Promotion of DX Sub-Working Group that secured Trust (2nd)
- Date and Time: Monday, December 13, 2021 from 11:00 to 12:30
- Location: Online
- Agenda:
- Opening
- Proceedings
- Main points of the previous meeting and status report of the fact-finding survey (Secretariat)
- Presentations from members and external experts
- Makoto Takamura (Ministry of Internal Affairs and Communications cybersecurity Director-General Office)
- Toshiki Kusunoki (The Japanese Bankers Association (Sumitomo Mitsui Banking Corporation))
- Takayuki OGURA (Shachihata Inc.)
- Hiroshi Ohta (Nishimura & Asahi)
- Free discussion
- Adjournment
Materials
- Agenda (PDF/144KB)
- Material 1-1: Main Points of the Previous Meeting (PDF/532KB)
- Material 1-2: Report on the Status of the Hearing and Questionnaire Survey on Trust Services (PDF/1,466KB)
- Material 2: Materials submitted by Mr. Takamura (Status of Consideration of e-Seal Policy and Future Issues and Needs) (PDF/1,839KB)
- Material 3: Materials submitted by Mr. Kusunoki (Sumitomo Mitsui Banking Corporation's Loan Electronic Contract Service) (PDF/256KB)
- Material 4: Materials submitted by Mr. Ogura (On the History of Electronic Seals and Their Role in Electronic Contracts) (PDF/1,789KB)
- Material 5: Materials submitted by Mr. Ota (Validity of Electronic Contracts) (PDF/2,415KB)
- Proceedings Summary (PDF/266KB)
Summary of proceedings
Date
Monday, December 13, 2021 from 11:00 a.m. to 12:45 p.m.
Location
Held online
Attendees
Members
- Hiroshi Ota (Partner, Nishimura & Asahi)
- Natsuhiko Sakimura (Senior Researcher, Tokyo Digital Ideas Co., Ltd.)
- Kazue Sako (Professor, Department of Information Science and Engineering, School of Basic Science and Engineering, Waseda University)
- Satoru Tezuka (Professor, Faculty of Environmental Information, Keio University) [Senior Researcher]
- Soshi Hamaguchi (Senior Staff Member, Keio University SFC Research Institute)
- Tatsuya Hayashi (Director of LocationMind Co., Ltd.)
- Hiroshi Miyauchi (Attorney, Miyauchi & Mizumachi IT Law Office)
- Kazuya Miyamura (Partner, PwC Arata LLC)
- Makoto Takamura (Counselor to the Director-General of cybersecurity, Ministry of Internal Affairs and Communications)
- Tatsuo SHINOHARA (Director of the Commercial Affairs Division, Civil Affairs Bureau)
- OKUDA Shuji (Director of the cybersecurity Division, Commercial Information Policy Bureau, METI)
Observer
- Satoru Ijichi (Executive Director of the time business Accreditation Center, Information and Communication security Division, The Japanese Telecommunications Association)
- Takayuki Idaka (Special Advisor for medical care Information Technology, Research development Promotion Division, Ministry of Health, Labor and Welfare Health Policy Bureau) * Attendance by proxy
- Daishu Ohta (Chairman of the External Affairs Department of the Digital Trust Council)
- Hirohisa Ogawa (Chairman of the Steering Committee of the Nippon Trust Technology Council and Senior Researcher, Cyber security Strategic Group, Digital Innovation Division, Mitsubishi Research Institute, Inc.)
- Mikio Ogawa (Executive Director of Administration and Settlement Systems Department, Japanese Bankers Association)
- OGURA Takayuki (General Manager of Corporate Sales Department, Shachihata Inc. Systems)
- KOMATSU Hiroaki (Partner, Tokyo IT Audit Department, KPMG AZSA LLC)
- Hajime Sato I (Executive Director of the Policy Department of the New Economy Federation)
- Sato Tatewaki (Cloud-based Electronic Signature Service Council Secretariat)
- Koichi Shibata (Executive Director in charge of DX Service Planning Department and Chairman of the Planning and Operation Subcommittee of the Trust Service Promotion Forum, Seiko Solutions Corporation)
- SHIMAOKA Masamoto (Senior Researcher, IS Research Institute, SECOM CO., LTD.)
- Kikuzo Sodeyama (Director of SKJ Sogo Tax Accountant Office)
- Hajime Toyoshima Kiyoshi (DigitalBCG Japan Managing Director)
- Yuji Nakasu (Vice President of Government Affairs, SAP Japan Co., Ltd.)
