
This page has been translated using TexTra by NICT. Please note that the translation may not be completely accurate. If you find any mistranslations, we appreciate your feedback on the "Request form for improving the automatic translation".

Second meeting to study modernization of Electronic Signatures in Global and National Commerce Act certification standards

Overview

  • Date and Time: Friday, November 1, 2024, from 13:00 to 15:00
  • Location: Digital Agency meeting room and online
    Livestream the review meeting (using Microsoft Teams)
    *Live streaming has ended.
  • Agenda:
    1. Opening
    2. Business
      1. Review of the First Review Meeting
      2. Discussion on the directions of modernization (iii) to (vi)
      3. About the next meeting
    3. Closing

Material

References

  • Reference Material 1: "Regarding measures for automation related to confirmation of user authenticity" * Members only

Minutes

Secretariat (Yamanoe): Now that the time is set, I would like to open the second meeting of the Study Group on Modernization of Electronic Signatures in Global and National Commerce Act Accreditation Standards. Thank you very much for taking the time out of your busy schedule to attend this meeting. My name is Yamanoe from Digital Agency, and I will be serving as the secretariat today. I look forward to working with you.

First, prior to the meeting, I would like to check the materials we prepared today. There are three materials. The first is the agenda, the second is "additional discussion on the direction of modernization," and the third is "automatic response to confirm the authenticity of users," which was provided by my FinTech Co., Ltd., an accredited certification business based on the Electronic Signatures in Global and National Commerce Act distributed only to committee members. Do you have these three materials? Thank you for checking them. In addition, today's materials are also posted on Digital Agency's website, so please check them.

Then, I would like to ask Chairman Matsumoto to proceed with the proceedings from now on. Thank you, Chairman Matsumoto.

Chairman Matsumoto: Now, let's move on to the agenda. I would like to ask for your continued active opinions. First, please give an explanation on agenda item 1 from the secretariat.

Secretariat (Yamanoe): This is the Secretariat. I will explain according to Appendix 1. The first review meeting was held on September 20, and as a result of compiling the opinions from the committee members, we agreed to discuss the overall policy of this review meeting by giving priority to the directions of modernization (1) to (6) presented by the secretariat.

Regarding Direction (1), there were discussions on the scope of revisions to the standards for incorporating risk management into the Electronic Signatures in Global and National Commerce Act and the content that should be incorporated when such revisions are made. Although there is no need to revise the laws, there were opinions that it is necessary to clarify the obligations of risk management in the Enforcement Regulations, and that risk management is not just a security measure, but should be incorporated in the governance of the entire organization by referring to not only ETSI but also standards related to governance such as the NIST Directive and ISMAP.

Regarding direction (2), the necessity of updating the technical standards for cryptographic equipment that manages the private key of the certification authority and the version of FIPS 140 that should be complied with were discussed. Some members commented that although it is necessary to update the technical standards for cryptographic equipment to FIPS 140-3, since there are few products compliant with FIPS 140-3 in the market, it is necessary at present to make it equivalent to FIPS 140-2, and that the timing of the transition to FIPS 140-3 should be based on the trend of related products in Japan. This concludes the Secretariat.

Chairman Matsumoto: The secretariat has just given us a review of the previous meeting, but since there are many discussions today, I will skip the Q&A session and move on to the next agenda item.

Commissioner Urushijima: May I just say a few words? Regarding direction ②, it says "because there are very few FIPS 140-3," but at least there are, so I think "FIPS 140-2" should be changed to "FIPS 140-2 or 140-3," but what do you think? I think it would be a problem if a new product cannot be used for an existing product.

Secretariat (Kita-Inoue): Secretariat. Thank you for your point. I am not thinking of excluding FIPS 140-3, and I am thinking of "FIPS 140-2 or higher". I am sorry that it was difficult to understand because it was written from the viewpoint of whether it should be limited to FIPS 140-3.

Chairman Matsumoto: I look forward to working with you in the future.
Next, let's move on to agenda item (2). This time, there are four issues, so I would like to move forward one by one. I would like to ask the secretariat to explain about (3).

Secretariat (Tonami): Secretariat. Regarding issues (iii) and (iv), there are some common ideas, but first, in (iii), we would like to discuss the important facilities around the HSM, especially in the certification authority, and then in (iv), we would like to move on to the discussion on general cloud use and remote control, including other facilities.

First of all, regarding point (iii), as I mentioned earlier, the issue is whether or not to allow the use of cloud HSM through the network, especially for key facilities in certificate authorities, which are called HSM and certified business facilities. As a specific issue, first of all, the secretariat would like to understand the needs and benefits of using cloud HSM to help future discussions, and I would appreciate your opinions. Second, as a requirement for remote control, the specific requirements for using cloud HSM are described in more detail in the following pages, so I will explain them later. Finally, it will be the method of investigation and examination. The provider of cloud HSM is not a certified business operator, but a separate corporation, so there are some places where legal norms imposed by Electronic Signatures in Global and National Commerce Act are not applied, so I would like to hear your discussion on that issue.

As I have just explained, with regard to Issues ③-2 and ③-3, we believe that there are mainly three types of standards related to HSM, cryptographic equipment, and certified business equipment in Electronic Signatures in Global and National Commerce Act. First, the standards related to the security of HSM itself. This is the standard related to cryptographic equipment represented by FIPS 140-2 and 140-3, which was discussed in the previous review meeting. Next, the room where HSM is installed is called the "certified equipment room," and the standards related to the building itself where the certified equipment room is installed. This includes fingerprint certification equipment for access control and fire prevention measures. Finally, the standards related to the operation of HSM. In this regard, whether access control is followed, control standards related to the chain of command, operation history records, and other records show that the certification authority is operated correctly. We would like to ask you to discuss the special requirements for cloud HSM and the viewpoint of what elements are necessary as standards related to remote operation.

As for the issues in ③-3 regarding investigation and examination, there are some points that make it difficult for the competent ministries and designated investigation agencies to actually enter the cloud HSM operator, look at the actual building, and investigate whether it conforms to the certification standards. Therefore, I would like to ask you to discuss from such a point of view and clarify the points that are insufficient. That will be all the explanation from the secretariat. Thank you in advance.

Chairman Matsumoto: In the first place, I need to have a deep understanding of what HSM is. Around 2000, only certified business operators were using HSM, but now many cloud business operators are buying HSM and using it in various places. In 2000, there were business operators who developed HSM, so people understood how HSM should be operated in the first place. However, in a sense, there are hollowed-out areas in Japan, and I think the key is whether people can understand that it is not a simple matter of being safe if they use the cloud.

Now, based on my earlier explanation, I would like to move on to the Q & A session. If you would like to participate online or speak as an observer, please fill out the chat section. Now, I would like to start the Q & A session. Thank you.

Commissioner Urushijima: First of all, what I would like to clarify is that networked HSM and cloud HSM are two different things. May I ask what the current situation is in terms of whether or not networked HSM is permitted?

Secretariat (Tonami): Secretariat. Is it correct to understand that a network-based HSM simply refers to an HSM installed at another site via a network?

Commissioner Urushijima: For example, in a data center, a CA server connects to an HSM appliance device over a network.

Chairman Matsumoto: I think you really need to understand exactly the difference between network HSM and cloud HSM. And I think a lot of CAs, or close to IA operators, use hosting and network HSM is almost the default. So I think you need to check how it is operated originally and whether it is operated as a single organization. I think that is what it is actually doing. What is the difference between network HSM and cloud HSM?

