Advisory Council for the Revision of the Identity Verification Guidelines (fourth meeting in fiscal 2024)
An expert panel will be held for the next revision of the "DS-500 Guidelines on Online Identity Verification Methods for Administrative Procedures", which has been developed as one of the Digital Society Promotion Standard Guidelines.
Overview
- Date and time: January 16, 2025 (Thu) 18:00 to 20:00
- Location: Digital Agency meeting room and online
- Proceedings
- Opening
- Business
- Discussion on issues related to the appropriateness of the proposed revision of the Guidelines
- Closing
Material
- Agenda (PDF/48KB)
- Document 1: Consultation Material on the Appropriateness of the Proposed Revision of the Guidelines (4th meeting) (PDF/3,086KB)
- Minutes (PDF/303KB)
Attendee
- Tatsuya Kadohara (Amazon Web Services Japan G. K. Sr. Specialist Solutions Architect, Security)
- GOTO Satoshi (General Manager, RCS Development Dept., DX Business Div., Business Promotion Div., Toppan Edge Co., Ltd.)
- Amane Sato (Professor, National Institute of Informatics / Director, Trust Digital ID Platform R & D Center)
- Takashi Niizaki (President, Cedar Co., Ltd.)
- Akihide Higo (Director, TRUSTDOCK Co., Ltd.)
- Hisahiro Fujie (Representative Director of OpenID Foundation)
- Minai Toru (Deputy General Manager, Market Research Office, Innovation Division, Japan Credit Bureau Co., Ltd.)
- Koichi Moriyama (Chief Security Architect, NTT DoCoMo Inc.; Executive Council and Board Member, FIDO Alliance; Chair, FIDO Japan WG; Director (Board Member), W3C, Inc.)
Agenda (1) Exchange of comments and opinions on the proposed revision of the Guidelines
About "3.1 Identity Proofing"
The Secretariat provided an explanation on "3.1 Identity Proofing" in the revised draft of the Guidelines based on Document 1, pages 5 to 32, and experts held a free discussion.
(Expert Opinions)
- I feel that P32 has become more organized than what was presented at the previous meeting. Regarding the discussion points "(1) Results of organizing threats in identification" and "(2) Overview of the identity verification Process", I felt that the figures are everywhere and are intuitively easy for readers to understand.
- Regarding the consultation point "4. Positioning of Guarantee Level 2B," the use of IC chips is also pointed out in the "Comprehensive Policy to Protect Citizens from Fraud," and I understand that it is extremely difficult to confirm the authenticity of identity verification documents without IC chips. I believe that the effectiveness will be enhanced by actively mentioning the necessity of IC chips in these guidelines as well. In this regard, I believe that the difference between Level 2A and Level 2B in the current plan is significant. This is just one opinion, but I believe that it is desirable to define Guarantee Level 2A as "Guarantee Level 2," and to treat Guarantee Level 2B as an exception. It is debatable whether Guarantee Level 2B should be included in Guarantee Level 1, but I believe that it should be the default that identity verification documents contain IC chips. However, in the current plan, there is no distinction between "confirmation of appearance" and "non-confirmation of appearance" in Level 2. There are cases where a person who has illegally obtained a My Number Card through theft, buying or selling, etc. is treated as if he or she is the person himself or herself. Therefore, if Guarantee Level 2A is the basis of Guarantee Level 2 and classified within it, I believe that classification based on whether the appearance is confirmed or not is required.
- Regarding consultation point (3), "Non-face-to-face inspection of identity verification documents" should be set at Level 1, and (5), "How to establish standards for measures against identity verification documents" should be discussed, but I believe that it will be a supplementary discussion rather than a central one. I believe that it will be supplemented in the tailoring.
- I also think that it is desirable to treat the current guarantee level of 2A as "Guarantee Level 2" and treat Guarantee Level 2B as an exception. In addition, I don't think readers who don't know that NIST has three levels will understand that the guarantee level is 3/2A/2B/1 instead of 1 to 4 in the first place. If you keep Guarantee Level 2B, I think that it is desirable to set the guarantee level to 1 to 4.
