Promotion of DX Sub-Working Group that secured Trust (4th)

Overview

• Date and time: Tuesday, January 25, 2022 (2022) from 4:30 pm to 6:15 pm
• Location: Online
• Agenda:
  1. Opening
  2. Proceedings
     1. Proposed Future Issues on Assurance Levels (Secretariat)
     2. Presentations from members and external experts
        • Akihide Higo (Information-Technology Promotion Agency (IPA) Digital Architecture Design Center (DADC))
        • Sōshi Hamaguchi (Keio University SFC Research Institute)
     3. Free discussion
  3. Adjournment

Materials

• Agenda (PDF/146KB)
• Exhibit 1: Secretariat explanatory materials (PDF / 2,010 kb)
• Material 2 Materials to be submitted by Mr. Higo (Incubation Lab Project "Examination of Digital Identity Verification Guidelines for Different Services") (PDF / 1,662 kb)
• Material 3 Materials to be submitted by Mr. Hamaguchi (Assurance Level under the European eIDAS Regulation) (PDF / 1,725 kb)
• Proceedings Summary (PDF/394KB)

References

• Holding of the Trust Sub-Working Group to Secure Promotion of DX (PDF / 64 kb)

Relevant policies

• Data Strategy

Summary of proceedings

Date

Tuesday, January 25, 2022 (2022), from 4:30 p.m. to 6:15 p.m.

Location

Held online

Attendees

Members

• Hiroshi Ota (Partner, Nishimura & Asahi)
• Natsuhiko Sakimura (Senior Researcher, Tokyo Digital Ideas Co., Ltd.)
• Kazue Sako (Professor, Department of Information Science and Engineering, School of Basic Science and Engineering, Waseda University)
• Satoru Tezuka (Professor, Faculty of Environmental Information, Keio University) [Senior Researcher]
• Soshi Hamaguchi (Senior Staff Member, Keio University SFC Research Institute)
• Tatsuya Hayashi (Director of LocationMind Co., Ltd.)
• Hiroshi Miyauchi (Attorney, Miyauchi & Mizumachi IT Law Office)
• Kazuya Miyamura (Partner, PwC Arata LLC)
• Makoto Takamura (Counselor to the Director-General of cybersecurity, Ministry of Internal Affairs and Communications)
• Hiromasa Kiyo (Senior Assistant, Commercial Affairs Division, Civil Affairs Bureau, Ministry of Justice) *
• OKUDA Shuji (Director of the cybersecurity Division, Commercial Information Policy Bureau, METI)

