Expert Meeting for Revision of Personal Identification Guidelines (second meeting in fiscal 2023)
We will hold an expert meeting for the next revision of the "DS-500 Guidelines on Online Identification Methods for Administrative Procedures", which has been developed as one of the Digital Society Promotion Standard Guidelines.
Overview
- Date and time: Thursday, November 16, 2023 from 18:00 to 20:00
- Location: Digital Agency 20th Floor Meeting Room and online
- Agenda:
- Opening
- Proceedings
- Discussion on issues concerning the revision of the Guidelines
- Issue 4. Review the Risk Assessment Process
- Adjournment
Materials
- Agenda (PDF/57KB)
- Document 1: Materials for the Discussion Points (second round) (PDF/1,001KB)
- Minutes (PDF/199KB)
Minutes
Attendees
- Tatsuya Kadohara (Specialist Solutions Architect, Security, Amazon Web Services Japan LLC)
- Satoshi Goto (General Manager of RCS Development Department, DX Business Headquarters, Business Promotion Headquarters, TOPPAN EDGE Co., Ltd.)
- Natsuhiko Sakimura (OpenID Foundation Chairman)
- SATO Shuko (Associate Professor, Information Technology Center, The University of Tokyo; Chief of the Next Generation Certification Collaboration Working Group / Trust Working Group, Academic Certification Collaboration Committee, National Institute of Informatics)
- Akihide Higo (Director of TRUSTDOCK Co., Ltd.)
- Naohiro Fujiei (Representative Director of OpenID Foundation)
- Toru Minai (Deputy General Manager, Market Research Office, Innovation Management Department, Japan Credit Bureau, Ltd.)
- MORIYAMA Koichi (Chief Security Architect, NTT DOCOMO, INC.; Member of the Board of Directors of the FIDO Alliance Executive Council; Chairman of the FIDO Japan WG; Director (Board member) of W3C, Inc.)
Agenda (1) Explanation of the opening and outline of the meeting
(Explanation by the Secretariat)
- Now, I would like to begin the second meeting of the Expert Committee on the revision of the Guidelines for Identity Verification. Thank you all for taking the time to gather. Today, we have two issues to discuss: "How to reflect the risk evaluation process" and "What kind of support can be provided in Digital Agency for risk evaluation."
Agenda (2) Discussion on issues for the revision of the Guidelines
Issue 4-1. How should the risk assessment process revised by NIST be reflected?
The Secretariat explained the current policy on Issue 4-1 based on Material 1, and the experts held a free discussion.
(Expert Opinion)
- In the figure on page 7 of Material 1, is the image that methods and threats are segmented by tailoring and reflected in the segmentation of guarantee levels 1 and 2? Does it mean that the threat pattern is confirmed in advance at the design stage depending on the type of procedure, and the method is determined as a result? The risk assessment is performed roughly at first, isn't it?
- Secretariat: In order to prevent the review process in Step 1 from becoming complex, we would like to avoid fragmentation of the guarantee levels. As for the review procedure, we assume that we first conduct a rough three-stage risk assessment by category, for example "How much damage to life is expected?", and then select a method to adopt while checking the threat resistance of the methods corresponding to the guarantee level.
- We wondered if Step 1 was unnecessary if we could determine which method to adopt based on threat resistance.
- Secretariat: Within the Task Force, there is a concern that guarantee levels 1, 2, and 3 are useful as criteria for communication, and that if we start from Step 2, the "highest method that can respond to all threats (a method equivalent to Level 3)" will always be selected. Therefore, we are considering a two-step process of guarantee level judgment followed by method selection.
- In Step 2, you said that you would subdivide the method, but is that what the RP in the administrative procedure uses? In OIDC, you said to bring Evidence, but are you thinking about that?
- Secretariat: The figure on page 7 is based on a model in which an RP performs identity verification and identity verification functions by itself. However, I believe that the same idea can be adopted in implementation.
- In the case of federation, is it like the administrative procedure side specifying the authenticator to be used? For example, "A, B, and C are not accepted."
- Secretariat: If an IdP provides multiple means through tailoring, we will assess whether those methods can be adopted in the relevant procedure, and we will not accept methods that lack the necessary threat resistance.
- In the figure on page 7, in the case of guarantee level 3, it is essential to respond to threats a, b, c, and d. In the case of guarantee level 2, it is essential to resist threats c and d, and it is essential or recommended for threat b. Is it correct to say that the necessary threat resistance is determined by the guarantee level?
- Secretariat: Regarding the measure standard, we assume standards such as "face-to-face" with the same granularity as NIST. However, as for the guarantee level for authenticating the person himself, I believe that threat resistance itself may serve as a measure standard, as in NIST AAL.
