent", I think we have to treat them a little carefully. However, considering the current security, I am aware that basically it is inevitable that "equivalent" will be removed. Also, I think it is as Mr. Urushijima said earlier; if the Secretariat has confirmed it, FIPS140-3 states the specifications of the target technology for attacks for which test requirements are not currently in place, in response to other attacks, and I would like to know what exactly this refers to. This is because we have not yet responded to that extent, but I think NIST SP800-140F is the target, but we have not finished reading it, so I would be grateful if the Secretariat could look it up. That is all the intention of the question. That is all.

Chairman Matsumoto: Committee Member Odajima has made a comment. He says that "equivalent" is not appropriate, and he is in full agreement, but I think that JIPDEC, which is conducting the investigation, is the most troubled by this so-called "equivalent". I think that it will be even more troubled if it is said to be equivalent, especially when FIPS140-3 is reached. What do you all think? It may be necessary to touch on what the current certification authorities are doing.

Committee Member Mitsushio: I'm not sure if each company is using FIPS at the moment, so I think it's a final confirmation, but I think most of the people in the current certification business are using FIPS, so I think it doesn't have to be FIPS. On the other hand, the last issue here is from the perspective of industry promotion. From that perspective, originally, the upper rules are quite reasonable, but the lower ones are currently only this, so I think we may have to consider additional cases separately, so I think I can escape a little technically. If we make everything legally less reasonable, I think there will be a little less industrial promotion, so I'm a little concerned about it. I think that's how the rules of the law are written. That's my opinion.

Chairman Matsumoto: In FIPS140, for example, if you try to include domestic cryptography, you have to remove it from FIPS mode, and so on. Committee Member Urushijima, please comment on "equivalent".

Committee Member Urushijima: For example, regarding the inspection and certification of FIPS products, HSM experts can judge whether they are compliant or not. Since JIPDEC probably does not consider itself an HSM expert, I think it is difficult for it to make a proper judgment in light of the FIPS standards. In addition, since the new FIPS regulations require products to be recertified every five years, I think it is necessary to think again about how to make a judgment after five years when there is no such thing as "equivalent". In that sense, I think it is relatively difficult for JIPDEC to conduct an inspection of HSM products, and I think it would be good to leave the standards of equivalence to a professional organization.

Chairman Matsumoto: That's true, but the JCMVP evaluation system for cryptographic modules, which could be expected to serve as a specialized organization, has been discontinued, so there is probably a separate question as to whether there is an organization that can do it professionally in Japan. As for the system, I would like to state that it is not appropriate. Earlier, I mentioned the ability to foster industry, but in the first place, HSMs are extremely important from now on, so I thought I had to pay attention to that as well. In terms of JIPDEC, "equivalent" would be quite troublesome.

Mr. Osawa (JIPDEC): If it is "equivalent", I'm in trouble.

Chairman Matsumoto: Principles are permitted in some form.

Committee Member Miyauchi: As Mr. Matsumoto has just said, it is probably the rule to leave the principle as it is, and to set something separately in some way. But actually, it is the policy that has been decided, so I would like the Secretariat to think about whether it is possible to say such a thing in the policy. For example, if it is written in the Enforcement Regulations, it is fine that it is decided by the Minister separately, but I would like the Secretariat to think a little about what can be done in the policy. That is all from me.

Chairman Matsumoto: I believe that all of the opinions have been presented, but what do you think of the secretariat?

Secretariat (Kita-Inoue): This is the Secretariat. Thank you for your discussion. As you said, FIPS140-2 was discussed because most of the HSMs will use certified products.

On that basis, I would like to say that there are various discussions on whether it is a rule or a policy to be established by us. As you discussed in the first round of the previous meeting, there are some difficulties in writing standards such as "FIPS accreditation". Therefore, as we have now, I understand that the current policy is to pick up and write down only the necessary requirements. When that happens, I think it will probably be the same sort of arrangement this time, and I think there are still some legal and technical questions about whether it is possible to write something like using FIPS140-2 products in the policy. At such a time, there are still some questions about how to express 140-2 in the policies. As you have discussed so far, what we need to confirm in reality is to use products that have FIPS140-2 and to confirm with designated investigation organizations, including JIPDEC. As the secretariat, we are currently struggling with how to express the difference from 140-1 to 140-2 in the policies, and we would be grateful if you could give us your wisdom on such points. That's all from the secretariat for now.