Observer

• Satoru Ijichi (Executive Director of the time business Accreditation Center, Information and Communication security Division, The Japanese Telecommunications Association)
• Takayuki Idaka (Special Advisor for medical care Information Technology, Research development Promotion Division, Ministry of Health, Labor and Welfare Health Policy Bureau) * Attendance by proxy
• Daishu Ohta (Chairman of the External Affairs Department of the Digital Trust Council)
• Hirohisa Ogawa (Chairman of the Steering Committee of the Nippon Trust Technology Council and Senior Researcher, Cyber security Strategic Group, Digital Innovation Division, Mitsubishi Research Institute, Inc.)
• Mikio Ogawa (Executive Director of Administration and Settlement Systems Department, Japanese Bankers Association)
• Tetsuro Okuno (Deputy Director of the General Affairs Division, Ministry of Health, Labor and Welfare Pharmaceutical and Environmental Health Bureau) * Attendance by proxy
• OGURA Takayuki (General Manager of Corporate Sales Department, Shachihata Inc. Systems)
• Seiji Kaneko (Director of the General Affairs Division, Pharmaceutical Affairs and Environmental Health Bureau, Ministry of Health, Labor and Welfare) * Attendance by proxy
• Hajime Sato I (Executive Director of the Policy Department of the New Economy Federation)
• Sato Tatewaki (Cloud-based Electronic Signature Service Council Secretariat)
• Koichi Shibata (Executive Director in charge of DX Service Planning Department and Chairman of the Planning and Operation Subcommittee of the Trust Service Promotion Forum, Seiko Solutions Corporation)
• Kenichiro Shimai (Deputy Director of medical care Information Technology Promotion Office, Research and development Promotion Division, Ministry of Health, Labor and Welfare Health Policy Bureau) * Attendance by proxy
• SHIMAOKA Masamoto (Senior Researcher, IS Research Institute, SECOM CO., LTD.)
• Mariko Sugi (Information-Technology Promotion Agency (IPA) Digital Architecture Design Center (DADC))
• Kikuzo Sodeyama (Director of SKJ Sogo Tax Accountant Office)
• Fuminori Takaoka (Supervisor, General Affairs Division, Supervisory Bureau, Financial Services Agency) * Attendance by proxy
• Hajime Toyoshima Kiyoshi (DigitalBCG Japan Managing Director)
• Yuji Nakasu (Vice President of Government Affairs, SAP Japan Co., Ltd.)
• NAKATAKE Hiroshi (Representative of Global Legal Entity Identifier Foundation (GLEIF) Japan Office)
• Akira Nishiyama (Special Member of the Electronic Certification Bureau Conference (Representative of Future Trust Lab))
• Tomoaki Misawa (Partner, PwC Arata LLC)
• YAMAUCHI Toru (Managing Director of the Association for the Promotion of Information Economy and Society and Director of the Digital Trust Evaluation Center)
• WAKAMEDA Mitsuo (Senior Researcher, Data Strategy WG, Planning Committee, Digital Economy Promotion Committee, Japan Business Federation)

Digital Agency (Secretariat)

• Group Manager of Digital social common function Group Masanori Kusunoki, Group Deputy Manager of Shusaku Indo Group, etc.

