Third meeting of experts in fiscal 2023 to revise the Guidelines for Identity Confirmation
We will hold an expert meeting for the next revision of "DS-500 Guidelines on Online Identification Methods for Administrative Procedures", which has been developed as one of the Digital Society Promotion Standard Guidelines.
Overview
- Date and time: December 26, 2023 (Tue) from 18:00 to 20:00
- Location: Digital Agency Meeting Room and online
- Agenda:
  - Opening
  - Proceedings
    - Issue Discussion: Policy for Revision of the Identity Confirmation Guidelines (Draft)
      - Revision Point (2) "Explanation of the concept of mission execution, etc. as a 'basic concept'"
      - Revision Point (3) "Definition and Explanation of the Framework for Digital Identity Verification"
      - Revision Point (4) "Review of Guarantee Level and Standards for Measures"
    - Issue Discussion: Policy for Revision of the Identity Confirmation Guidelines (Draft)
  - Adjournment
Materials
- Agenda (PDF/51KB)
- Material 1: Materials for the third round of discussions on issues at the Advisory Council for the revision of the Guidelines for Identity Confirmation (PDF/1,277KB)
- Minutes (PDF/252KB)
Attendees
- Tatsuya Kadohara (Specialist Solutions Architect, Security, Amazon Web Services Japan LLC)
- Satoshi Goto (General Manager of RCS Development Department, DX Business Headquarters, Business Promotion Headquarters, TOPPAN EDGE Co., Ltd.)
- Natsuhiko Sakimura (OpenID Foundation Chairman)
- SATO Shuko (Associate Professor, Information Technology Center, The University of Tokyo; Chief of the Next Generation Certification Collaboration Working Group / Trust Working Group, Academic Certification Collaboration Committee, National Institute of Informatics)
- Akihide Higo (Director of TRUSTDOCK Co., Ltd.)
- Naohiro Fujiei (Representative Director of OpenID Foundation)
- Toru Minai (Deputy General Manager, Market Research Office, Innovation Management Department, Japan Credit Bureau, Ltd.)
- MORIYAMA Koichi (Chief Security Architect, NTT DOCOMO, INC., Member of the Board of Directors of the FIDO Alliance Executive Council, Chairman of the FIDO Japan WG, Director (Board member) of W3C, Inc.)
Agenda (1) Explanation of the opening and outline of the meeting
(Greetings and Secretariat Explanation)
- Now, I would like to begin the third meeting of the Expert Council for the revision of the Guidelines for Identity Confirmation. Thank you for taking the time to gather.
- We have received information that moves toward the release of NIST SP 800-63-4 will be in full swing, and while there is an international trend to ensure interoperability, there have been problems such as erroneous linking of My Number Card information and information leakage due to internal crimes by companies. It has been a difficult year. In addition, the spread of cloud services is creating an environment in which we can respond to security problems in a detailed manner, and I feel that there are many things to be examined, such as how accurately identification and person identification are functioning. As the standardization of the local government system progresses, I am pleased to be able to review the revision of the Identity Verification Guidelines. I would like to face the problems properly and work together to create guidelines that we can be proud of before the world, so please continue to cooperate.
- There are three issues that I would like you to discuss today, and I would like to ask you to discuss three of the six points of revision of the Guidelines for Identity Confirmation that are under consideration.
Agenda (2) Discussion on issues for the revision of the Guidelines
Revision Point (2) "Explanation of the concept of mission execution, etc. as a 'basic concept'"
The Secretariat explained the results of the current review of revision point (2) based on Material 1, and experts held a free discussion.
(Expert Opinion)
- I would like to confirm the premise. Am I correct in understanding that the revised Guidelines for Identity Verification are limited to public service? If so, I felt that the expression "the administrative procedure" could be replaced with the expression "the subject procedure."
- Secretariat: Although the scope of application is currently under review, it basically covers administrative procedures as in the current guidelines.
- Although it is not an opinion on the revision point itself, there is an expression "collation of appearance" in the definition of terms on page 7, but I thought that the expression "appearance" would make it impossible to use biometric authentication technology other than the face.
- Secretariat: We will review the terms and expressions in light of your comments.
- Similarly, "identification card" may be a sensitive expression in some cases and may be reconsidered.
- There is a possibility that another argument such as what is an identification card will be raised.