Chairman Matsumoto: In the end, FIPS 140 / 1, which was abandoned for 20 years, is a bit of a misnomer, but I don't know what to do about it, so in a sense, it's probably just as it is. Originally, something like the Japanese JCMVP would have worked, and it would have been nice if it had set the standard and referred to it, but it doesn't seem to have happened. It will continue to be updated, so I feel like we are dealing with difficult issues such as how to follow it and how to reflect the system of following it in the law, but as for the certification authority, I will repeat it a little, but I am most happy to go straight to it without much. It seems that a problem has emerged that the designated investigation agency like JIPDEC, in response to it, is not the standard established in Japan.

Odajima: Investigation Table, as the Secretariat has said. In the case of a compliance example, the answer is "How many FIPS are used by the Certification Authority?", so I don't think we can reach a conclusion on how to do it, so I think we have no choice but to make some adjustments. In reality, I think it is unavoidable that it is more than 140-2, as mentioned earlier.

Chairman Matsumoto: I think we have basically reached an agreement, but we may not have reached a conclusion on how to write it. Is that all right?

Mr. Osawa, JIPDEC: If I were to say a few words, I would like to ask for a statement that is easy to investigate or confirm and that is reflected in the policy. Therefore, I would like to ask for a statement that can be clearly judged in various ways without being reasonable.

Chairman Matsumoto: In the end, FIPS140-2 is the basis for operations, so even if there are things that can be covered by facilities such as operations, it is practically difficult if the repertoire becomes too large. FIPS140-2 is clearly defined by the specifications required by the product, so it can be operated, or it can be decided, so when it becomes considerable, it will be scattered again, so I felt that it would be practically difficult to conduct research. While it is the most peaceful to have no substantial HSM, I thought that there is a need to develop such a place as a Japanese industry because HSM will be used in various places from now on.

Dr. Mitsushio: Since the Secretariat can't write it, I'm just asking: can't this be written in ISO?

Chairman Matsumoto: ISO was also in the direction of being compatible. In the case of 3, there is no 2.

Dr. Mitsushio: Is it difficult?

Secretariat (Kita-Inoue): This is the Secretariat. First of all, I believe that there were no major objections to Level 3 of 140-2. After that, setting aside the substantial part and the operation of confirmation itself, we would like to continue to think about how to write it as a standard. If you don't mind, I would like to hear from you again. If there are no additional opinions, I would like to move on to the next issue. That is all.

Chairman Matsumoto: (6).

Secretariat (Yamanoe): This is the Secretariat. Regarding Direction (6), at the 2nd Study Group, there was a discussion that it would be better to unify the Public Personal Authentication Act and the Electronic Signatures in Global and National Commerce Act standards, but the difference in specifications from the My Number Card needs to be considered. In addition, there was a discussion that it was necessary to search for a method to accurately confirm the intention of the user and the confirmation of the valid electronic certification that has not expired, as they will be proved by the application log and database.

In response to the 2nd Review Meeting, we would like to have an additional discussion at this Review Meeting. In the case of modularization, we would like to have a discussion on which matters should be confirmed when certifying specific certification business of Electronic Signatures in Global and National Commerce Act.

As I explained at the previous Study Meeting, in the first place, when users create key pairs by themselves, even if they send a user-signature verification code to an approved business operator through a telecommunications line together with a paper application form, residence certificate, and seal registration certificate at the time of application for use, they cannot create a electronic certification unless the approved business operator can identify the users. Therefore, in June 2003, it was revised by adding Item 3-2 after Article 6, Item 3 of the Enforcement Rules. After deliberation and confirmation, the approved business operator creates a user identification code and sends it to users. By sending the identification code and user information at the same time as the users send the user-signature verification code, the approved business operator can identify the users and send the electronic certification. Later, in April 2004, the method of confirming the authenticity of users by electronic signatures related to the electronic certification issued in Japanese Public Key Infrastructure was newly added as Article 5, Paragraph 1, Item 2 of the Enforcement Rules. Although it is possible to apply, confirm the authenticity of the person, and identify the users only electronically, it is still necessary to identify users by sending and receiving user identification codes, and both users and approved business operators are burdened.

At the previous Second Review Meeting, there was an opinion that, while the method permitted by the Public Personal Authentication Act should be considered as the method permitted by the Electronic Signatures in Global and National Commerce Act, if users send a user-signature verification code at the same time as they apply for use of the electronic certification, it is necessary to sort out in advance the handling of measures such as linking the issuance application form with the user-signature verification code and preventing falsification. Accordingly, it is necessary to discuss what the approved business operator needs to confirm by what method in response to the above opinion and what the designated investigation organization needs to arrange for the investigation by what method.