- In Step 1 of the figure on page 7, for each xAL category, if you imagine a solid, there are three layers of risk assessment. On the other hand, when you select a method on the right side, it is decided as if degenerated onto a plane. I wondered whether the solid would map onto the plane well. I think this is an example of what you just said, but it seems that quite a bit of mental conversion is required here.
- If the flow is to first check what kind of threats are in the cluster of risks, and, if there are threats a, b, and c, for example, to select method A or B as the corresponding method, it may be better to reverse the positional relationship in the figure.
- There was a comment that Step 2 alone would be fine, but in the actual field it is sometimes difficult to determine the necessity of threat resistance, and levels can be used for communication such as "In this case, Level 2 is fine, right?" So I think the level classification of Step 1 is very useful as guidance. However, Step 1 also has six categories, and if one has to understand them and judge the three levels, I think even Step 1 will be a difficult process.
- If we consider from the perspective of who will be the readers of the guidelines, for example, as there are actually various differences in the methods specified in the Criminal Proceeds Act, there are differences in threat resistance even if the methods fall under the same level. Therefore, I think the threat-based approach on the right side is useful in terms of considering the ideal way of identity verification. On the other hand, there are few people who can suddenly understand and judge from the necessity of threat resistance as written on the right side, so the level-classified approach on the left side is useful for such people. I thought that if we could decompose the left-hand approach and the right-hand approach according to the purpose, it would be a very good document.
- From the perspective of a company engaged in system development, I think that basically, when introducing a service, the process is to perform risk judgment at a place such as an in-house steering committee, but I recognize that in many cases the judgment is left to experts such as a security consultant or the vendor who developed the system. I think the same is true not only for companies but also for administrative procedures and local governments. Therefore, I think it is important to consider who the main reader of the reference materials for these guidelines is. If you want to do it in-house within the organization, you can start with the approach on the left, and if you want experts to look at it, you can start with the approach on the right.
- I think you are right. With the approach on the right, I think the content will be very detailed. For example, when the phrase "phishing resistance" comes up, to be honest, I think it is difficult to think about what impact it will have on your business. As a person who has been engaged in security consulting for a long time, I think it is extremely important that the operation actually runs, and I don't think it is meaningful to make something that does not run, no matter how neatly organized it is. What we used to do was the approach on the left side of this figure. For example, we designed it so that the level could be classified roughly by a simple question such as "Do you handle personal data?" The work of increasing the resolution from there is to involve experts with insight into risk analysis. I thought that the operation will not run unless we assume a step-by-step flow in which people on the ground first make a rough judgment, then consult with experts in their own organization and subdivide it further. In that regard, I felt that this material may be a little too neatly written.
- In last year's discussion, there was a debate over whether risk analysis should be centralized in the Digital Agency or performed on-site, and it was difficult to reach an answer. In my experience, however, the issue was often whether the operation would actually run. Therefore, my image is that Step 1 in this figure should be simpler, with about two stages. After that, I would consult with experts within the organization and raise the resolution if necessary. If it needs to be raised to a higher level, I would escalate it to a centralized point for judgment. I feel that such a hierarchical structure could be reflected in the process.
- I was also concerned about whether the term "tailoring" would be understood. I think that the guidelines must make clear to the reader what should be done and what should be achieved in this situation. I made this comment because I think the main idea of this proposal is to firmly implement tailoring.
- Secretariat: The term "tailoring" needs to be replaced or explained. In addition, regarding who will read the guidelines, we basically assume that the officials in charge of administrative procedures will use them, and depending on the scale of the system, the support providers will also use them. Therefore, at least when an administrative officer alone examines the guidelines, I believe that the guidelines should be written with that assumption in mind. Based on the discussion just now, we assumed that Step 1 would be examined by the administrative officer in charge of the procedure, but we thought that Step 2 would require examination by experts, so we recognized that it is necessary to consider different readers for each step. In addition, we have discussed the significance of dividing Step 1 several times today, but we thought that it is necessary to consider two types of readers, those who read Step 1 only and those who have to read both Step 1 and Step 2, given the difference in readers.
- The approach on the left is for those who plan administrative procedures, who have an understanding of law and a certain awareness of the system, but need to be consulted on the details of security. The approach on the right is for those who can accurately understand and judge security and other perspectives. If such an image of the intended reader is written somewhere, I think it will be easier to be understood in the process of creating the document.
- We tend to read NIST SP 800-63, but OMB M-04-04 is the one that US administrators read. Risk levels are specified from the perspective of whether people will die or suffer great damage if a mistake is made, and I think that is the end of the administrator's job. In NIST SP 800-63, the perspectives of fairness and privacy are included, but basically, I think the left part is to draw the line between the risks of not being able to provide this public service and providing it to the wrong party. After the levels are specified at such a granularity, experts make detailed judgments according to the threat, and in the case of privacy, there are cases where the organization alone cannot decide whether to accept the residual risk, so stakeholder consultations may be necessary.
