
This page has been translated using TexTra by NICT. Please note that the translation may not be completely accurate.

Second meeting of the Advisory Council for the revision of the identity verification Guidelines in fiscal 2024

We will hold an expert meeting for the next revision of the "DS-500 Guidelines on Online identity verification Methods for Administrative Procedures," which has been developed as one of the standard guidelines for promoting the digital society.

Overview

  • Date: November 5, 2024 (Tue), from 18:00 to 20:00
  • Place: Digital Agency meeting room and online
  • Order of business
    1. Opening
    2. Proceedings
      1. Partial changes to the agenda
      2. Discussion Points for the Revision of the Guidelines
        • Positioning of Identification Assurance Level 1 and Standards for Measures Required for identity verification Documents
        • About Federation Assurance Levels and Countermeasure Criteria
    3. Adjournment

Material

Minutes

Attendees

  • Tatsuya Kadohara (Specialist Solutions Architect, Security, Amazon Web Services Japan GK)
  • Satoshi Goto (General Manager of RCS Development Department, DX Business Headquarters, Business Promotion Headquarters, TOPPAN EDGE Co., Ltd.)
  • Natsuhiko Sakimura (OpenID Foundation Chairman)
  • SATO Hiroyuki (Professor, National Institute of Informatics (Director General, Trust Digital ID Platform R & D Center))
  • Akihide Higo (Director of TRUSTDOCK Co., Ltd.)
  • Hisahiro Fujiei (Representative Director of OpenID Foundation)
  • Hisashi Mitsushio (Associate Professor, Faculty of Health Data Science, Juntendo University)
  • Toru Minai (Deputy General Manager, Market Research Office, Innovation Management Department, Japan Credit Bureau, Ltd.)
  • Koichi Moriyama (Chief Security Architect, NTT DoCoMo, Inc., Member of the Board of Directors of the Executive Council of the FIDO Alliance, Chairman of the FIDO Japan WG, Executive Director (Board member) of W3C, Inc.)

Agenda (1) Partial changes to the agenda

The secretariat explained the partial change in the agenda based on Material 1.

Agenda (2) Discussion on points for the revision of the Guidelines

"Issue 2. Positioning of Identity Confirmation Guarantee Level 1 and Standards for Measures for identity verification Documents"
The Secretariat explained Issue 2 based on pages 2 to 16 of Appendix 2, and the experts held a free discussion.

Opinion of experts

  • I would like to comment mainly on Material 2. Regarding page 8 of Material 2, I think there will be a discussion about what kind of identity verification documents can be used at Identity Assurance Level 1. There was a discussion about whether the identity verification documents, which were equivalent to IAL0 last year, can be used as IAL1 because IAL0 was eliminated with the revision to NIST SP 800-63-4. At least, it is good if it can be identified and confirmed that the applicant and the recipient are the same, although it is almost anonymous. I think there was a discussion last year about whether there might be a procedure in which the continuity between the applicant and the recipient can be secured by AAL as long as it cannot be secured by IAL. There is an opinion that a slightly loose identity verification document can be used at Identity Assurance Level 1. I think it will affect the next page.
  • I think it is necessary to discuss whether the "Residence Card" described on page 10 of Appendix 2 can be the same level as a passport. I have already confirmed that there is no address written on the passport, but it is a matter of concern whether the address is also written on the Residence Card.
  • I felt a slight difference in level between "FAIR-a/c" and "FAIR-b" described on page 10 of Appendix 2. I think that it may be difficult to identify and confirm the issuer of FAIR-b. In particular, I feel that it is questionable whether it is possible to confirm employee IDs and student IDs of private companies, especially overseas employee IDs, by using the counter. FAIR-c is a public utility fee, and the issuer is limited, so it is possible.
  • I do not think it is a problem to allow the comparison of appearance by combining FAIR-a and FAIR-b (employee ID card, student ID card, etc. with a face photo) as described on page 12 of Handout 2, but I felt that there was a question whether it would be possible to confirm whether the two documents refer to the same person. In order to make a link, the only way is to confirm the name, and the name reported to the government and the name reported to the company do not always match. I have no objection to the combination itself, but I felt that it is necessary to consider the actual operation.
  • I did not understand the intention of the lead sentence described on page 24 of Appendix 2. The example in the parentheses says "Consider the necessity of adopting Implicit Flow in OIDC and artifact binding profile in SAML, etc.", but if this is written as an example that is susceptible to injection attacks, I felt that there might be a misunderstanding. (Note: It has been corrected in the public document in response to the point)
  • I feel that it is easier to classify them as follows: Level 1 is "confirmation of continuity and identity," Level 2 is "confirmation of reachability," and Level 3 is "confirmation of identity."
  • The targets for the current assurance levels 1, 2, and 3 are not very clear. As another committee member said, I think it would be easier to understand if the levels 1, 2, and 3 are divided into broad categories such as confirmation of continuity and identity, confirmation of reachability, and confirmation of identity. In addition, I think it would be better to sort them out as described on page 13 of Appendix 2 from the perspective of what threats they are resistant to.
  • In addition, I believe that threats will not become obsolete, and methods will become obsolete. I believe that threats will change depending on whether they are at an acceptable level of risk at present.
  • I think it is important to avoid obsolescence. If the description is centered on the countermeasure standards, the description will be a combination of the description based on threats and the description for Evidence, and I feel that it will be confusing. Regarding the classification of Evidence, I think it would be better to classify documents of public issuing organizations. Whether or not to publish it, I think it is important to map it with threats at the consideration stage, but I felt that it would be better to present Evidence in a classified form in the end.
  • As another committee member said, I feel that there is a big difference in the nature of the evidence between FAIR-a and FAIR-b. As a result, I do not think that there seems to be a significant difference between confirmation using only FAIR-a and confirmation using a combination of FAIR-a and FAIR-b. In the future, if verification by gBizID and corporations can be issued with digital certificates, I think that this kind of thing can be considered. I feel that it is not necessary to describe something like FAIR-b in these guidelines at present. On the other hand, FAIR-c values the fact that it is connected to the real world by stating that it includes an address, and I think that it is important in that it makes sense to submit it together with other identity verification documents as a supplementary document.
  • It may be included in the tailoring, but shouldn't the resistance of a threat be indicated by the degree of mitigation rather than by the presence or absence of it?
  • We believe that student IDs may fall under the Japanese version of STRONG if they are properly controlled.
  • The problem is how to verify the student ID card as a verifier.
  • In practice, the issuing schools are limited, but each school has its own format, so it is impossible to determine whether it is true or false. I feel that the use for confirming qualifications rather than identity confirmation and for non-critical missions may be the limit. For example, it can be used to apply the student usage fee of the gym for the facility reservation of the local government. If you can make an inquiry to Authoritative Source and validate it, I think it can be the Evidence of identity verification.
  • Regarding "② Alternative patterns in the event of loss of identity verification documents" on page 14 of Appendix 2, I believe that alternative patterns are necessary as a remedy. On the other hand, if we show patterns in the guidelines, there is a possibility that attackers will target them. I feel that it should be stated to what extent exceptional measures are allowed and the specific risks of exceptional measures.
  • As another committee member said, in the end, I think it will be more beneficial for users if identity verification documents are classified and labeled in an easy-to-understand manner. For example, I agree that examples of identity verification documents are included as shown on page 10 of Appendix 2. However, I think it would be more desirable if they are not included in the Guidelines but are taken out of the Guidelines in the form of enforcement regulations of laws so that they can be added to the identity verification documents listed in the Guidelines when a threat becomes apparent.
  • We are considering making a separate volume of examples of identity verification documents.
  • If you classify identity verification documents, there will be differences in the detailed conditions, and vulnerabilities may be exploited. However, considering the difficulty of changing the description in the text of the guideline, I think that it may be good to describe it in a separate volume.
  • I believe that the main agenda of the second meeting of the Advisory Council is identification, and I was made to think again about what identification means. We believe that there should be a clear distinction between verifying identity and verifying eligibility. Identity verification, or identity verification, is about "whether or not a person really exists", and the threat is considered to be impersonation. I believe that the private sector has been conducting checks at stores based on the Cell Phone Misuse Prevention Law and identity verification required for financial services. However, despite the fact that a certain level of countermeasures have been taken based on the recognition that impersonation should not be allowed, attack techniques have become sophisticated, and as a result, there are cases where countermeasures that were believed to be sufficient at one time are no longer sufficient. I believe that what should essentially be written in the identity verification Guidelines is that in terms of what identity verification is, it means not to be impersonated, and that the threat is impersonation. With regard to the extent to which countermeasures should be implemented, procedures that were once acceptable with residence certificates are no longer the case. Therefore, in addition to the issue of whether it is the Japanese version of SUPERIOR or STRONG, the threat of impersonation occurring in many situations should be taken by both administrative agencies and private companies, and it is necessary to determine how to prevent impersonation, even if it is complicated. Regarding how to fill in page 8 of Appendix 2, I think that it is very important to confirm the appearance at Assurance Level 3/2, and if it is difficult to confirm the appearance, I think that the procedure must be positioned at a low level. 
    In addition to the presence or absence of confirmation of appearance, we believe that the level should be set so that it can be appropriately explained from the ease of reproduction and forgery. As stated in the "Comprehensive Measures to Protect Citizens from Fraud" announced in June, I believe that it is important to ensure the confirmation of appearance and scanning of IC chips at the time of identity verification. Confirmation of appearance, etc. is only a method, but it is necessary to show that it is a realistic and feasible method to prevent impersonation. As for the procedures for the lower level than that, you need to think separately whether the purpose is identity verification or confirmation of qualifications. If it is only necessary to know that the person who came is the same as the applicant, I think that there is a possibility that the identification of the person may be sufficient instead of the identification. In addition, if the purpose is to confirm qualifications, they cannot be confirmed by My Number Card alone at present, and it is necessary to confirm them together with documents that certify qualifications such as degrees.
  • In "③ Necessity of Category Definitions for identity verification Documents in the Guidelines" on page 14 of Appendix 2, it is stated that the actual guidelines do not define categories such as "Japanese SUPERIOR", and it would be clearer and easier to understand if the countermeasure criteria for each assurance level are directly defined as on the previous page. However, it is not necessary to cover all of them, but I think it would be easier for the reader to understand if the specific name of the identity verification document is stated. In addition, I think it is necessary to consider to what extent physical verification is required. On page 12 of Appendix 2, it is stated that physical verification is required at the time of Validation for Japanese FAIR-a and Japanese FAIR-b. If the issuing entity of Japanese FAIR-c is an electric power company, etc., physical verification is possible to some extent, but I think that physical verification of identity verification documents for Japanese FAIR-b may be difficult. In particular, physical verification is almost impossible when online verification is performed or when photos and copies of identity verification documents are submitted. I think it is very important to consider to what extent the standards for identity verification documents required at Identity Confirmation Guarantee Level 1 should be relaxed or strengthened.
  • It does not mean that we have to be strict in terms of security, but as a result of a third party impersonating the person himself, in addition to the fact that the original user cannot use it, it can be assumed that the original user's identity verification information, etc. will be used for illegal money transfers, although it is limited. Some private business operators may be able to ease the threat if the level of the business threat is not that high, but I strongly feel that private companies also need to be quite strict in identity verification.
  • I have the same opinion. The previous statement was only about Identity Verification Assurance Level 1.
  • I feel that Level 3 and Level 2, which is close to Level 3, are important. I think that the level below that does not require much rigor. For Level 1, I think that it is good to describe that an accurate combination is made and verified in light of the purpose.
  • I felt that it was difficult to move the standards, such as whether to relax the physical verification of the identity verification document required at Level 1 of Identity Confirmation and Guarantee because it is difficult, or whether to confirm the anti-counterfeit printing technology even at Level 1.
  • As in the case of the "Japanese version of SUPERIOR," identity verification documents are classified, but is the corresponding relationship with the identification assurance level described on page 11 of Appendix 2 somewhat loose, or is it decided by each organization in tailoring?
  • At each Identity Assurance level, what use cases, not just threats, do you envision? It is understood that a use case is applied to each identity assurance level, a threat corresponding to the use case is determined, and the definition of the level is finally determined. When developing the current identity verification Guidelines, Identity Assurance Level 1 assumed a use case of "how to make a library card in a government office". In other words, I have doubts about the use of a confirmation code itself, and I feel that if it is just a matter of booking a facility such as a library card, I can just assert myself. In the Japanese version of FAIR on page 10 of Handout 2, I think it is difficult to verify a certificate of seal registration or a copy of a resident's card at the counter. In that respect, I feel that it is no different from a student ID card or an employee ID card. However, Article 202 (18) of the Code of Civil Procedure contains two requirements for the authenticity of official documents, stating that "a document is presumed to be a bona fide official document if it is found to have been prepared by a public official in the course of his/her duties by virtue of the form and purport of the document. If there is any doubt as to the authenticity of the establishment of an official document, the court may, ex officio, make an inquiry to the relevant government agency or public office." It is considered that the court can confirm this by making inquiries. It may be difficult to confirm the copy of the resident record with the administrative agency on the spot, but it is recognized that the court can confirm it in the end. In that sense, I feel that a Copy of Resident Record and a student ID are different. I think you can also make an inquiry about the receipt of utility bills because the number is listed.
  • I think it is also an important point of view that receipts of utility bills can be tracked because money is moving.
  • From such a point of view, I feel that the "receipt of utility charges" written in the document and "other postal items used for address verification" are not equivalent.
  • In the United States, when you open a bank account, you are required to bring a postal item used to prove your address, so I think it is necessary to modify it so that it can be tracked in accordance with the current Japanese situation. What I would like to ask the secretariat is whether there is any assumption about the level of Identity Verification Assurance Level 1. If the use case has not been decided, I think that Identity Verification Assurance Level 1 needs to have a certain acceptable range. It is not necessary to be anonymous, but I think that a space where you can work under a pseudonym is necessary. If you are even prohibited from working under a pseudonym, there is a risk of becoming a shadow IT, so I feel that it is better to implement positioning and control it.
  • I felt that there was no concept of "Attended or not" (whether or not an operator exists) that was incorporated in the revision of NIST SP 800-63-4 2pd. I feel that it is necessary to consider when making subtle differences in Identity Confirmation Assurance Level 1, etc. In addition, I think that Identity Confirmation Assurance Level 2B will also be in the case of Remote unattended, so I think that it is better to write it down properly because it has been rounded off where there is a difference from Remote attended. In addition, I remember that NIST SP 800-63-3 described the handling of Supervised Remote Proofing half-heartedly, and I think that Attended or not needs to be added as a factor. At present, is it only Remote unattended that checks appearance remotely? The result may not change, but by implementing the case division, I think that a sense of understanding of readers will be fostered.
  • There are 2 ways to check your appearance remotely. One way is to authenticate automatically, and the other way is to check visually later.
  • In the first place, I am wondering if it can be divided into identity verification assurance levels 1/2/3. I feel that ID as a mere plastic card means nothing in terms of forgery. There are measures to deal with threats, and it would be better to profile with a combination of those labels. We believe that the current standards of Level 1, Level 2, and Level 3 for identity verification and assurance may not be consistent with those of other countries. For example, I feel that it is meaningful to summarize Identity Verification Assurance Level 2D, which can use identity verification documents that can be easily created by color printers, as Identity Verification Assurance Level 2. In addition, the point that another committee member was referring to is important in that it is an activity under a pseudonym. There is also the question of whether it should be positioned as Identity Assurance Level 1. The verification using only My Number Card's electronic certification for user certificates does not itself include names, etc., but I feel that it is almost close to Identity Verification Assurance Level 3 in terms of strength. In addition, it is easy to imagine an operation in which the same identifier is issued to the same verifier, although an ID is issued at random in the applet every time using mdoc, etc. I feel that this debate is occurring because the Level 1/2/3 standard itself, which has been in place since NIST SP 800-63-3, seeks to push the increasingly diverse perspective of certification strength into a limited dimension. Rather, I feel that it would be better to attach a label only on whether it is phishing resistant or counterfeit.
  • In the case of ISO 27002, mapping is often done by making a lot of tags instead of one or two axes. However, it is necessary to maintain consistency with global standards.
  • At the same time as deciding on labels, I think a mapping table should be created to ensure consistency with other countries. As a document for mapping exercises, I think it would be good to create a document that the level in the United States is equivalent to the combination of labels in Japan. When conducting risk assessments in Japan, I think it would be good to determine whether each label is necessary or not.
  • I think labeling is a good way to write guidelines. However, experts may be able to judge by tags, but it remains a concern whether general administrative officials can judge the necessity of each measure.
  • I think we will need to prepare a typical combination of labels in advance. I don't think there are many different examples, such as in the case of online application or in the case of lottery. Also, considering the compatibility with previous guarantee levels, I think that whether Liveness Check should be at Identity Check Guarantee Level 1 or 2 is subject to political pressure. We can no longer ignore the social loss caused by relaxing the standard or recognizing it as a higher standard for a specific use case. Originally, I think that it is desirable to consider the idea that NIST SP 800-63-5 is in line with the identity verification Guidelines, rather than going to match NIST SP 800-63-4. If we are at a standstill in considering the correspondence with Identity Check Guarantee Level, I feel that this concept itself is unreasonable.
  • Based on trends in Japan, there is a recognition that society's expectations and requests for this conference body will become stronger than ever. What do they do for the purpose of identification? I think the purpose of identity verification and identity verification is to prevent impersonation. Not only in administrative services, but also in private sector, for example, when making a new contract or changing the model of a mobile phone service provider, we must not make a contract with a person who pretends to be the wrong customer even if we make a mistake. I think the first thing to discuss is how far to go when it comes to asking for rigor when it comes to making identity verification. I would like to reiterate that it is difficult to discuss specific identity verification document combinations for Identity Assurance Level 1 when the use case is not clear. For example, in the case of a library card, even if you bring your passport, you can't use it because you don't know where you live. If the work is clear, there is a range in level 1, and tailoring can be done appropriately. I think that clear descriptions will be a useful document because the discussion at higher levels such as Identity Assurance Level 3 and 2 will be important. On page 11 of Appendix 2, it is not clear what kind of work is supposed to be done at Identity Verification Assurance Levels 3 and 1, which have been discussed so far, and there are multiple stages in Identity Verification Assurance Level 2. Intuitively speaking, Identity Assurance Level 2B or higher has become a necessary level for the process of seeking a strict identity verification. Identity Assurance Level 2A/2B states that electronic verification and remote / face-to-face appearance comparison are required, but Identity Assurance Level 3 does not. The description alone does not distinguish between Identity Assurance Level 3 and Identity Assurance Level 2A. 
    I feel that Identity Assurance Level 2A or higher or Identity Assurance Level 2B or higher may be regarded as a category similar to the new Identity Assurance Level 3. For those with a low level of assurance of identification, tailoring may be necessary depending on the purpose. For example, if the person has a copy of the residence certificate, I think there are cases where it is sufficient.
  • In addition, I feel that the definition of "public institution" described on page 10 of Appendix 2 is not clear. For example, national universities are public institutions, but private universities are not public institutions. As discussed earlier, I believe that selecting based on criteria such as whether or not it can be tracked will be a key to success.
  • Bearing in mind that the identity verification Guidelines that will be revised this time will be used for three to four years, there are already about 95 million My Number Card documents in stock at present, and it is expected that more people will hold and use them in the future. While business operators are checking My Number Card documents that fall under the Japanese version of SUPERIOR, if they are not the Japanese version of SUPERIOR, it is necessary to emphasize what is different from identity verification documents that fall under the Japanese version of STRONG, what is vulnerable, and what risks there are.
  • How many more years will the situation continue in which we do not need to think about anything else as long as we can authenticate in My Number Card? Since the ID card can be held by any Japanese citizen, the more people hold it, the more problems such as lending and borrowing arise, and as such knowledge is accumulated among signature verifiers, it is necessary to consider how to conduct tailoring of the standards on which we rely.
  • In addition, the current materials are divided into two areas: remote and face-to-face. In Japan, there are ATMs in convenience stores, and I would like to know which is applicable, face-to-face or remote. Of course, the situation where people are watching is important, but I think that it is even more important that they are running on managed terminals rather than personal devices that are highly likely to be compromised. Convenience store ATMs will be deployed at various convenience stores, and there are already card readers with facial recognition in hospitals, and I feel that the fact that devices with a uniform profile are deployed nationwide is a unique situation in Japan that does not exist in the United States. It is precisely because of Japan that the debate over whether devices are managed or not and whether they are attended or not, rather than whether they are face-to-face or remote, can be considered separately, and I feel that if we become too much of a follower of the United States, it will be difficult to make the most of what we are doing first in Japan.
  • What you just mentioned is something that was missing in our discussions so far, and I feel that it should be covered. It is a good thing that My Number Card has been widely used, but I believe that people with malicious intentions will come into contact with boundary conditions such as those who have lost their cards, those who have not received issue, and those who have come from overseas. I think that it is better to take measures beyond what can be done in My Number Card for such people. I strongly argue that we cannot protect ourselves from attacks from people with malicious intentions unless we confirm their appearance, whether in person or not. In addition, I believe that the matter of bootstrapping people who have lost their My Number Card is also very important. Ultimately, from the timing of their birth, it may be possible to use some kind of trust anchor and issue it again, but there are people who become Japanese citizens in various cases, and it is assumed that such people will be able to hold their My Number Card. I think that it is desirable to identify these various boundary conditions and implement measures.
  • I am concerned that it may be difficult to reissue the My Number Card when I lose it. If the My Number Card is combined with the driver's license, I think the matter of how to reissue the My Number Card is stuck in the bootstrap, so I think we need to think about it. I think it will be very difficult for the identity verification documents to be completely unified, and it can't be helped if there are many identity verification documents, so I think we should consider reissuing them and guarantee that there are several.
  • As for the story that there are no documents that can be used for reissuance, it is possible that we can use the story of putting Derived Credentials in Authentication App or mdoc. I think the situation where only My Number Card can be used will be improved in a few years.
  • I think that Derived Credentials are just qualifications. I think that identity verification bound to a person and identity verification bound to a thing are different from each other.
  • I think we need to work on use cases such as what to do if the status remains on the smartphone when the My Number Card as a physical card is lost. There are many boundary issues, for example, there are people who do not have a family register. I think the method of reissuing and boundary issues need to be carefully considered.
  • Regarding reissuance, I also think it's a problem. I thought that the discussion on account recovery that we've been discussing at the FIDO Alliance could make a contribution. Traditionally, FIDO credentials were not supposed to come out of devices, so there has been discussion about what to do if a device is lost. In that discussion, based on the results of certain identification checks, we made a FIDO authenticator for FIDO credentials, and proposed that if one is lost, account recovery can be done using the other authenticator. Now, it's allowed to have both a paper My Number Card and a smartphone My Number Card, so if the My Number Card remains on the smartphone, I think we can discuss whether it can be remotely reissued or whether it can be reissued only by going to the city hall.
  • I feel that there are cases where it does not apply well because I think too much about mapping to three stages with the types of Evidence like NIST. In the first place, in the United States, the difficulty of obtaining Evidence of SUPERIOR itself is so high that I wonder what corresponds to SUPERIOR. On the other hand, as another committee member said, I recognize that it is not easy to make inquiries to Authoritative Source in Japan, but in the United States, it is considered to be verified by the system, and I think the situation is different. I recognize that the fact that it is currently listed as Identification Assurance Level 2A/2B/2C is a sign that it did not work as a result of trying to meet NIST. As a result of confirming what threats have been reduced from the means now in Japan, I feel that it may be good to take an approach of consideration that can be finally summarized into several patterns. When I sorted out risks for companies in the past, I arranged risks such as survivability and existence in a detailed matrix and evaluated plus and minus for each. There is a discussion about whether it is okay to simply add up the evaluation results to make a score, but I feel that it may be good to show a certain degree of sense. This discussion will have a significant impact on the scope of consideration for this fiscal year at the plenary session, so I would like to discuss again what direction I should think in.
  • NIST says that if you reissue the Authenticator, you should redo Identity Proofing with the same IAL. However, if the My Number Card is equipped with a driver's license, there will be a problem that the driver's license will be lost and the Authenticator will become one, and I think account recovery will be difficult. I understand that the My Number Card installed in the smartphone does not have to have the same expiration date as the paper My Number Card, and can be registered as a different Authenticator. I feel that I am being pulled too much by the NIST framework.

Agenda (2) Discussion on points for the revision of the Guidelines

"Issue 3. Federation Assurance Levels and Countermeasure Standards"
The Secretariat explained Issue 3 based on pages 17-25 of Appendix 2, and the experts held a free discussion.

Opinion of experts

  • NIST's FAL has a lot of technical content and is like a combined package, so I think there is room for debate about whether that packaging is appropriate. However, compared to IAL, AAL and FAL are less unique to Japan, and there is no sense of incongruity in using NIST as a reference. I understand that the assertion injection attack in FAL2 basically prohibits IdP-initiated assertions in SAML. IdP-initiated assertions are widely used in enterprises, where a list of applications is arranged like a dashboard on a portal where you log in with SSO, and you can log in by sending an IdP-initiated assertion to a selected application and use it seamlessly. It is a use case that is often used in the company, within the agency, and within the ministry, and existing use cases automatically become FAL1. How much impact will the ban on IdP-initiated assertions have on the administrative system?
  • Until now, it has been difficult to create a portal screen because the procurement itself is different, and as a result, it has been loosely coupled. With the establishment of Digital Agency, there is a possibility that multiple systems will be integrated, but it is assumed that it will be closed to the Shimpu inter-provincial network.
  • Currently, we have adopted the concept of zero trust, so I don't think it has anything to do with whether it is on the intranet or the Internet. In fact, services that are used via the Internet are increasing, and if you buy licenses together, there may be a need to put them side by side. However, if it is not IdP-initiated but implemented via the SP, it will be SP-initiated, and we recognize that some systems have measures in place.
  • If many services have such measures, I understand that they can be introduced without much impact for now.
  • OpenID Connect does not have an IdP-initiated flow in its specifications, so I think that the SAML SP in particular will have to deal with this in the future, or has already started to deal with it. Therefore, I thought that there would be no problem even if requirements such as "e. Taking measures to protect against assertion injection attacks" (Appendix 2, p. 24) were included.
  • I feel how to classify the level. If it is in the direction of selecting the setting, it may be necessary to classify the level, but in the end, it is only in the direction of setting it correctly. Even if the Federation Assurance Level is decided, I feel that it will not be chosen by administrative officers when they decide their own affairs. I feel that the concept of the Federation Assurance Level will become necessary if administrative procedures using private IdPs appear as in the United States, but looking at the Japanese situation, I do not think that administrative procedures using private IdPs will appear soon. In the identity verification Guidelines, it may be necessary to refer to federations, but the need for classification of levels may be low.
  • I think it would be good if the bottom line is raised and the tailoring options are organized in response to threats. After listening to the discussion so far, I felt that the leveling of federations is not a situation that is strongly required, and that the consistency of tailoring options should be taken as other guidelines.
  • When the current guidelines were established, it was the time when the world was introducing new federations, so we did not describe it, but now you are starting to create a system using federations. I felt that it is important to make it known as a warning to people outside the Digital Agency.
  • I think that there is a good acceptance of private IdP in local governments. As an initiative based on the concept of push-type administration, we use private IDs to provide information and guidance on procedures to people with light IAL, but there are many procedures that can be applied as it is. I am aware that these are not the original scope of the identity verification Guidelines, but in reality, I feel that there is a need to include FAL1 as a document that is often referred to by local governments.
  • Although it overlaps with the remarks of another committee member, I think that there is a possibility of referring to the attribute information of private companies. There are cases where private companies have more detailed information such as mobile phone numbers and bank account information, and I think it is useful to utilize it.
  • The identity verification Guidelines cover only the administrative procedures of each ministry and agency. However, in reality, it is necessary to consider that they are referred to by local governments as well as the NISC Guidelines. Even if many US enterprises still use SAML, major banks and providers that can be Attribute Providers have been established in the wake of the 2015 revision of the Banking Act, and most of them are assumed to have been established since 2017. Therefore, I think that they have built a fairly solid IdP using OpenID Connect.
  • I think it is a waste that the concept of shared signal is used only within the administration. When there is a division between the administration and the private sector, there is a possibility that people will point out the value of shared signal. Administrative agencies want information from private companies, and private companies want information from administrative agencies. How to solve this has not yet been answered. However, the current shared signal does not contain information that can identify individuals, so it seems possible to pass it to private companies if they want to.
  • It is possible to discuss whether a shared signal between the government and the private sector can be implemented under the current law in the identity verification Guidelines or whether it is necessary to go further, and to describe it in the identity verification Guidelines as a means of mitigation against threats in line with other countries, and to separately conduct an assessment on whether it can be implemented under the law.
  • It's true that Shared Signal is often difficult, and while SAML is used by some customers in the enterprise, it's all OpenID Connect for mass consumers.
  • Is there any way to realize FAL3 as it is now? If we are looking ahead to the future use of Holder-of-Key Assertion by Japanese PIV and Digital Authentication App, I think FAL3 itself may be possible. I felt that FAL1, 2, and 3 would be informative, not normative, and could be handled as a base after the initial FAL review, keeping a record of the reasons for implementation.
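
The difference between IdP-initiated and SP-initiated SAML login that the discussion above turns on, shown as an added example that is not part of the minutes or of any guideline text: an SP that only accepts a response carrying the `InResponseTo` of a request it issued for the same browser session. `RequestStore`, `check_response` and `sample_response` are hypothetical names, the sample message is constructed, and signature, audience and validity-period checks are assumed to be done separately.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

class RequestStore:
    """Outstanding AuthnRequest IDs, bound to the session that started them."""
    def __init__(self, ttl=300):
        self.ttl = ttl
        self._pending = {}  # request_id -> (session_id, issued_at)

    def new_request(self, session_id, now=None):
        request_id = "_" + secrets.token_hex(16)
        self._pending[request_id] = (session_id, time.time() if now is None else now)
        return request_id

    def consume(self, request_id, session_id, now=None):
        # One-time use: the ID is removed on any attempt, so a replay fails.
        entry = self._pending.pop(request_id, None)
        if entry is None:
            return False
        owner, issued = entry
        now = time.time() if now is None else now
        return owner == session_id and now - issued <= self.ttl

def check_response(xml_text, session_id, store, now=None):
    """Return (ok, reason); the response signature is assumed already verified."""
    root = ET.fromstring(xml_text)
    in_response_to = root.get("InResponseTo")
    if not in_response_to:
        return False, "unsolicited response (IdP-initiated)"
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != in_response_to:
        return False, "assertion not bound to the same request"
    if not store.consume(in_response_to, session_id, now):
        return False, "no matching pending request for this session"
    return True, "ok"

def sample_response(in_response_to=None):
    """Constructed, unsigned sample message for the demonstration."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"{attr}>'
            f'<saml:Assertion><saml:Subject><saml:SubjectConfirmation>'
            f'<saml:SubjectConfirmationData{attr}/></saml:SubjectConfirmation>'
            f'</saml:Subject></saml:Assertion></samlp:Response>')
```

A portal-style deployment can keep its dashboard under this check by having each tile link to the SP's login endpoint, so that the SP issues the request itself.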

Adjournment

Secretariat

  • I feel that we were able to hold discussions based on the actual situation. I believe that it would be desirable if we could present issues that will stand up internationally, and I ask for your continued support.

(End)