Based on the above, I would like you to discuss three points regarding the direction (6). First, assuming that the application for issuance of the electronic certification and the user-signature verification code are sent at the same time, how should the association between the application for issuance and the user-signature verification code and measures to prevent tampering be secured? Second, with the unification of certification standards, what standards should be established for electronic signatures attached to applications? Are there any other matters to be established as certification standards? Third, what should be confirmed when conducting surveys related to the certification of Electronic Signatures in Global and National Commerce Act? And what are the three methods? That is all from the secretariat. Thank you in advance.

Chairman Matsumoto: users. On the other hand, it seems that the spread of Japanese Public Key Infrastructure and My Number Card has already spread to almost all the people of Japan, and if we make use of that, the way we have been doing things is not very reasonable. I think there will be some discussions, but if you also have opinions, please chat with us.

Mr. Miyauchi: Thank you very much.

Imperial Household Commissioner: I think it is necessary to establish standards for electronic signatures, but basically it is the JPKI or authorized certification business that is currently in operation, and the address, etc. is properly written on the certificates. No one will probably object to it, and I think I will do it from the beginning. What I don't understand a little is that even though it is tamper-proof, you need to sign it, right? If you put the application form and the user-signature verification code together, put them together in some format, and sign it, I think you can prevent tampering and make a connection, but I don't think I am trying to do something so difficult. In addition, regarding the second arrow mark in the middle of page 27, the first arrow mark is that it is good if it has been properly proven that it has not been tampered with. Regarding the second arrow mark, whether it can be said to be the person himself, it is already in Article 5-1-2 of the Enforcement Rules that it is possible to do it with the signature of JPKI, so I think it is too late to say that identity verification will be done. I think that Article 5-1-2 of the Enforcement Rules has been made on the premise that this can be said, so I think there is no need to worry about it. That's all from me.

Chairman Matsumoto: Rather than this time, it is closer to the point that the current method is the same because the environment of the signer has not been defined. In fact, JPKI signatures are done with certificates, so I think it is tamper-proof. What do you think? In the sense of the same level as now, I don't think there are any problems.

Dr. Mitsushio: In that sense, I believe that the rule in 2000 did not really assume the use of smartphones. This time, I believe that JPKI and others are mostly assuming the use of smartphones, but if we discuss in detail, we will have to consider various complicated threats.

Chairman Matsumoto: I think there is a threat itself.

Dr. Mitsushio: I believe there is to some extent. I am not denying that. However, at the same level, or in that sense, I think it is okay to remain at the same level for now. So, in that sense, I think it is of course necessary to continue to pay attention and watch what kind of threats there are, including JPKI, but now, I think it is at the level where it can be used at the same level, including at the so-called smartphone level. That is all.

Chairman Matsumoto: More deeply rooted than this story, in comparison with Europe, the QSCD mentioned in Europe was not defined in Japan, and it is outside the scope of the Signature Act, so it is a problem including the environment where users make key pairs, so there was originally a risk. On the other hand, this new one is equivalent. How about the issue of whether we can investigate? Is it the same? From the certification business side, what we can do is probably the same? Odajima-san, isn't this issue discussed at the certification authority meeting?

Odajima: There are not many cases where users make their own private and public keys. Rather, it is CA that makes them and sends them safely, so it is not a very prominent discussion.

Chairman Matsumoto: However, it seems that it will come out in the future when dealing with smartphones. In the end, the trend in the world is toward putting certificates into smartphones, so there is a possibility that this way of issuing certificates for smartphones will be taken, but in fact, at this time, a key pair was generated by the security module in the smartphone, and in fact, such a way should probably be considered.

Odajima: I believe what Dr. Miyauchi said earlier is correct, and I believe that if we create a key pair and digitally sign it in electronic certification, My Number Card, and associate all of them, it is the currently accepted method, so I think that is fine. Therefore, I would like to continue to confirm what kind of risks there are, including social trends, as Mr. Mitsushio mentioned earlier.