Dr. Mitsushio: In other words, network HSM is a form in which the interface extends from the server. I also wanted to confirm that cloud HSM is the HSM owned by the so-called public cloud vendor. In that case, the cloud HSM discussed in other discussions is BYOK (Bring Your Own Key), but is it correct to say that the cloud HSM mentioned here is not BYOK but an HSM operated by a third party cloud service vendor? I think we need to clarify this point, but what do you think?

Secretariat (Tonami): First of all, I would like to answer the last point. As you pointed out, it refers to HSM provided by a third party cloud vendor. In the first place, the starting point of this discussion is based on the results of the questionnaire we conducted with certified business operators two years ago. In the questionnaire, the point related to cloud HSM was raised as a request from business operators. At that time, I do not think we went as far as talking about network-type HSM, so I understand that we are discussing HSM operated by cloud business operators this time.

Commissioner Urushijima: The direction to automate is defined as looking at the definition of ABC on page 9, but that is probably not enough. Unless we investigate and thoroughly confirm how the communication between the CA server and the HSM is and how the protection of that communication is ensured for both networked HSM and cloud HSM, we will not be able to make appropriate decisions such as "may be used" or "may not be used".

Chairman Matsumoto: I also think that network HSM came out in the late 2000s, but that does not necessarily mean cloud HSM. So, what I think is a little difficult to discuss here is that there is a difference between when certificates are generally issued and when key ceremonies are held in the first place. How is network HSM considered in that regard?

Dr. Mitsushio: In that sense, I would like to confirm another point. In the "Purpose of Use of HSM" section on the left side of page 7, I understand that HSM functions as a CA like a server with an issuer signature. However, network HSM is not offline. I understand that it is not offline, but it is like issuing a large number of certificates, so is that part of the target?

Mr. Osawa, JIPDEC: Basically, from the experience we investigated, it is directly connected to the CA server.

Chairman Matsumoto: is the most well-known person, but I understand that you audit or examine the network HSM.

Mr. Osawa, JIPDEC: Can I answer that?

Chairman Matsumoto: This is not only about HSM, but also about what the "high-security architecture" is for. Furthermore, it is really necessary to understand the architecture of PKIs. It is necessary to understand that the "high-security room" is a region where high availability is not required so much and secrecy is increased at the expense of high availability. It is necessary for everyone to have a common understanding, and people who have been doing it for a long time have a common understanding, but it is whether you can understand it.

Mr. Osawa, JIPDEC: Mr. J-LIS will also be involved in checking the expiration of the certified certification business operators, as stipulated in the laws and ordinances, certified business facilities are installed in rooms that meet fairly high-quality requirements. In some cases, they are systems that are directly connected to certified business facilities, and in other cases, they are included in what is called a CA server. In any case, there is a condition that the certified business facilities can be handled only in rooms that are Electronic Signatures in Global and National Commerce Act and subject to fairly strict control, and furthermore, it is not assumed that they are on the cloud at all. As a designated investigation agency, I feel that it is necessary for experts to discuss whether it is okay to leave the certified business facilities room built by a certification authority that has been certified by the government.

Chairman Matsumoto: I have some doubts about whether we can fully discuss this point in today's limited time, but I would like to reiterate that we don't really need high availability in our certified business facilities, or rather, we can't enter them. They are like cold wallets in financial institutions, and they can't be moved, so they are kept in a safe, which is a mechanism to keep them confidential. Therefore, the reason why we don't pursue high availability is that PKI architectures have to issue CRLs (Certificate Revocation Lists) every 24 or 12 hours in the first place. In other words, the architecture is built on the high availability requirement that "it is good if it can be restored by then", and the person who protects the keys of CAs is very strong. On the other hand, cloud HSMs are required to be highly available, so it is questionable whether they can do that. However, it is another story whether Electronic Signatures in Global and National Commerce Act actually requires such a requirement. However, it is made with a tradeoff between the highest security (confidentiality of keys) and high availability, so I feel that discussions don't mesh without this understanding.

Dr. Mitsushio: As you say, since the issuer signature code is inserted, everything under this, such as certificates or CRLs, will be certified. Therefore, if this breaks down, if it leaks and starts sending something else, everything will be said to be unreliable and it will collapse completely. In that sense, there has been an opinion for a long time that it should be strict. I think there are various discussions on whether or not it should be further hierarchical from here. From here on down, at least I think it can be made only by hierarchy, so in that sense, I think this point is important. On the other hand, regarding cloud HSM, I have also discussed ISMAP and CRYPTREC in various places, but they are still for encrypting storage or encrypting and decrypting storage data. These two are the main purposes, and they are not seen as protecting the PKI itself.

Chairman Matsumoto: I think there are probably a ton of examples of PKIs being done using cloud HSM, whether they meet the Electronic Signatures in Global and National Commerce Act assurance level or not, cloud HSM has definitely evolved, but it's hard to be consistent with the past.

Dr. Mitsushio: I also believe that we can use alternative technologies.

Commissioner Urushijima: I would like to confirm once again whether or not the keys need to be in Japan. For example, the time-stamp service certified by Ministry of Internal Affairs and Communications requires the keys to be in Japan. I think that whether or not there is a requirement for the keys to be in Japan for Electronic Signatures in Global and National Commerce Act certification will also be a key point when judging whether or not to use the cloud. What do you think?

Secretariat (Tonami): Regarding the opinion of the current Commissioner Urushijima, although no business operator has actually been certified so far, the "Standards for Certification of Specified Certification Business in Foreign Countries" have been established in the Electronic Signatures in Global and National Commerce Act. Therefore, I understand that it was assumed from the beginning that overseas business operators would be involved and the keys would be placed overseas.

Commissioner Urushijima: The direction to automate operator being overseas and having the key in Japan. I think it would be acceptable for an overseas operator to operate with a key in Japan, but in that case, I asked from the perspective of whether the key would be required to be in Japan.

Dr. Mitsushio: I understand that overseas business operators were also within expectations. On the other hand, I didn't say anything about where to put the key.

Commissioner Urushijima: At that time, from a security perspective, I thought it was necessary to discuss whether it was really OK to have the key outside the country.

Dr. Mitsushio: I think this is a possible point of discussion in the recent discussions. However, I also feel that it would be a good idea to include this point in the modernization story of the Electronic Signatures in Global and National Commerce Act certification. Since there are various possible discussions on this point, I think that it will become a partial discussion if we do not discuss it collectively and not only partially.

Commissioner Urushijima: I mentioned on page 9 that you need to check the network. If you use a network or cloud type, you will access the CA server through the network. From the attacker's point of view, there is one more interface for the attack. Therefore, you should investigate and check it carefully, and there should be no difference in the guarantee level between local operators operating at low prices. From that point of view, I think it is necessary to make a careful judgment.

Dr. Mitsushio: Regarding page 9, I think it will be difficult because it will be said that the final answer will not come out unless we check how it works with HSM, including not only the network but also the GUIs of cloud services, as you said, such as if it is not only a network-type HSM but also an HSM in the cloud.

Commissioner Urushijima: That's right. If we don't look at the overall protection measures including the network, we may not be able to judge whether we can use the cloud or not.

Imperial Household Committee member: In the sense that the discussion is based on the major premise that the existing cloud HSM may not be "good" and everything may be bad, unless we talk on the premise that "we will make this rule, but it will not apply to this rule. Even if it happens as a result, it will be good," I don't think the discussion will progress, so let me just confirm that.