Minutes

• The Secretariat explained Material 1 "Explanatory Materials for the Secretariat."
• Experts made presentations on Material 2 "Incubation Lab Project' Study of Digital Identification Guidelines for Different Services'" and Material 3 "Assurance Levels under the European eIDAS Regulation."
• In the open discussion, the following remarks were mainly made.
  • The purpose of this sub-working group is to secure Trust and examine specific promotion measures for DX. The assurance level is an additional condition. In DX, data interoperability and automatic processing are important. In order to secure API connectivity and data format interoperability, it is necessary to determine specifications and provide a testing environment for continuous testing, and the assurance level of authentication and certification will be included. Therefore, data interoperability should also be discussed in this sub-working group.
  • Page 4 of Exhibit 1 shows the Trust Assurance Level, but the Trust Service Assurance Level is more accurate.
  • Page 10 of Attachment 1 is written in a way that requires a hardware base in AAL. 3. However, in NIST SP800-63, hardware means hardware that meets the requirements of FIPS 140-2. The documentation should list the requirements specified in FIPS 140-2 or reference FIPS 140-2. It is practically important to think on a threat basis. The documentation should state that there are requirements for a hardware base and validation spoofs resistance.
  • In discussions at the level of identification and certification processes, the basic idea should be addressed in international fora such as SC27, as there are international standards.
    In use cases, there have been cases of problems such as the presentation of forged certificates and the leasing of authentication machines. It should be noted that in Japan, it is very difficult to confirm the non-falsification of certificates.
    It goes without saying that Binding and Federation are important. The issue of borrowing and lending is also closely related to the story of Binding. Remote eKYC is a story of certified information linkages. However, it is doubtful whether it can be decided at the national level, and it should be delegated to a standardization organization and discussed where Interoperability can be achieved.
  • Regarding Material 2, it is good to refer to New Zealand. The person who was an editor of ISO/IEC29003 formulated the standards, and the discussions of ISO/IEC29003 are reflected. (Being announced) You said that there are no digital identity verification guidelines in private sector, but there is an approach to realize the standards of ISO. Both ISO/IEC29003 and ISO/IEC 29115 are in a period where they need to be revised, and there is no editor to accept them, so it is a good way to raise your hand on the contrary. The use cases listed in the announcement is probably identity verification in public authorities identification and certification, but the attributes to be verified actually vary from use cases to use cases. As a first step, the attributes to be verified should be listed. Basic information should be considered for each region because such basic information is not necessary a priori. (Reference)
    As for the level classification, it is better to rewrite it on a threat basis. In accordance with international standards, etc., it is better to think about the theory of what it should be like, such as how it should be, but since Japan cannot do it, it is better to think about it as a compromise.
  • Regarding Exhibit 3, it is necessary to summarize whether eIDAS1.0 was a success. Please provide information on the definition of EU Digital Identity Wallet (DIW). Article46 on electronic documents is important.
  • eIDAS has regulations concerning eID and Trust services. When eIDAS2.0 was issued, an investigation was conducted to determine whether eIDAS1.0 was sufficient legislation in Europe. As for eID, the percentage of EU citizens who could be covered as a whole was less than 60%. Under the eIDAS Regulations, the goal of distributing eID to all EU citizens so that everyone could use various services online, and eID could be used for certification or certification across countries could not be achieved. The standards for guarantee levels of Low, Substantial, and High were also indicated in the regulations, but the evaluation method was operated in an ambiguous manner. By distributing EU DIW to each EU citizen under eIDAS2.0, we aim to achieve a 100% diffusion rate.
    Regarding Trust services, in survey, about 70% of the respondents felt that eIDAS Regulations had spread Trust services, resulting in cost savings, time savings, and simplified administrative procedures. On the other hand, in eIDAS1.0, the technical standards were adopted only as national standards, and the link between the law and the technical standards was not clear. Therefore, there were Issue in places where the requirements for remote identification, for example, varied from country to country.
    In addition, new concepts such as distributed ledgers and portable identities are emerging, and eIDAS2.0 will require expanded Trust services.
    The part related to attribution certification is not completely contributed to DX in eIDAS1.0. The eID service defined by the Trust AS Regulation only guarantees basic reliability. For example, the reliability of the level of who signed it. When I sign a document, the area recognized by eIDAS1.0 is only to guarantee that "I certainly signed the document." It does not guarantee what degree I have and what kind of person I am. This time, there is a request to guarantee the reliability of attribution information in the communication, education, and aviation industries of the regulation industry. In eIDAS2.0, it is a framework to guarantee the reliability of attribution information required for each field by incorporating a new Trust service called attribution certification in addition to the guarantee of natural persons.