Mr. Osawa, JIPDEC: Exactly what Dr. Miyauchi said is what I agree with. If I were to follow up on the request I made in the document from the Secretariat, from the perspective of information storage, to what extent certified business operators need to store the evidence of JPKI certification, and to what extent we designated investigative agencies need to see it, the requirements for how OCSP response results need to be stored are not written on the survey table, in the policies, or anywhere else. However, if I were to step into that, rather than a new discussion, I felt that this discussion needs to be settled from a different perspective, and that is a new issue to be addressed this time.

Chairman Matsumoto: Trail because we haven't done it before.

Odajima: I thought that we would need to keep books and documents, so when we sign documents and receive them at the CA, we always verify signatures, and if the results of the verification of signatures are to be kept as evidence, that would be subject to the 10-year validity period. Am I correct in understanding that the results of the verification of signatures that Mr. Osawa mentioned are subject to the 10-year validity period?

Mr. Osawa, JIPDEC: Yes, of course it will be kept for 10 years in the end, but there are a certain number of examples of the results of verification when digital signatures are signed with certificates of certified certification operations, and it is a fact that we have actually confirmed them during the investigation. However, regarding the results of verification of JPKI certificates, I believe that there are places where we have not finished boiling down in terms of what we have to leave as a business operator and what we have to leave as a trail specifically.

Odajima: I see. I understand.

Chairman Matsumoto: Even if I tried to go as I did, I realized that there were still some things that had not been fully investigated in relation to the investigation.

As for the direction, it seems that consideration will be given to including JPKI as it is in the enforcement regulations of the Electronic Signatures in Global and National Commerce Act, but I recognized that there are still some points that need to be considered, such as investigations. Regarding the following point (iii), please explain from the secretariat.

Secretariat (Tonami): Secretariat. On pages 30 and 31, we have reproduced the materials that were used at the previous review meeting. Regarding the third point, it is about the use of Cloud HSM, and I am aware of the discussion that we received last time that it may be difficult to make the use of Cloud HSM within the scope of certification for the use of CSP and the use of Cloud HSM services in public clouds provided by HSM vendors. However, regarding the use of HSM installed in private clouds and the use of network-type HSM, for example, it is possible for us, the competent ministries and agencies, such as designated investigation organizations, to conduct on-site investigations, and we are aware of the discussion that there may be some issues to be covered.

This time, with regard to these two points, the use of HSMs installed in private clouds and the use of network-type HSMs, I would like you to continue discussions on whether or not these can be approved, and what criteria are necessary if they are approved. On page 34, I have listed the opinions I received regarding this issue (iii) at the previous second review meeting. I do not have time this time, so if there are any amendments to my comment or any misunderstanding, I would like you to comment later.

Regarding the points in bold on this page, we recognize that it is necessary to pay attention in the discussion on the use of HSM and the use of network-type HSM, which we would like to convey to the private cloud this time. This time, the points described in this part are also reproduced in this page 35, but we would like you to limit the scope of discussion to HSM / network-type HSM installed in the private cloud, while taking advantage of the opinions you gave us last time. That is all.

Chairman Matsumoto: It's quite difficult to discuss. Last time, there was a discussion about whether Net HSM and Cloud HSM are different. I would like to ask for your cooperation.

Committee Member Urushima: In the table, the HSMs installed in the private cloud and the network-type HSMs are grouped together, but I felt that this was a little rough. For example, there are probably cases where the network-type HSMs are used in the authentication facility room. For example, there are cases where the network-type HSMs are used and operated from outside the authentication facility room, so I thought that we had to sort them out properly.

When there is a possibility of HSM operation from outside the certification facility via the maintenance PC, I think it is necessary to properly confirm the usage environment of the maintenance PC. In the environment where the maintenance PC is used, for example, whether entry and exit management is properly performed using an IC card, whether or not it is possible to prevent peeping, whether or not there is something to prevent unauthorized operation, and whether or not operation records are kept, I think it is necessary to make a series of confirmations such as these. I don't think such strange things will happen if it is in the certification facility room, but if there is a case where maintenance is performed remotely from home, for example, there is no way that entry and exit records can be kept, so I think it is necessary to consider such things in various ways. That's all from me.

Chairman Matsumoto: It's difficult. This is not about the Net HSM alone. It's about the environment in which the Net HSM is located. In addition, it's not about the usual issue of certificates. It's about key ceremonies, key backups, etc. It's about what kind of environment can be done.
Are there any other opinions on point ③? It is true that the Internet HSM cloud operator and the private cloud are imaged as the same operator.

Secretariat (Tonami): Committee member.