- Secretariat: The terms on this page are only the definitions of terms in the materials for today's discussion, but we would like to reconsider what expressions should be used in the definitions of terms in the actual guidelines based on the opinions received.
- Regarding the item of revision point (2), it seems that some of the contents of "2) Fairness and Accessibility" and "4) Usability" overlap. If they are to be described separately, it would be good to define the contents to be described for each. Next, regarding "3) Privacy", it is highly likely that the acquisition of 4 information using My Number Card will become a standard concept in the future, so I think it is necessary to devise a little bit about how to position it. In addition, NIST SP 800-63-4 mentions social security numbers, so I thought it was necessary to consider what kind of description should be made in Japan based on that. If it is called privacy, I think it is more appropriate to state that the application contents and related information in the business concerned should not be used for other purposes.
- The words "confirm" and "validation" are used, but I thought that we should sort out whether the word "confirm" is appropriate and how to use it differently from "validation".
- Secretariat: Regarding the proper use of terms, I intended to use different words for Validation and Verification, but I could not take into account that the word "confirmation" is also included in "personal identification" in the title of the guideline. Therefore, I would like to review the appropriate expression.
- Verification, Validation, and Proof are all difficult to translate into Japanese on a one-to-one basis, but since they are words with different nuances, I think it is necessary to take them well and raise their maturity level.
- Even in NIST SP 800-63-4, there are some parts where the terminology is not used properly.
- Regarding the fact that some of the contents of "2) Fairness and Accessibility" and "4) Usability" overlap, I thought it would be easier to understand if it was stated that this is what usability is to ensure fairness after emphasizing fairness. I think it would be better to separate the story of the philosophy from the story of the points to be noted in implementation.
- I feel that the definition of "5) security" should be described. The word "biometric authentication" alone can be interpreted in various ways, such as guarantee levels 1 to 3, how to safely manage information necessary for identity verification, and the performance of false acceptance rate in security.
- I agree with you. As for security, I think we need to list the security goal.
- It seems that they are saying that there will be trade-offs with fairness and accessibility when it comes to security, but we should understand that there are cases where this is the case.
- I was also concerned that 5) is described as an opposition concept of 1) to 4).
- I think it is a part that should be carefully described, such as clarifying what should be observed in the examination of the identification method, and if there are conflicting elements, which one should be given priority.
- NIST SP 800-63 has a section called security, which describes security for CSP and IdP systems. Considering this, it seems inevitable that it will be described as in the current material, but I think it is good to consider it here because it will lead to feedback to NIST. There are various discussions about identity verification methods, such as attack methods and vulnerabilities, but I don't seem to be saying that, so I agree with the definition of security. Threats in identity verification and vulnerabilities of methods may be required to be summarized in a separate document.
- The document says that these five points are important, but it says that it is not good to choose a method with a high security level without knowing the definition of the fifth point, so I felt that there was a strong feeling, but I feel that it is difficult to see where it is.
- If you think that there are identification guarantee levels and person authentication guarantee levels, and that it is necessary to evaluate the risk from each perspective and select an identity verification method is stated in the positioning of 1.3 as a message to the reader, I think that the meaning will be understood to some extent as it is, but I think that it should be supplemented as well as your opinions. In addition, I was reading it because I thought it was ambitious in terms of fairness and accessibility, but I thought that "we must adopt an identity verification method that can be used by anyone" was a fairly strong expression. I read it as if it was saying to adopt a universal method, but I was a little worried that it would be overinterpreted. It does not mean that it is good to have low fairness and accessibility, but I understand that the original philosophy was to make 99% of people digital and convenient, and to prepare a realistic and operational rescue method by paying attention to the remaining 1% in advance. I think that this part is related to the positioning of this document.
- In the "Basic Concept," there is an expression "heuristic control," but I think it is a word that is generally unfamiliar even in this conference, so I think that "it is possible to find it later" should be replaced with another expression that is common to general readers.
- I believe that fairness and accessibility should be considered not only online but also offline. Even in a certain local government, we have received opinions that we would like to provide an efficient method for those who can perform online procedures, save staff costs, and provide generous support for offline responses for those who are difficult to perform online procedures. In that sense, I felt that it would be good to describe offline methods as an alternative method as an option.