Secretariat (Tonami): There are various points of discussion, but I understand that there are standards related to key generators, such as the QSCD certification standards in Europe. It is necessary to carefully examine to what extent the scope overlaps with such standards, but I believe there are some business operators who may be able to actually apply it. I understand that the opinions you have discussed so far are that it may be difficult as a whole, but I would like you to discuss again the actual demand for the use of cloud HSM, which is difficult, and the needs.

Dr. Odajima: As a business, I've checked with each company, and not all of them want Cloud HSM, which is not the majority of needs, but they say that there is a high level of enthusiasm and urgency about who wants it.

In addition to the security point of view I mentioned earlier, the price of HSM itself is quite expensive. The situation is completely different from the 2000s, and the price has become quite expensive. As was the case in (2), when it comes to actually changing it, a considerable decision will be made to adopt it. In that case, it is difficult to predict how the price will change in the future, but I will just say that there are business operators who consider it as an advantage of cloud HSM.

As I was told by everyone earlier, business operators will build certified business facility rooms and facilities, but it is a major premise to operate them properly in robust facilities, so we haven't discussed cloud HSM yet. Therefore, if cloud HSM suddenly becomes something that can be regarded as equivalent to the current guarantee level, including, for example, whether or not the network has been safely managed as I mentioned earlier, I don't think there is any need to close the door.

Chairman Matsumoto: I think it will happen in the future, but I think it will be difficult at this point. HSM is almost becoming common, but it's not made in Japan, is it?

Dr. Odajima: At the time of the enforcement, there was a vendor in Japan, and it was possible to purchase from that vendor, but there is no such vendor now, so it is difficult for domestic business operators.

Chairman Matsumoto: In the first place, the cloud business is the largest customer for HSM vendors, and they make products according to the requirements of cloud users. However, there is another problem that whether it is OK to depend on the cloud or not. What should we do?

Imperial Household Committee member: It's a little difficult to discuss.

Chairman Matsumoto: Once again, there are many things that I cannot understand by myself, such as the historical definition, the architecture of PKIs, and the evolution of HSM.

Dr. Mitsushio: Odajima. If we understand the technology and organize it so that we can confirm it properly as a standard in the future, we will not be reluctant to do anything and we should not close the way. However, as we understand it now, there are still many people who do not understand the connection between various parts of cloud HSM, so if we can explain it, it will be OK.

Chairman Matsumoto: It is becoming very important to be able to use HSM efficiently. A world should be created in which various standards, not only from the viewpoint of Electronic Signatures in Global and National Commerce Act but also from the viewpoint of key management, are properly organized, and this is the base point of trust in the society that should be in the future. I can say that it should be done, but the reality is not that clear.

Dr. Mitsushio: We are saying that we should use cloud HSM, but once again, stories are important for encryption processing. However, looking at the current situation, there are still few examples of actual use. For example, while a US SaaS vendor offers an option using cloud HSM, the Japanese subsidiary of the SaaS vendor in question has been asked, "What is it?" and pointed out, "Well, it's written here, isn't it?" The situation is that there is no knowledge of cloud HSM at the Japanese subsidiary level of the SaaS vendor.

As described above, cloud service vendors have not yet made sufficient progress, and to be honest, even the encryption of storage and the like has not yet worked well. We feel that it is extremely risky to ignore the current situation and suddenly adopt PKI-based HSM. We are probably required to proceed in a step-by-step manner. Various accidents and problems may occur along the way, and we feel that we can proceed to the next step while studying the process.

Secretariat (Tonami): Thank you very much. Lastly, I would like to confirm one thing from the secretariat. It will lead to the needs I mentioned earlier, but in this review meeting, the certification criteria for remote signatures are outside the scope. In the future, when we discuss this theme, I would like to confirm whether there will be discussions on cloud HSM again, and whether there will be new needs for the use of cloud HSM at that time. Cloud HSM is a little different in use, and I think it will be something like storing the user's keys, but I would appreciate your comments.

Dr. Odajima: When we received a request from a business operator, we had no particular use for remote signing in mind. We assumed that it would be used mainly for HSM for CA purposes. Therefore, we are aware that the first of the needs on page 8 was not for signing by users at that time. However, if remote signing is considered next year or later, there is a possibility that cloud HSM will be involved. However, at present, cloud HSM is not necessarily used for remote signing, so it may be better to confirm this point with other parties concerned, such as the business operator of remote signing.

Commissioner Urushijima: So the remote signing story is about key management for the basic end entity. There are some things in common, but it's not very good to discuss them together if you don't organize them neatly.

Chairman Matsumoto: The difficulty with remote signing is that Europe is trying to apply the QSCD standard to remote signing, which is about end-entity key management, not CA management, with the interpretation that remote signing requires availability while CAs are worth protecting at the expense of availability.

Dr. Mitsushio: That's where I first confirmed the purpose. Remote signing is a completely different topic from the previous discussion, and I think remote signing should be discussed separately because the previous discussion is more about CA signing.

Chairman Matsumoto: It is true that PKI construction using cloud HSM is probably common and widely used in non-PKI applications. There is another aspect that it is not very good if certification business operators lose their competitiveness by being recognized, so it is the right direction to continuously investigate and consider whether certification can be achieved or not.

Imperial Household Committee member: is quite difficult. For example, there are strict rules, such as requiring more than one person to enter the certification facility room. The key management of CAs should be considered equally. Among them, entering the room, placing multiple HSMs in a room, and sharing the same HSM by multiple operators would be more dangerous. In light of these circumstances, I feel that there are difficult issues as to whether safety standards equivalent to those of CAs can be established. I do not deny the possibility, but I think it will be quite difficult.

Chairman Matsumoto: It's quite difficult. If you are not involved in the development of HSM, you may not be able to understand it. The security domain and security controls within it have always been an area where high security standards have been required, but in Japan this area has been hollowed out in a sense.

Imperial Household Committee member: Perhaps it is necessary to review the existing CA management standards and consider whether they are sufficient or not. It is not included in the requirements this time, but I feel that it is necessary to consider this point in the future.

Chairman Matsumoto: Shall we go next?

Secretariat (Kita-Inoue): With regard to the current issues, I recognize that the consensus is that it will be quite difficult or will be a long-term discussion in light of the purpose of this year's review meeting, which is to "do what we can by the end of this fiscal year," and that the future possibility will probably be discussed separately. Therefore, with regard to the handling of this issue this fiscal year, I would like to summarize the points that should be seen, points that should be considered, and points that should be organized, which were discussed just now, and describe them in the report for future discussion. Thank you for your discussion.

Chairman Matsumoto: I would like to move on to the next step. Next, please explain about (iv) from the secretariat.

Secretariat (Tonami): I would like to explain point (iv). Point (iv) is a discussion on "remote control" and "use of the cloud" as a whole. As for the content, first of all, whether it is possible to remotely control various equipment of the certification authority, including certification business facilities, for purposes such as the maintenance of the certification authority and the alive monitoring of servers, and whether the concept should be expanded to enable the use of public cloud services to perform some operations of the certification authority are the points of discussion.

From a specific perspective, we would like to ask the participants to discuss the extent of cloud computing needs for each category of facilities and equipment among the various types of certification authority facilities, the allowable range for using public clouds in the operation of certification authorities, and specific measures for permission. In addition, we believe it is necessary to consider the methods and issues of investigation and examination in the current situation where the standards imposed on accredited certification business operators based on the Electronic Signatures in Global and National Commerce Act do not apply to cloud service business operators.