Even if it is a network-type HSM, we received opinions such as whether it is used from inside the certification facility or from outside the certification facility, and how it is used for maintenance. I am very sorry, but the secretariat has not yet been able to sort it out based on that. However, the secretariat's attitude and way of thinking is that there are high demands from business operators, and there is a gap in certification standards other than Electronic Signatures in Global and National Commerce Act, such as that it is already recognized but not recognized by Electronic Signatures in Global and National Commerce Act standards. We would like to take measures as soon as possible. Regardless of whether it is for maintenance inside or outside the facility, if there is a particularly high demand for the current general form of operation of certification stations, and if there is such a use, we would like to hear comments on the needs.

In addition, regarding the maintenance part, I think that we will have a little discussion not only in point ③ but also in point ④. Regarding the maintenance part, the HSM also has a LAN port that is open for maintenance, and I think that it is necessary to sort out that it may be possible to move it out, so it is difficult to mix points ③ and ④, but I would like you to comment on the first need.

Mr. Osawa, JIPDEC: Mr. Urushijima seems to have agreed with me, but in order to clarify what Mr. Urushijima is concerned about, there is a table in Slide 47 where the Reita is appropriately organized, and among these facilities, to what extent will the use of cloud computing or remote control be allowed, and if we proceed with this discussion, it will be a little easier to organize, so I wrote a little.

Chairman Matsumoto: I think it is more about how to handle the work that needs to be done in a check-and-balance manner in the certification facility room, including inspections and audits, rather than the most difficult work from the beginning. Who is familiar with this point? As mentioned last time, we need to discuss what requirements there are for using cloud HSM in the future in some form, but I understand that we are not in a situation where we can discuss it to that extent. I think it is about a new HSM, so this member alone may not be enough in that sense.

Odajima: I think that the increase in various options itself is a blessing for certification authorities. It may not be easy to go to public clouds, but at least non-public, private clouds or network HSMs have concerns that Mr. Urushijima, Mr. Osawa, and others mentioned earlier, so I would appreciate if you could sort it out after increasing the resolution. That's all.

Chairman Matsumoto: It can probably be said that the more shared services become, the more difficult the investigation becomes in a sense.

Dr. Mitsushio: Looking at this, what I just thought is that the level of private cloud and network HSM alone does not seem to be effective for judgment. I think Mr. Urushijima probably mentioned this, but if we do not lower the image of where the network is connected and operated in the network configuration, we will determine the criteria for that.

Chairman Matsumoto: 's question. In the case of HSMs that are not Net-HSMs, I think that the HSMs have two ports, one for key ceremonies and the other for signing. This port is isolated, and when you operate another port, you have to enter the certification equipment room. How do you operate Net-HSMs?

Committee Member Urushima: I don't think it will change that much.

Chairman Matsumoto: In this network diagram, that part is not completely written.

Committee Member Urushima: That's right. So it's either directly connected to the CA server by PCMCIA or by Ethernet. Usually, when using the Net HSM and the CA server, a firewall is installed in the front stage where a strange device cannot be connected.

Chairman Matsumoto: is the highest When you talk about security, it depends on the Architecture of the HSM, which is not easily explained. Since the RA is remote, you can remotely request a signature with the HSM, but you cannot update the key, such as backing up the signature key. I think the structure is such that you cannot update the key unless there are enough people. I don't know much about it, but there is a DNSSEC root zone key update that does similar things. In the past, all the authorized people went to the site to update the key, but now it seems to be done remotely. By doing so, it can be done without everyone being there. It seems to be done without everyone being there. I wonder how such a mechanism is done.

Committee Member Urushima: For example, the HSM is connected to the network in this diagram, and the network-type HSM has an operation numeric keypad, and several people operate it by pointing it with a dongle or typing a key code.

Chairman Matsumoto: However, rather than making this area more complicated with hosting, the more shared the service, the more difficult the research will probably be.

Dr. Mitsushio: As you mentioned earlier, for example, in this network diagram, you said that the key ceremonies and other events will probably remain the same, so I don't think you wrote this down, but I think the key ceremonies and other events will be held in a proper place. If we sort those things out a little, to be honest, I feel that they won't change much, but I haven't seen all of them, so I think it is necessary to sort them out so that we can clearly see where the differences really are. That's all.

Chairman Matsumoto: It is a little difficult to explain with only this diagram how to keep a trail even in the case of distributed backup of keys, etc. This is rather close to the diagram during normal operation.

