
This page has been translated using TexTra by NICT. Please note that the translation may not be completely accurate.

Sub-Working Group on Promoting DX that Secures Trust (7th Meeting)

Overview

  • Date and time: Tuesday, March 22, 2022, from 3:00 p.m. to 4:45 p.m.
  • Location: Online
  • Agenda:
    1. Opening
    2. Proceedings
      1. Explanation of Secretariat Materials (Secretariat)
      2. Presentation from Members, etc.
        • Soshi Hamaguchi (Keio University SFC Research Institute)
      3. Free discussion
    3. Adjournment

Materials

References

Relevant policies

Summary of proceedings

Date

Tuesday, March 22, 2022, from 3:00 p.m. to 4:51 p.m.

Location

Held online

Attendees

Members

  • Hiroshi Ota (Partner, Nishimura & Asahi)
  • Natsuhiko Sakimura (Senior Researcher, Tokyo Digital Ideas Co., Ltd.)
  • Satoru Tezuka (Professor, Faculty of Environmental Information, Keio University) [Senior Researcher]
  • Soshi Hamaguchi (Senior Staff Member, Keio University SFC Research Institute)
  • Tatsuya Hayashi (Director of LocationMind Co., Ltd.)
  • Hiroshi Miyauchi (Attorney, Miyauchi & Mizumachi IT Law Office)
  • Kazuya Miyamura (Partner, PwC Arata LLC)
  • Makoto Takamura (Counselor to the Director-General for Cybersecurity, Ministry of Internal Affairs and Communications)
  • Hiromasa Kiyo (Senior Assistant, Commercial Affairs Division, Civil Affairs Bureau, Ministry of Justice) *
  • OKUDA Shuji (Director of the Cybersecurity Division, Commercial Information Policy Bureau, METI)

Observer

  • Satoru Ijichi (Executive Director of the Time Business Accreditation Center, Information and Communication Security Division, The Japanese Telecommunications Association)
  • Takayuki Idaka (Special Advisor for Medical Information Technology, Research and Development Promotion Division, Health Policy Bureau, Ministry of Health, Labour and Welfare) * Attendance by proxy
  • Daishu Ohta (Chairman of the External Affairs Department of the Digital Trust Council)
  • Hirohisa Ogawa (Chairman of the Steering Committee of the Nippon Trust Technology Council and Senior Researcher, Cyber Security Strategic Group, Digital Innovation Division, Mitsubishi Research Institute, Inc.)
  • Mikio Ogawa (Executive Director of Administration and Settlement Systems Department, Japanese Bankers Association)
  • Tetsuro Okuno (Deputy Director of the General Affairs Division, Ministry of Health, Labor and Welfare Pharmaceutical and Environmental Health Bureau) * Attendance by proxy
  • OGURA Takayuki (General Manager of Corporate Sales Department, Shachihata Inc. Systems)
  • Seiji Kaneko (Director of the General Affairs Division, Pharmaceutical Affairs and Environmental Health Bureau, Ministry of Health, Labor and Welfare) * Attendance by proxy
  • KOMATSU Hiroaki (Partner, Tokyo IT Audit Department, KPMG AZSA LLC)
  • Hajime Sato I (Executive Director of the Policy Department of the New Economy Federation)
  • Sato Tatewaki (Cloud-based Electronic Signature Service Council Secretariat)
  • Koichi Shibata (Executive Director in charge of DX Service Planning Department and Chairman of the Planning and Operation Subcommittee of the Trust Service Promotion Forum, Seiko Solutions Corporation)
  • Kenichiro Shimai (Deputy Director of the Medical Information Technology Promotion Office, Research and Development Promotion Division, Health Policy Bureau, Ministry of Health, Labour and Welfare) * Attendance by proxy
  • SHIMAOKA Masamoto (Senior Researcher, IS Research Institute, SECOM CO., LTD.)
  • Kikuzo Sodeyama (Director of SKJ Sogo Tax Accountant Office)
  • Hajime Toyoshima Kiyoshi (DigitalBCG Japan Managing Director)
  • Yuji Nakasu (Vice President of Government Affairs, SAP Japan Co., Ltd.)
  • NAKATAKE Hiroshi (Representative of Global Legal Entity Identifier Foundation (GLEIF) Japan Office)
  • Akira Nishiyama (Special Member of the Electronic Certification Bureau Conference (Representative of Future Trust Lab))
  • Eiji Nozaki (Director of the General Affairs Division, Supervisory Bureau, Financial Services Agency)
  • Akihide Higo (Project Owner of the Digital Identification Project Team, Incubation Lab, Digital Architecture and Design Center (DADC), Information-Technology Promotion Agency (IPA))
  • Tomoaki Misawa (Partner, PwC Arata LLC)
  • YAMAUCHI Toru (Managing Director of the Association for the Promotion of Information Economy and Society and Director of the Digital Trust Evaluation Center)
  • WAKAMEDA Mitsuo (Senior Researcher, Data Strategy WG, Planning Committee, Digital Economy Promotion Committee, Japan Business Federation)