- NIST SP 800-63-4 emphasizes Trusted Referees and states that it is necessary to have people in roles that help connect them to the digital fabric by providing offline support. Although there is a question of whether it is realistic in Japan, I think it is useful to consider whether to go there or not.
- Japan is very weak in that regard, so I think we should step into it so that the world will gradually improve by stepping into it with this Identity Confirmation Guideline.
- I have the impression that the scope has expanded and the volume has increased, including both the basic concept required for digital identity verification and the basic concept required for digitalization administrative procedures.
- I feel that the contents described in the materials are basically true, but I think it is important to evaluate and improve them. In the usability evaluation of web services that I am in charge of, opinions that the creator does not even imagine are sometimes found, so I think it is important to receive feedback from the user and improve it, rather than creating it and ending it. I don't think it is easy because it costs a lot. The phrase "It should be easy for users to do the right thing, difficult to do the wrong thing, and easy to recover when the wrong thing happens" written in the translated version of SP 800-63-4 by OpenID Foundation Japan was impressive.
- Although it is a little off topic, 3) in the privacy section, "minimization of acquired information" and "notification of purpose" are described, but I was concerned about the reason why only these two cases were taken out of the eight principles of OECD and the eleven principles of ISO. In addition, it is described that "an applicant is uniquely identified by a combination of minimum attribute information," but if this is the purpose of identification, I think it should be described in the first sentence, and there may be doubts as to whether this is really the purpose of identification. If it is used for administrative procedures, it will lead to the story that there is no problem if there is a My Number.
- Secretariat: Regarding the eight principles, the Secretariat is also aware of the issue, so I would like to consider it again based on today's comments. I also feel that the purpose of the identification is as you pointed out, so I will reconsider it.
- 1) Regarding the execution of the mission, is the identification of the administrative procedures described here only for Japanese nationals, or does it include foreign residents and travelers? I think it is premised on the proper and accurate identification of the person according to the type of public service, but in the concept of alternative means and exceptional measures, there is a description that "in the case that the execution of the mission is hindered by adopting a strict identification method," so I thought that users might be in trouble later if such an explanatory content precedes.
- Secretariat: may also be eligible.
- There is also an assumption that strict procedures are not easy to use. I feel that it is enough to talk about how to do what you want to do in this part.
- I think you've fallen for the trade-offs. I think you've put a little too much emphasis on the implications of risk acceptance based on risk assessment.
- Secretariat: I think you have a point. I would like to reflect your opinions today and make it a better document.
Revision Point (3) "Definition of a framework for digital identity verification"
The Secretariat explained the results of the current review of revision point (3) based on Material 1, and experts held free discussions.
(Expert Opinion)
- Regarding the term "authentication cooperation," I have discussed with experts that it is not actually cooperating in authentication but circulating assertions. I think that we should consider another term in the Identity Verification Guidelines. In addition, FAL of NIST SP 800-63-4 mainly describes the basics such as mutual TLS authentication, and it seems to be a little bit floating compared to IAL and AAL. I also think that it is better to raise the perspective to cooperation between services, such as the risks caused when cooperating as a business, and I think that a term like "service cooperation" is more appropriate, although it is a common expression.
- On page 22, there are three diagrams: "Authenticated Federated Model," "Non-Authenticated Federated Model," and "Wallet Model." The CSP shown here is internal. If you add an external CSP to the diagram and draw a border around the RP, Verifier, and CSP, you can represent each model in one diagram.
- I think it depends on whose point of view the figure is drawn, so I think it can be expressed collectively by adding how to cooperate with external CSP based on the "non-certified cooperation model" in the center, which is the easiest for readers to imagine. The "Wallet model" is also just applying the method in which Holder appears as an authentication means.
- It should be noted that the Verifier represented in the "Wallet Model" diagram and the Verifier represented in the "Authentication Federation Model" and "Non-Authentication Federation Model" diagrams have completely different meanings.
- The figure of the "Wallet model" is a story to prove the qualification, and the point is considered to be whether or not the held credential is qualified to receive the service rather than whether or not it is the person himself, so I think it is not necessary to put it together with the other two figures.
- It's true that NIST is interested in the structure of this model, but I don't think it's a new topic, just a different name.
