
This page has been translated using TexTra by NICT. Please note that the translation may not be completely accurate.

Fourth meeting of the Study Group on Modernization of the Electronic Signature Act Accreditation Standards

Overview

  • Date and Time: Friday, January 17, 2025, 10:00 to 12:00
  • Location: Online (live-streamed via Microsoft Teams)
  • Agenda:
    1. Opening
    2. Business
      1. Summary of the Direction of Modernization
    3. Closing

Material

Minutes

Secretariat (Yamanoe): This is the meeting on the Electronic Signature Act Certification Standards. Ladies and gentlemen, thank you very much for taking the time out of your busy schedules today. I will serve as the secretariat. My name is Yamanoe from the Digital Agency. Nice to meet you.

First of all, the secretariat will check the materials. There are two materials in total. The first is the agenda, and the second is the report (draft) of the 2024 Study Group on Modernization of the Electronic Signature Act Accreditation Standards. Today's materials are also posted on the Digital Agency website, so please check them there. I would now like to ask Chairman Matsumoto to proceed with the meeting. Chairman Matsumoto, please go ahead.

Chairman Matsumoto: Thank you very much. I would like to ask for your continued support today. Now, I would like to move on to Agenda 1, and I would like to ask the secretariat for an explanation.

Secretariat (Yamanoe): This is the Secretariat. I will explain according to Reference 1. (The explanation of the Reference is omitted.)

That's all the explanation from the secretariat.

Chairman Matsumoto: Thank you very much. Now, I would like to begin the question period. I have received a written comment from Commissioner Mitsushio, who is absent today, so I ask the secretariat to read it on his behalf.

Secretariat (Yamanoe): This is the Secretariat. I have received three written comments from Commissioner Mitsushio, so I will read them on his behalf. Thank you.

First, regarding Point (1): I think that the standardization of security governance under ISO/IEC 27014 is also a major direction, and I think that ISO/IEC 27014 should also be mentioned when strengthening risk assessment and response.

Regarding the second point (3-7), although I am not able to indicate the direction this time, I would like to promote the study on the arrangement of the legal structure of the Electronic Signature Act as soon as possible. As an example, considering that IT solutions are not developed only in Japan but are promoted globally, it is necessary to consider how to deal with the difference between electronic signatures under the Electronic Signature Act established in 2000 and the services generally called electronic signatures that are currently used, and the difference in the definition of electronic signatures between Japan and the United States as described in the Japan-U.S. Digital Trade Evaluation.

Regarding the third point, the Government of Japan agrees with the direction stated in the Report with regard to 3-1 to 3-6. On the other hand, the Government of the United States recognizes that it is necessary to revise the descriptions at the level of the Investigation Sheet in order to certify accredited certification services. Therefore, the Government of Japan requests the Government of the United States to take concrete actions based on the direction of the Report and to revise the level of the Investigation Sheet while sufficiently listening to the opinions of the current accredited certification business operators.

These are the three points. Thank you for your help.

Chairman Matsumoto: Thank you very much. I thought those were reasonable points.

Let us now move on to questions. If you have any questions or comments, please indicate so in the chat, and I will call on you from here.

Commissioner Miyauchi: I would like to ask a few questions. The last sentence of 3-1 was a little difficult for me to understand in Japanese. Before it, the text says that there is no need to establish a new provision. On top of that, I was not able to understand what exactly "this will be clearly reworked" is saying, so could you please explain?

Secretariat (Kita-Inoue): This is the Secretariat. Thank you for your point, Dr. Miyauchi. As you pointed out in your conclusion, this point is not established as a provision. In the first place, what has been required so far became clear when I reconfirmed the standards and other matters, so if we requested it again here it would be a double request, and so I do not think there will be a provision itself. However, since it is already required, it is not at all the case that it cannot be written in the policy and plan for responding to such risks, because clarifying responsibilities and authorities with such emergencies in mind is separately required. Rather, it is not at all excluded that the policy and plan for responding to such risks describe which responsibilities and authorities are clarified at such times and which processes are used internally. Rather, it is recommended and preferable to be able to see the whole picture of the policy and other matters. That is all for the explanation.

Commissioner Miyauchi: What follows "On top of that" does not refer to this framework but means that each company is doing it individually. I couldn't read it in one pass, so it might be better to reconsider the wording a little.

Secretariat (Kita-Inoue): Thank you, I understand. Thank you for pointing it out.

Commissioner Miyauchi: In 3-2, it is stated that this is the case at the present point in time. For example, do you intend to establish a transitional measure, such as setting a level equivalent to FIPS 140-3, and until when is this acceptable?