- NAKATAKE Hiroshi (Representative of Global Legal Entity Identifier Foundation (GLEIF) Japan Office)
- Akira Nishiyama (Special Member of the Electronic Certification Bureau Conference (Representative of Future Trust Lab))
- Eiji Nozaki (Director of the General Affairs Division, Supervisory Bureau, Financial Services Agency)
- Tomoaki Misawa (Partner, PwC Arata LLC)
- YAMAUCHI Toru (Managing Director of the Association for the Promotion of Information Economy and Society and Director of the Digital Trust Evaluation Center)
- WAKAMEDA Mitsuo (Senior Researcher, Data Strategy WG, Planning Committee, Digital Economy Promotion Committee, Japan Business Federation)
Digital Agency (Secretariat)
- Masanori Kusunoki (Group Manager, Digital Social Common Function Group), Shusaku Indo (Deputy Group Manager), and others
Minutes
- The Secretariat explained Material 1-1 "Main Points of the Previous Meeting" and Material 1-2 "Report on the Status of the Hearing and Questionnaire Survey on Trust Services".
- External experts gave presentations on the needs for trust services and issues in DX, based on Material 2 "Status of Consideration of e-Seal Policy and Future Issues and Needs", Material 3 "Sumitomo Mitsui Banking Corporation's Loan Electronic Contract Service", Material 4 "On the History of Electronic Seals and Their Role in Electronic Contracts", and Material 5 "Validity of Electronic Contracts".
- In the open discussion, the following remarks were mainly made.
- Regarding Material 1-2, we would like to ask you to supplement the questionnaire in some way so that the opinions of SMEs can be properly picked up.
- Regarding Material 1-2, it is desirable to clarify what level of trust services is expected.
- Regarding page 22 of Material 1-2, it would be good to know, among respondents other than the 30% who think that they want to make a Trust (potential users of digitalization services), the percentage who answered "I can't say either way" or "I don't want to make a digitalization".
- Regarding page 8 of Material 1-2, the validity of transactions can be said to be a point of view when actually considering use cases.
- Regarding Material 2, since ease of use is important in the spread of e-seals, please tell us the history of the consideration of Levels 1 and 2. In addition, since delegation and proxy are important when a large number of e-seals are issued, please tell us if there is any deep discussion.
- Regarding the level, the Sanmonhan level is Level 1, the Mitomein level is Level 2, and the Jitsuin level is Level 3. Level 1 is the level at which it can be proven that the seal has not been tampered with, and the technical details have not been decided. There is debate over whether Level 1 is sufficient if it can be guaranteed in the institutional design that the spread of the seal will not be hindered. Regarding the delegation relationship, the conclusion of the Ministry of Internal Affairs and Communications Study Group was that it would be sufficient to basically allow the representative to apply for the issuance of the e-seal and leave the management of the private key to the management of the person who received the issuance.
- There is a concern that it is difficult to have representatives perform operations, especially as the company becomes larger.
- Regarding Material 2, when you want to use an e-seal for server-side scaling, you copy the same certificate, so the destroyed credential is very important. Have you considered this?
- The basic idea is that if the private key is installed in the server, the certificate authority side should issue an E-Certificate using a different private key for each branch office. If the server wants to use the same E-Certificate for the private key installed in the server, the recipient side will not understand. The certificate authority side will tell the customer that it is not desirable in terms of security, but if the private key is used by a third party without permission as a result of loose management, it will be the responsibility of the administrator. This is the conclusion of this review meeting.
- In open banking in the United Kingdom, it was assumed that the hardware would generate the low key issued by the certificate authority, sign it, and use it in rotation. It is extremely important to ensure that such a design is institutionally acceptable and does not become a technical hindrance.
- It is important to discuss not only the standards of each Trust service but also the methods of online identity verification, for example, whether identity verification using an issuer key in advance is allowed.
- Regarding Material 3, in the contract process, if the E-Certificate of the authorized certification service is used and the E-Certificate based on it is used, is there no issue with the UX?
- Our service uses specific authentication equivalent to certified authentication services. As for issues on the UX side, we recognize that there is no particular impact on usability.
- Does SMBC provide an electronic signature service for individuals? It seems that the identification of electronic subscribers is secured by issue of the IC card and initial password handed by the administrator. How does SMBC ensure the identification of the administrator?
- For individuals, we provide a service for sole proprietorships. The flow of sending the IC card to the administrator is that the administrator who registered for the service called Valuedoor also serves as the administrator of the electronic contract service, and the IC card is sent to that person.
- The end-to-end process analysis perspective is very important when using electronic certificates for transaction authenticity.
- When conducting international transactions, isn't it important to have an international agreement on the expression of Trust chains within a company and a corporation?
- Our service is a form in which Valuedoor is used in Japan, and the current electronic contract service is also used only in Japan. At present, there is no need for overseas branches to use something together, but there is a problem of whether our electronic contract service is known overseas.
- Regarding page 22 of Material 4, it may be misleading to say which is more acceptable only by the display screen. On the other hand, it is necessary to discuss how to display the technical Trust results to the user in an easy-to-understand manner in the validation service. Regarding page 24, in the case of the party-type signature, there are specific authentication services and certified authentication services, and there is a framework that can guarantee the reliability of linking the user and the signature. On the other hand, in the case of the witness-type signature and the NFT seal, who can link the user and the seal and how to guarantee the reliability of the linking operation? There is a difference in the guarantee level that can be achieved between the party-type and the witness-type signature. It is necessary to position the witness-type signature properly in terms of the guarantee level of the Trust service. I agree that this method is appropriate for many internal business processes.
