
This page has been translated using TexTra by NICT. Please note that the translation may not be completely accurate. If you find any mistranslations, we appreciate your feedback on the "Request form for improving the automatic translation".

Third meeting to study modernization of Electronic Signatures in Global and National Commerce Act certification standards

Overview

  • Date: Tuesday, November 26, 2024, from 15:00 to 17:00
  • Location: Online
    Livestream the review meeting (using Microsoft Teams)
    *Live streaming has ended.
  • Proceedings
    1. Opening
    2. Business
      1. Additional discussion on the direction of modernization
      2. About the next meeting
    3. Closing

Material

Minutes

Secretariat (Yamanoe): This is the Secretariat. From now, we will begin the third meeting of the Study Group on Modernization of Electronic Signatures in Global and National Commerce Act Accreditation Standards. Ladies and gentlemen, thank you very much for taking the time out of your busy schedules today. My name is Yamanoe from Digital Agency, and I will serve as the secretariat. Nice to meet you. First, the secretariat will check the materials. There are two materials in total. The first one will depend on the article. The other one is the additional discussion on the direction of modernization. Today's materials are also posted on the Digital Agency website, so please check them if you are attending the meeting. As there are many matters to be discussed at today's Study Group, prior to the meeting, I will explain the review of the Study Group so far in accordance with Material 1.

I will explain the survey in each section later, but Directions (1) to (6) were discussed at the first and second review meetings as shown in this document. In addition, in today's review meeting, based on the balance of the remaining issues, the order of discussion will be as follows: (1) (2), then (6), and then (3) (4).

Then, I would like to ask Chairman Matsumoto to proceed with the proceedings after that. Then, Chairman Matsumoto, please take care of it.

Chairman Matsumoto: Now, I would like to begin the proceedings. I would like to ask for active discussions following the first and second meetings. There are five issues, so please explain them one by one, and we will discuss them later. First, I would like to ask the secretariat to explain (1). Thank you.

Secretariat (Yamanoe): This is the Secretariat.

I will explain from page 7 of Appendix 1. Regarding Direction (1), at the first review meeting, there was a discussion that although it is not necessary to revise the law, it is necessary to clearly state the obligation of risk management in the enforcement regulations, that risk management should be positioned not as a mere security measure but as governance of the entire organization, and that standards related to governance such as ISMAP should be included as a reference. In response to the first review meeting, as additional content to be discussed at this review meeting, we would like to ask you to discuss the standards that should be included as governance of the entire organization. A table of contents of each standard is provided on page 9, and the part related to governance is extracted from it and described on page 10. Referring to the outline on pages 11 to 15, when each standard is organized from the viewpoint of the minimum requirements for certified business operators, etc., the secretariat believes that at least two points are common: clarification of responsibilities and authorities, and evaluation of and response to risks related to information security.

Based on the above, I would like you to discuss three points regarding direction (1). First, I believe that the two points in common that I mentioned earlier as the secretariat are necessary matters, but are there any other matters that should be requested?

Second, with regard to the clarification of responsibilities and authorities, Article 6, Item 15 (b) of the Enforcement Rules requires that the responsibilities, authorities, chain of command, etc. of those engaged in operations be appropriately defined and operations be implemented. In addition to this, is it necessary to further clarify the responsibilities and authorities related to the Board of Directors, etc. (regulations on IT governance)?

Regarding the third point, regarding the standards to be incorporated as the governance of the entire organization, the standards are shown in blue letters in the second from the bottom on page 16. There are three points, what kind of standards should be used and what kind of investigation methods should be used by the designated investigation agency. That is all the explanation from the secretariat. Thank you.

Chairman Matsumoto: Now, I would like to begin my questions. If you have any questions or comments, please write in the chat section that you would like to speak. I am looking at it for now, so please do so. I would like to ask Commissioner Urushijima for your cooperation.

Committee Member Urushijima: The organization of the issue seems to be a little too narrowly focused, and I thought it would be better to go back to the background of why risk management needs to be additionally regulated and modernized.

For example, EN 319 401 in eIDAS, WebTrust for CA, and CABF's Baseline Requirements, the requirements of such international certification authorities require regular risk assessments, and I think (based on past hearings with Digital Agency's business operators and research and studies) we should have responded to them.

I understand that risk assessments will be conducted as part of governance measures, but if risk assessments are not properly focused, for example, certified business operators will not be able to submit the results of a sloppy risk assessment and say that it is OK because it was conducted. Such a situation needs to be avoided.

For example, I believe that there are some common specific risks for certification authorities, and as I explained a little in Part 1, there are some specific risks, such as the risk that the CP / CPS operation rules stipulate two man operation, but in reality this is not the case. For example, even if users are told to use FIPS-certified key management products, they actually use the ones in the OS keystore and can actually copy keys. Therefore, at a minimum, I think it is necessary to confirm whether or not each certification authority is responding to these specific risks through a certification survey across certification authorities.

For your reference, in the certified timestamps of the Minister for Internal Affairs and Communications, such common risk items are listed by the designated investigation agency, and for example, how to respond to the risk of issuing a wrong timestamp when the time deviates from the standard time, and the risk of operating terminals being manipulated, etc., what kind of risk measures are being taken and what kind of assessment is being conducted for such specific matters, so I thought it would be good to refer to these things.

In addition, the discussion on the authority of responsibility and the separation and clarification of responsibilities is not about risk management. For example, although the authority is defined, I think it is necessary to discuss how risks that have not been complied with are handled. The discussion on the clarification of authority is secured by other items, so I thought it is not necessary to take it up and include it in the risk assessment discussion. That is more than my comments.

Chairman Matsumoto: Next, I would like to ask for Mr. Odajima's comments.

Member ODAJIMA: Odajima. Actually, I would say the same thing as Mr. Urushijima's opinion, but I think we were originally talking about the criteria related to risk assessments. I can see the details of the current issue in a way that is a little specialized in governance. I think the original starting point was that risk assessments were properly conducted within the certification authority, and the results of the assessments were, for example, risk management, or if there is a residual risk, the company should accept it, and the organization should accept the residual risk and document it, so I have the impression that the front and back are reversed.

In that sense, I think it would be good for you to go back to where you were. That's all from me.

Chairman Matsumoto: Regarding certified business operators, I believe that Mr. Urushijima and Mr. Odajima talked about the need to include more specific and realistic deficiencies in the certification authority. Next, Mr. Mitsushio, I believe you have a good understanding of these differences; your comments, please. Thank you very much.

Committee Member Mitsushio: As you said, but based on what you two have just said, my understanding of risk analysis is slightly different. I am talking about the law, so if there is a common risk, it should be stipulated by law, and even if it is not stipulated by law, it should be properly written at the survey level. In that sense, I do not mean to say that common risk analysis should be done in general.