Secretariat (Kita-Inoue): Thank you. I believe that this will depend on what happens when we specifically incorporate it into the standards, so I would like to decide how to write it after consulting with the person in charge of laws and regulations within the organization.

On the other hand, as I mentioned in the first part of this document, regarding the administrative notice issued in June last year, there are indications that this is the standard, but on the other hand there are also places where the standard has not been revised. I believe there are various ways to write whether or not Security Level 3 of FIPS 140-3 will be established this time, so I would like to take that away and think about it.

Commissioner Miyauchi: If FIPS 140-3 were still to be completed in the future that would be one thing, but even though it has already been completed, I think the previous one would also need a provision on what to do, because there is a history, so please consider it a little.

Secretariat (Kita-Inoue): Thank you.

Commissioner Miyauchi: Also, I looked closely at this table about one third of the way down page 15, and I think this service provider is what is called a certification authority. In the figure on the left, in item 4, in short, I think "authorization" means issuing and sending an electronic certificate.

And number six is to verify validity, but I don't think the certificate itself is sent here. I think only the issue number of the electronic certificate is sent, so I think it's better to review everything and write it correctly. Is that okay?

Secretariat (Kita-Inoue): Thank you. This is the same as the document I submitted at the 3rd meeting, but I believe that this figure has been discussed in various ways. It is true that if "authorization" is written in the style of laws and ordinances, it may mean something different, so I will review the accuracy of this figure once again to make it as detailed and easy to understand as possible and to prevent any inconsistency.

Commissioner Miyauchi: That's right. If it was received in 3 and registered in 4, I think an electronic certificate was probably issued there and sent, so I would like you to check it.

And in the text below that, from the end of the fifth line of (2) Direction of Response, it says "③ Securing," but I think the ③ at the top means that the private key is not available to third parties. The ③ in the fifth line that I am talking about now should be saying that we should not receive public keys from anyone other than the user. When the user sends us a public key, it would be terrible if someone else sent us something we do not have and a certificate were made from it, so I think there is a subtle difference between the ③ at the top and the ③ at the bottom. I think it is necessary to rewrite it so that verification codes are not received or accepted from anyone other than the person himself. Could you please check it and consider it?

Secretariat (Kita-Inoue): Thank you.

Commissioner Miyauchi: There are one or two more details. In the middle of page 10, in the books and documents of the Certification Authority, in the second arrowhead item, it says that the original is still there. Is there a concept of an original in electronic information?

Secretariat (Tonami): Thank you. In this regard, the purpose of the section after "Note" is to clarify that the information disclosed in the repository of the certification authority may be placed in the cloud. At that time, some of the documents disclosed in the repository are required to be stored under a separate provision, the provision on the storage of books and documents. In order to ensure consistency with the provision on the standard for storing books and documents, the documents disclosed in the cloud are the same as the documents disclosed in the repository. In addition, for the storage of books and documents, a storage format is required to ensure the compatibility of recording media. It is not always necessary to secure such information in the cloud; it is sufficient if such information is properly secured at hand.

Commissioner Miyauchi: I think "original" has legal implications, such as the original copy of a judgment or the original copy of a notarial deed, so when you say "the original copy," if you could write it in a better way where possible, there may then be no one who thinks the way I do.

Secretariat (Tonami): Thank you. I believe that the minutes of this exchange will clarify things to a certain extent, but I would like to consult with you after considering whether I can make a little more effort regarding calling it an original.

Commissioner Miyauchi: In addition, there are markers such as bullets and arrowheads, but I would like to avoid citing them by "which number," so I would like all of them to be numbered, such as A-I, A-B, A-C, A-D, etc., if possible. There are quite a lot of sentences like this, and I am sorry that it is very difficult to do, but I would like to encourage you to do it. That's all from me.

Chairman Matsumoto: Thank you very much, Commissioner Miyauchi, for your various comments. Next, I would like to ask Mr. Urushijima for his comments.

Mr. Urushijima: This is Urushijima. Since Commissioner Miyauchi also went through all of his points, please allow me to comment on all of mine as well.

First of all, could you please display (2) Direction of Response in the risk assessment on page 3? Regarding information security risk response, I do not think it is desirable to have a risk assessment as for a general information system. For example, WebTrust for CA and the CA/Browser Forum requirements, as well as ETSI EN 319 401 in Europe and the Adobe Approved Trust List (AATL), which are widely used industry-standard requirements for certification authorities, require regular risk assessments. The Signature Act lacks such a requirement, so I recall that the starting point of the discussion was to add such a requirement from the viewpoint of equivalence, with a view to mutual recognition in the future, and I think it would be better to write that.