- Regarding assessing risk in six categories, some people said it might be complicated, but I think this much is necessary.
(Explanation by the Secretariat)
- In the initial plan, we were going to summarize Issue 4-1., but based on the opinions we received, we thought it would be better to go directly to Issue 4-2. first, and then receive comments as a whole, so I would like to explain Issue 4-2.
Issue 4-2. What kind of examination support and control are necessary for appropriate risk assessment?
The Secretariat explained the current policy on Issue 4-2 based on Material 1, and the experts held a free discussion.
(Expert Opinion)
- What are the specific administrative procedures that fall under Level 3? If we know that, it would be faster to make decisions by excluding those.
- Secretariat: Regarding the specific administrative procedures, considering that the guidelines will be operated for a certain period of time after the revision and that they will be referred to by local governments and the private sector, the task force was considering writing the ideal theory in the guidelines first and summarizing examples of administrative procedures applicable to each level as informative information.
- When I looked at the description of the actual risk impact, I thought that if I were asked to choose from the three levels (2), (3), and (4) on page 13, there would likely be an upward bias. Therefore, I thought that asking "whether or not it is applicable" would be effective in preventing an upward bias.
- When we are in the position of evaluating risks, it may be difficult to say that some are "completely not applicable." In particular, we cannot say that some are not applicable in areas related to privacy, and I was concerned that there would be a considerable number of cases judged to be Level 3 in this way. I think there may be a range of cases such as "In principle, not applicable, but may be applicable in this pattern," and I think that thinking about this will lead to a good risk assessment.
- At our company, when we contact the Steering Committee, we create and submit something like a "front steering sheet." However, the purpose of this is not to make an accurate judgment on the sheet, but to communicate with the Steering Committee. Therefore, I think this worksheet is also positioned as a communication tool.
- The PIA report is like that. You have to think carefully to write a report, and if you decide on the items in the report, I think it will be very easy to use as a communication tool.
- Secretariat: Thank you very much. This tool is also used as a communication tool, but by keeping this sheet as a "document of risk assessment results," we hope to connect it to continuous improvement.
- It may be a completely different approach, but is the documented risk evaluation result applicable to what is disclosed as an administrative document? If so, it will be a clue to the attacker, so I thought I had to be careful about handling it.
- Secretariat: Regarding information disclosure, I believe that it will be treated in the same manner as a design document for ordinary information systems, and that any part that raises security concerns will be handled in a non-public manner.
- As a reference, in Europe, PIA reports must be published by making a "PIA report for publication."
(Explanation by the Secretariat)
- Based on the discussions so far, I would like to organize the risk evaluation in Step 1 using the worksheet as explained in Issue 4-2. However, the granularity of the judgment alone is too coarse, and in some cases, even if the judgment is made at Level 3, from the viewpoint of fairness and privacy, a method equivalent to Level 2 should be combined with supplementary measures. I recognized that it would be ideal if the tailoring process in Step 2 could be made into a guideline that can be adjusted while experts and support providers are involved.
- When I interviewed actual study cases, there were procedures that adopted a method different from the method examples shown in the current guidelines from the viewpoint of usability, and I would like to be able to define tailoring on the site side as a process.
(Expert Opinion)
- I think it is necessary to consider whether the failure mode of identification should be considered on a tailoring basis or should be included in the risk evaluation in Step 1. A famous example is a pregnant woman in Uganda who did not have a national ID and was refused medical care. In such a case, the inability to confirm her identity is related to the risk of life and death. It is easy to think only from the perspective of security, but we must also consider the risk if a public service cannot be provided, and I think this perspective should be included in the risk evaluation on the left side of page 7.
- As I told you in the previous meeting, the problem with the flowchart for the guarantee level judgment is that there is an "If Then" but no "Else". In the risk assessment, I think it would be good to allocate the three guarantee levels after incorporating the idea of considering "what to do if you can't do something" and "what to do in other exceptional cases" in the risk assessment of step 1.
- In the example of this risk assessment worksheet, "enter the risk if applicable", but even if it is determined that it is not applicable, I think it is necessary to keep the basis for the judgment as a record.
- If the options are "applicable" or "not applicable," there may be a concern that the edge case will be caught. As a way of thinking, I think it is better to ask whether there are any unacceptable risks remaining with a way of thinking like alternative control in PCI DSS. If so, for example, if you want to adopt another method from the viewpoint of usability, etc., you may be able to make a judgment on the acceptance of residual risks by taking alternative control. I think it is important to have the results of that judgment written here.