I don't think I can write a risk analysis at the level of laws, rules, and surveys. Recently, various situations have changed. In 2000, we first created a Electronic Signatures in Global and National Commerce Act. At that time, I didn't say much about governance, but we analyzed risks to ensure the governance of each company. I don't mean to say that detailed risk analyses are necessary at all. To come to a conclusion, I think that unknown risks and risks assumed for each company are assumed. In that sense, I think that risk analyses are conducted to a certain extent because risk analyses differ among companies. Rather than risk analyses, ISMAP does not have many regulations on governance. Basically, even if we look at COBIT, etc., governance is all about setting policies, monitoring and evaluating them. In that sense, management policies are clearly indicated, and various risks within them are analyzed and monitored in a risk table.

In that sense, in today's discussion, there was a question about what kind of standard it was. In reality, when it comes to the legal confirmation method, it is not a substantive confirmation. Rather, when it comes to the legal confirmation method, it is whether or not the policy document and other documents for risk analysis are prepared. In terms of whether or not we can truly evaluate each individual case to some extent, I understand that it is difficult. That is all.

Chairman Matsumoto: I see. Next, Committee Member Miyauchi, please.

Committee Member Miyauchi: I would like to make a comment from a slightly different perspective. In the second point shown here, I think there is a discussion about clarifying the responsibilities of directors and others. Basically, first of all, what the board will do about IT governance: is it a matter of Electronic Signatures in Global and National Commerce Act certification? I have a lot of doubts. Basically, isn't it a matter of the company as a whole?

Therefore, I think it is better for the company as a whole to have proper IT governance, but I don't think it is necessary to write it in the certification standards of the Electronic Signatures in Global and National Commerce Act. In addition, when applying for certification, the representative director should have made an institutional decision and made this application, so at least the management has made a certain confirmation, so I don't think it is necessary to write it to this extent. That's all.

Chairman Matsumoto: We have heard Mr. Mitsushio's view, based on his deep involvement with the certification authority side and with ISMAP and other organizations, as well as the opinions of Committee Member Miyauchi on legal matters. Do you have any other opinions?

What about the view from JIPDEC, which looks at the CAs?

Mr. Osawa, JIPDEC: To be honest, from the perspective of the current Electronic Signatures in Global and National Commerce Act, we are not looking at these things in depth, so it would be difficult unless you clarify a little what should actually be viewed, and from what perspective.

Chairman Matsumoto: Will this be combined with other systems such as ISMS, which was discussed last time? We need to move on to the next topic soon, but I don't know if a conclusion has been reached or not. I understand that the direction is to do it, but I think opinions are divided on how to do it. What will the secretariat do? Do you have any views on this?

Secretariat (Tonami): Thank you for your comments, Committee Member Mitsushio and Professor Miyauchi in the latter half. For example, I believe that the major difference is between the view that there is no need to establish special governance standards because the necessary standards for certification authorities have already been written in the standards of the Electronic Signatures in Global and National Commerce Act, and the view that fits to the circumstances of each certification authority and circulates the PDCA for assessment of risks there. At this point, I am not sure which one I have in mind. For example, I have some sympathy with the circumstances of each certification authority. For example, I have heard of cases where there has been a major organizational change and education has been neglected. Therefore, I believe that assessment at each certification authority should be conducted as an initiative of each certification authority, regardless of whether it is required as a certification standard of the Electronic Signatures in Global and National Commerce Act.

I have just listened to your opinions, but I would like to ask you again about what you think about each other's opinions based on the direction and difference of your major opinions. I think it will take some time, but I would like to ask for your additional opinions on this point.

Chairman Matsumoto: Commissioner Mitsushio, please.

Committee Member Mitsushio: As you said, Mr. Miyauchi. I understand that in the current certification standards for Electronic Signatures in Global and National Commerce Act, only operations are mentioned. Of course, there are actions, or what kind of things should be done, written there, but I understand that there is absolutely nothing about the relationship with the board. As Professor Miyauchi said, when I was in the position of the certification business, I am not saying that we should talk about the business of the entire company, but I understand that it is the commitment of the management as a company to the certification business. In that sense, I am of the opinion that how the management will be involved within a limited range is necessary. That is all.

Chairman Matsumoto: I think they are actually doing it, but it is not clearly stated.

Committee Member Mitsushio: As you said.

Chairman Matsumoto: Mr. Urushijima, please.

Committee Member Urushijima: This has already been written about here. Rather than the Board of Directors deciding what to do, I think it's more important to consider such things as whether or not internal audits are conducted in an independent system, and the separation of authority of operators when using HSMs. I don't think it's a matter of the Board of Directors deciding what to do.

I believe that the risk management table and other risk assessment results tables that Commissioner Mitsushio mentioned need to be properly confirmed as outputs after investigation. In relation to this, for example, in the case of timestamps, in addition to the commonly mentioned risks, individual risks of each company are added and submitted, so I thought that the risk assessment of each company's situation is covered there. Yes, that's all from me.

Chairman Matsumoto: There is a slight split in opinions, or rather, there are two directions. It might be a good idea to do both, but what do you think?

Member ODAJIMA: Odajima. I don't know the extent of each company's involvement in the current situation, but I am sure that each company conducts its business with the approval of the Board of Directors, in other words, the Board of Management. For example, if there is an incident, we report it to the Board of Directors, along with what kind of after-the-fact processing will be done as a result. These things are usually left in the minutes and other documents. At present, I don't think there is any clear indication in the sense of governance that Mr. Mitsushio is talking about in the Ordinance for Enforcement of the Electronic Signatures in Global and National Commerce Act and in laws and ordinances. When it started in 2000 and reached the status of consideration, I don't think it is impossible to see that there is a lack of it.

At the end of the paragraph in the Point of Contention section, a risk assessment on information security will be conducted and a document will be recorded as part of organizational management. If the designated investigative agency can confirm the results of management and governance with regard to the document, I believe it is actually being conducted, although the degree may be different. Therefore, I thought it would not be such a burden. Also, if there is a third party certification, it will be considered that it has been confirmed, and if these are included, there will be no problem.

Chairman Matsumoto: Committee Member Miyauchi, please.

Committee Member Miyauchi: There are a lot of opinions on what to do with the board of directors, but the board of directors and management in the standard referenced in the document are probably on pages 12 and 15. First, if you look at page 12, the board of directors is in the middle here. For some reason, I thought it was a very company-wide story about ethical standards and leadership for change.

On page 15, there is a section titled "Executives." This section seems to indicate that the effectiveness of information security activities and other general issues are being addressed in a proper manner. It may be that ISMAP and other such areas are being targeted, but I felt that there was a slight gap between the certification authority and the duties and responsibilities of the board executives mentioned here. If I were to include something like this, I did not think it would be necessary to include anything in the Electronic Signatures in Global and National Commerce Act certification section. That's all.