- In general, I agree with the previous opinions. Regarding the question of whether or not to implement "appearance verification," in some laws and ordinances, there are methods for implementing electronic signatures in Public Personal Authentication, but there are some that do not require appearance verification. On the other hand, in discussions with private sector, there is a request to add appearance verification to Public Personal Authentication in the background of anti-fraud measures. In laws and ordinances, it is not required in Public Personal Authentication, so I am wondering whether to add appearance verification from the viewpoint of user burden.
- Regarding the exceptional treatment of Assurance Level 2B, in order to make the guidelines more effective, it would be better to create a supplementary document that provides examples of identity verification methods that can be used in the country. Among the identity verification documents that can be used, it is considered that identity verification documents that do not include IC chips, such as medical treatment notebooks, will be included, and it would be better to indicate how to handle them.
- I would like to express my opinion on P20. Among the main methods, it is stated that "the applicant himself / herself fills in the form and verifies it by making inquiries." However, I do not think that the current description alone will lead to the verification of the next identity verification process. I do not think that it will lead to the verification of the identity verification documents unless it is presented together with Evidence.
- It is my understanding that "(iv) Copying of this confirmation document" in the threat summary plan on page 8 is currently written on the assumption that it is physical, but I think that it should be written separately in consideration of the future use of Digital Credential, whether it is duplicate to copy in one bit unit or just copy in electronic copying.
- Regarding the method of expressing the mapping of the countermeasure standards from P9, I feel that it is difficult to visually understand the difference between each level. It is desirable to create a diagram with higher visibility, such as coloring the difference from the previous level in a different color.
- Although there is a problem of preference in the expression method of P9, I feel that the amount of information on the expression of the combination is small. You can choose any one of them as long as it is within the frame of this figure, and I think I will express that at least the weakest part in the frame is acceptable. If you define guarantee level 2 or 3, I think you need to check once whether it is valid even if you choose the weakest part in the frame.
- If you look at the chart for Assurance Level 3, you can see that there is a boundary between "PIN authentication" and "appearance verification." However, in Assurance Level 2A, the case where appearance verification is performed and the case where it is not performed look the same. As a guide, it is desirable to distinguish the presence or absence of appearance verification and to be able to judge the necessity of it at the time of tailoring. Even when using My Number Card, there are cases where PIN authentication is used and cases where appearance verification is performed, so it may be necessary to maintain consistency between them, but I think that the difference between them should be made clear looking forward to the future.
- In terms of PIN numbers, for example, knowing the child's PIN is not a problem from the perspective of mission delivery. However, there are cases where it can be used as a vulnerability, so I do not think this table alone can express how to check the appearance of the child even if the PIN number has been checked. It is difficult to decide how to express it, but risks differ in gradations depending on the method even within the same guarantee level, so I think that measures against such risks should be considered after considering whether to match the stricter one or to be in the middle. In addition, risk measures that are too strict may not satisfy the perspective of mission delivery, so I think that measures may be relaxed to some extent.
- I think it is very good that the table shown as a draft countermeasure standard is visually easy to understand the outline of the intensity from "weak" to "strong." However, I think it is necessary to improve the point that the threat of "(A) Illegal issuance of identity verification documents" is a lump from left to right, and it seems that the same countermeasure is OK regardless of whether it is weak or strong. For example, if the issuing agency is a government agency, I think it is necessary to make a gradation even within the same lump, such as making it stronger. In addition, regarding the threats of "(1) Double registration," "(2) Mislinking with another person," "(3) Forgery and falsification of identity verification documents," "(B) Illegal issuance of identity verification documents," and "(6) Theft of identity verification documents," I think it should be clearly stated that "no countermeasure" does not even meet Level 1.