- It is very important to keep it in writing. There was a discussion earlier about whether it would be published or not, but at least in public authorities, I think it would be better to share it.
- The part that has been accepted and judged as a residual risk should be recorded and disclosed. Even if the content is organized within the administration, there is a possibility that a business operator in the private sector who cannot understand the intention may use the administrative certificate for another purpose. I think it also has a purpose to prevent that.
- I think the purpose of the worksheet is to use it as a common language. From that point of view, I think that if you only have them write down the reason for being applicable / not applicable, the amount of information will decrease, and I think it is also important to have them write down the specific failure mode. I think it would be good for the department in charge to think about what kind of undesirable things would happen if they could not provide their own service, and to think about leaving it as a record. At first, it may take time due to the pain of birth, but as it accumulates, you will be able to refer to past judgments, and I think it will lead to the overall efficiency.
- To be slightly negative, I think that filling out this risk evaluation worksheet will require quite high skills, based on the discussions so far. It is very important, so I think training and knowledge sharing will be necessary. On the other hand, I think that it will be difficult to develop human resources specialized in this examination in each organization. So, I was listening to the discussion while thinking that everyone should be able to carry out the base risk evaluation as much as possible, and that the Digital Agency should create a system and mechanism so that experts can make the detailed judgments.
- Let me confirm one thing. What is the relationship between the risk assessment worksheet on page 13 and the failure mode on page 12 in the document?
- Secretariat: I believe that the failure mode to be considered will probably differ depending on the administrative procedure. Therefore, I had an image that the guidelines would include examples of major failure modes such as "service will be provided to the wrong person" and "service itself cannot be provided," and the degree of risk impact when the failure mode to be considered occurs in the procedure would be determined on the worksheet. Based on the comments you made earlier, I think it would be good to have the failure mode to be considered written down at the top of this worksheet.
- Originally, when a professional risk analyst examines a system, he or she would list what assets should be protected and what the attack paths are, think about the attack scenarios, and then the failure modes would appear around this point. He or she would determine the guarantee level and risk acceptance, sort out the remaining risks, and confirm the achievement of the security goal. However, if all of this were required, the operation would not proceed. Therefore, I think that the failure mode is the one thing the person in charge of the administrative procedure can write out with high accuracy as a party to it.
(Explanation by the Secretariat)
- The scheduled end time is approaching, so I will summarize it. Thank you for your opinions and advice on Issue 4-2, including the worksheet. I will include the comments you gave me so that this worksheet will work.
- Finally, I would like to ask for your comments on the pros and cons of this worksheet approach. I feel that the discussion so far has generally been positive. On the other hand, the Secretariat is concerned that the flowchart has been deleted by NIST. If there are any negative opinions on whether or not to proceed with the policy of using this worksheet, I would appreciate it if you could comment on them.
(Expert Opinion)
- I think it's good. If you assume that you don't finish once you decide, but you continue to operate by actively reflecting the feedback you get while operating, you can also learn about operation.
- If you want the results of the study to be documented, you must decide on a common entry item and table of contents in any case. I think the worksheet this time is one step more detailed than that. It just happens that the table of contents structure is in the form of a worksheet, so I think it is good.
- I think it's good, too. By using a worksheet, you can get something close to risk analysis for the first time, and I think it becomes a form in which the soul is injected into the flowchart. If you go to the flowchart suddenly, you will be in a state where you don't understand well, so I think it is necessary to organize it using this worksheet.
- These documents are necessary both in terms of keeping records and in terms of tools for communication, so I think it's just a difference in how to call the documents.
(Explanation by the Secretariat)
- Thank you very much. Regarding the risk evaluation part of Step 1, I would like to proceed with the current policies. On the other hand, I think that the tailoring part of Step 2 needs to be organized a little, so I will consider the opinions received today within the Secretariat and prepare to explain them as proposed policies at the third meeting.
Closing and Next Guidance
(Administration Office)
- Today, I joined in the middle of the meeting, but I felt that the level of discussion was very high because everyone was really enthusiastic and serious about it. I thought again that it is important to have specific discussions about how to infuse a soul into the guidelines, and that God is in the details. I thought again that one or two more steps are necessary to form the guidelines, as you pointed out. So I think it is really important not only to bring in NIST SP 800-63-4 as an imported study, but also to repeatedly think about specific threats in Japan and how to adapt various technologies, and to keep a proper documented history of them while responding to new threats. Through such activities, I hope to raise the level not only of public offices but also of the private sector, and not only in security. Thank you very much for your continued guidance.
- That's all for today's meeting. The next meeting is scheduled for December 26 (Tue). Thank you very much for your time today.