    eIDAS1.0 is not a fully successful law, but a majority of people are in favor of it and are trying to adapt it by adding more services that are more useful to the times.
    EUDIW is a form in which validation results of smartphone, which are issued as an app on eID, are incorporated into the app, and each of them can be provided to the Relying Party as their own identity in a self-sovereign form.
  • It is true that discussions on the Identification Assurance Level are advancing internationally, but since there are base registry, resident records, and registration as a certain family registry, the level of IAL should be shown as one way of thinking how strong the relationship with such a certain base registry is.
    The assurance level of Trust services is very important. In this forum, IAL, AAL, etc. have been discussed in advance, but if you look only at ID providers, it is naturally important whether or not they are reliable.
    As a viewpoint for considering the standard of the assurance level, regardless of the type of Trust service, it is necessary to separate the common requirements from the requirements for each type of Trust service. In security, organization requirements, human requirements, and physical requirements are probably determined without depending on the processing of Trust service. On the other hand, some technical requirements are common. It is important to organize around this when considering the assurance level of Trust service.
    Regarding mobility, it is difficult to determine by law and public notice. Therefore, a specialized organization should be set to determine the standard, and the standard should be formulated here.
  • Regarding eIDAS Article26, it is said that the currency of electronic documents cannot be denied simply because they are in electronic form. In some countries, it says "except as specified by the law." If you add a restriction that such things must be paper depending on the law, this article loses its meaning. It is important that there is no exception here.
  • If the assurance level of Identification is considered in Japan, it should be discussed how to apply it to the current situation in Japan.
  • In the initial stage, a specific use cases is necessary. First of all, it should be implemented from the administrative and government sectors. In consideration of small start and advancing things by ourselves, it is desirable to materialize use cases from the administrative domain.
  • Since there are places where we are talking without clarifying the definition of Trust service, we should clarify what it refers to so that we can discuss it in the future.
  • Regarding Exhibit 3, there were talks about the success or failure of B2B in eIDAS. In eIDAS, we tend to think about things between countries, but in reality, the use of B2B by the people is biased, and the area in the middle is relatively used. Please tell us your sense of Issue.
    As for EUDIW, I heard that you will be making a smartphone on the implementation app, if you know when.
  • There are no statistical data on B2B. From the viewpoint of the Certification Authority, the market size and sales have tripled since the eIDAS. About 20 to 30 percent of them are qualified Trust services, and it can be said that the spread of B2B in non-qualified areas has advanced.
    As for the EUDIW rough schedule, official information from the European Commission shows the EUDIW design plan, which is said to be a toolbox, and technical standards from the European Commission on October 30.
  • I agree with the elimination of exceptions that are not denied simply because they are in electronic form. I also agree with starting with the administration first.
  • I feel uncomfortable about the fact that identity verification is based on the premise of (disclosure of) address, name, and date of birth. When I heard about an IT service company that how to verify the agreement between the two parties when making an electronic contract, I heard that a service is actually used in which you can ask the date of birth of the other party, register it as a password, and when the other party enters your date of birth, you can get that data. I am concerned that there will be a problem in which people who are asked to submit their date of birth for identity verification can log in to other places using that date of birth. Based on base registry, it would be good if we could consider an authentication service that works well in My Number Card just by having private sector and without showing any other detailed information.
  • Currently, the use cases that we want to actually realize can be achieved by using administrative procedures, etc., but there are cases where it is impossible to respond to the scope of the Trust required in the future. We should consider data interoperability, B2B use cases, and use cases of agreement confirmation for data use when conducting joint development using data jointly by multiple companies.
  • I can understand that small start will be used from the point where it is most used in use cases, but this sub-working group should cover the whole and discuss what steps to take strategically.
  • Regarding Exhibit 2, there was no sense of discomfort in the classification method of civil and private procedures proposed by DADC, but the IAL is classified into five levels, and there is a question about the original purpose of creating such a five level classification.
    In terms of legal effects, for example, in the framework of eIDAS, it is easier to handle at three levels in practice, but I would like to ask whether you are classifying IAL levels with the intention that the classified levels will eventually lead to legal effects, or if you are preparing them as a scale for considering things as a whole, will it be much easier to discuss them in the future?