Chairman Matsumoto: The Certification Authority has a CP / CPS. I don't know why, because it is closer to architecture than to general security that follows the CP / CPS. In this regard, I heard that Commissioner Mitsushio wanted to make some kind of written statement rather than going in a direction where there is a burden, and that there are items to be added to the survey sheet, as Commissioner Urushijima said, that are actually not enough in the survey sheet. What is your opinion?

Committee Member Miyauchi: I don't mind if something like this is added, but I don't think it would be a good idea to say something like this. I don't think it would be a matter of a board meeting with management. Of course, the rules and internal rules of the company ultimately create the responsibilities of the directors. Therefore, I thought that Article 6, Item 15 (b) of the Enforcement Regulations, which is written here, would be fine without any further effort. In the middle of page 16, in the bullet written in black letters. I said this because I didn't think it was necessary to say that it was the responsibility of the directors to establish this. That's all.

Committee Member Mitsushio: As you said, it's probably not a problem when the operation is working well. I think it's probably that when there are various problems in the company's business, for example, when an accident occurs, I want them to cooperate well with the management.

Committee Member Miyauchi: I can understand that.

Committee Member Mitsushio: As you said. Therefore, I do not ask for anything drastic in general, and I understand that I have not seen a lot of people making a commitment to the CP / CPS and to the accreditation and certification work itself, although this may be just a statement. I think they were a little worried about that. If that can be covered, as Mr. Matsumoto and Mr. Odajima have said, we are taking it for granted and we are doing it, but I understand that it will probably be expressed properly. That is all.

Chairman Matsumoto: The Certification Authority has a CP / CPS and operates according to it. If it were operating normally, it would have achieved a very high level of security. However, I believe that Mr. Mitsushio is saying this because he knows about the situation around 2000, and at that time he did not think this point of view was sufficient.

I don't know about the details. Of course, I didn't understand about the timestamps mentioned earlier in 2000, but I have already found the missing points. There is one more point, so I thought that two points were revisions or corrections. What do you think? If we can't investigate, we have no choice. How about the secretariat?

Secretariat (Tonami): Thank you for your comments. I think it would be difficult to summarize the opinions we just received today, but it sounds like there were some common points that we could agree on. Next time, we will summarize the opinions we received this time so that we can see at a glance the options that had a slight difference in direction this time. Then, we will ask for agreement on the common points, and for the options, we will continue to discuss them without including them in this year's review. In other words, we will ask you to sort out the points that are not included in the Electronic Signatures in Global and National Commerce Act accreditation criteria from the perspective of what has already been implemented.

Chairman Matsumoto: Next is direction (2) of modernization. Secretariat, please explain (2).

Secretariat (Yamanoe): This is the Secretariat. I will explain from page 17 of Handout 1.

Regarding direction (2), at the first review meeting, it was discussed that although it is necessary to update the technical standards for cryptographic equipment to FIPS140-3, there are very few products that are compliant with FIPS140-3, so at present it is necessary to set the technical standards to be equivalent to or higher than FIPS140-2, and that the timing of the transition to FIPS140-3 should be based on the trend of related products in Japan. In response to the discussions at the first review meeting, we would like to have additional discussions at this review meeting on how the technical standards for cryptographic equipment should be modernized. As for the current cryptographic equipment, as described in Section 2.2 of the Guidelines on Investigation by Designated Investigation Bodies Based on the Electronic Signatures in Global and National Commerce Act, Section 2.2 (1) was described with Level 3 of FIPS140-1 in mind. This slide provides an overview of the security requirements of FIPS140-2 as reference material.

Based on the above, I would like to ask you to discuss two main points regarding direction (2). First, is it okay to continue to set the required security level at Level 3 in order to change the security level to equivalent to or higher than FIPS140-2? In addition, if the security level above is required, when revising the policy, I would like to ask you to discuss what are the essential and important requirements for requiring equivalent to or higher than FIPS140-2 Level 3. For example, I can confirm certain changes in physical security and cryptographic key management, but I would like to ask you to discuss to what extent these changes should be incorporated, whether new standards equivalent to mitigation of other attacks should be required, and whether there are any other matters to be required. Thank you in advance.

Chairman Matsumoto: I would like to start the Q & A session. If you would like to make a statement, please do so in the chat section.

Mr. Urushijima, please.

Committee Member Urushijima: As for the level, I think it is good to continue to be at Level 3 or higher. As for the second point, it seems that they are trying to confirm something individually, such as physical security, encryption key management, and mitigation of other attacks, but I don't think it is necessary, and if it is already a FIPS-certified product, I don't think it is necessary to make additional confirmation, as these matters have already been confirmed. In addition, if we dare to make additional confirmation, vulnerabilities may be discovered after the product is certified, and due to the specifications of the product, rather than leaving the vulnerabilities as they are, we just need to confirm whether or not it is being used in such a way. I don't think it is necessary to confirm the detailed items in the previous table in the certification investigation. That's all from me.

Chairman Matsumoto: I don't think there is much difference in opinions here, but in the first place, I don't know much about FIPS140-3, and I wonder if the operation will change if it is adopted. I don't think it will, and I think it is compatible, but Mitsushio-san, please.

Committee Member Mitsushio: As you said. The point at issue is a little different from what you just said, but as I have told you before, when I asked the members of the Designated Investigative Agency, in the end they confirmed it with the FIPS 140 Level 2 or 3 certificate; they did not write it in the Electronic Signatures in Global and National Commerce Act in the past, so can't you write it in such a way? Like Mr. Urushijima, the Designated Investigative Agency does not check each item separately, so I wonder if it can be written in total; I think there is a little technical discussion of legal description, but I have such an opinion. That's all.

Chairman Matsumoto: Is it because there was a lot of consideration that HSM, which was not certified by Japan, could be used? Mr. Urushijima, please answer my question.

Committee Member Urushijima: As for the difference between FIPS 140 Version 2 and 3, I do not think there will be any particular change in operation. Since FIPS 140 Version 3 was released, relatively good consistency with Common Criteria has been achieved, and it only includes measures to address vulnerabilities. Therefore, I do not think there will be any significant difference in operation. Thank you.

Chairman Matsumoto: The products have improved, but the assumed operation is the same; I understand well. Committee Member Miyauchi, please.

Committee Member Miyauchi: I'm sorry to tell you a different story, but the problem is that there is no problem at all as long as Level 3 of FIPS 140-2 or 3 is taken, and the point is probably "equivalent." Therefore, considering the work JIPDEC has to do to confirm whether something is equivalent or not, I think it would be easiest to stop using "equivalent." What do you think? Now that it is no longer equivalent, in fact, the policy says that it is okay to keep it safe as a whole in the room, not as a device, but I actually started to think that I have to think a little about what to do about it, so I would like to ask for your opinion. That's all.

Chairman Matsumoto: The certified business operators only use certified products, but I would like to ask Commissioner Odajima.

