Skip to main content

This page has been translated using TexTra by NICT. Please note that the translation may not be completely accurate.If you find any mistranslations, we appreciate your feedback on the "Request form for improving the automatic translation ".

Study Group on Installation of My Number Card Functions on Smartphones (5th)

Overview

  • Date: July 22, 2024 (2024) (Mon) from 16:00 to 17:30
  • Location: Online
  • Agenda:
    1. Opening
    2. Administrative communication
    3. Agenda
      1. About installing the My Number Card function on smartphones
      2. Operating status of smartphones
      3. Exchange of views
    4. Notes
    5. Adjournment

Material

Summary of the Proceedings

Date and

Monday, July 22, 2024, from 16:00 to 17:30 2024

US>

Held via web conference

Attendees

Knowledgeable person

Chairman Tezuka, Member Obi, Member Taki, Member Nomura, Member Moriyama, Member Kanda.

Local governments and industry groups

Mr. Nishimori, Manager in charge of Government Online (Kobe-shi), Deputy Manager of Mizuochi Individual Number Center and Senior Councilor of Hayashi Public Personal Authentication System Development Department (Japan Agency for Local Authority Information Systems), Mr. Sasaki, Chief, Steering Committee of MVNO Committee (Telecom Services Association), Mr. Yokoyama, Mr. Ohno, Mr. Baba, Mr. Itoh, Mr. Sugita, Mr. Saeki, Mr. Iimori, Mr. Oda, Mr. Suga, Mr. Murai, Mr. Hangai (Telecommunications Carriers Association)

Observer

FeliCa Networks Co., Ltd., Graduate School of Information Security, xID Co., Ltd., NEC Corporation, NTT Communications Corporation, Hitachi, Ltd., Reuse Mobile Japan, Japan Information Economy social promotion association, National Association of Mobile Phone Distributors, TRUSTDOCK Co., Ltd.

Ministries and agencies concerned

Ministry of Internal Affairs and Communications

Secretariat, etc.

(Digital Agency)

  • Honmaru Chief Architect
  • General Manager of Matsudate Engineering Unit
  • Shimoe Group of Common Functions for Digital Society Trust Service Manager
  • Group of Service for Citizens Murakami Director-General, Miura Deputy Director-General, Kamikariya Director, Koike Deputy Director, Tsubonochi Product Managers, Murase Project Managers

Main opinions from the members (summary)