Digital Agency (Secretariat)

  • Masanori Kusunoki (Group Manager, Digital Society Common Functions Group), Shusaku Indo (Deputy Group Manager), and others

Minutes

  • The Secretariat explained Material 1 "Explanatory Materials for the Secretariat."
  • Experts made a presentation on Material 2 "eIDAS2.0 and EUDIW".
  • The secretariat reported the opinions submitted by Member Sako, who was absent from the meeting.
  • In the open discussion, the following remarks were mainly made.
    • On page 14 of Material 2, there is an overview of the functions of the EUDIW. Regarding the deployment part, how the wallet is delivered to users through a secure channel is important for Trust. Please tell me if there is any description of this part.
      In the multi-stakeholder process, it is necessary to have a process of reviewing and collecting issues and problems. By collecting these, the cycle of how to improve them can be turned around. What is important in the multi-stakeholder model is transparency and openness. Recently, the Japanese government has been able to promote the use of GitHub, and by widely and openly disclosing related documents, issues, and pull requests, the multi-stakeholder process can be minimized and efficiently and openly implemented by the power of digital tools.
    • There is no related description within the scope of the materials published so far. It has not been decided that the EUDIW will be deployed as an app on a smartphone. So far, EU laws have been written to be neutral with respect to technical implementation, so at this stage, how it will be implemented has not been written. Without that, deployment will not be discussed.
      On page 4 of Material 2, the number of authenticated transactions between member countries is 60,000 in 2020, which is a small number. Is it because there are no transactions closed within Japan and there are few transactions across countries? At this point, it will not be interoperable, and how to ensure the reliability of the Wallet will be a difficult issue, but is that being considered?
      Regarding the secretariat materials in Material 1, it is strange that companies and business organizations are included in the Civil Society, which is a multi-stakeholder model. In the OECD, the Civil Society and Business are also separated. In the OECD, trade unions, workers, and Business are separated, so it is better to consider that. It is better to rephrase Business Owner to service provider. It is better to create a framework called Business in the same way as Tech Community and Civil Society, or a framework like trade union depending on how you think about it. Regulator should also be partly within the dotted line of multi-stakeholder. Evaluation and transparency are important for multi-stakeholder. Since transparency and Trust are very closely related, how to ensure transparency? It is necessary to consider securing logs.
    • The statistics do not show transactions between all Member States; they are the number of certified transactions between Member States, not domestic certified transactions. For example, only the number of Luxembourg eIDs used in the Netherlands is added. Even so, the number is not so large. As stated in the evaluation result of eIDAS for eID, the range was too narrow. Since there are only notified schemes that can cover at most 59% of citizens, and they are available only in cross-border services and public services, the number of people who want to access public services across borders is limited in the first place, and among them the number of people who have an eID is limited, so the number is small, as shown in this evaluation report.
      In response to your question about the reliability of wallets, it is not yet written how to ensure their reliability technically, but in the bill, experts from each EU member state gathered to write a so-called functional requirement level document, such as the Architecture and Reference Framework mentioned earlier. After that, technical standards were created. After the creation of the technical standards, certification under the EU Cybersecurity Framework is currently being established, and the bill says that security certification of EU Digital Identity Wallets will be performed there.
    • The multi-stakeholder model in the Secretariat materials will be revised by the next time based on the opinions received.
    • In the secretariat materials, I felt that in the multi-stakeholder model, relatively more attention will be paid to disposition notices, official certificates, etc. Timestamps and e-seals are also important in terms of GPKI, updating of LGPKI, and ensuring the authenticity of official documents, but when DX is considered in society as a whole, official documents are not considered to be the most important. Rather, the main area of DX will be BtoB and BtoC. In such an area, DX for electronic transactions is very important, and for that purpose, it is necessary to review the Electronic Signature Act and establish standards for cloud signatures such as remote signatures and witness signatures.