Regarding the facilities of the certification authority, there is a rough classification, but the current way of writing is a little complicated and there are many Chinese characters, so I think there are some parts that are difficult for everyone to imagine. Therefore, we have prepared materials with a little more organized genre.

In addition, with regard to the network security discussed in (iii) above, I believe that the main points of discussion will be how to achieve a secure network connection when connecting to a public cloud and how to ensure safety, including UI and log collection, in addition to the security of the network itself. Specific points of discussion are summarized on page 14.

On the next page, facilities used in the business of the certification authority are classified from A to D. We would like you to discuss which categories have particularly high needs for cloud use and remote control, and whether there are categories that are beneficial not only to business operators but also to users. We would also like you to consider the scope of remote control and its requirements.

Among the facilities classified from A to D, we would like to ask you to discuss the range of acceptable remote operations that can ensure the requirements required on-premise in the current Electronic Signatures in Global and National Commerce Act, as well as other standards that do not deviate significantly from the standards of the CA/Browser Forum, WebTrust, eIDAS, etc., and standards necessary to guarantee that cloud services are safe when used in the cloud.

Finally, as a method of investigation and examination, in addition to checking the user guide and audit report provided by the cloud service provider, we believe that we will also check the logs provided by the cloud service provider. Please also point out any concerns that may arise in such cases.

This is a classification of the facilities in the Certification Authority into four categories. First, A is "use in the repository of the Certification Authority," which includes the public keys of the Certification Authority, CRLs, and PDF documents of CP / CPSs, which are open to the public. Next, B is "use in facilities for user application and identity verification." And C is "use in the maintenance and operation of the Certification Authority," which includes servers for logging and alive monitoring, and servers for remote maintenance. In C, both the installation and remote operation of servers are involved. Finally, D is slightly different from A, B, and C. It is related to the management of books and documents that are required to be stored based on the certification standards of the Electronic Signatures in Global and National Commerce Act. It includes user identity verification documents, application forms, and management books such as the Certification Authority's entry and exit history, and it is classified whether these can be stored in the cloud.

In addition, the scope of remote operations and the methods of investigation and examination are organized based on two standards: technical standards and investigation methods. As I mentioned earlier, technical standards include ensuring the safety of communications and ensuring other information design. It is also important that the use of cloud services requires a highly available configuration. For example, for applications that have traditionally required the installation of backup servers, there is a possibility that a highly available configuration can be achieved by using two regions when going to the cloud. I would like to ask for your discussions on these as well. The main aspects of the investigation methods for cloud use and remote operations are to compare the specific configuration diagram of the cloud with the actual operation status, to confirm permissions, and to check logs. In addition, the cloud services to be used must meet certain security standards. For example, external audit standards such as ISMAP and ISMS cloud security certification may be adopted as standards, and if a cloud service meets these standards, it may be allowed to migrate part of the certification authority's facilities to the cloud.

However, in these audit standards and systems, there are differences in the scope of coverage. Therefore, we would like to ask you to discuss in detail the scope of coverage and systems to be covered by cloud services in specific certification operations. In addition, the level required may differ depending on the equipment classified from A to D earlier, so there will be many points that need to be discussed in a horizontal and vertical matrix, but I hope you will have active discussions. Thank you in advance.

Chairman Matumoto: There are quite a lot of difficult issues, and it will be difficult to organize them unless we discuss them in several parts. Then, I would like to move on to the next agenda first, but let's look at the needs first.

Dr. Odajima: First of all, I asked the business operators about their needs. Both 3 "Information processing related to organizational management" and 4 "Information processing related to facility safety measures" had high needs and ranked first or second in each company. On the other hand, 1 "Books and documents related to application for use" and 2 "Books and documents related to expiration" were not given high priorities for cloud use because many applications were currently paper-based. However, some of them are online and documents are stored on-prem, so of course security is a major prerequisite, but there are some needs in such places. Next, should I talk about ABC?

Chairman Matumoto: Yes, let's go. Let's talk about remote control next.

Dr. Odajima: A is high. Availability is the most important requirement, and it is also the place where the advantages of the cloud can be utilized. In many cases, businesses now have redundant on-premises configurations, but when they move to the cloud, it depends on the configuration of the cloud as to how much redundancy to guarantee.

As for B, each business operator is operating on-prem, but if security is guaranteed, cloud migration is necessary. In the case of cloud, all data migration, which occurs once every five years, will be eliminated, so the burden on the business operator will be reduced and there is a possibility that the amount will be returned to the users.

Chairman Matumoto: As a business operator, there is a need for cloud computing. While the world is talking about cloud first policy, I think that business operators are in a situation where they are prevented from using cloud computing by law. On the other hand, I thought it would be difficult to know whether it was actually auditable or whether it was within the framework of Electronic Signatures in Global and National Commerce Act without looking at it closely.

Commissioner Urushijima: needs, regarding A on page 15, the public part of the repository, especially the CDN, is expected to be cloud-ready. For users, it is important that revocation information is always available, for example. Also, the CRL issued by the Certificate Authority is signed data, so there is no harm in putting it anywhere. In addition, regarding the public release of CPS, signed PDFs can be put anywhere as well. Therefore, I feel that these cloud uses should be recognized as soon as possible.

Chairman Matumoto: is a natural move, and it is very important that it is signed, and for that reason it has the keys firmly in place, and that is what Architecture is originally like.

Secretariat (Tonami): CRL and the repository, but we would like to ask one question from the secretariat. In the case of OCSP (Online Certificate Status Protocol), could you please give us your opinion on what the thinking will be?

Commissioner Urushijima: For example, in our case, companies that have recently seen an increase in OCSP traffic prefer to generate OCSP responses in advance and place them in the CDN. In this way, the OCSP responder itself does not need to be publicly available, and only the response can be placed in the CDN for verification. I think this is one way to think about it.

Chairman Matumoto: Public Key Infrastructure and work out what it should be like. However, I think there are still a lot of points to be discussed, such as whether it can be consistent with the current various regulations, and whether it should be done as much as possible, but whether it can be done at all.

Dr. Odajima: A. What do you think?

Mr. Osawa, JIPDEC: Mr. J-LIS will also be involved in checking the expiration of the 3C56, and the cloud, which is being discussed this time, is exactly the same in terms of how it will be protected. If it is the same, on what basis should I say that it is right? It does not mean that everything is good as a cloud, right? In such a case, if we do not have a thorough discussion on what is right and what is right as a designated investigation institution, we will be in trouble even if we are told, "It is OK, then please appoint a designated investigation institution." There has been talk about ISMAP for some time, and if we do not ask for ISMAP, we will need to discuss what criteria should be used as a criterion.

Imperial Household Committee member: According to my research, the provision of information is not mentioned in the guidelines or policies, but only in the examination standards. I would like you to be aware that this is the kind of information that is provided. I don't think there is any information that can be directly maintained except for the present examination standards.

Dr. Odajima: I agree with you.

Mr. Osawa, JIPDEC: survey sheet is written in the policies, though.

Imperial Household Committee member: Plan? I don't think I wrote it much.

Chairman Matumoto: In connection with the previous discussion, when the Electronic Signatures in Global and National Commerce Act came into effect in 2001, it was originally intended to complete everything within its standards. At that time, there were no other major standards, but at the same time, there was also discussion about ISMS. Currently, there are many standards, and I think they will be used to ensure security. However, I am not sure if the standards and Electronic Signatures in Global and National Commerce Act can be consistent, and I think that JIPDEC may have to sweat the most, but I don't know. It is not a standard for JIPDEC.