Appendix 1: Installing My Number Card functions on smartphones

  • Secretariat: Apple Inc. is positive and cooperative, and the project is progressing smoothly. On the other hand, I feel that it is necessary to calmly explain to the public that smartphones and My Number Card have been integrated and taken over by iPhones. I would like to proceed while receiving advice from experts on how to explain the convenience of installing smartphones to the public without making technical mistakes.
  • Speaker: I feel that It has been possible to install JPKI on Androids since May 11 last year. In addition, functions other than JPKI, which had been a pending issue at that time, can be implemented based on the revision of the law, and mdoc can be installed on iPhones based on international standards. I feel that this is more progress than expected. As a comment, I think it is necessary to strictly manage private keys of mobile terminal facility holders regardless of iPhones or Androids. Androids stored private keys and certificates in GP-SE and strictly managed them so that they cannot be used even if they are taken out outside. In the present electromagnetic record in place of a card, the management method is also considered to be distinguished because attribution information is information received by the recipient. From page 8 of Document 1, it seems possible to use it for driver's licenses and various qualification certificates, and there is an expectation that it will be possible to operate better than the Mynaportal app in terms of UI / UX. If Architecture, which ensures security while distinguishing private keys and attribution information, can be achieved according to the smartphone ecosystem, I expect that people can use it with peace of mind.
    • Speaker: I feel that I would like to ask if Apple's handling of FIDO this time will cause a difference from Android. Please tell me if there is no need to worry in particular or if it is necessary to consider it again.
    • Speaker: I feel that Regarding FIDO authentication, Apple, Google, and Microsoft have basically unified their ideas so that passkeys can be used by as many users as possible. In December last year, the FIDO Alliance announced that passkeys could be provided to password manager vendors other than Apple, Google, and Microsoft. In that sense, online authentication has enabled many users to use passkeys instead of passwords, and I hope you will understand that there is no difference between Apple and Google.
    • Speaker: I feel that I understand. It is my opinion that, for example, push notifications when a driver's license is about to expire will be important. I think there is an expectation that people will receive notifications so that they do not forget to renew their licenses, so I would like to discuss it in the future.
  • Speaker: I feel that , has been promoting identity verification by electronic means, and I am glad that a system that allows confirmation of the four basic pieces of information has been established this time. I also feel that it is good that Apple's response has progressed. Even if I cannot disclose the details, I think it is necessary to convey how Apple's security is ensured. In addition, mdoc is based on the international standard of ISO18013, but since it is only a data storage method, I feel that it is necessary to convey how the data is handled and whether it is verified to be safe.
    • Secretariat: Regardless of differences in operating systems and smartphone devices, Apple has taken the same security measures as Android. Android stores private keys, electronic certification, etc. in GE-SE, obtains CC certification EAL4 +, and communicates in accordance with international standards. Apple will also take the same measures. On the other hand, for mdoc, we are currently considering the storage location of device keys, security measures, storage location of attributes, and third party evaluation. We would like to ask experts to continue to provide guidance.
    • Speaker: I feel that I understand. As the penetration rate of My Number Card increases, not only security but also privacy issues may come up in the future, so I would like you to take measures.
  • Speaker: I feel that smartphone terminals as is currently done in My Number Card. It is necessary to aim for the same level as in My Number Card, but even if they are different, I think it would be sufficient to explain that a certain level of security is ensured. I think it would be good if the verifying side recognizes the difference and uses cards if the required level of security is the same as in My Number Card, and if not, it would be sufficient to use smartphones. Therefore, I would like you to proceed with the consideration as a future challenge. In response to a question, it is stated in the law that it is necessary to confirm the validity of electronic records that can be used in place of cards. I would like to ask whether a system will be created to confirm online. In addition, it seems to be stated in the law that only authorized applications can be used for smartphones. I would like to ask whether a certification system will be created and only applications approved by Digital Agency, Ministry of Internal Affairs and Communications, etc. will be used.
    • Secretariat: Card Substitute Electromagnetic Records, it is stipulated that the issuer will send a revocation notice to the smartphone when the record expires and automatically revoke the information on the smartphone, and that the validity of the record will be confirmed when it is used and will not be transmitted. This is different from OCSP and CRL confirmation such as JPKI, but smartphone certificates are updated to the latest state of validity or invalidity and the validity at the time of use will be confirmed. For applications, the program for transmission will be used for transmission and the program for reception will be used for reception, thereby ensuring the proper use of the program by limiting the program. It is stipulated that the necessary functions of the program for transmission will be specified by law and ministerial ordinances based on the law, and that the Prime Minister will certify it after examining whether it meets these requirements. There may be needs for programs for reception that private sector and others want to create on their own, so they will examine whether they have implemented the necessary functions and certify them. We are considering a system that allows you to choose whether to use the one distributed free of charge by Digital Agency or to certify and use the one made by the private sector.
    • Speaker: I feel that system. I think it would be better to create restrictions so that the receiving program created by private sector does not provide more information than necessary. There are also privacy issues, and I think it is a problem to provide more information than necessary by mistake, so I would like you to consider screening in that regard.
    • Secretariat: We understand that this is a very important point and will consider it.
  • Speaker: I feel that JPKI, it is stipulated that the basic four pieces of information can be obtained and the document can be signed. However, since the electronic certification for user identification does not include the basic four pieces of information, it has not been stipulated as a method of identity verification in Act on Prevention of Transfer of Criminal Proceeds. With the revised law, there is a possibility that the basic four pieces of information can be sent by a method other than JPKI, so strictly speaking, identity verification will be authenticated using the 16 characters of electronic certification for signing. This part has been organized based on the idea that biometric authentication cannot be used, but if identity verification can be done using biometric authentication, I think it will be possible to do identity verification more safely and conveniently. If this point is also sorted out, it will be more widespread and convenient to use.
    • Secretariat: Regarding the recent revision of the Number Act, we recognize that the transmission and reception of electromagnetic records is positioned as a identity verification method and that the four basic types of information and facial photographs can be used for identity verification. Naturally, we believe that it should be positioned as a method of identity verification under the Act on Prevention of Transfer of Criminal Proceeds or the Act on Prevention of Improper Use of Mobile Phones, and we have begun discussions with the competent authorities of the systems.