Member ODAJIMA:

Chairman Matsumoto: Committee Member Urushijima said, "No, I'm all for it," but I think the JIPDEC conducting the survey would be the most troubled by the so-called "reasonable." In particular, I think it would be even more troublesome if it was said "reasonable" when it became FIPS140-3. What do you think? I may need to touch on what the current certification authorities are doing.

Committee Member Mitsushio: As you said. I don't know much about whether or not each company is using a considerable amount of money at the moment, so I think it's a confirmation in the end, but I think most of the people in the current accreditation and certification business are using FIPS, so I don't think there is a considerable amount of money in that case. On the other hand, the last problem here is from the viewpoint of industrial development. From that point of view, it should be a considerable amount in the upper rule, but in the lower rule it is only this now, so in the case of an addition, I think it will be considered separately, so I think I can escape from the technical aspect a little. I feel that if everything is made reasonable by law, there will be no industrial development, so I am a little concerned. I feel that it will be a way of writing the rules of the law. That is my opinion.

Chairman Matsumoto: In FIPS140, for example, if you want to include domestic cryptography, you have to turn off FIPS mode, and so on. Commissioner Urushijima, please give us your comments on what is appropriate.

Committee Member Urushijima: Regarding the products. For example, in the case of FIPS product inspection and certification, HSM experts will be able to judge whether the products are compliant or not. For example, I believe that JIPDEC is not an HSM specialist, so it will be difficult for JIPDEC to make a proper judgment based on the FIPS standards. Also, the new FIPS regulations require product certification to be renewed every five years, so I think it will be necessary to think about how to make a judgment after five years when there is no appropriate response. In that sense, I think it will be relatively difficult for Linux to conduct inspections on HSM products, and I think it would be good to leave the appropriate standards to a specialized agency.

Chairman Matsumoto: That's true, but the JCMVP's evaluation system for cryptographic modules, which could have been expected to act as a specialized agency, has been discontinued, so there is probably a separate issue of whether there is a specialized agency in Japan that can do it. As for whether it is OK to write "reasonable" as a system, although I mentioned industrial development capabilities earlier, in the first place, HSMs will be very important in the future, so I thought that I had to consider that as well. In terms of JIPDEC, "reasonable" is quite a problem.

Mr. Osawa, JIPDEC:

Chairman Matsumoto: Principles.

Committee Member Miyauchi: As Mr. Matsumoto just said, it is probably standard practice to leave the principle at a reasonable level, but the policy is actually decided, so I would like the secretariat to consider whether it is possible to say such a thing in the policy. For example, if it is written as an enforcement regulation, it is fine to say that it is decided by the minister separately, but I would like the secretariat to consider how it can be done in the policy. That's all from me.

Chairman Matsumoto: I think we have all of our opinions. What does the secretariat think?

Secretariat (Kita-Inoue): This is the Secretariat. Thank you very much for your discussion. As you said, among HSMs, most will use FIPS140-2 certified products in the first place, so I think that is what you discussed.

If I were to say anything further, I would say that there are various discussions on whether this is a rule or a policy to be established by the Government of Japan. As discussed in the previous meeting, I understand that the current policy is to select and write down only the requirements that are necessary. In that case, considering that the same sort of arrangement will probably be made this time as well, I think that whether it is possible to write something like using FIPS140-2 products in the policy is somewhat questionable in terms of legal and technical matters. At such a time, there are still some doubts about how to express 140-2 in the policies. As discussed so far, what I would like to confirm as a matter of fact is to use products that have FIPS 140-2 and to have them confirmed by a designated investigation agency, including JIPDEC. What kind of content should I write as a standard before having it confirmed? How to express the difference from 140-1 to 140-2 in the policies is something that we as the secretariat are currently struggling with, and I would appreciate it if you could give us some wisdom in that regard. That's all from the secretariat for now.

Chairman Matsumoto: In the end, it is a bit of a misnomer to say that it was abandoned for 20 years under FIPS140-1, but I don't know what to do about it, so in a sense, it is probably left as it is. Originally, something like the Japanese JCMVP would have worked, and it would have been better if it had been set as a standard and referred to it, but it didn't seem to have happened. It will be updated in the future, so I feel that I am facing difficult problems such as how to follow it and how to reflect the system of following it in the law. As a certification authority, I will repeat it a little bit, but I am most happy to just go as it is without much significance. I feel that a designated investigation agency like JIPDEC has also come up with a problem that is not a standard created in Japan.

Member ODAJIMA: Survey Sheet, as the Secretariat said, I think it is true that it cannot be directly stated. If anything, as an answer to the compliance example, the Certification Authority is checking and investigating with the expression of how many FIPS are used, so I don't think we can reach a conclusion for now, so I think we have no choice but to devise a little. As a matter of fact, I think it is unavoidable that it is 140-2 or more.

Chairman Matsumoto: I think we have all of our opinions, but we may not have a conclusion on how to describe it. Is that OK?

Mr. Osawa, JIPDEC: If I were to say in a word, I would like to ask you to write in a way that is easy to investigate or confirm and that is reflected in the policy. Therefore, I would like to ask you to write in a way that allows you to make various clear judgments without saying that it is appropriate.

Chairman Matsumoto: In the end, since the operation has been decided on the premise of FIPS140-2, even if there are things that can be covered by the operation and facilities, it will be substantially difficult if the repertoire becomes too large. As for FIPS140-2, since the required specifications have been clearly decided by the product, the operation can be done or decided, so when it becomes considerable, it will be different again, so I felt that it was substantially difficult to investigate. In reality, no considerable is the most peaceful, but since HSM will be used in various places in the future, I thought that there was probably an aspect that such places had to be nurtured as a Japanese industry.

Mitsushio: The Secretariat can't write it, so I just have a question. Can't this be written in ISO?

Chairman Matsumoto: ISO was also in the direction of being compatible. In the case of 3. There is no 2.

Mitsushio: Is it difficult?

Secretariat (Kita-Inoue): This is the Secretariat. First of all, I believe that there were no major objections to Level 3 of 140-2. After that, leaving aside the appropriate points and the operation of confirmation itself, we would like to continue to think about how to write it as a standard, so if you don't mind, I would like to ask for your advice again. If there are no additional comments, I would like to move on to the next point. That's all.

Chairman Matsumoto: ⑥ from the secretariat.

Secretariat (Yamanoe): This is the Secretariat. Regarding Direction ⑥, at the 2nd Review Meeting, it was discussed that it would be better to unify the standards of the Public Personal Authentication Act and the Electronic Signatures in Global and National Commerce Act, but the difference in specifications from the My Number Card needs to be considered. In addition, there was a discussion that it would be necessary to find a way to accurately confirm the user's intention and the confirmation of the valid electronic certification that has not expired, as they would be certified by the application log and database.

In response to the second review meeting, we would like to have additional discussions at this review meeting on what matters should be confirmed when certifying specific certification operations for Electronic Signatures in Global and National Commerce Act in the case of monitoring.