Mr. Osawa, JIPDEC: When revising compliance examples of survey sheets, we always check with the competent ministries and receive their approval.

Imperial Household Committee member: That's why it is designated.

Dr. Mitsushio: For your information, when ISMAP is applied to government systems, it is not necessary to apply Confidentiality level 1, which is public information, and only availability is ensured. Therefore, how to make a decision is questioned, but when Confidentiality level 2 is applied, it is required to meet about 150 ISMAP management standards. From a sensory point of view, A is public information, so there may be no problem even if there are no special regulations. On the other hand, as you say, B and D require minimum Level 2 standards to maintain a secure environment. Whether it is ISMAP or not is a separate matter, and I think that the way of provision can be classified as there is some regulation and it should be observed.

Chairman Matumoto: Compared to the previous discussion on protecting HSM, it is more like general information, so I think it is probably right to use the current framework of the world.

Mr. Osawa, JIPDEC: Certification Authority?
The hash value of the certified certification business is disclosed together with CRL, CP/CPS, etc. in the repository of the certified certification business operator, and measures are taken to prevent falsification and identify the specific certification business.

Chairman Matumoto: That should really be one of the points of discussion.

Mr. Osawa, JIPDEC: business operator, if we disclose the hash values of certification authorities in a place different from CRLs and CP / CPSs, it will incur additional costs, so we are concerned about whether we can ignore it and discuss it.

Dr. Mitsushio: I think what is written now is fine, but are you talking about the hash values being written in the official gazette?

Mr. Osawa, JIPDEC: Certification Authority are made public in official gazette at the time of certification and when changes to key updates are certified, but since official gazette can only confirm them for a certain period of time, they are generally made public in the form (repository) next to CRLs and CP / CPSs.

Dr. Mitsushio: It's not that it's not okay, but it's different to say that it's absolutely necessary to sit next to it. At that time, there was an opinion that it would be better to create a "country route," but it turned out to be difficult, and the discussion ended there.

Imperial Household Committee member: The one displayed here is official gazette, the original, and it's a copy, isn't it? It's a copy, so it's OK to be fluffy.

Dr. Mitsushio: be like? As you just said, official gazette is an original document. The person who should be online is more of a person from the competent ministry, and I guess it's just like saying, "This is mine."

Imperial Household Committee member: Time Stamp on the Ministry of Internal Affairs and Communications website. That's what you have in mind.

Dr. Mitsushio: That's right. Even now the service name of the authorized certification service is written. I think the one next to it is the trust in the true sense, but it is just for convenience to put it at the user's place.

Mr. Osawa, JIPDEC: However, as for the current situation, it is a reality in a sense that users are looking at the repository of certified certification business operators when they follow the route in electronic certification where they received the issuance. It is a system that has been built over many years.

Dr. Mitsushio: Act, and I understand that what had been there up until now was not even essential. You can continue to do that, but it is not a requirement. Where it should be is another story, isn't it?

Imperial Household Committee member: laws and ordinances doesn't say what to do in particular, but it says that you should submit it in various ways.

Chairman Matumoto: and the GPKI are mixed up. Since the GPKI is a mutual certification system, there are ways to verify it. However, we are gradually having to consider international mutual certification in other areas and beyond the framework of the GPKI. In the first place, what to do with Japan's trust list is a more important issue than today's one.

We don't have much time, so let's talk about remote control. As for remote control, I think the story changes depending on what the target is. Remote control is also a dangerous story in a sense, and it can become an attack target itself, as in the case of the Digi-Cert incident in the past. In the first place, if it is not clear what to do with remote control, I understand that there are various needs, but I think that the discussion will not be settled. What do you think?

Dr. Odajima: As a premise, it is used for maintenance. I think it should be separated from placing it in the cloud. In last year's research report, it is said to be done in maintenance, but it is basically done on-prem, but there are things used for maintenance in the cloud, and there is a possibility that the human burden on the certification authority and the burden on the system will be reduced. I think it will be different depending on which equipment is maintained. Basically, I don't think it will be possible to maintain it in the cloud. On the other hand, I think it would be good to do that for A.

Chairman Matumoto: Maintenance includes monitoring. We also want to outsource log collection and so on. There are talks about going to the cloud and monitoring it remotely.

Dr. Mitsushio: , it would be better to define the scope of maintenance and alive monitoring. The scope refers to the maintenance of B and D, not the private key. In that case, I think it is possible. For example, B and D will be done in the cloud now, so C may be given the same requirements, but I think it is OK to do it, considering the connection method later. On the other hand, is it OK not to use a different cloud for logging and other operations? Does this mean that operations are supposed to be done in the same cloud, and the alive monitoring server will also be installed in the same vendor's cloud? In that case, I don't think there is anything remote. Also, is there a person in the room ahead for remote maintenance?

Dr. Odajima: alive monitoring server, there is a possibility that business and maintenance are in separate clouds.

Secretariat (Tonami): Is it correct to understand that the other cloud that you are talking about in your opinion is not a different CSP but includes a different region? On that premise, at this point, it is not expected to use other clouds, and the current certification authority business will continue to be implemented on-prem. However, in on-prem, the alive monitoring server will not be installed, and only the monitoring server will be installed in a separate facility, and both will not be shut down at the same time. At the present time, I do not think that there was any in-depth discussion on that part, but I understand your concern that you want to avoid a situation where the alive monitoring server and the installed facility are shut down at the same time, so I believe that there is a high possibility that such a measure will be adopted in the actual configuration, but I would like to have a little more discussion on whether or not to use this as a standard.

Commissioner Urushijima: Recently, the number of companies providing alive monitoring as SaaS has been increasing, and I think that reducing the burden of maintenance by using such services should naturally be considered. I also think that it is necessary to have systems that do not hinder the use of such SaaS.

Chairman Matumoto: outsourcing services. There is a cost issue for a place that has to provide services 24 hours a day, 365 days a year.

Dr. Mitsushio: For a moment, I was thinking that if you want to increase the availability of alive monitoring servers and monitored servers, it is normal to separate them. However, I felt that both are possible as a requirement for certified certification. There are various ways of thinking about the concept of independence, such as independence between different CSPs and independence due to differences in availability zones even within the same region. In that sense, there are multiple layers, so no matter which approach is taken, there is no particular problem with certified certification operations.

Secretariat (Tonami): At present, I understand that in many on-prem certificate authorities, the servers that monitor and alive monitoring logs are located in the same place. In the first place, the current standards did not require that separation, so I think there is a debate about whether that requirement will be newly required in the case of the cloud.

Commissioner Urushijima: After all, I think it is necessary to judge "this is good" or "this is bad" for each one. In the discussion earlier, I think the atmosphere is becoming that it seems good to use the cloud for maintenance, but there is also a dangerous aspect. For example, when operating and maintaining remotely, it is common to go through a "landing server," for example, to set up HSM. If this landing server is vulnerable, there is a problem, so in any case, using the cloud is good, but I feel that it is necessary to list and organize the points that are not good here.

Chairman Matumoto: It's true that it becomes a wild argument. Maintenance is also a story that can easily become a backdoor.

Commissioner Urushijima: but if, for example, an agent for monitoring is installed inside and the status is transmitted to the outside, there will be no problem, so I feel that it will be quite difficult unless we sort out these viewpoints and decide on standards such as "this is good" and "this is bad."

Imperial Household Committee member: In your earlier discussion, if you say it's the same as on-prem, then in the case of on-prem, it's my place, so I can see the situation pretty quickly. However, if it stops somewhere on the cloud, I can't say it's exactly the same.