      In that sense, it is written in the document that it is an electronic contract for identity confirmation in the government system, but it is not necessary to limit it to the government procurement like the electronic contract in the government procurement, and it is appropriate to consider the electronic contract more widely.
      In addition, there have been cases in which virtual currency dealers held large amounts of virtual currencies, but the standards for their security were not generally stated, and as a result very large amounts of virtual currencies were leaked. This should be taken as a cautionary lesson when considering the promotion of DX that secures Trust. In particular, it is necessary to firmly establish criteria for determining the identity verification of electronic signatures, including observer-type electronic signatures, and the uniqueness of the process of the observer-type electronic signature service indicated in the Government Q&A of September 4, 2020. This is an essential situation for the promotion of DX as a whole.
      From this point of view, the multi-stakeholder model seems to be a proposal on the system of government, but in fact, it is necessary to consider the framework of Trust, including private sector, and the legal system. I would like to ask the Secretariat's opinion on this.
      Also, what is the service operating company written in this Business Owner? If this is only dealing with national systems, it would be Digital Agency, but in private sector, is it correct to think that this Business Owner is a service provider?
    • Regarding the first point, the multi-stakeholder model is not limited to those mentioned in Examples 1 and 2 of the materials, but is also assumed for procedures and transactions in private sector. First of all, in presenting a proposal as the secretariat, I gave an example because it is possible to operate a multi-stakeholder model in Digital Agency.
      Regarding the second point, regarding the members of each community, we need to work out a few more ideas, but in the case of private sector procedures and transactions, we are currently thinking that the service operation company may be, for example, a Trust service provider.
    • The updating of the technical standards of the GPKI and the technical standards in official documents, which are mentioned by the Secretariat as examples, can be decided by the government. Hearing opinions from various sources should be done by using public comments. There is no need to use the multi-stakeholder model. Are the technical standards of the eIDAS also really decided by the multi-stakeholder model? For example, in the materials presented by Hamaguchi members, the development of the subordinate regulations of the eIDAS2.0 is mentioned. Here, too, the development of the subordinate regulations that specify the technical standards is mandatory for the EU Commission. In that sense, this is decided by the EU Commission with responsibility, and it is not always decided by the multi-stakeholder model. Furthermore, in the Japanese legal system, the multi-stakeholder model is adopted in the formulation of guidelines for certified personal data protection organizations in the form of Article 53 of the personal data Protection Act. In the case of the personal data Protection Act, there are various parties with very various interests. It is my understanding that the multi-stakeholder model is used to create a model that can be convinced by parties with such subtle interests. However, the technical standards of Examples 1 and 2, which are mentioned now, are technical standards, and it is strange to discuss them by multi-stakeholders.
      In fact, ICANN and the IETF were mentioned as examples, but in a sense, the Internet is a forum for discussing technical standards in a world without governments, so it is not strange that the multi-stakeholder model is used in ICANN and the IETF because it is decided within a village of experts. In this talk, it was suggested that consumer groups and bar associations be included in the Civil Society, but I don't think that bar associations can do this.
      In the Secretariat materials, what should be done about the mechanism of the ID Wallet with international interoperability? I think it may be somewhat compatible with the multi-stakeholder model, but the government can decide on the notification of disposition, official certificate, and identity verification in the government system. If the multi-stakeholder model starts to be involved in the discussion, the discussion will not converge. Moreover, if the consensus of all members is required, the decision will never be made, and the swiftness will be significantly impaired.