- In "Non-face-to-face appearance check" on page 9, it is stated that "Note: Only allowed in controlled environments", but from the viewpoint that face-to-face appearance check is the principle, I thought it would be better to state it as a warning for face-to-face appearance check.
- Regarding the methods of countermeasures in "(1) Double registration" and "(2) Mis-linking with another person" in Identity Assurance Level 2B on page 11, if they are presented together with evidence, manual input may be permitted. The OCR reading is not 100% correct, so I felt that it would not change.
- This is just for your reference, but regarding the "forgery and falsification of camera images," a joint working team of ISO/IEC JTC1 / SC27 and ISO/IEC JTC1 / SC37 for biometric authentication has been established internationally, and the formulation of a standard for injection attacks has started. Recently, there have been cases of replacing camera images and broadcasting videos, so I think it is good to write that there is such a threat.
- Many business operators have been concerned about the fact that Method E of the Criminal Proceeds Act will fall under Level 1 by setting "non-face-to-face ticket inspection" to Level 1, and I believe that no major problem will arise. However, there is a concern about how business operators will perceive the difference between the Criminal Proceeds Act and the Guidelines, so I think it would be desirable to provide a guideline that goes beyond the response under the Criminal Proceeds Act and leads to the direction that in such cases, it is better to adopt Level 2 rather than Level 1.
- Considering the current situation, I believe that there is no choice but to raise the level of Method E of the Criminal Proceeds Act to Level 1. As the Criminal Proceeds Act and the Mobile Phone Act are also scheduled to be reviewed, I believe that there is no problem in general.
- I would like to comment on Consultation Point (5), "How to Establish Standards for Measures against identity verification Documents." In order to make the guidelines highly useful, it is desirable to provide as many specific examples as possible. It may be difficult to provide comprehensive examples in consideration of the period until the revision, but it would be good to supplement the examples by creating supplementary documents.
- Regarding the last comment on page 29, I believe that the requirements for identity verification documents are becoming clear at Level 3. However, after defining appropriate procedures for Level 2, I assume that the tailoring will be made to lower the level in some areas due to the lack of operation on site. In doing so, I think it would be better to state in the guidelines that it is necessary to consider how much the risk has increased and how much measures have been taken against the risk by means of supporting documents. I think it is acceptable to operate in such a way that it is necessary to confirm the IC chips as a rule in the procedures, and if not, to request supporting documents as an exception. In addition, I agree with the idea that a uniform classification of identity verification documents such as NIST's "SUPERIOR" does not match the current Japanese situation. Even considering that point, I think that a description that touches on supporting documents is necessary. In addition, I feel that it would be difficult to make individual judgments without presenting what is generally accepted as supporting documents in the world.
- In this regard, I believe that the evidence of settlement, which cannot be done without evidence of life, such as receipts of public utility charges, is one of the supporting documents that is relatively easy to use, although it does not reach the level equivalent to SUPERIOR.
- I think it is desirable to specify what kind of documents the supporting documents are in the separate volume.
- In this revision, NIST also changed the handling of expiration dates. There is a view that even if the expiration date has expired, there is no problem digitally to some extent, so I think it is desirable to clearly state a guideline that allows a range depending on the business.
- Rather than listing the documents that can be used as exceptions, it would be better to list the exceptions by the cases in which they are necessary. For example, it would be easier to understand if there is a description of what kind of supporting documents should be used when a device for verifying digital signatures cannot be used due to a natural disaster. Since the difference between Level 2A and 2B is only whether or not IC chips can be used, I think that there is a way to describe exceptions from such a perspective.
- We should not simply relax the standards just because it is a time of disaster, but I think it is also good to describe examples of how to relax in the guideline.
- Does this guideline refer to Trusted Referee?
- It's entirely possible to include ideas like Trusted Referee as part of your tailoring.