- Secretariat: While referring to what will be described in the Second Public Draft of SP 800-63-4, which is scheduled to be published in the future, I think that it is necessary to discuss whether the model figure itself should be the subject of the explanation. In addition, when actually organizing the concept of the model, it is a troublesome matter whether the "authentication cooperation model" and the "non-authentication cooperation model" should be expressed as separate figures or should be summarized into one figure with an explanation of the changing roles.
- Even if the majority of people say that it is better not to call it "authentication cooperation," I feel that it is better to include the discussion of cooperation itself. When my organization created internal digital identity guidelines, I asked experts for their opinions on how to handle this cooperation. I think it is better not to avoid discussions on cooperation because threats that may occur can be organized in a matrix form based on the ID held by your system, the Identification Guarantee Level as an IdP, the Person Authentication Guarantee Level, and each guarantee level of the cooperating system.
- In the "unauthenticated cooperation model", since it is completed in one entity, it is possible to verify each operation, but in the case of multiple entities such as the "authenticated cooperation model", it is impossible to verify what kind of operation the other party is performing between each entity. There are elements of Trust, so I think it is very important to make it possible to divide an entity and to discuss what kind of risk will occur when it is divided.
- In these Guidelines, is the entity responsible for identity verification always the government?
- Secretariat: That is not necessarily the case. I believe that the case of C2G receiving attributes from the private sector must be explicitly recognized in this revision.
- I think it is true that there are cases in which attributes are received from the private sector, but it depends on whether the administrative side performs the identification of the person who receives the attributes or whether it is completely dependent on the administrative side, so I think that this model cannot be written without making a break. If the "authentication linkage model" is to be valid, for example, the identity confirmation result of a certain business operator will be blindly trusted, and only the RP will be prepared by the administrative side, but there are some questions about whether this is acceptable in the administration. Instead, I have recognized that it is the original form to receive the attributes provided by the business operator A as metadata and treat them as auxiliary attributes for the identity confirmation procedure. What do you think?
- Secretariat: In that case, I think the G2G use case applies very well. In other words, in the case of cooperation across ministries and agencies, both ministries and agencies can be on the RP side or the IdP side.
- I think the case of using My Number Card for Public Personal Authentication falls under the "certification cooperation model." In addition, in the certification cooperation described by NIST, we were trying to realize the acceptance of the private sector's CSP.
- On page 22, it says "Utilize various certification bases of the government," so I thought the private sector was not really a target.
- I think the story of federation as a technology and the story of federated but administrative authentication infrastructure are a little different.
- In the Federal PKI, for example, it is quite common for an aircraft manufacturer to accept employees who handle confidential information by authenticating them with PIV-I. I believe that Japan must also consider such a case. Considering such developments, I believe that it should be assumed that the IdP part is not necessarily the government.
- I think there are quite a few places where the private sector is the source of property information.
- Based on the fact that the revised guidelines are scheduled to be published in 2024 or 2007, I think it is a matter of what possibilities should be considered, including the discussion of the "Wallet model."
- Secretariat: Yes. We would like to proceed with consideration while being aware that the guidelines will be used for about five years after disclosure.
- If we consider targeting not only Japanese nationals who have the Basic Resident Register but also foreign nationals and travelers from overseas, I think we cannot ignore various cooperation. Even if we leave the "Wallet model" for now, it is good to have a resolution for whether it is the "authenticated cooperation model" or the "non-authenticated cooperation model" and apply it to it.
- I think it is important to allow the user to draw a border around the entity after the decomposition.
- When we talk about this kind of thing, experts tend to use neatly organized diagrams, but I think what's important for readers is whether they can imagine and map what they are familiar with when they use it. In actual system development, the majority of cases are "non-certified cooperation models" that use internal IdP to complete, but I think the figure of "certified cooperation model" is there to recognize that there is a way to explicitly separate entities by using external IdP. However, I think it is better to write that the use case changes depending on who the RP or IdP is. I think most readers only imagine that Digital Agency prepares IdP and the service of the government receives the certification result in the form of a Public Personal Authentication, so if it is assumed as a scope, I think it will probably not be understood unless I write that this pattern occurs due to the change in roles in this model.
- Regarding the question of whether it is appropriate to recommend a "certification linkage model," what is the aim? I think that readers will be confused if a typical use case is recommended without a set. I felt that it is appropriate to discuss after confirming the aim of the Secretariat.