Odajima: Certainly, Mr. Matsumoto is right, and I think it is a diagram of normal operation. There is no backup such as key update with the CA's issuer signature code.

Chairman Matsumoto: Actually, the best security is the key update. Are there any other points to be discussed? This was mentioned last time, but it raised the issue of what to do to operate CA in the cloud, and I think that something that can be done is being considered, but I think that there is a possibility that HSM will have to be made for it.

Secretariat (Tonami): In addition to this figure, in the case of the key ceremony, in the case of the general case, and in this figure as well, it is not a diagram in which only one line comes out from the HSM, but it is for maintenance, and I think that the lines at the time of key generation should be distinguished properly. This is what I have heard from you.

The members of the Secretariat do not have any knowledge on how to use the HSM, so we would like you to add your knowledge on how the HSM is actually used. In some cases, we would appreciate it if you could share your image of the HSM with the Secretariat by e-mail so that we can better understand it. However, I would like you to continue to comment on what you will talk about in the open forum of the Study Group and what I would like to say here today as a reference for compiling the future policy.

Chairman Matsumoto: I think there are still a lot of things to consider, including HSM for private clouds.

Regarding the following issue (iv), I would like to ask for an explanation from the secretariat. This is also a bit wide in scope, so the discussion may diverge, but thank you for your cooperation.

Secretariat (Tonami): Secretariat. Regarding the point (iv), as I reprinted the materials last time, A, B, C, and D were to bring the certification authority equipment to the cloud respectively. Also, the point was how far remote control should be allowed for this.

I have divided this discussion into A, B, C, and D, and I have received discussions from several viewpoints. Among them, there are some points that can be sorted out as discussions progress a little, and there is still a lack of early discussions to determine the direction. This time, I would like to advance discussions in the form shown on page 40, taking into account that the needs are high or low, and discussions are progressing or not progressing.

Specifically, I would like you to first confirm the arrangement regarding the use of the certification authority's repository, which is in high demand, and then confirm and supplement the arrangement regarding the investigation and examination methods such as the ISMAP and ISMS cloud certification systems. After that, if you have time, I would like you to continue the discussion from the opinions of the second review meeting regarding the use of the certification authority for maintenance and operation and other points.

The secretariat will explain the theme of use (A) of the repository, so I will return it here for now, and after the discussion on 4-1 of (A), I will explain the rest. 4-1 Regarding the use of the repository of the certificate authority, the previous discussion was in the direction that the repository of the certificate authority is basically required to be available, and the risks related to confidentiality and integrity are limited, and it was said that there are few problems in the use of the public cloud. Below this, I wrote confirmation matters, and I would like to clarify these two points in the direction of using the public cloud service in the repository of the certificate authority.

With regard to the first point, I would like to ask whether there is really no problem in a way that does not require the safety of such cloud services, such as ISMAP and ISO 27017, which are systems related to the security of such cloud services, because only the availability is required. With regard to the second point, I would like to ask whether it is necessary to require the standard of availability, such as redundancy, when using the cloud, as such things have been done on a voluntary basis, such as backup servers, in the operation work of the certification authority. This is the point that I would like to confirm as the secretariat, so if there are any additional points that need to be discussed in recognizing the use of the repository of the certification authority, please comment on them separately. That is all.

Chairman Matsumoto: Regarding this, the needs are a little high and the risks are limited, so I would like to come to a conclusion as close as possible today. Please give us your comments, Dr. Odajima.

Odajima: First of all, regarding priorities, (A) is the highest in the opinions of each certification business operator. Regarding availability, I believe that the use of the cloud is such an intention in the first place, so I have no particular objection to that. In terms of matters to be confirmed, I think that it may not be necessary to require ISO27017, such as ISMAP, for public cloud services. I think that the repository is not required to that extent. On the other hand, since the information necessary for signature verification is posted on the repository, I think that the certification authority is fully aware of the importance of the repository. That is all.

Chairman Matsumoto: Would you like anything else? Thank you very much, Mr. Urushima.

Committee Member Urushima: I think it's OK that such security certification is not necessary, such as ISMAP, but at that time, for example, for highly confidential logs, such information, for example, encryption measures are taken, and I think some security measures are necessary separately. I thought it would be better to confirm that during the investigation. Thank you.

Chairman Matsumoto: I would like to thank you for your cooperation.