- (Secretariat) I think it is difficult to define a situation where a machine cannot be used. It is not so simple to say that if the business system is working, it can always be read and handled correctly. Therefore, I think it is possible to give an example of tailoring, but I think it is difficult to uniformly describe criteria such as whether Level 2B can be used. When choosing Level 2B, I feel that the only thing that can be done is to appropriately recognize the risk and conduct risk assessments and tailoring so that the risk can be accepted at some point in the overall process. In addition, since there is a viewpoint of not causing trouble to others, I think it is also good to describe high-risk cases where Level 2B should not be used, such as the issuance of an ID card.
- In the bootstrap issue, there was a talk that identity verification documents equivalent to SUPERIOR are decreasing, but I wonder if they are really decreasing. I think there were many kinds in the past, but many of them had a limited number of owners.
"4. Method of Considering the identity verification Approach"
Based on Appendix 1, pages 33 to 47, the secretariat provided an explanation on "4. Methods of Consideration for the identity verification Approach" in the table of contents of the proposed revision of the Guidelines, and experts held free discussions.
(Expert Opinions)
- I feel that the description of the combination of the identification assurance level and the individual authentication assurance level is not sufficient. For example, even if the identification assurance level is high, spoofing can easily occur if only a means of authenticating the individual without phishing resistance is provided. Even if the individual authentication assurance level is high and an authentication method with high phishing resistance is used, if the identification assurance level is low, a completely different person may behave like that person at a high individual authentication level. Since the combination of such assurance levels is also important, I think that it should be clearly described so that it is easier for readers to understand.
- Table 4-4 in the guideline revision draft may cause misunderstanding. In fact, I think that the identification assurance level and the person certification level are often the same. However, even if there is a deviation as a result of the final tailoring, I think that it is good to simplify the determination of the assurance level and make it the same at the time of initial level judgment.
- Chapter 3, "Threats and Countermeasures in identity verification," has chapters on "Identification," "Identity Verification," and "Federations." Although the structure is easy to understand if you read it from the beginning, there are very few readers who can distinguish between identification and identity verification. It is desirable that Chapter 4 can be written, assuming that readers who have not read Chapter 3 well read it.
- I think it would be better to mention in each chapter what identity verification has to consider from the two perspectives of "identification" and "identification of the person concerned," and what it has to consider from the combination of these two perspectives.
- I think it would be better if it is labeled so that it is easy to understand whether you are referring to identification or identification of the person.
- Laws and ordinances and administrative documents should be prepared in a simple manner. In practice, I think it is common to refer to the manual in the field. In this guideline as well, it would be better to describe the details in the manual instead of making the main part of the guideline long.
- In the financial business, identity verification in compliance with the Criminal Proceeds Act and identification of the person who is resistant to phishing are implemented. However, for example, when purchasing content, it is not necessary to comply with the Criminal Proceeds Act. Therefore, it is necessary to keep in mind that there may be cases where the identity verification level is different for the same person who is resistant to phishing.
- Listening to the discussion so far, I feel that the identification in academia is completely different from the identification in administrative procedures. On the other hand, I feel that we can make a generally consistent evaluation because the person authentication is a technical part. Therefore, I thought that it would be desirable to break down A/B/C as a common level when there is a movement to make only AAL common although IAL cannot be made common for mutual authentication between trust frameworks.
- When the DS-500 was first created, phishing was not as easy as it is now. By actively using authentication that does not allow phishing, users who have a certain qualification or who have achieved a certain identification level can be identified when they use the service on a daily basis, but I believe that we can expand various possibilities by actively recognizing that there is a difference in the qualification verification part.
- Assuming that various people will use the guidelines, I think it is desirable to judge the level by a simpler method. After judging the authentication level and identification level of each person, I think we will be able to focus on the risks that will be exposed when they are combined at the end.
Closing
- (Secretariat) Thank you again for your active discussions today. As this field changes greatly, I believe it is a luxurious place to receive advice based on the latest knowledge. If the revision is realized this time, it will be the first large-scale revision since Digital Agency was established. I believe that discussions have been completed that will be the foundation of the guidelines that will be valid for the next five to ten years, so please continue to support us.
END