- Secretariat: The original aim is to avoid the proliferation of authentication mechanisms. Of course, there will be cases where the existing authentication mechanisms are excessive or insufficient, so based on the discussion about fairness earlier, I don't think I can write down to the extent that it is limited to this authentication mechanism. On the other hand, it is difficult to launch an authentication mechanism independently, so it is desirable to recommend an "authentication cooperation model" as a description in this guideline.
- I think the idea is sound. Look around and see if there is an existing IdP that meets the requirements, right?
- Secretariat: Yes. I believe that IdP that can be used by central government ministries and agencies will be introduced in reference materials.
- If specific candidates are listed, such as a public private My Number Card for authentication App, I think that policy is fine.
- I understand very well the message that you do not want IdP to be mass-produced, but if you do so, I feel that the distribution of descriptions in the entire document will change. Since practical contents such as which IdP is acceptable as an RP are required, I felt that the description of the authentication cooperation guarantee level will be more than the identification guarantee level and the person authentication guarantee level. Does the Secretariat also think so?
- Secretariat: I am thinking about that point right now, and I feel that it is necessary to consider where we should focus and where we should cut down on other parts, based on the fact that there are cases where it is easy to understand as a result of omitting some explanations with determination, such as the case of Thailand. As I think you all recognize, the current guidelines do not even separate the identity verification guarantee level and the person authentication guarantee level, and they are treated as Levels A, B, and C together. I think that the authentication cooperation guarantee level is discussed premised on the understanding of the identity verification guarantee level and the person authentication guarantee level, so I think that a certain amount of description is necessary.
- At the beginning, you can feel the difficulty of considering the identification guarantee level and the person authentication guarantee level, and at the end, you can mention FAL and ask someone to do it.
- In that sense, I thought it would be solved if I wrote in the flow that let's organize the identification guarantee level and the person authentication guarantee level properly, and then it is OK to separate RP and IdP.
- Well, there is a model that is made by thinking hard about the identity verification guarantee level and the person authentication guarantee level, and is used around.
- It may be a little late, but if the IdP in the private sector is to be allowed to participate, I think the Government will have to recognize the IdP in some form. Are you preparing for this?
- Secretariat: Although there is no confirmed information at this point, we are considering it, and I think we need to consider the consistency with the Identity Verification Guidelines for private business. I am strongly aware that it is necessary to consider the consistency for external use in the form of guidelines.
- Secretariat: model, so we would like to reflect your opinions in our future consideration. In addition, I believe that there are some additional matters that need to be considered, so we will consider them, although they may be in the next fiscal year.
Revision Point (4) "Review of Guarantee Level and Standards for Measures"
The Secretariat explained the results of the current review of revision point (4) based on Material 1, and the experts held free discussions.
(Expert Opinion)
- I believe that the level of fragmentation of the identification assurance level depends on how much information the RP wants to be fragmented, but how many administrative procedures are there that would be problematic if there were no fragmentation level?
- Secretariat: If anything, various procedures were concentrated in Level 2 due to this reclassification, and there were too many elements that were difficult to organize only in Level 2, so it is the recognition that the intention to subdivide is ahead. We were considering the request of RP with the recognition that it would be fine to organize them according to the type of administrative procedure.
- I see. Then, if 2C is not appropriate for many administrative procedures, there is a possibility that the level will not be covered.
- Secretariat: In theory, I think that may be the case.
- As such, we are working on where to draw the evaluation.
- Secretariat: You are absolutely right.
- The difference between 2A, 2B and 2C is whether to respond to loan-and-borrow attacks or to consider such threats. In addition, is the difference between 2A and 2D the difference between validation by a machine and inspection by a person?
- Secretariat: Yes, I think so.
- On page 32, it says that "digital authenticity verification using an IC chip, etc." is required at Identity Verification Assurance Level 3. If this is allowed, I think it will be impossible to issue Identity Verification Assurance Level 3 credentials because bootstrap is not possible.
- In that sense, I think it is necessary to consider how to include fairness. Bootstrapping may be a typical example, but considering that the procedure itself must be provided equally to people who do not have anything or have no access, it is not good to create something that has no alternative.