Dr. Mitsushio: Is this A? In short, is it all right to understand that Mr. Urushijima's log will not be included? As I have commented before, it may be the second time, but as you know, ISMAP management standards are not required for non-confidential parts of the NISC's unified standards, and in that sense, I think it would be better to do so.

Regarding the second one, it is certainly better to ask for redundancy and availability, but my understanding is that cloud vendors probably do not set SLAs for availability, so even in the cloud, there are quite a few levels of redundancy, such as availability zones, regions, and using multiple different clouds, so I have no intention of asking for such a difficult thing at all, but at least I thought it would be okay to write something at the level of asking for ordinary things like creating two availability zones. That's all.

Chairman Matsumoto: For the certification business operator, the availability of the repository is really the most important thing, so I thought it is normal to ask for availability from the perspective of how to realize it rationally in terms of cost, but do you have any other opinions?

Secretariat (Tonami): Secretariat. The first point is, regarding the security certification system for security cloud services, I believe that you are currently discussing the direction that it is not necessary to require it, but I believe that there are measures that have been implemented by general certification authorities until now, even if it is not explicitly required under the current standards. I believe that such a point is quite safe for the use of major CSPs, but if there are no such standards, I believe that there are cases where very low-level services are used, and whether there is a risk in such cases, I would like to receive a little comment again, and the Secretariat will decide the standards and direction after being relieved about that. I would like you to discuss this point a little more.

Chairman Matsumoto: How about this one? Mr. Mitsushio, please.

Dr. Mitsushio: You are absolutely right. The first one does not require it at all. Rather, security is CIA, so in that sense, (A) should be required. That is not equal to ISMAP. In that sense, I also wrote the second one in small letters, but as for the level, I think it is natural to assume a minimum of multiple availability zones, so there is a question of whether it is at that level, but in my opinion, (A) around that should be required. That is all.

Chairman Matsumoto: From the standpoint of certified business operators, as Mr. Odajima mentioned earlier, I believe that certified business operators probably think that using existing cloud services will increase the availability. Since it is a shared service rather than creating a system that does not stop at all for 365 days by ourselves, we basically think that cloud services are easier to maintain availability, so it is a bit of a misnomer to say that it will be worse than now, but I understand that there is a high need for (A) with such an idea. Is it okay?

Odajima: I believe that cloud computing is higher in terms of availability than on-prem, so you mentioned earlier that there is a possibility of choosing a low-quality one, but that doesn't make sense, so I don't think that will happen.

Chairman Matsumoto: From the certification business operator's point of view, the confidentiality of the facility for the operation of the certification authority mentioned earlier is generally higher than that of the cloud. Conversely, the availability of the cloud is higher than that of the cloud, and it is probably behind the fact that services should be able to be provided by combining them well.

Odajima: You are absolutely right. At the very least, I think that the information on the verification of signatures is very important. Furthermore, I think that if it is linked to government public key infrastructure, there is also responsibility.

Chairman Matsumoto: I see. I thought there was no room for discussion here, but I think there are still things such as how to put it into the text, but I think the direction is almost the same. Is that OK?

JIPDEC Mr. Osawa: May I ask you one question from the standpoint of investigation? I apologize for my lack of insight, but what should I use to confirm that I told you that I would take multiple availability zones? If it is Amazon Web Services, is such a thing written in the specifications? Is that correct?

Committee Member Urushima: Since the specifications probably do not tell us, I think we will check based on the system design documents such as where the certified business operator uses the availability zone.

Odajima: I can't say for sure because I haven't used it yet, but I think it's as Mr. Urushijima said now.

Dr. Mitsushio: I think it is at the level of asking to see the setting screen. I think there is a design document at the previous level. Eventually, after that, we will believe in the cloud, but I understand that if there is a setting screen, that is fine. That is all.

Imperial Household Commissioner: I think you are generally right, but that is the case with AWS; is it okay if it is a cloud that Miyauchi personally operates, and is it okay not to worry about such things?

Dr. Mitsushio: On the contrary, I don't think there is anything that cannot be confirmed at all. It can be a command line, or it doesn't have to be a pretty GUI like the settings screen, but if you can't see something, you can't actually configure it.

Imperial Household Commissioner: That is a necessary condition, but I am saying that is a sufficient condition. Even though there is a setting screen, I don't think it is possible to know how things are operated in the Imperial Household according to it.

Dr. Mitsushio: You are right, you believe in the cloud if it is really set on the back of the setting screen.