In this table, ISO 27000, the METI management standards, SP 800-53, ISMAP and the others are not mandatory requirements for Signature Act certification. It would be strange if certification could not be obtained without these certifications. Therefore, I would like to request that the table itself be revised.

In addition, WebTrust and the CA/Browser Forum requirements are standards used by other certification authorities, so I think it is better to compare against them first (they are not described at present).

Also, you said that risk assessment will be conducted on a regular basis, but this is also a requirement for other companies, so I would like you not to forget to include the word "regular."

Also, regarding ETSI EN 319 401 in Europe, although this is a policy requirement for certification authorities, I think it would be better to add its title, because the reader cannot easily understand why it is included in the comparison table from the number alone.

That's all for the comments on the risk assessment. Should I discuss something? Or can I continue?

Secretariat (Kita-Inoue): This is the Secretariat. Thank you very much. You raised several points regarding 3-1, so first of all the secretariat would like to respond.

First, regarding the background and premise of the first point, I believe that in (1), in consideration of domestic and international standards, there were some parts that were written relatively loosely, so I would like to take that away and think about whether it is possible to write them down in a little more detail, but I will tell you that they were not written without paying attention to such things at all.

The second point is that each standard or specification described in this figure is not absolutely necessary. We do not request that any be absolutely necessary. Therefore, in the second paragraph on the fourth page, at the end of the section that starts with "first," in the section on what to actually do, we confirm that there is a policy and plan for responding to risks, such as a risk assessment, or that the operator has obtained a related third-party certification. We believe this wording clarifies that it is not necessary to adopt something from what is written here (the standards and specifications).

The third point is that you pointed out that it is important that risk assessments are conducted on a regular basis. As I stated earlier, in the paragraph starting with "first," I used the phrase "in a timely manner," which I intended to express, but I would like to respond by changing the phrase "in a timely manner" to "on a regular basis."

As for the last point, as with the first, I think there were some parts that were rounded off based on domestic and overseas standards and specifications, so I would like to consider whether it is possible to write them down in a little more detail, while taking care that the expression does not become too redundant.

Mr. Urushijima: This is Urushijima. Could you please display the top of page 5, 3-2? From around the second line, it is written that the reliability of the data can be ensured by verifying that the data has not been tampered with and that it is linked to the verification key. However, I think there is a slight misunderstanding that this alone, the chain of signatures, can verify the certificate. Since the certificate cannot be verified without properly verifying the additional information described in the certificate, I thought that it is necessary to describe such matters accurately. That is all for the first item of 3-2. What do you think?

Secretariat (Kita-Inoue): This is the Secretariat. Thank you very much. As you said, I think this is to prevent strange misunderstandings, so I would like to think about what more we can do.

Secretariat (Tonami): Thank you very much. I would like to comment as well. I believe that it would take several pages to properly explain the extent of electronic signatures, digital signatures, public key cryptography, and PKI. I believe it is a question of how far to go, but I would like to review the wording so that it can be understood that it is not just about the elements written here.

Mr. Urushijima: This is Urushijima.

Chairman Matsumoto: Thank you very much. With regard to your comment, there is a considerable gap in understanding between the primitive verification of public key cryptography and the verification of the policies included in X.509 public key certificates, so I thought it would be better to include something.

Mr. Urushijima: This is Urushijima. Regarding the table on the lower part of the same page, there is a column of problems with FIPS 140-2, but I think there is a slight mistake in the description of the certification there. My understanding is that five years after certification, anything that is not renewed becomes historical. According to the current description, by September 2026 all FIPS 140-2 certifications will become historical, and I think there will be a misunderstanding that there is nothing historical until then. There are already historical products, and some of them are historical because they are already five years old, so I think this description itself is a little wrong. I thought it would be better to check it and revise it a little.

Secretariat (Kita-Inoue): Thank you. This is the same as in the first report, but I would like to confirm it just in case. Thank you for your comment.

Mr. Urushijima: This is Urushijima. Regarding 3-4, it is the second arrowhead item on page 10. It is written that even with OCSP, the cloud may be used only for the part that requires only availability, but I don't think the meaning can be understood as written, and I thought it would be better to replace it with the footnote, because the footnote clearly states what to do. That is the first one. What do you think?

Secretariat (Tonami): Thank you. This section was written based on Commissioner Urushijima's comments, but the content of the footnote is not that long, so after giving an example I would like to respond by integrating the footnote into the text, such as "even in the case of OCSP, limited to the parts where only availability is required, such as placing signed OCSP responses on CDNs, etc."