Chairman Matumoto: As for (iv), generally speaking, I don't know if we should accept the use of the cloud and call it remote control, but I think it will be promoted as a set. However, it is a bit rough to say that everything is fine with it, and I feel that there are some parts that need to be scrutinized.

Dr. Mitsushio: To be honest, I didn't have much of an image of VPN connections. For example, if it's an availability zone issue, it's a matter of synchronizing settings between availability zones. Even if the CSP is different, it's common these days to use a closed network connection instead of the Internet. Also, regarding VPN, I don't think I hear much about VPN between clouds because I think it's usually based on dedicated equipment. In that sense, I'd like to avoid connections via the Internet if possible. Also, regarding the incorporation of certification below, for example, I don't think everything is OK just because you have acquired an ISMS. There are discussions about the possibility of using the same evidence and test cases, but it's still at the stage where no conclusion has been reached. I can't say it's exactly the same for SOC2 and SOC3, but I think it's possible to use the evidence inside.

Secretariat (Tonami): have been extremely heated, and the Secretariat is currently discussing whether or not to e-mail the issues in (v) and (vi), and how to proceed with them. I understand that the discussions in (iv) are not likely to be settled yet, so after discussing them for a while, I would like to proceed with (v) and (vi) as much as time allows, and if there is not enough time, I would like to refer to the next meeting or e-mail the discussions.

In addition, regarding (iii) and (iv), I plan to organize the discussions this time and classify them into levels by the next time. For example, regarding the part A that I mentioned earlier, since it is a part where only availability is required, it is a part that can be addressed immediately, and rather than changing the certification criteria, I think it can be organized in the direction of organizing compliance examples. Regarding C, the direction of realization is becoming clear, but I would like to organize and show the issues that came out this time.

In order to reach a conclusion, I would like to ask for your opinion to supplement the reasons for the points that can be adopted immediately, deepen your opinion on the points that need further discussion, and comment on the points that need to be sorted out by the next time. I haven't heard about B and D yet, but what do you think?

Commissioner Urushijima: There is a point that I am a little concerned about. There are parts that contain personal information. If we move to the cloud, we would like to hear comments from the committee members and the secretariat on whether it is necessary to confirm whether the personal information is properly managed.

Chairman Matumoto: Personal information is naturally required for services provided in the cloud, and I don't think Electronic Signatures in Global and National Commerce Act certified business operators are different from others.

Dr. Mitsushio: In that sense, I believe that personal information and trade secrets should be kept confidential. Then, as you say, I recognize that some kind of security is necessary for B and D. It is true that this point has not been denied in particular in the past accreditation certification business, but in the case of on-prem, it was secured by facilities, so in that sense, I feel that it is a little different from cloud.

In the end, I think it is necessary to organize it with reference to the ISO/IEC 27000 series. For example, if ISO/IEC 27002 is based on on-prem, I think we should refer to ISO/IEC 27017, which ensures cloud safety. In that case, it will be almost equivalent to the security standards of ISMAP and ISMS, so it will be how to tune it and which requirements will be set in the end.

Chairman Matumoto: B is about RA, and RA is also a part that must be guaranteed at a certain level in Electronic Signatures in Global and National Commerce Act, so I feel that awareness of that is high.

Dr. Odajima: Currently, most applications are made on paper, and copies of residence certificates and seal registration certificates are handled. For this reason, I think there is a trend similar to the so-called keeping of books and documents. Regarding B, it corresponds to the first application part, and in most cases, it is basically handled by inputting it on the web and printing it out. The point is how to manage the information obtained in this way, but I think it is good to manage it appropriately in accordance with the Personal Data Protection laws and ordinances.

Dr. Mitsushio: The only thing I would like to add, as I mentioned on slide 12, is that while the requirement is to have a terminal facility for registration, it also assumes human activity. Conversely, ISMAP and ISO/IEC 27017 cover requirements for computers and do not include requirements for human activity. However, if human activity is involved, it may be better to use the traditional requirements. In the end, it may be related to the issue of where to operate the cloud's management terminal, but in the past there were requirements for human assessment, so an equivalent requirement may be necessary. On the other hand, if it is automated, the requirement may not be necessary.

Secretariat (Tonami): You have just expressed your opinion that this will lead to a discussion on automation. However, some business operators, such as My Number Card, conduct identity verification and identification in a way that does not involve many people. In such a case, there will be a growing need to shift B to the cloud.

Chairman Matumoto: B has a lot to do with automation.

Secretariat (Tonami): Is this all for today? If there are any points that need to be sorted out by the next meeting, I would like to hear your opinions now. If there are no particular comments, I would like to move on to (v). What do you think?

Chairman Matumoto: Shall we go next? OK, then I will finish ④ here and move on to ⑤. Next, the viewpoint is a little different, but please explain about ⑤ from the secretariat.

Secretariat (Yamanoe): This is the Document 1. As for Issue (v), as a matter of last year's consideration, in relation to accredited certification services, verification of the authenticity of users of electronic signatures and decisions on granting applications for use based on this had previously been operated as necessary by natural persons, but from the viewpoint of technological trends and improving convenience, as described on page 18, a notice was issued by the JIPDEC, a designated investigation agency, to allow automation, including last year's book entry. Currently, accredited certification business operators are responding to this notice, but from the viewpoint of clarifying it, there was a discussion on the need to state it in the document under the name of the competent authority. In response to this, as a policy of the discussion at this review meeting, it is necessary to establish appropriate provisions in order to state it in the document under the name of the competent authority, and it is necessary to collect information on specific examples of compliance with automation, so for Issue (v), I would like to ask you to discuss understanding of needs.

The content that I would like you to discuss is what are the examples of suitability for automation of acceptance or rejection based on the results of identity confirmation when using a My Number Card. To be specific, on page 19, my FinTech Co., Ltd., an accredited certification business operator, is currently implementing automation of business operations such as new issuance for services that require confirmation of the authenticity of users by the LRA. As described on page 20, in the past, natural persons made decisions on acceptance or rejection of applications and issued instructions for certificates, but now it has been changed such as making automatic decisions on acceptance or rejection of applications by the system, and administrative work has been reduced by automation. As described on page 21, I would like the committee members to discuss the details of the issues. That is all from the secretariat. Thank you.

Chairman Matumoto: The My Number Card was not issued in the first place, so as an authorized business operator, you may not have been very interested in it. However, in a way, there was a change in the situation where the My Number Card was forcibly spread, and the My Number emerged as a means to realize the most efficient eKYC, but I guess that was gray.

Dr. Mitsushio: I would like to make a comment first. The conventional rules were based on the premise of a process in which human beings are always involved. Therefore, I have the impression that automatic judgments are finally coming out. I don't feel any particular discomfort, and I think it would be better to proceed. I think the secretariat has almost the same understanding, so I will only comment on the point that it is necessary to ensure consistency with the identity verification Guidelines, which are being considered separately.

Secretariat (Tonami): In the first place, in order to confirm the authenticity of users of this Electronic Signatures in Global and National Commerce Act, for example, we accept basic types of mail received only by the person, electronic certification for signatures, or those with electronic signatures of certified certification services that have already been issued to users and have not expired. Therefore, basically, when we implement automation, we recognize that it is limited to this electronic certification for signatures or electronic signatures by electronic certification of specified certification services that have not expired. I don't think there are probably any other methods. There may be some reflecting the discussions in the identity verification Guidelines here, but the methods have already been narrowed down considerably on the issue of automation, so if we reflect the discussions in the identity verification Guidelines, it will not be limited to online identity verification where automation is possible, but it will be related to the discussions of users' identity verification in Electronic Signatures in Global and National Commerce Act as a whole.