  • Regarding Exhibit 3, I understand the framework for mutual recognition among member states under the eIDAS. However, in the future, when considering the assurance level of Trust services in Japan, if there is a possibility that we need to consider mutual recognition with the EU, I think it is important for Japan to consider mutual recognition not between member states but with countries outside the EU. Is there any discussion on this?
    For example, the United Kingdom is no longer a member of the EU due to Brexit, but in relation to the United Kingdom, the European Union should be in a situation where it has to prepare some kind of mutual recognition framework. In that sense, the framework of mutual recognition with countries outside the European Union should be discussed.
  • There is a fairly certain base registry. There is no family registry in the U.S., and I don't think there are many countries that have something like a seal registration certificate. On the other hand, under the Anglo-American Law, there is a rule that oral documents cannot be evidence (parole, evidence rule). In that sense, it is understandable that the capacity as evidence cannot be denied just because it is in the electronic form of Article46 in eIDAS. However, since there is nothing that can be denied as evidence in the Japanese case, this part does not serve as a starting point for discussion as it is. It would be efficient to proceed with the discussion from the point of what will happen based on the premise of the certain base registry that exists in the Japanese case.
  • Whether the five levels are appropriate or not is still a matter of debate. On the other hand, there are two goals for the classification of identity verification levels. The first is that you can decide on your own. In many cases, business operators are the main parties responsible for verification, so the methods currently being considered are mainly those for which the methods are listed in law. Even if you look around private sector now, there are not many original methods. If I had to say, it would be to take photos while confirming that you have an official identification card in real time, and the other methods are defined in law. The reason why the original methods have not appeared is that there are no guidelines for what level you need and what method you should use to verify. In that sense, I would like to provide you with materials to help you decide on your own.
    The second point is interoperability. When each business operator verifies the identity of their own users, they may rely on other business operators to verify their identity themselves. We can imagine a world in which users who have been verified by their own company cooperate with other business operators in information linkages. At that time, the other party will be asked at what level you are verifying and whether you meet the level we are requesting.
  • In terms of interoperability, I think there are people in the world who have nothing to do with electronics. For example, if there is a person who has a registered seal and a seal registration certificate, where does such a person fit in this method? I think it may be a world of 4/4 or 3/4, but it is better to properly consider the correspondence between identity verification and person authentication in a form that has nothing to do with DX. Do you intend to include things that are not in the digital world, such as a registered seal and a seal registration certificate, in this method?
  • When considering information linkages and certification cooperation, I think there may be a timing when it is once copied to digital. Offline to offline information linkages may also be considered. The method, material, and evidence at the time of confirmation may be analog, but it is confirmed digitally and the cooperation starts with some kind of authenticator in overwhelmingly many cases. In that sense, it is good to be copied to digital and think digitally.
  • As for matters outside the EU, since the UK left the EU, the UK has been removed from the mutual recognition umbrella of the eIDAS Regulation. Eligible Trust services for each Member State are published in Excel format in the form of a Trusted List. The list is maintained by the List of Trusted Lists maintained by the EU Commission. The last Trusted List of the United Kingdom on the list was published on January 1, 2021, and the Trusted List of the United Kingdom that was published more than one year ago is listed as it is.
    After the Brexit, the United Kingdom implemented a law that copied the eIDAS Regulation into domestic law. In addition to the Trusted List, there is a British Trusted List. However, it is a Trusted List operated under British domestic law, and the link with the EU has been broken.
    On the other hand, regarding the framework of mutual recognition with third countries and outside the EU, eIDAS1.0 states in Article14 that regarding cooperation with countries outside the EU, mutual recognition of qualified Trust services will be carried out by an agreement between the EU Union and third countries.
    There are two conditions for this. The first is that the third country's eligible Trust service is guaranteed to meet the same requirements as the European eligible Trust service. For example, it is necessary to indicate that the security requirements and policy requirements are the same level as the eIDAS requirements for Trust services. The second is that the EU's eligible Trust service is given the same legal force as the domestic eligible Trust service recognized under the third country's domestic law.
    If these two conditions are met, the UK's qualified Trust service will be recognized in Europe as equivalent to the European qualified Trust service, but only if there is an agreement between the third country and the European Union.
  • International mutual recognition will definitely come out in the context of digital trade. In terms of the personal data Protection Law, we have made the GDPR and the Japanese personal data Protection Law at the same level and worked to ensure mutual cooperation. I believe the same phenomenon will occur in this field. Unless we conclude mutual recognition with the EU at the treaty level in a G-to-G relationship, we will not be able to cooperate internationally. We must consider how to improve the environment in Japan at that time.