Appendix 2: Status of Smartphone Use

  • Speaker: I feel that certificates, do you have any target numbers in Digital Agency? The number of downloads is considered to be a conservative figure in the context of the large number of Android-based devices with a strong impact of being equipped with smartphones. I would like to ask whether it was started conservatively due to concerns about obstacles in the event of large-scale deployment, and what efforts were made in public relations.
    • Secretariat: Digital Agency has not set a target number in an authorized manner. In order to have as many people as possible use smartphones, we are conducting PR activities through various media in cooperation with Ministry of Internal Affairs and Communications and J-LIS. We believe that the best way to spread the use of smartphones is to increase the number of use cases, but we recognize that we need to make efforts in terms of numbers.
    • Speaker: I feel that My Number Card is particularly effective in terms of public relations. It is important to enhance use cases outside the home, such as delivery at convenience stores and health insurance cards, and I think that a public relations opportunity will come as iPhones will be available in the future. Among them, I think that delivery at convenience stores is a very important use case, and I think that sticking a sticker such as "No need to carry a My Number Card" on kiosk terminals is the most effective way to see it. I would like you to consider it.
    • Secretariat: family, minor emergency, health insurance card response, and disaster response are important. If it is equipped with a smartphone, it will be considered from the viewpoint that it will be more effective because you carry your smartphone with you on a daily basis, and public relations activities will be carried out while aiming for iPhone response next spring, including delivery at convenience stores.
  • Speaker: I feel that Regarding NTT DoCoMo's efforts, starting in February 2024, users can set up electronic certification on their smartphones to make D account identity verification, which has been well received by users. It will be a good reference for other operators. As mentioned in the plan to launch the service in the future, we expect to increase the number of users by comprehensively improving the handling of tax returns and health insurance cards, and the inability to use the service when switching to a new smartphone model. Also, as mentioned on page 3 of Exhibit 1 regarding the use of biometrics, even if the current Mynaportal app is set to use biometrics as the default, the screen for entering passwords and selecting biometrics is displayed, and a three screen transition is required before biometrics can be used. In general banking apps, biometrics can be used as the default if you set up biometrics, so I think there is room for improvement in this UX. For iPhones, while there are expectations that the new mdoc method will improve UX, I think that the number of users will increase by working on improving the UX of the Mynaportal app on Androids.
    • Secretariat: We will promptly consider specific improvement plans and also consider comprehensive improvements.
  • Speaker: I feel that The time has come to consider how to increase the use of smartphones in the future, and it is necessary to delve into the administrative field. For example, in the use of health insurance cards, elderly people may need to present an elderly recipient, so it can be considered to expand it gradually as an accompaniment. There are various methods in the field of childcare support. I would like to see the active use of smartphones in the administrative field promoted in the future.
    • Secretariat: It is as you say. Hospitals and other administrative services will be reviewed so that they can be fully utilized.
    • Speaker: I feel that Hospital, the use of a My Number Card over the reader has become smoother than before. If the card reader is compatible with smartphones, I think hospital counter services will improve even more smoothly. We should promote the expansion of these usage scenarios.
  • Speaker: I feel that smartphones is more convenient when using Mynaportal than My Number Card. Therefore, in order to expand its use, it is necessary to inform the public of what kind of information can be obtained in Mynaportal. In particular, medical information should be made known in cooperation with Ministry of Health, Labor and Welfare. In addition, since health insurance cards will be abolished in December, I would like health insurance cards to be compatible with smartphones as soon as possible. By telling users that they can use their smartphones to check in at the hospital reception desk, I think the burden of bringing My Number Card will be reduced and psychological barriers will be reduced. I would like you to consider this matter.
    • Secretariat: health insurance card, we are considering it with Ministry of Health, Labor and Welfare and the payment fund, etc. We will work to realize it as soon as possible, including raising awareness of improving convenience in Mynaportal.

Exchange of views

  • Speaker: I feel that When disasters occur, I think it is difficult to evacuate with a My Number Card, but it is likely that people will evacuate with a smartphone, so I think it is possible to appeal the superiority of having a smartphone. Also, there are people who react negatively to the mere mention of My Number Card, so there is a possibility that people will resist the explanation that smartphones will be equipped with My Number Card. On the contrary, I think it would be good to appeal with another name such as an identification card.
    • Secretariat: Valuable opinions will be shared and examined within the Digital Agency.
  • Speaker: I feel that As MVNOs basically handle smartphone terminals distributed on open markets, we believe that the scope of cooperation with them, such as obtaining CC certification, is smaller than that of mobile carriers. We would like to request MVNOs to make comprehensive efforts so that open market terminal users will not suffer disadvantages such as not being able to use smartphones.
    • Speaker: I feel that We are making efforts to make it available to the public regardless of whether it is a carrier terminal or an open market terminal.
    • Secretariat: Valuable opinions will be shared and examined within the Digital Agency.
  • Speaker: I feel that is making steady progress, but the future will be very important. Androids are already in operation, but it is important to take measures so that there are no differences from the viewpoint of users due to the addition of iPhones. I would like Digital Agency to take measures so that differences in platforms can be absorbed and there will be no discomfort no matter which device is used. I would like experts to point out from that perspective in the future.

Greater than or