Dr. Mitsushio: does not contradict the identity verification Guidelines. In other words, it's not something we are currently considering, and I think it can be said in the past. So, I think that's fine, and that's all. That's my recognition.

Chairman Matumoto: Electronic Certification Authority meeting?

Dr. Odajima: There have already been discussions, and I don't think there is anything in particular.

Chairman Matumoto: discussion, there may be other ways to go about it in the future. There may be rapid progress towards automation.

Dr. Odajima: system can be automated, the burden on business operators will be reduced and it will be returned to users.

Commissioner Urushijima: direction, I think it's a very good thing to use My Number Card. However, how you made an identity verification will be properly recorded. For example, "I applied for revocation in My Number Card" is a recognition that everything will remain.

Chairman Matumoto: If I had a question, it would be whether or not the user's application is in the form of an application document or a consent document, and whether or not the user has given his or her consent to the document. It would be whether or not the user has given his or her consent to the document without being aware of it.

Commissioner Urushijima: For example, even if you do something with a button operation, it's whether it's really the right application or not.

Chairman Matumoto: business operators have proved it, but I am a little concerned about whether the applicants themselves are really aware of the contents of it. If nothing is decided, such a problem will arise. Automation should be done, but if people check it, human errors will inevitably occur. However, if automation is done, there is also a problem that it is easy for it to become the target of attacks. I think it is a little problematic that there are no provisions there. Now, for example, WebPKI, etc., if people are involved and it takes time, it is less likely to become the target of attacks.

Committee member Miyauchi: Of course, there are regulations about the information to be checked, and the problem is not that it says "Do it by people". It says "Write who is doing it" when you write it in the book. These are regarded as problems in the regulations. Therefore, I would like you to understand that now it is not a matter of "Are you doing it properly?" but it is a problem in the regulations that what should be done is done properly and how to write it in the book.

Commissioner Urushijima: For example, it was written that applications can be made with the application, but from the perspective of how to ensure that there are no cases where, for example, the official application is rigged with illegal code and other applications are made even though it is not considered to have expired?

Chairman Matumoto: There may not be a problem here, but I feel that such risks will increase with the future automation. Probably, the world is moving toward a situation where everything is completed by smartphones at once.

Committee member Miyauchi: It's not about the application. What you're saying now is that if I accidentally sign when I use my smartphone, important procedures will be completed. Is it okay to do it in the same way as holding a card or stamping a registered seal? There is a risk that people will do important things without realizing it, so I think this is a very big problem, not just about the application.

Mr. Osawa, JIPDEC: (5) is a case where signatures are signed in My Number Card. On the other hand, when the private key of the user is generated by the certificate authority, there are cases where a receipt is received from the user regarding the receipt of the IC card after the issuance of the IC card, or an application for revocation is made electronically. In such cases, the procedures for confirming the authenticity of the user have been mechanized, and in some cases, automation has actually been implemented. Therefore, Dr. Miyauchi proposed in last year's report that it is necessary to amend the wording in the policy to clearly indicate that the automatic receipt and implementation by the system are allowed with regard to No. 6, 1. (1) and (2).

Chairman Matumoto: That's right. It's not a point of contention this time, but it doesn't specify anything about the environment of the signatories, so that's certainly a problem. There is always talk that it might be dangerous. This cannot be a point of contention this time, but it is a problem that must be solved somewhere.

Dr. Mitsushio: Moreover, since this story also has a relationship with Article 3, it may be said that "Article 3 will not be accepted unless the environment is like this." It will also become a debate on whether it is really good or not.

Committee member Miyauchi: It is a difficult problem. Just as there is no law that stipulates that registered seals should be managed in the first place, the basic principle is that the management of private keys should be done by users from the viewpoint of responsibility, not by the government or certification authorities. However, even so, there is a way of thinking that we should accept it to some extent and respond to it because we don't know what will happen if we leave it as it is. However, if we do so, we have to think carefully about how much we should intervene in the behavior of individuals, and I feel that it is a very difficult problem. I don't know if it can be solved by today's meeting or this year's examination, but I think it is okay for the certification business to kindly stipulate "this should be done". However, if the certification business operator "should do this", it is a big problem. Therefore, I think this problem is a very big theme.

Chairman Matumoto: my FinTech Co., Ltd. is doing is good, it is important that there are remaining issues.

Committee member Miyauchi: , regarding the matter I am talking about now, a machine is checking that it was signed in My Number Card. It is supposed that a human being has to give an "OK" once. This is ridiculous, isn't it? The reason is that it is written in the regulations that "write who did it," so it must be done. This is ridiculous, isn't it? This is the beginning of the point of discussion this time. Therefore, we are talking about putting in a little bit of a text, and if it is processed properly, we should not have to write the name of that person.

Dr. Mitsushio: Your name is finally readable, isn't it? This enables more accurate identification, making it easier to make automatic judgments. In other words, it is no longer necessary to make judgments based only on character information, which is a significant reason for the progress of automation.

Chairman Matumoto: In addition, evidence will remain more accurately. Next, please explain about ⑥ from the secretariat.

Secretariat (Yamanoe): I will explain from page 22 of Document 1. As for Issue ⑥, the current Ordinance for Enforcement of the Electronic Signatures in Global and National Commerce Act does not specify a method for users to send a user-signature verification code at the same time as the user applies, and it is necessary to make a issue or send a user identification code. In order to reduce the burden on both users and business operators, we believe that "simultaneous sending," which is allowed by the Ordinance for Enforcement of the Public Personal Authentication Act, should be made possible. In addition, since there is a difference in the survey method for certification between the Electronic Signatures in Global and National Commerce Act and the Public Personal Authentication Act, it may be necessary to change the method of the certification procedure of the Electronic Signatures in Global and National Commerce Act in order to unify the method.

In response to this, it is necessary to consider whether it is necessary to unify the methods in the Enforcement Regulations of the Public Personal Authentication Act and how to change the specific authentication service of the Electronic Signatures in Global and National Commerce Act if such a method is added. For example, in Japanese Public Key Infrastructure, a verification key is sent at the same time as the application for use, but in the authorized service of the Electronic Signatures in Global and National Commerce Act, a user identification code is sent by mail, etc. after the application for use, and the verification key is sent again from the user.

In the background on page 24, there is a revision of Article 6, Item 3 of the Enforcement Regulations. At first, it was assumed that the certification business operator would create a user-signature code, but later, there were more cases in which users themselves created key-pairs and sent verification codes to the certification business operator to automatically create an electronic certification. Therefore, in 2003, the certification standards were organized to accommodate this business model. Later, the Public Personal Authentication Law was enacted, but the technical standards for Electronic Signatures in Global and National Commerce Act were not revised, and the current provisions are maintained. Please refer to the details of the issues on page 27, and I would like you to discuss the contents of the secretariat's consideration on Issue ⑥. That is all from the secretariat. Thank you.

Chairman Matumoto: Electronic Certification Authority Conference?

Dr. Odajima: Yes, I know the content. There aren't many companies, so I don't think it will have a big impact on current people, but I personally feel uncomfortable.