Mr. Urushijima: This is Urushijima. The next is the last. On the same page, at the bottom of the footnote, there is a reference such as a section number of the survey sheet, but I believe it has an official document name, so I think it would be better to state that first.

In addition, I remember that the survey sheet itself was not made public, and I think that readers will not be able to understand unless the contents of the section numbers are supplemented, including what they are. I would like to ask for your consideration. That is all for my final comment.

Secretariat (Tonami): Thank you. I would like to comment on the last point, about the survey sheet. The official name is "Survey Sheet on Accreditation of Specified Certification Operations," and where the term "survey sheet" is first used, I will write the official name and use this term as an abbreviation.

In addition, the survey sheet is disclosed on the website of the designated investigation institution.

Mr. Urushijima: That's all. Thank you.

Chairman Matsumoto: Thank you very much, Commissioner Urushijima. Do any other members or observers have any comments?

Odajima: Regarding the report, I am grateful that you have reflected various opinions. I would like to comment from the standpoint of an accredited certification business operator.

First of all, on point 3-1. I have looked at the conclusion and have no particular opinion on it. Please just let me confirm whether it is OK to conduct the survey at the time of the next certification renewal. What I mean is that I do not think this is something that would correspond to a change certification. Also, on that premise, I would like to ask for clarification in the survey sheet mentioned earlier.

First of all, as a confirmation, is it correct to understand that this will be done during the on-site inspection at the time of the certification renewal, and that it does not constitute a change certification?

Secretariat (Kita-Inoue): Thank you. This is the secretariat. At the moment, we do not expect to ask all of you to apply for a change certification at the same time, so we hope to establish appropriate transitional measures along those lines.

Odajima: Next, I would like to ask about point 3-2. As for the conclusion, I believe that it is written based on the results of consideration given to certified certification business operators. In particular, I would like to thank you for the consideration given to mutual recognition in the GPKI, including the fact that the crypto migration was set for 2028, as well as the current historical issues of FIPS 140-2 and the fact that there is currently not much room for choice in FIPS 140-3. On that basis, I believe that each company will respond appropriately. I do not particularly ask for an answer.

With regard to 3-3, I have confirmed once again that many business operators are not ready to make a decision on cloud HSM, and that there are hurdles in ensuring the current level of confidentiality when making a decision on cloud HSM. This is as stated, but I hope it will be reviewed in a timely manner in the future. This is also not a request for an answer.

Next is 3-4. First of all, the repository should be approved, and I would like to thank you again. Also, regarding B to D, I am not asking for a hasty conclusion, and I do not think there are any particular objections to the need for confirmation in the future. I believe that various policies and other matters may change depending on the future state and environment, so I hope that you will consider such matters in a timely manner and revise them if necessary. This is also not asking for answers to specific questions.

Also, it is 3-5. Regarding this conclusion, I do not oppose automation in particular. In addition, I believe it is as written in the supplement. Even in the case of automation, I agree with the necessity of taking necessary measures to ensure that the process does not become vulnerable to cyberattacks, such as ensuring the necessary strength of the identity verification. I do not ask for an answer either.

The last point is 3-6. I have no particular objection to the conclusion itself. As Commissioner Miyauchi pointed out earlier, this figure may be difficult to understand, but at least ③ is as Professor Miyauchi mentioned earlier, and I think the meaning of ③ is slightly different from that of ③ in the case where a so-called certified certification business operator creates a user's signature code. In the end, in this figure, I think the service provider, the certification authority, issues an electronic certificate. The electronic certificate itself is something that can be disclosed, something that is supposed to be disclosed, and something that will be given to the other party, so if ③ is read as it is, I think that is what it means. I think it is as Professor Miyauchi mentioned earlier, but I think it would be good to review the description. There is no objection to the conclusion itself. That is all for 3-6. What do you think?

Secretariat (Kita-Inoue): Thank you for your point. I may have to repeat my previous answer, but I would like to take it back and think about it so that the description is as appropriate as possible.

Odajima: That's all from my side.

Chairman Matsumoto: Thank you very much. You have already given us your comments. Do you have any comments, JIPDEC or other observers? Is that okay?

Mr. Osawa (JIPDEC): I don't think I have any particular reason to make a statement here. I have already made a comment to the secretariat.

Chairman Matsumoto: Thank you very much. Do any members have further comments after hearing the other members' opinions and the replies?

Odajima: I would like to ask the secretariat about the schedule after compiling this report, for example for laws and ordinances, and when the certified certification business operators will finally need to start responding to the revision of the survey sheet. I would appreciate it if you could tell me, if you know at this point.