- When we classified existing authentication methods in the private sector in the past, methods such as "sending a copy of an identification document by mail" and "uploading a photographed image" were classified at a lower level. In the table on page 33, I think it will be at a lower level than 2E, but is it correct to understand that we are considering classifying this area with a view to not recognizing and discarding some existing methods?
- Secretariat: That point is under consideration, and we recognize that it needs to be considered while comparing it with the handling of registration codes at Level 1, but the current situation is that we have not been able to consider it in the proposal for segmentation this time.
- Of course, the intensity of the method by mail is lower than that of face-to-face, so if there is a strong intention to abolish this method in a few years, I think it is good that such content is reflected.
- There are still many operations such as mailing a pre-printed application form to an address registered in the Basic Resident Register, signing, sealing, attaching a copy of the license, and returning it. I think there is no problem if the revised guidelines state that in principle, it is face-to-face or online, and that mail is listed as an alternative means, but I think it is still a little strict to say that it is not allowed at all. Since there is an additional cost for mail to be received only by the person himself / herself, it may not be very realistic depending on the number of mails to be sent, but I feel that there may be a discussion on whether or not it falls under Level 2 because it is confirmed face-to-face.
- There may be a misunderstanding, so I would like to confirm it. The fact that the registration code is Identity Verification Guarantee Level 1 in SP800-63-4A indicates that you can make a validation for an address by sending the registration code to an address that includes phone numbers and email addresses, not limited to the so-called address of residence. It just cannot be used for address validation, but it says that you can use the registration code even at Level 2 or Level 3, and it is possible to use the registration code as a stopgap to resume an interrupted Identity Proofing session. It is said that the mail to be received only by the person in Japan is not used to verify the address, but is used to confirm the identity of the person in person at the post office, and the registration code is used to resume the Identity Proofing session. Therefore, I think most of the readers will probably misunderstand it if you simply write that the identification is performed using the registration code at Level 1. It is said that the mail to be received only by the person in question is basically used to connect to another route to check the face-to-face photo certificate, so I think if you organize and recognize it, you will not hesitate.
- The mail to be received only by the applicant is 2D here, isn't it?
- Yes, I think you can use it as a level 2.
- I think it would be good if it was a specified matter transmission type mail to be received only by the person himself, which is a means of identity verification by mail as stipulated in the Mobile Phone Fraud Prevention Act.
- I remember that it is almost the same as the Act on Prevention of Transfer of Criminal Proceeds, and in the case of the specific matter transmission type, only the registration code is delivered and you have to go to the designated place to show it. Some credit card companies upload the identification document first and send it by simplified registered mail without forwarding it, but I think that it is an interpretation that the registration code is used to connect a series of processes in which the identification document has been uploaded, so if it can reach the address, it will be received at the end, so it is necessary to be careful. However, I think that it is necessary to discuss whether images can be used when uploading the identification document next time.
- Secretariat: Registration Code. In addition, we recognized that it is necessary not to confuse identification by mail with registration code, and to sort out which identification is equivalent to face-to-face identification.
- Regarding the discussion of the axis of the matrix, face-to-face and remote are separated depending on whether or not the appearance is checked, but I think it is originally about how much resistance to presentation attacks is maintained. Supervised Remote is specified not only by the presence of the Supervisor but also by environmental conditions, but the reason is to ensure presentation attack resistance. Therefore, I don't think it is very good to separate it into face-to-face and remote. Similarly, I think this level 2B and 2C can be separated depending on whether or not it is resistant to lending and borrowing.
- In foreign countries, it is common that you need to activate your credit card after receiving it, but in Japan, with some exceptions, the card you sent can be used immediately. The reason is that the reliability of the post office is high. If you consider the possibility that the reliability will decrease in the future, I think additional consideration will be necessary.
- I feel that there is a tendency to consider it OK even if the order is reversed if the elements are aligned, and I understand that the credit card sent by simplified registered mail can be used immediately assuming that the identification has been confirmed, so if the order is changed, the operation will also change, and it will be available after the identification is confirmed online, etc. after the receipt. That needs careful consideration, but I feel that it is a rather difficult part.
- Does it mean resistance to mail fraud?
- It is something like receiving fraud.
- I don't think there are any in Japan, but there is a possibility that there is an area where the mail situation is bad, such as the mail being thrown away.