As I explained a little in the previous review meeting, in the first place, when users create key-pairs themselves, even if the user-signature verification code is sent to the certified business operator through telecommunication lines together with the paper application form, residence certificate, and certificate of seal registration at the time of application for use, if the certified business operator cannot identify the users, it is impossible to create an electronic certification. Therefore, in June 2003, the revision was made by adding Item (3) - 2 after Item (3), Article 6 of the Enforcement Regulations. After deliberation and confirmation, the certified business operator creates a user identification code and sends it to the users. At the same time when the users transmit the user-signature verification code, the certified business operator is allowed to transmit the identification code and user information to identify the users and send the electronic certification. Later, as Item (2), Paragraph 1, Article 5 of the Enforcement Regulations, a method of confirming the authenticity of users by electronic signatures related to the electronic certification issued in Japanese Public Key Infrastructure in April 2004 was newly added, and even though it is possible to apply, confirm the authenticity of the person, and identify the users only electronically, it is still necessary to identify the users by sending and receiving the user-identification code, and both users and certified business operators are burdened.

At the previous meeting of the Second Study Group, there was an opinion that while the methods allowed under the Public Personal Authentication Act should be considered in the Electronic Signatures in Global and National Commerce Act, it is necessary to organize in advance the handling of measures such as linking the application for issuance with the user-signature verification code and preventing falsification in the case where users send the user-signature verification code at the same time as the application for use of the electronic certification. Therefore, it is considered necessary to discuss what the certified business operator needs to confirm in response to the above opinion and what methods the designated investigation institution needs to investigate.

Based on the above, I would like to ask you to discuss the following three points regarding direction ⑥. The first point is, if the application for issuance of the electronic certification and the verification code are sent at the same time, how should the association between the application for issuance and the verification code be ensured and how should measures be taken to prevent falsification? The second point is, in line with the unification of certification standards, what standards should be established for electronic signatures attached to applications? Are there any other matters to be established as certification standards? The third point is, what should be confirmed when conducting a survey related to the certification of Electronic Signatures in Global and National Commerce Act? What methods are available? That's all the explanation from the secretariat. Thank you.

Chairman Matsumoto: users. On the other hand, the spread of Japanese Public Key Infrastructure and My Number Card seems to have already spread to almost all Japanese citizens, and if we take advantage of that, I think there will be discussions, including the issue that the way things have been done so far is not very reasonable. If you have any other opinions, please chat with us. Thank you, Imperial Household Committee.

Imperial Household Committee member: electronic signatures. Basically, do you mean JPKI or accredited certification services that are currently in use, with addresses and other information written on certificates? I believe that no one is opposed to that, and I intend to do it from the beginning. What I don't understand a little is that even if you say tamper-proof, you need to sign, right? If you put the application form for issuance and the user signature verification code together, put them together in some kind of format, and sign them, I think you can prevent tampering and make a connection, but I don't think you are trying to do something that difficult. Also, the second and first arrow mark in the middle of page 27 means that it would be good if there is a proper proof that it has not been tampered with. The second point is whether or not the person can be said to be the person himself. I feel that it is only now that Article 5, paragraph 1, item 2 of the Enforcement Regulations already states that identity verification is possible because it is a method that can be done with the signature of JPKI. I believe that Article 5, paragraph 1, item 2 of the Enforcement Regulations has been established on the premise that this can be said, so there is no need to worry about it here. That's all from me.

Chairman Matsumoto: It's not about this time, but it's more like the current way of doing things is the same because the environment of the signer is not defined in the first place. In fact, the JPKI signature is done with certificates, so I think it is said that it is tamper-proof. What do you think? In the sense that it is the same level as now, I feel there is no problem.

Mitsushio: In that sense, I believe that the rules in 2000 did not assume the use of smartphones. This time, I believe that JPKI and others are also assuming the use of smartphones, etc., but if we discuss in detail, we will have to consider various complex threats.

Chairman Matsumoto: itself.

Mitsushio: I think there are some. I don't deny that either. However, in that sense, I think it is OK to keep the same level for now. In that sense, I think it is necessary to continue to pay attention and watch what kind of threats there are, including JPKI, but now I think it is at a level where it can be used at the same level, including the level of so-called smartphones. That is all.

Chairman Matsumoto: In comparison with Europe, which is more deep-rooted than this story, the QSCD mentioned in Europe was not defined in Japan, so it was outside the scope of the Signature Act, and it was a problem including the circumstances in which users created key pairs, so it was originally a risk. On the other hand, this new one is equivalent. How about the problem of whether it can be investigated? Is it the same? From the certification business side, what can be done is probably the same? Odajima-san, isn't this discussed at the certification authority meeting?

Member ODAJIMA: users create their own private and public keys. Rather, CAs create them and send them safely, so it's not a very prominent discussion.

Chairman Matsumoto: However, it is possible that it will appear in the future when dealing with smartphones. In the end, the current trend in the world is toward putting it in smartphones, so there is a possibility that this way of doing things will be taken when talking about issuing certificates for smartphones, but in reality, such things as generating a key pair in the security module in the smartphone at this time should probably be considered.

Member ODAJIMA: I think this is exactly what Dr. Miyauchi just said, and if you create a pair of keys, digitally sign them at electronic certification in My Number Card, and associate all of them, I think this is the currently accepted method, and I think it will be fine. Therefore, I thought that we should continue to confirm what risks there are, including what is happening in the world, as Mr. Mitsushio mentioned earlier.

Mr. Osawa, JIPDEC: Designated Investigative Agency. You said that you are absolutely right and agree with what Dr. Miyauchi said. However, if I were to follow up on the point I requested in the materials from the secretariat, from the perspective of information storage, to what extent do accredited certification business operators need to store the evidence of JPKI's verification by OCSP, and to what extent do we Designated Investigative Agencies need to look at it, the requirements for how the OCSP response results must be stored are not written on the survey sheet, in the policies, or anywhere else. However, if we are to go into that, rather than a slightly new discussion, we have to discuss it from a different perspective, and I felt that this time we should sort it out as a new issue.

Chairman Matsumoto: Trail before, I understand it well.

Member ODAJIMA: I thought that books and documents would have to be kept, so I thought that if signatures are always verified when they are signed and when they are received by CAs, and the results of the signature verification are kept as evidence, it would be subject to the expiration date of 10 years. Is it correct to understand that the results of the signature verification that Mr. Osawa mentioned are in that category?

Mr. Osawa, JIPDEC: Yes, of course, I think it will be stored for 10 years in the end, but there are certain examples of the results of verification when certificates of certified certification services are digitally signed, and it is a fact that we have actually confirmed it in the investigation. However, regarding the results of verification of JPKI certificates, I believe that there are some points that have not been fully resolved in terms of what the business operator must leave and what we must leave as a concrete evidence.

Member ODAJIMA: I see. I understand.