  • Japanese people are given a My Number Card, and all of them can receive it. With a My Number Card for residence, a E-Certificate for electronic signatures is also included, and various procedures can be performed. It is also necessary to view the utilization of a My Number Card rather than creating another one from scratch.
    My Number Card has a structure in which the top of the assurance level is secured by the fact that delivery is made face-to-face. It is necessary to clearly show such a point from this group. First of all, there is My Number Card, and as a derivative thereof, we should consider what is highly convenient and can be handled casually.
    It is dangerous to put a starting point of trust in a smartphone. There is a risk that a smartphone will be replaced, lost, or destroyed. If it is normal data, it can be moved, but if a tamper resistant module is inserted, it can be written but cannot be read. Then, all the E-Certificate will go somewhere. We are discussing ways to make it possible to use a Public Personal Authentication and user certificate on a smartphone in Ministry of Internal Affairs and Communications, but since it is not possible to take it out from My Number Card, two E-Certificate for user certificate will be issued, one for a smartphone and the other for a My Number Card. With such things in mind, we are concerned that implementation will be difficult or costly unless we aim for a realistic method.
  • eIDAS Article46 is discussed in the Legislative Council about the introduction of IT in civil suits. In the end, the admissibility of evidence and the story of the lawsuit are to be considered from the Code of Civil Procedure. Therefore, we should not come up with the story of Article46 here, but should watch the movement of the Legislative Council.
  • Please tell us if there are any examples of mutual recognition among countries in eIDAS.
  • We are talking about the level, but it is difficult to say whether the level alone is actually useful. It is important to let them know the metadata of who checked it when, where and how.
  • Article46 may have to watch the discussions of the experts of the Sewing Council, but it is necessary to raise the cry that there is a need from such a place.
  • There is currently no mutual recognition outside the EU in the framework of the eIDAS. The European Commission document lists several countries where such discussions are already under way. However, no official announcement has been made.
  • For example, if you just send a notification that you have been authenticated at Level 3, in the end, the recipient will be in trouble unless you actually hand over more detailed data together. We need to keep that in mind.
  • It will not be a usable ID unless we discuss a wide range of issues, including attributes and how to pass them, as well as sorting out the assurance levels.
    Over the past few months, we've been experimenting with smartphones and optimizing costs. The reason why user identification hasn't spread in use cases, private sector, is that attributes can't be taken. In order to obtain name and address information linked to serial numbers, it is necessary to connect to Juki Net or the resident system in local government. However, the number of people who can connect to it is limited, and there is a hurdle that Digital Agency will not only develop the system but also be recognized under the Basic Resident Registration Law.
    We started issuing certificates in December last year, but we originally wanted to use the E-Certificate for user identification, but the Basic Resident Registration Law does not allow the issuance of so-called vaccination certificates, so we couldn't get the attribute, so we pulled out the 12-digit My Number from the vaccine passport entry assistant app and hit it. It's technically nonsense, but we had to do this because we wanted to enter the PIN only once. vaccine passport
    It is difficult to align the technical ideals at the time of design with the implementation in the presence of actual constraints. It is necessary to firmly convey to Trust, in reality, that if this is done, the world will be better. Naturally, we should be aware of the global trend and the flow of globalization, and consider how to interoperate with foreign countries.
    Even if we try to distribute reliable data in Japan, there are many in Issue. Since the governing law is written in the contract, even if it is not interoperable, it does not mean that we cannot exchange Trust in the closed country. However, if we try to seriously promote DFFT in the future, we will have to face the reality of globalization within the scope of a wide Trust, including how to secure Trust for distributed data.
    Now, how we should digitalization the world in conjunction with the Digital Consultation is an important issue that the Kishida Administration is addressing. If we try to include Trust's story in the Digital Consultation, we will return to use cases, which we have been discussing since last year, while deepening our discussion on the assurance level, or we will return to the discussion on what impact we should have on society. I would like to ask for your continued support and open-minded discussion. Thank you very much.
• The secretariat explained that the meeting materials will be published on the Digital Agency website later, that additional opinions and questions will be communicated to the secretariat and used as a reference for future operations, and that the minutes of the meeting will be published after the members confirm the content.
• The secretariat explained that the next meeting of the sub-working group is scheduled to be held online from 11:00 on February 8, 2022 (2022).

End