Imperial Household Commissioner: It's all right to believe, but I asked you a question because I was wondering what it was like.

Dr. Mitsushio: I think it is an important matter. It is difficult.

JIPDEC Mr. Osawa: It is very difficult for a difficult burden to come here.

Dr. Mitsushio: I am fully aware of that. I will think about it for a while, but please ask someone for a while.

JIPDEC Mr. Osawa: If there is a minimum requirement that needs to be confirmed, such as taking multiple availability zones, and if there is specific information that can be confirmed in this way, I think that consideration will deepen here as well. Thank you.

Chairman Matsumoto: I think that it will become more visible when it is actually designed.

Dr. Mitsushio: As Mr.

Chairman Matsumoto: It is a little painful to discuss here. I think it is just a matter of making such a choice.

Secretariat (Tonami): As has been mentioned, I think there is a problem in the fact that the definition of the term cloud service has not been determined in the first place. I believe that you have discussed this even assuming the use of general cloud service providers, but I would like you to comment a little more on what should be done when you bring in cloud services that are not general, whether they should be rejected as inappropriate, and what the criteria for rejecting them are. What do you think?

I don't have much time, so for the rest of the points, I would like you to send me an email later, or I would like to hear from you individually through the secretariat, so I will not discuss the rest of the points today, and the secretariat will contact you again, so please wait for that. I would like to wrap up this point cleanly to some extent, and then finish for today.

Chairman Matsumoto: that some kind of accountability is guaranteed in this way.

Dr. Mitsushio: As Mr. Matsumoto said, I feel that it is only a statement, and no matter how much I dig, what happens to IT at the end will be the same as the story of the world at the highest level of CC, so it is not realistic. Then, as expected, it will be a declarative story, and it will be a story of who makes a declaration, and it will be a story of how to say a declaration properly at the top management level as an organization, and in that sense, even if we narrow down the details, there are too many variations in the way of certification these days, and I feel that there is not much final answer, and then, as expected, a certain degree of basket closing, including the first story, where the management clearly declares that they will do it seriously, I think it comes down to that. That is all.

Chairman Matsumoto: Availability is also a trade-off with cost, so I think that generally in the world, the point of arrival is determined by the trade-off with cost in a certain way.

Odajima: Once again, I believe that we have the necessary obligations for repositories, especially for signature verification environments. When it comes to taking things to the cloud, at least in order to seek availability, I don't have any intention of using the cloud, which is regrettable, and I think that we are basically preparing things that can be used. As Mr. Mitsushio said earlier, I believe that we are in a bottomless swamp, so basically, I think that we will calm down by having certification authorities confirm that they are doing this as a declaration. That's all.

Chairman Matsumoto: It sounds like you are going to declare an SLA.

Odajima: If you have set an SLA, I think you can say that the SLA is about this much, but if you ask for it too strictly, it will become a real quagmire, so I think you should stop doing that.

Secretariat (Tonami): Thank you very much. As for today's discussion, I am aware that there is no problem in the direction that the use of the repository of this certification authority will continue to be approved, and in that, requiring a certain level of availability itself.

So, I think there are some points that need to be worked out a little more in terms of how the competent ministries and agencies and designated investigative organizations will confirm this as a trail. For example, I think we will confirm the self-declaration, SLA, and operational performance of the cloud service that we are going to use as a trail, as Commissioner Odajima mentioned earlier. Regarding this point, I would like to ask for your continued wisdom in working out the specific standards. In addition, after the direction of this report is finalized, I may need to consult with you during the work to be worked out, so I would appreciate it if you could do so. Finally, I would like the secretariat to explain the schedule after this.

Chairman Matsumoto: Regarding agenda 2, I would like the secretariat to explain the schedule for the next meeting.

Secretariat (Yamanoe): This is the Secretariat. I will explain from page 52 of Handout 1. Based on today's review meeting, the Secretariat is thinking of setting the fourth review meeting for January 17. The time is tentatively scheduled from 10 a.m. to 12 a.m., and the Secretariat is thinking of sending the review meeting materials again, so I would like to share them with you as needed, thank you. That's all the explanation from the Secretariat. Thank you.

Chairman Matsumoto: Yes, I don't think it's particularly meaningful, so I'd like to call it a day. Thank you very much for your active discussion today as well. Now, I'd like to close today's third meeting of the Study Group on Modernizing Electronic Signatures in Global and National Commerce Act Certification Standards. Thank you very much.