Chairman Matsumoto: Even if I tried to follow this way, I recognized that there are things that I have not checked out yet due to the investigation.

In terms of the direction, it seems that JPKI will be considered to be included in the enforcement regulations of the Electronic Signatures in Global and National Commerce Act as it is, but I recognized that there are still some points that need to be considered in such a case, such as the investigation. Please explain the following point of contention (iii) from the secretariat.

Secretariat (Tonami): This is the Secretariat. On pages 30 and 31, we have reprinted the materials that were used in the previous review meeting. Regarding point (iii), regarding the use of cloud HSM, I am aware that the last time we received your opinion, you discussed that the use of cloud HSM is a CSP and the use of cloud HSM services in public clouds provided by HSM vendors is still difficult to be within the scope of certification. However, regarding the use of HSM installed in private clouds and the use of network-type HSM, we are aware that some of the issues may be covered because we, the competent ministries and ministers, such as designated investigation agencies, can conduct on-site investigations.

Regarding the use of HSM installed in private clouds and the use of networked HSM, I would like to ask for continued discussions on whether or not these two points can be accepted and what criteria are necessary if they can be accepted. On page 34 here, I am listing the opinions on this point of contention (3) from the previous second review meeting. I do not have much time this time, so if there are any corrections to this comment or any misunderstanding, I would like to ask for your comments later.

Regarding the points in bold on this page, we recognize that we need to pay attention to the discussion on the use of HSM and the use of networked HSM, which we would like to convey to the private cloud this time. This time, we have included the points in this section, and we have excerpted and republished them on page 35, but while the previous opinion is superior, we would like to limit the scope of the discussion to the HSM / networked HSM installed in this private cloud. That is all.

Chairman Matsumoto: It is quite difficult to discuss. Last time, there was a discussion about whether Net HSM and Cloud HSM are different, but Commissioner Urushijima, please take care of it.

Committee Member Urushijima: In the table, the HSM installed in the private cloud and the network-type HSM are grouped together, but I felt that this was a little rough. For example, there are probably cases where the network-type HSM is used in the certification facility room. For example, there are cases where the network-type HSM is used and operated from outside the certification facility room, so I thought that we should separate them properly and organize them.

When there is a possibility of HSM operation from outside the certification facility through the maintenance PC, I think it is necessary to confirm the usage environment of the maintenance PC. I think it is necessary to confirm a series of things such as whether the maintenance PC is used in an environment that prevents unauthorized operations, such as whether it is possible to properly manage entry and exit using an IC card, whether it is possible to prevent snooping, and whether it has operation records. I don't think such strange things will happen in the certification facility room, but if there is a case where maintenance is performed remotely from home, for example, there is no way to record entry and exit, so I thought it is necessary to consider such things in various ways. That's all from me.

Chairman Matsumoto: It is difficult. This is not about the Net HSM alone, but about the environment in which the Net HSM is located, or for that matter, not about the normal issue of certificates, but about the environment in which it can be done, such as key ceremonies and key backups.
Do you have any other opinions on Point (3)? It is true that the cloud operator of Net HSM and the private cloud, this is the same operator in either case.

Secretariat (Tonami): This is the Secretariat.

Even if it is a network-type HSM, we have received opinions on whether it should be used from inside the certified facility or operated from outside the certified facility, and how it should be used for maintenance. We are very sorry, but the secretariat has not been able to sort out the situation based on that. However, as for the secretariat's stance and way of thinking, regarding the high demand from business operators and the gap between certification standards other than Electronic Signatures in Global and National Commerce Act that have already been recognized and those of Electronic Signatures in Global and National Commerce Act that have not been recognized, we would like to see it addressed as soon as possible. Regardless of the point mentioned earlier that it is used for maintenance inside or outside the facility, if there is a particular high demand in the current general operation of certification authorities and if it is used in this way, we would like to hear your comments on the needs.

In addition, regarding the maintenance section, I believe that we will discuss not only point (iii) but also point (iv). Regarding the maintenance section, HSM also has a LAN port for maintenance, and I believe that it is necessary to sort out whether it is okay to take it out. Although it is difficult to mix points (iii) and (iv), I would like to hear your comments on the initial needs.

Mr. Osawa, JIPDEC: It seems that Mr. Urushijima agreed, but in order to clarify what Mr. Urushijima is worried about, there is a table on slide 47 that shows the appropriate organization of the Reita. Among these facilities, to what extent the use of the cloud or remote control is allowed, and if we proceed with this discussion, the organization will be a little faster, so I wrote a little.

Chairman Matsumoto: Rather than the most difficult task in the first place, I think it is how to handle the work that must be done in a check-and-balance manner in the certification facility room, including inspections and audits. Who is familiar with this point? As I mentioned last time, we need to discuss what kind of requirements there are for using something like cloud HSM in some form in the future, but I understand that we are not in a situation where we can discuss that much yet. I think it is about a new HSM, so in that sense, this member alone may not be enough.

Member ODAJIMA: I think it is a blessing for certification authorities to have more choices. It may not be easy to reach public clouds, but at least private clouds or network HSMs that are not public. There are concerns that Mr. Urushijima, Mr. Osawa and others mentioned earlier, so I would appreciate it if you could improve the resolution and organize them. That's all.

Chairman Matsumoto: Shared Service becomes, the more difficult the investigation becomes.

Mitsushio: When I was looking at this, I just felt that it was a little difficult to judge only at the level of private cloud and network HSM, and I think Mr. Urushijima probably mentioned that, but I think that the criteria for that will be decided if we don't lower the image of where we are connected and operate in the network configuration by one rank.

Chairman Matsumoto: Urushijima. In the case of HSM, which is not a Net HSM in the first place, I think that the HSM has a port for key ceremonies, etc. and a separate port for simply typing a signature, but I think that it is isolated and has a structure that requires you to enter the certification equipment room when you operate another port. How is the Net HSM handled?

Committee Member Urushijima: I don't think it will change that much.

Chairman Matsumoto: This network map doesn't cover that area.

Committee Member Urushijima: That's right. So it's either directly connected to the CA server by PCMCIA or by Ethernet. Usually, when using a net HSM and a CA server, a firewall or something like that is installed in the front of the CA server in a place where it cannot be connected from a strange device.

Chairman Matsumoto: That's the story of the most secure, which is that it depends on the Architecture of the HSM, and it's hard to explain. Since the RA is remote, you can remotely request a signature on the HSM, but you can't update the key, such as backing up the signature key. When you update the key, you probably have to have enough people to do it. I don't know much about it, but there is a similar DNSSEC root zone key update, and in the past, all the authorized people went to the site to update the key, but now they do it remotely. It seems that they can do it without all of them. It seems that they do it without all of them being there. I wonder how they do it.

Committee Member Urushijima: For example, the HSM is connected to the network in this figure, and the network type HSM has something like an operation numeric keypad, and it is operated by more than one person by inserting a dongle or typing a key code.