    • On page 9 of Exhibit 2, it is explained that the European Commission is obliged to develop subordinate regulations to specify technical standards. In the subordinate regulations, it is stated that the legal requirements of eIDAS2.0 are deemed to be satisfied when the following technical standards are satisfied. Therefore, basically, the list of technical standards that have already been created is specified in the form of subordinate regulations. Among the three European standardization organizations, ETSI, CEN, and CENELEC, the technical standards themselves are basically referred to by CEN and ETSI. The standardization process is probably different between ETSI and CEN, and in the standardization process of ETSI, ETSI is basically a members-only standardization organization in private sector. For example, Google has a lot of voting rights recently, and ETSI has begun to have a fairly strong opinion on European standardization. However, the European standardization organization basically does not allow general private companies to have a lot of voting rights and exert strong power to create technical standards. Therefore, there is actually a voting process as a European standard on top of it. In the process, actual voting by each member state and voting by one member state are performed to establish a European standard. Therefore, even if general private companies and private sector companies vote in their favor at the planning and drafting stage, such a process does not work as an actual European standard. However, it is questionable whether it is a multi-stakeholder at the same level as the multi-stakeholder model shown in this Secretariat material. However, in the framework of eIDAS, the standardization of technical standards is basically entrusted to the standardization organization. However, the technical standards to be adopted are approved by the voting of member states at the end. 
      Finally, the European Commission is responsible for creating subordinate regulations in the form of developing subordinate regulations and specifying the technical standards created by law. It is not included in the public process. Basically, opinions are received in the form of public comments. ETSI also has lawyers who are familiar with technical matters, and people who are widely engaged in various businesses using their strength in IT have entered the standardization organization. Therefore, the technical standards are created in the form of public comments.
    • In Material 2, the expansion of Trust services, e-Ledger, was described. What kind of use cases are expected in Europe?
    • It is a so-called distributed ledger. The bill itself does not say it is a distributed ledger, but in the preface of the bill it says that we need to respond to the evolution of technologies such as blockchains and distributed ledgers. Its legal effect is to guarantee the authenticity of time-series data recorded on the distributed ledger. Regarding what kind of service model there actually is: for example, assuming that a Digital Identity Wallet is implemented on a smartphone, if you try to achieve self-sovereign identity (SSI), and verification is done in a way where the service provider asks the issuer whether the ID in the wallet is genuine every time it is used, it will happen that data on who authenticated themselves, when, and to what will be traceable. The distributed ledger is being considered as a way to actually implement this. It seems to be discussed that part of the so-called self-sovereign function can be implemented by going through a process in which the record of the issuance of the ID is recorded on the distributed ledger, and the verifying side goes to the distributed ledger to see when the ID was issued and whether it is genuine.
    • In eIDAS2.0, is ID and ledger for IoT considered?
    • In eIDAS1.0, it was considered to guarantee the authenticity of data, for example, photographs of images, coming out of equipment by digitally signing them with certificates for e-seals. However, it seems that it was assumed that the certificates would be operated in a form linked to the information that the equipment was manufactured, managed, and operated by some corporation, rather than the certificates of the equipment itself, as is being considered in Japan.
    • Regarding the multi-stakeholder model, based on the current situation in which Trust is secured not only by technical standards but also by context, it is written that the T of DFFT is assumed. Considering this, I believe that it is not only about technical standards. If so, if we can see on the entire map which use cases in DFFT are covered by technical standards and what the use cases are about, including the wider context, then whether the multi-stakeholder model should be applied, or who should be set as stakeholders, will change.
    • Based on the opinions received, we would like to consider the content and scope of the discussion in the multi-stakeholder model.
    • In addition to ETSI, it is also necessary to look at the relationship between ETSI, CEN and ISO. In terms of multi-stakeholder, ISO does not divide its stakeholders like the OECD, but it is able to participate. It seems that there are lawyers and people with a Civil Society feel.