Dr. Mitsushio: . Who distributes the IC cards on the right? The ones on the left are distributed by a government agency. What are the specifications of the IC cards on the right? Depending on what kind of communication is performed, whether the entire system, including communication, is properly managed, in other words, whether the IC cards and applications are properly managed, will be a point of discussion. I think it would be better to simply keep them the same, but since the specifications are controlled in My Number Card, I think it would be better to check the differences as well.

Committee member Miyauchi: As a premise, Article 26 of the Enforcement Regulations is a regulation for certification under Article 17, Paragraph 1, Item 5 of the Public Personal Authentication Act, isn't it? In short, it is good as long as the specific certification business satisfies these conditions, and one of the conditions is a little different from the regulations of the certification business of the Electronic Signatures in Global and National Commerce Act. However, I didn't understand this picture well, but in fact, I don't think the text says anything particularly strange. Originally, valid certificates were those of JPKI or certified certification business, and when an application form with a signature based on the certificate is submitted, a request to "issue a certificate" is received. In that case, the text says that it is okay to write "This is my public key." In other words, it is the difference between No. 5 certification and certified certification business.

Mr. Osawa, JIPDEC: I think this discussion is based on the content of the slide on page 25. There was a discussion on "Do I have to send the user identification code?" As a procedure, I understand that it was said that the method of "a" in the Ordinance for Enforcement of the Public Personal Authentication Act could be considered. In other words, there is a question about the mechanism in which the user identification code must be sent even though the user has a private key issued by a certificate authority that has already been certified by the government. I would like to incorporate the idea of "a", but since Article 6, Item 3-2 of the Ordinance for Enforcement does not say so, business operators have to go to the trouble of sending the user identification code at a high cost.

Chairman Matumoto: This is also close to saying that this is because My Number Card has spread. There was no starting point for trust.

Mr. Osawa, JIPDEC: Before the introduction of the electronic system, the paper procedure allowed the person in charge of the certification authority to directly confirm the fact that "We have confirmed that you are indeed a real user," and we were able to confirm the requirements that satisfied the certification standards. It certainly took a long time, but we were able to confirm the trail for sure. However, now the system is electronic, and the designated investigation agency and the business operator are groping around in the investigation. The user's declaration of issuance and expiration, and the confirmation that it is digitally signed with the private key associated with the valid electronic certification that has not been expired, are certified (confirmed) by the application log and information stored in the database table, etc. In addition, the "information on the identification of the responsible person" mentioned in the previous requirement (v) is also recorded and must be confirmed. Under these circumstances, we are at the stage of searching for a method to confirm the necessary investigation information without incurring as much cost as possible while coordinating with the business operator. Since there are aspects that differ from business operator to business operator, it may be necessary to coordinate individually. Therefore, if we adopt such a system, it would be helpful if we could discuss at least "We should confirm such things."

Committee member Miyauchi: It's a question of whether you can say "Yes, it's all right" when someone says, "Is it really all right if there are no people involved?" It looks all right, but who can say "all right"?

Chairman Matumoto: In systems such as WebPKI, automatic issuance is a matter of course, but a method such as CT is used as a means of confirmation, which is a mechanism for automatic confirmation.

Dr. Mitsushio: statistics and sampling. In order to grasp the overall picture, we should first check the number of cases, "How many are there?", whether there are any contradictions in the overall picture, and "What kind of people are included?", and look at some samples.

Mr. Osawa, JIPDEC: paper and in the case of electronics, right?

Committee member Miyauchi: When an application form signed by JPKI comes in, someone has to look at it and say, "Is the correct information on the screen?" Something like that has to be checked somewhere, but it doesn't mean that it's okay if someone looks at it, nor can it be said that it's okay because the machine is correct. I think this is exactly as you say.

Mr. Osawa, JIPDEC: Mr. J-LIS will also be involved in checking the expiration of the . It is not closed only between the certification business operator and the users, is it? We need to check the OCSP response as well, and confirm that the sampling data that should have been checked as an investigation target and the communication results between the business operator and the J-LIS can be correctly stored in the database and verified from the logs.

Secretariat (Tonami): Is that all right? Regarding (vi) here, we have received various opinions, and we do not have enough time today to further explore this. Therefore, if there are any points to be further explored among (iii) to (vi) discussed today and (I) and (ii) discussed last time, we would like to organize them and show them at the third and next review meeting.

Chairman Matumoto: meeting.

Secretariat (Yamanoe): This is the Secretariat. I will explain on page 28 of the handout. Today, the second review meeting was held on November 1, and based on the first review meeting and today's review meeting, the secretariat would like to hold the third review meeting. The date is scheduled for November 26.

Regarding the content that we would like to discuss at the 3rd Review Meeting, we would like the secretariat to organize it once and contact the committee members again. Based on the 3rd Review Meeting, we would like to make a decision again on whether to hold the 4th Review Meeting for additional discussion or to review the contents of the review so far based on the report. Thank you very much for today.

Chairman Matumoto: Everyone, thank you very much for your lively discussion today. I look forward to working with you next time.

(Reference) Additional comments by e-mail
Dr. Odajima: The keyword "public cloud" has been used since the 2023 Survey and Research, and there is a misunderstanding that only public clouds are covered. What is needed is the attitude of information disclosure and cooperation of cloud service providers, and being public is not directly related to the requirements and does not deny private clouds. Rather, private clouds would eliminate concerns about data crossing borders. In the final report for fiscal 2023, it was reported that "private clouds are not denied."

In the case of remote control of computer automation systems, there was a case where a landing server was placed in the cloud to monitor the server by remote control, and there was a discussion as if it was assumed that it would be used by connecting to it via VPN. However, in reality, a monitoring network physically independent of the Internet is installed, and using this network (from behind the scenes in a sense), a VPN connection is made from the outside to the landing server on the monitoring network to perform computer automation alive monitoring and collect logs. Even if the actual operation is suitable for the cloud, it may be performed from the monitoring network side outside the cloud to the logical cloud, which is different from the discussion that the monitoring network exists on the Internet side inside the cloud. The remote control part of the final report for fiscal 2023 is based on awareness of the existence of such a monitoring network.

In addition to being provided by public clouds (AWS, Azure, and Google), there are cloud HSM (Luna Cloud HSM Services) provided by HSM vendors, and this service has many functions. It is a service by the HSM vendor itself, and it is assumed that the certification of FIPS140-3 and CC is guaranteed when this service is published. The actual services include the following.
① Data protection service using Thales' cloud HSM
In discussing HSM, the following is an example of an HSM product from THALES, an HSM vendor.
② Network connection type HSM
③ USB connection type HSM
④ PCIe built-in HSM

Commissioner Urushijima: The direction to automate user verification (identity verification) by My Number Card (Public Personal Authentication certificates) was agreed at the meeting, and I agree, but there are some concerns.

Concern 1: Unlike paper-based or face-to-face applications, the settings, mechanisms, and flow of operations are complex. For example, elderly people, people who are not used to using smartphones, and people with physical disabilities may not be able to understand the meaning and operations themselves, and there may be cases where a proxy (a relative or a person familiar with the situation) will do it. I think it is necessary to carefully examine to what extent it is allowed. For example, it is necessary to take measures to prevent certificates and keys issued to a proxy's smartphone from being stored using an elderly person's My Number Card, and from being able to sign without the consent of the person in question, and further discussions are necessary.

Concern 2: There is a need for further discussion on what needs to be left as evidence and audited, such as how the identity verification was performed and what information on the terminals that stored the keys should be recorded.

Based on the above, I generally agree with the identity verification by My Number Card, but I believe that it is necessary to continue to further study and refine the content of the examination.

End