Chairman Matsumoto: However, in terms of hosting, rather than this area becoming more complex, the more shared services become, the more difficult it is to investigate.

Mitsushio: As you said earlier, for example, in this network diagram, you said that the key ceremony would probably not change, so I don't think this is written here, but I believe that the key ceremony will be held in a proper place. If you sort out those things a little, to be honest, I don't think there will be much change, but I have not seen all of them, so I think it is necessary to sort out those things so that you can clearly see where the difference really is. That's all.

Chairman Matsumoto: keys, how to keep a trail, etc., it is a little difficult to explain only with this diagram. This is rather close to the diagram during normal operation.

Member ODAJIMA: You are absolutely right, Matsumoto-san, and I think it is a diagram for normal operation. There is no backup, such as a key update in the CA's issuer signature.

Chairman Matsumoto: Actually, the most important aspect of security is the key update. Are there any other points of contention? As mentioned in the previous report, this is the issue of how to operate CA in the cloud. I believe that something that can be done in some way is being considered, but I think that there is a possibility that HSM will have to be created for it.

Secretariat (Tonami): In addition to this figure, in the case of a key ceremony, in the case of a general key ceremony, and also in this figure, there is not only a single line from the HSM, but I would like to ask for your opinion on whether it should be done by properly distinguishing the line at the time of key generation, such as for maintenance, etc.

The Secretariat does not have any knowledge on how to use HSM from the committee members, so we would like to have additional knowledge on how HSM is actually used. In some cases, we would appreciate it if you could share an image of such a place with the Secretariat by e-mail, as it would enhance our understanding. However, I would like to ask you to continue to comment on what you would like to say here today, as I would like to refer to what you would like to say in this open forum of the review meeting and in compiling the future policy.

Chairman Matsumoto: I thought there were still a lot of things to consider, including HSM for private clouds.

I would like to ask the secretariat to explain the following point (iv). This is also a slightly very wide area, so the discussion may diverge, but I appreciate your cooperation.

Secretariat (Tonami): This is the Secretariat. Regarding point (iv), as I repeated this document last time, each of A, B, C, and D was to bring the certification authority equipment to the cloud. Also, the point was to what extent remote control is allowed for this.

The points of discussion were divided into A, B, C, and D. Discussions were also divided into several points of view. Among them, discussions have progressed a little and can be organized. In addition, there is still a lack of early discussions to define the direction. Therefore, this time, I would like to proceed with the discussions in the form shown on page 40, taking into account the high and low needs and the progress or lack of progress in discussions.

Specifically, we would like to ask you to first confirm the organization of the use of certification authorities in their repositories, which is highly needed, and then confirm and supplement the organization of the investigation and examination methods, such as the ISMAP and ISMS cloud certification systems. After that, if you have time, we would like to ask you to continue the discussion based on the opinions of the second review meeting on the use of certification authorities in maintenance and operation and other matters.

The secretariat will explain the theme of use (A) in this repository, so I would like to return it here, and after the discussion on 4-1 of (A) is over, I would like to explain the rest. 4-1 Regarding the use in the repository of the certification authority, in the previous meeting, there was a discussion on the direction that the repository of the certification authority is basically required to be available and the risks related to confidentiality and integrity are limited, and there was a talk that there are few problems in using it in the public cloud. Below this, I have written confirmation matters, but in order to summarize the direction of using the public cloud service in the repository of the certification authority, I would like to clarify these two points.

The first point is, is there really no problem even if we do not require the cloud to be safe and secure, such as ISMAP, ISO 27017, and other systems related to cloud service security certification, because we really only require this availability? The second point is, in the operation of certification authorities so far, such things as backup servers have been done on a voluntary basis, so when it is used in the cloud, there is no need to require availability standards such as redundancy. There are two points that are described here. The secretariat would like to confirm these confirmation matters, so if there are any other points that should be discussed in addition to admitting the use of certification authorities in repositories, please comment separately. That is all.

Chairman Matsumoto: In this regard, the needs are a little high and the risks are limited, so I would like to come to a conclusion as close as possible today. Please give us your comments, Mr. Odajima.

Member ODAJIMA: First of all, as for the order of priority, (A) was the highest in the opinion of each certified business operator. As for availability, I believe that using the cloud is the intention in the first place, so I have no particular objection to that either. In the confirmation matters section, I don't think it is necessary to require ISO27017, such as ISMAP, for public cloud services. I don't think it is required to that extent as a repository. On the other hand, information necessary for signature verification is posted in the repository, so I think the certification authority is fully aware of the importance of the repository. That's all.

Chairman Matsumoto: ? Thank you, Mr. Urushijima.

Committee Member Urushijima: Since the and others do not require such security certification. However, at that time, I believe that some security measures are necessary separately, for example, encryption measures are taken for such information, such as highly confidential logs. I thought it would be better to confirm that in the investigation. Thank you.

Chairman Matsumoto: .

Mitsushio: Is this (A)? In short, is it okay to understand that Mr. Urushijima's current log cannot be entered? I have made comments before, so it may be the second time, but as you know, I think it is OK to say that ISMAP management standards are not required for non-confidential items in NISC unified standards, and in that sense, I think it is better to do so.

As for the second one, it is certainly better to ask for redundancy and availability. However, according to my understanding, the cloud vendor probably does not have SLA settings for availability. In fact, redundancy in the cloud has various levels, such as using availability zones, regions, and multiple different clouds. So, I do not intend to ask for such a difficult thing at all, but I thought it would be okay to write something at the level of asking them to do something normal like creating at least two availability zones. That's all.

Chairman Matsumoto: For certification business operators, the availability of repositories is really the most important, so I thought it would be normal to look for availability from the perspective of how to reasonably realize it in terms of cost. Do you have any other opinions?

Secretariat (Tonami): This is the Secretariat. First, regarding the security certification system for security cloud services, I believe that we are currently discussing the direction that it is not necessary to require it, but I believe that there are measures that have been implemented by general certification authorities under the current standards, even if it is not explicitly required. I believe that such a point means that it is fairly safe for users of major CSPs, but in the absence of such standards, there are cases where very low-level services are used, and I would like to receive a few comments again on whether there is a risk in such a case, and the Secretariat would like to set the standards and direction after we are relieved about that point. I hope that you will discuss this point a little more.

Chairman Matsumoto: How about this? Go ahead, Mr. Mitsushio.

Mitsushio: You are absolutely right. I am not asking for (A) at all with the first one. In that sense, I am asking for (A) because security is CIA. That is not equal to ISMAP. In that sense, I also wrote the second one in small letters. As for the level, I think it is natural to assume a minimum of multiple availability zones, so I am asking for (A) around that level, although I am not sure if it is that level. That is all.