    • If the multi-stakeholder model is adopted, it will not be possible to make a clear difference from the composition of the Expert Council unless the rules are clarified. It is important to summarize the authority and responsibility of each community and the formal position of the deliverables created by each community in the model as rules, and to create rules in a fair manner for the selection method of the members. Regarding this, some pointed out that the government should decide. Isn't a multi-stakeholder model at the same level as ICANN and IETF unnecessary for this case? There is a level of multi-stakeholder model, and I think there is a difference between a multi-stakeholder model at the level of ISO and a multi-stakeholder model at the level of ICANN, but it should be discussed at the necessary level.
      In light of the needs for time stamps and e-seals in official documents, what should be stipulated in these technical standards? Even if they are formulated in the form of time stamps to be affixed to official documents or technical standards for e-seals to be affixed to official documents, for example, as in NIST SP 800-63, even if the technical standards for time stamps and e-seals are said to be standards for official documents, I think private sector will refer to them, so it is necessary to examine the technical standards with such things in mind.
    • Regarding the assurance level of identification, it is considered wrong that this working group shows use cases. It should be possible for the use case side to select the level after qualitatively indicating how much confirmation is applicable.
      Regarding the future review system, in the multi-stakeholder model shown in the secretariat materials, it is missing who will determine the necessary conditions. If the Regulator side does not enter the required conditions, it will be a waste of time to discuss them. What we are discussing here is also a discussion on what to do with electronic signatures, in other words, what to do with alternatives to registered seals, so don't we need to have such required conditions? Also, Business Owner, Tech Community, and Civil Society are strange to people who are not used to them, so they should be written in Japanese, such as service providers and people who know user technology.
      There are examples from ICANN and the IETF, but it should be noted that the voices of the proponents are louder in the multi-stakeholder model of the Internet. I think it is different from the multi-stakeholder model considered here because the Civil Society is the one who imposes the requirements. In other words, it is the people of the Civil Society who demand privacy in the world of the Internet. On the other hand, in the current situation of Japanese society, it is the Civil Society that asks us to relax the requirements for privacy because it is troublesome, so we think that if we set the conditions wrong, it will become a mess.
      In terms of users, it is not particularly strange that user companies enter the companies in this Civil Society.
      In Material 2, there was a discussion of attributes. In Europe, it is said that the discussion of attributes will be held in the future. Therefore, it is better not to try to reach a conclusion on the topic of qualifications, which has been discussed several times here, at this stage, including monitoring the situation in Europe.
    • When I heard Mr. Hamaguchi's presentation, I understood that the European discussion is taking the next step after reviewing how the current products are being used. This attitude is originally extremely important in Japan. There were talks about how the current Electronic Signature Act is being operated and how cloud signatures are being used, but based on these discussions, I thought that we need to discuss how we need to improve the shortcomings. Regarding the EU's Digital Identity Wallet, I thought that if iOS and Android were to support it more and more, we would be able to share it well, but it seems that it will take a little more time. Rather than waiting for it and doing something, I felt that it is realistic for Japan to think about it on its own and take the initiative, and at that time, refer to what requirements each country is trying to meet.
      In addition, we had a lot of discussions on the multi-stakeholder process proposed by the Secretariat. Although there are some parts that are immature, I would like you to continue to provide guidance on how to make it possible to turn it around properly and make it acceptable. In use cases, which include private sector, and while we believe that there is a greater need for a new one, if we want to actually do it, service providers need to sweat a lot, and the Digital Agency has decided to sweat first, so I think it will be a very big issue to what extent we can turn it around with the support of private sector.
      Including such things, we would like to produce outputs properly in the next three months. I would like to ask for your continued guidance.
  • The secretariat explained that the meeting materials will be published on the Digital Agency website later, that additional opinions and questions will be communicated to the secretariat and used by the secretariat as a reference for future operations, and that the minutes of the meeting will be published after the members confirm the content.
  • The secretariat explained that the next meeting of the Sub-Working Group is scheduled to be held online from 4 p.m. on Friday, April 8, 2022.

End