Secretariat (Kita-Inoue): Thank you. This is the secretariat. In regard to this report, the committee members basically agreed with the conclusions on the points raised. However, some members pointed out that there might be more appropriate expressions in the way the report was written and that there might be some factual errors, so I would like to review such expressions. In the end, I believe the report will be finalized after consulting with the chairman. Conversely, I do not expect that public comments will be sought on this report itself in the future.

Based on the report by the Study Group, I believe it will probably be written in the form of a rule or a lower-level document, but we, the government offices, will think about revising those parts, and we will listen to the opinions of the public, including the people of Japan, in the form of public comments, and finally we will revise the relevant documents, including the relevant laws and ordinances, in the overall process. In terms of the overall timing, I am afraid that the specific provisions have already been made, and in fact we are not at all in a situation where we will be able to seek public comments immediately from tomorrow. Based on today's discussion, we, the secretariat, will think about it, so I think it will take a little time, but I do not intend to extend it unnecessarily, and I would like to advance the process as firmly as possible before the summer. Based on that, from the perspective of the response by certified business operators and others, as written in the other part of 3-7, I believe that 3-3 to 3-6 are not asking for something but rather admitting that such a way is good, and at this point I assume that this will be done promptly without any special transitional measures.

On the other hand, with regard to 3-1 and 3-2, I believe that it will take a certain period of time to respond, so we will set an appropriate transitional period. I cannot predict the specific timing at this point, but considering the situation of certified certification business operators and the possibility of equipment replacement due to HSM and other factors, it may be my personal guess, but I believe that there may be at least one year, so I would like to set an appropriate period based on such considerations.

Odajima: I understand very well. Thank you very much. That's all from me.

Chairman Matsumoto: Thank you very much. First of all, regarding the report, I understand that there will be public comments on the subsequent revisions. Thank you very much. How about others?

Mr. Urushijima: This is Urushijima. Can I add just one point? At the top of page 16 of the report, at the very end of 3-6.

It is written that OCSP responses are stored by existing certification business operators, so it is OK. However, even if OCSP responses are not stored, in the future I think it is possible to confirm via an API, for example, and decide that it is OK based on the result that it was OK. Since such an API for confirmation can be used, I thought it would be better not to store OCSP responses at all. In that sense, I thought it would be better to make it clear that the method is not limited to storing OCSP responses. That is my additional comment. That's all.

Chairman Matsumoto: Thank you very much. That's quite a difficult question. What about the others? Is that all right? If you don't have any comments, I will conclude the questions on agenda item 1.

Thank you very much for your various opinions on the report. After listening to your talk, I thought it would be quite difficult to understand the report as a whole, because although there are not so many items to consider and the report is not so large, each of them requires a considerable depth of expertise, and the issues are wide-ranging. Regarding today's draft report, I would like to reflect today's developments as appropriate in the secretariat as necessary, and I would like to confirm and compile it as the chair, but could you leave it to me? If you have any objections, please state them. What do you think?

Everyone: No objections.

Chairman Matsumoto: Thank you very much. As the minutes to date have not been completed yet, if we do not read them together, we may not be able to judge the consistency and whether or not the opinions have been fully reflected. Therefore, we would like to aim for a highly complete report by referring to the minutes to date. We appreciate your understanding.

Regarding the second agenda item, at the end of the meeting, I would like to ask the secretariat to explain how to proceed.

Secretariat (Yamanoe): This is the Secretariat. I will explain how to proceed from now on.

First of all, I would like to thank the committee members for their active discussions. This is the last meeting of the Study Group. The report will be published on the Digital Agency website after reflecting the comments made today and after Chairman Matsumoto's confirmation. In addition, we plan to handle any necessary measures appropriately. That is all for the explanation from the secretariat. Thank you.

Chairman Matsumoto: Thank you very much.

The Study Group on Modernization of the Electronic Signature Act was held four times, and I believe there were various opinions. In addition to the current Electronic Signature Act, there is a possibility that various discussions will be involved, such as about trust services, e-Seals, which are under consideration in the Ministry of Internal Affairs and Communications, and electronic attribute attestation, which is under consideration under eIDAS 2.0 in Europe. I believe that related discussions will be active in the future, including on the Electronic Signature Act itself. I do not know whether it will be a catalyst, but I hope that the report will be made public and discussions will start from a new perspective. Thank you all for your continued support.

Now, I would like to close the fourth meeting of the Study Group on Modernization of the Electronic Signature Act Accreditation Standards. As this was the final meeting, thank you very much. I look forward to working with you in the future.

(End)