Chairman Matsumoto: From the standpoint of certified business operators, as Commissioner Odajima mentioned earlier, I believe that certified business operators believe that using existing cloud services will increase their availability. Rather than creating a system that does not stop at all for 365 days by ourselves, we believe that cloud services are basically easier to maintain availability because they are shared services, so it is a bit of a misnomer to say that it will get worse than it is now. Based on that view, I understand that there is a high need for (A). Is that okay?

Member ODAJIMA: Matsumoto-san. In terms of availability, I think the cloud is higher than the on-prem, so there was a talk earlier that there is a possibility of choosing a low-quality one, but in that case, there is no point, so I don't think there is such a thing.

Chairman Matsumoto: From the perspective of certification business operators, the confidentiality of the facilities for operating certification authorities mentioned earlier is generally higher than that of the cloud, and conversely the availability of the cloud is higher, and I think what lies behind this is that services should be created by combining the two well.

Member ODAJIMA: At the very least, I think the information for verifying signatures is very important. Furthermore, if it leads to the government public key infrastructure, I think we have a responsibility.

Chairman Matsumoto: I understand. I did not think there was any room for discussion on this point, but I think there is still such a thing as how to incorporate it into the text, but I think the direction is almost the same. Is that okay?

Mr. Osawa, JIPDEC: I am sorry for my lack of insight, but how can we confirm it when an operator tells us they will use multiple availability zones? If it is Amazon Web Services, does it mean that such a thing is written in the specifications? Is that correct?

Committee Member Urushijima: Since the specifications are probably unknown, I think we will check based on the system design documents such as where the certified business operator is using the availability zone.

Member ODAJIMA: yet, but I think it's as you just said.

Mitsushio: So please show me the setting screen. I think there are design documents at the level before that. In the end, from there onward we trust the cloud, but I understand that if there is a setting screen, that's fine. That's all.

Member Miyauchi: I think you are generally right. That is true for AWS, but is it okay if it is a cloud that Miyauchi personally operates? Is it okay not to worry about such things?

Mitsushio: On the other hand, I do not think there is anything that cannot be confirmed at all. It can be a command line; it doesn't have to be a pretty GUI like a configuration screen, but if you can't see something, you can't actually configure it.

Member Miyauchi: That is a necessary condition, but I am asking whether it can be said to be a sufficient condition. Even if there is a setting screen, I don't think we know how things are actually operated internally according to it.

Mitsushio: You are right. Whether or not it is really set on the back side of the setting screen comes down to trusting the cloud.

Member Miyauchi: It's all right to trust it, but I asked because I was wondering how it was.

Mitsushio: I think it's an important topic. It's difficult.

Mr. Osawa, JIPDEC: It is very hard when difficult burdens come to us.

Mitsushio: I'm very aware of that. I'll think about it for a while, but I need someone to help me.

Mr. Osawa, JIPDEC: If someone with the knowledge could provide specific information, such as "if there is a minimum requirement to be confirmed, like having multiple availability zones, we can confirm it in this way," and if such a condition is acceptable, I thought we could deepen our consideration here. Thank you.

Chairman Matsumoto: If you actually design it, I think you can see it a little more.

Mitsushio: Availability Zone at this point. In that case, I don't think there is a need to confirm that more than one Availability Zone is being used. I don't think there is a need for further confirmation once I see on the system design drawing that more than one Availability Zone is being used.

Chairman Matsumoto: It is a little painful to discuss here. I think it is just a matter of taking such a choice.

Secretariat (Tonami): If that is OK, I think the problem lies in the fact that the definition of the term "cloud service" has not been established in the first place. I believe you are also discussing the use of a general cloud service provider, but I would appreciate a few more comments on what should be done when a non-general cloud service is brought in, whether it should be rejected as inappropriate, and what the criteria for rejection are. What do you think?

We don't have much time, so I would like to ask you to send the remaining issues by email later, or the secretariat will hear from you individually. So, I will not discuss the remaining issues today; the secretariat will contact you again, so please wait for that. I would like to wrap up this discussion to some extent and then close for today.

Chairman Matsumoto: I guess you're going to declare that some degree of availability is guaranteed in this way.

Mitsushio: Matsumoto-san, I feel that it is nothing but a statement. No matter how much I dig into it, what is happening with IT in the end will be the same story as the world at the highest level of CC, so it is not realistic. If it becomes a statement, it depends on who makes the statement. In that sense, including the question of how to make the statement properly at the top management level as an organization, in terms of the recent certification method, even if I narrow down the details there are too many variations, and I don't feel there is a final answer. In that sense, I think the somewhat close-to-the-basket aspect comes down to the fact that management, which was the first story, properly declares that it will do this seriously. That is all.

Chairman Matsumoto: Availability also comes down to a cost trade-off, so I think it's common in the world to do things in a certain way, and the point of arrival is determined by the cost trade-off.

Member ODAJIMA: 's position, but I believe we have a necessary duty with regard to repositories, especially signature verification environments. When it comes to bringing them to the cloud, we do not intend to use a cloud that is, regrettably, unable to ensure availability at the very least. Basically, we will prepare something that can be used, I think. As Mr. Mitsushio mentioned earlier, if we go into the details it will be a bottomless swamp, so basically we will ask the certification authorities to confirm that they are doing this as a declaration, and we will settle on that. That's all.

Chairman Matsumoto: SLA.

Member ODAJIMA: If you have an SLA, I think you can say that the SLA is about this much, but if you set it too strictly, it will become a real quagmire, so I think you should not do that.

Secretariat (Tonami): Thank you. From today's discussion, I believe there is no problem with continuing to allow the use of cloud services for certification authorities' repositories and requiring a certain level of availability in that context.

So, I think there are some points that need to be clarified a little more in terms of how the competent ministries and agencies or designated research organizations will confirm this as evidence. For example, I believe that we will confirm the self-declaration, SLA, and the operational performance of the cloud service that we are going to use as evidence, which Commissioner Odajima mentioned earlier. In this regard, I would like to ask for your continued wisdom as we work out specific standards. In addition, even after the direction of this report is finalized, I believe there will be some consultations with you during the work of finalizing this report, so I would appreciate your cooperation in that case. Finally, I would like the secretariat to explain the schedule after this.

Chairman Matsumoto: Now, could the secretariat please explain the next meeting and the schedule going forward.

Secretariat (Yamanoe): This is the Secretariat. I will explain from page 52 of Handout 1. Based on today's review meeting, the Secretariat is considering setting the fourth review meeting for January 17. The meeting will be held from 10:00 a.m. to 12:00 p.m., and the Secretariat will send the review meeting materials again, so please share them with us as needed. That will be all for the Secretariat's explanation. Thank you.

Chairman Matsumoto: Yes, I don't think there is anything further in particular, so I would like to end here today. Thank you very much for the lively discussion today. Now, I would like to close today's third review meeting on modernizing Electronic Signatures in Global and National Commerce Act certification standards. Thank you all very much.