- Regarding the figure on page 33, I think it is very well thought out. I really feel the importance of checking the IC chip, and the fact that there are 2D and 2E behind 2A, 2B and 2C matches my sense very well. On the other hand, I think the bootstrap problem that you commented at the beginning is like that.
- For example, anyone with a My Number Card can run into the bootstrap problem if they drop the card.
- I think there are various ways, such as even if you have lost the My Number Card itself, if you have another item issued on the premise of possessing the My Number Card, you can perform account recovery based on it.
- In this figure, I do not think that the strength of the oblique relationship between 2B and 2D is clearly shown, but in general, I had the impression that the authentication strength was higher in the order of ABCDE.
- Secretariat: Regarding the detailed expression of Level 2, as a result of discussion within the Secretariat on whether to make the one with the higher intensity to be A or to reverse it, it was tentatively decided to organize it like this.
- I also had the impression that the certification strength was in the order of ABCDE. I have heard that financial institutions are also introducing devices to read IC chips at their counters. I also feel that the private sector is moving in that direction.
- Regarding Level 3 in the third row of the table on page 31, I think that the validation of digital signatures is very good, and IC chips are also acceptable. On the other hand, in the case of the driver's license card, there is a story that the digital signatures in the IC chips are not updated when you change your address. Although it is necessary to change the systems and cards themselves, I would like to tell you that the My Number Card is the only place where digital signatures can be used reliably.
- Regarding the level 1 on the 4th row, I think it is good to confirm by sending the registration code to the e-mail address in terms of establishing a channel, but even if the e-mail address is sent there without being written in the evidence and confirmed, I think it is impossible to know whether it is under control or not. I think the quality may be different between sending it to the address written in the evidence and sending it to the e-mail address not written in the evidence.
- We need to consider separately what to do, but what NIST IAL1 says is that you can use the address declared by the applicant for verification, so regardless of whether you really live at that address, we will check to the extent that you can receive the package. That is why I feel it is Level 1. Level 2 and Level 3 do not allow this, so the address declared simply will not be used for validation. It will be validated only by validation of the signature of the address written on the IC chip, so I thought that in the case of Level 2 and Level 3, the registration code can be used only to transfer the connection of the Proofing session to another path. It does not seem so strange, and I feel that the address declared in Level 2 and Level 3 can be used for validation, so I think that sense is almost the same.
- What kind of cases are you assuming for face-to-face verification without facial verification on page 33? If you allow verification without facial verification, it is not necessary to limit Evidence to identification with a face photo.
- Secretariat: In the explanation of SP 800-63-4, there is a description that IAL1 is newly established as a level where Verify can be performed without facial appearance verification, and identity verification equivalent to this is assumed. In addition, as you pointed out, there may be inconsistencies in the Evidence part, so we will check it.
- In the table on page 33, the second line in particular is prominent, but I feel that there are few options overall. I think it is necessary to confirm whether it fits the current situation in Japan. I wondered if all Americans have so many identification documents with photos, and when I looked into it, there was a document called the Implementation Guide for SP 800-63-3, which contains details. In it, Americans generally have such identification documents, and it says that Superior has this, and Strong has this. The NIST guidelines are for government officials, so the first one is premised on a PIV card, and I felt that it is necessary to be careful about such a difference.
- Secretariat: Thank you very much. We are currently considering the types and number of identification documents, and some of them have not been organized on a threat basis yet, so we will reconsider based on the comments received.
- If you look at the actual list, I have a feeling that there are many people who do not have it.
- I think it is necessary to consider the facial recognition My Number Card as a new pattern, and on the other hand, I think that there is information in the IC chip such as the E-Certificate entry aid, so I felt that it is necessary to consider whether this can be used at Level 2 or Level 3.
- Secretariat: Regarding the Face Authentication My Number Card, I will try to organize where it applies while checking the specifications in the future.
- For reference information, at the forum on CBDC held by the Bank of Japan on December 8, a presentation was made on digital identity guidelines for private sector enterprises. I think there are various ways of thinking about guarantee levels, and I introduced them as a reference.
- Secretariat: Thank you very much, I will use it as a reference.
Closing and Next Guidance
(Administration Office)
- That is all I would like to discuss today. The next meeting is scheduled for Tuesday, January 30, 2024, and we plan to discuss the revised points that have not been discussed today. Thank you very much for participating for a long time and for your various opinions today.