- I believe that the security service will spread only in a form that combines the understandability of the interface on the surface and the technical trust on the backend. I cannot say much about the identity verification in the form of a combination of witness type signature and NFT because the mechanism is still under development, but we are considering securing the reliability of the identity verification by blockchain.
- Regarding the statement on page 12 of Material 4 that a registered seal proves trust in public office, it is considered that this statement includes trust in the process of actually handing over and submitting documents, so it is better to organize this part. How can society accept the recognition of new concepts?
- I have slightly skipped the part of the identity of the registered seal. As for the interface, while we have been providing electronic seal services for a long time, the seal has been incorporated into the company's regulations during transactions, and it is difficult to change the operation itself. Even if new technology comes out, it takes time to make a design of the internal system and costs and effort to penetrate into each person in the company. It is effective to use a familiar interface as a means to jump through these.
- Regarding page 4 of Material 5, standards are required according to the level classification. Certification and certification services are specified for E-Certificate issuance, and certification standards for business operators are specified in the Ministry of Internal Affairs and Communications Notice for time stamps. On the other hand, there are no clear standards for security on the service side for remote signatures and witness-type signatures, and certification and compliance audits are not performed for business-signature-type signatures. In addition, standards for equipment such as personal identification, facility management, and cryptographic equipment are not specified as a definition of specific certification services. In a state where there are no precedents or standards, users and judges are at a loss for judgment. If business operators who do not know whether they truly guarantee safety are rampant, there is a risk of hindering the spread.
- With regard to the first stage of estimation in the two stage estimation, it is necessary to consider how to think about the case of the business operator signature type. In the case of the current business operator signature type, it is difficult to immediately infer this series of procedures in which the business operator signs the uploaded document after confirming the identity of the person from the data attached to the electronic document. It is necessary to consider the standard that the service business operator is doing the process properly. At present, in foreign countries, the eIDAS in Europe, the UNCITRAL in the UN, and the Panel on Commercial Transactions are considering a model law on electronic signatures, etc. In the case that Japan is interoperable with foreign countries, is it possible to cope well with each other under the current legislation? In particular, how do you think of the business operator signature type in the framework of international currency?
- In particular, as for the validation of whether the party-directed service among the business-signature-based services conforms to the requirements of Article 2, Paragraph 1, Q&A and Article 3, Q&A, guidelines have been established on when the requirements are satisfied under Article 2, Paragraph 1, Q&A and Article 3, Q&A. Therefore, the rest is a matter of applicability. Regarding applicability, even if there is not necessarily a certification system, if businesses providing each electronic contract platform have a validation with a law firm and obtain a legal opinion form that conforms to the requirements, it may be sufficiently useful in relation to the court.
- Regarding the two stage presumption, as a basic idea, if it is validated that the electronic signature of the creation holder was generated by the private key of the person, it is virtually presumed to be based on the intention of the holder. There are no precedents for this, but practitioners can generally obtain consensus. If we go this far, it will be a presumption of Article 3 of the Electronic Signature Act. I understand that the problem is that we have issued a guideline in Article 3 Q&A that it is necessary to be able to be evaluated as unique in order to fall under the category of electronic contract platforms that are signed by business operators and instructed by parties. I also think that it will be necessary to obtain a validation on whether or not this requirement is satisfied. However, it does not necessarily have to be a certification system, and it is a matter of application under specific circumstances. Therefore, if we obtain an opinion from a law firm or the like, it will be a certain support.
- Basically, in relation to UNCITRAL, if the authenticity of six contracts is guaranteed as much as in writing, the effect equivalent to that of a written contract will be guaranteed. However, since this has not yet been examined, it is considered to be a future issue.
- Article 3 Q&A takes a very abstract view of the extent to which a sufficient level of specificity is met, and I am concerned that if I do not write it in more detail, views may fall apart.
- I think it is indicated now that the part of uniqueness should be at least at the level that the person is certified in the form of two-factor authentication, but I agree that it is better to give more examples that there is a sufficient level of uniqueness.
- In the end, I think the point is which level corresponds to the authority, for example, when only ID is flowing, what level the ID is and what authority the credentials are issued from. What kind of service level is provided by the electronic contract servicer? There are various factors such as the treatment of personal data and the management of the facility, so I think it is not just a discussion of the process.
- I would like to discuss in what form it will be established in Japan in the future.
- The secretariat explained that the meeting materials will be published on the Digital Agency website later, that additional opinions and questions will be communicated to the secretariat and used as a reference for future operations, and that the minutes of the meeting will be published after the members confirm the content.
- The secretariat explained that the next meeting of the sub-working group is scheduled to be held online from 2 pm on December 27.
End