Advisory Council on Issues of Attribute Certification (1st meeting)
Overview
- Date and time: Thursday, October 23, 2025, from 10:00 a.m. to 12:00 p.m.
- Location: Online (Microsoft Teams)
- *The live stream has ended.
- Agenda:
- Opening
- Procedure of the Review Meeting
- Mutual election of the chairs
- Agenda: Discussion on "Issue 1: Approaches to promote appropriate technical and operational measures"
- Closing and Communication
Material
- Proceedings (PDF/179KB) (updated on October 22, 2025)
- Document 1: Outline for Establishment of the Advisory Council on Sorting Out Issues of Attribution Certification (PDF/405KB) (updated on October 23, 2025)
- Document 2: Secretariat explanatory material (PDF/5,307KB)
- Document 3: Conference Schedule for Fiscal Year 2025 (PDF/3,054KB)
- Proceedings (PDF/697KB)
- Proceedings (PDF/253KB)
Minutes
Secretariat (Kitainoue): I would like to begin the first meeting of the Expert Committee on Sorting out Issues of Attribution Certification. Everyone, I know you are busy today, but thank you very much for your time. I am Kitainoue from Digital Agency, who will serve as the secretariat. Nice to meet you. Without further ado, on behalf of the secretariat, I would like to ask Nakagawa, Director, Group of Common Functions for Digital Society, Digital Agency, to say a few words to open this meeting.
Secretariat (Nakagawa): Today, I would like to thank Professor Kokuryo and the other members of the organization for gathering here. On behalf of the secretariat, I would like to say a few words to open the meeting.
Thank you very much for your support, including last year, which had a different name. The "DIW Advisory Board" and the "Expert Meeting on Governance in the Use of Verifiable Credentials (VC/VDC)" were held to discuss the promotion of the use of so-called VC / DIW. Although the names were changed this fiscal year, the purpose of the meetings was to describe VC / DIW not as a tool but as a purpose. In Digital Agency, there is the word "Mission, Vision and Values," but among the values, there is the word "continuously evaluating our actions in pursuing our goals," and when we think about what the purpose is, we think of it as an appropriate name and present it to society at large. In this way, we hope to be able to hold a wider discussion on the digital completion of administrative procedures and the future vision of data utilization. In this sense, the name of the meeting was changed to the "Expert Meeting on Issues in Attribution Certification." In that sense, both in Japan and the EU, movements are being considered for educational credentials, and the digitalization and sophistication of attribution certification are increasing. In particular, in Japan, I believe there were some discussions, but I believe it is specific in the sense that Verifiable Credentials (VC), which are copies of residence certificates that are delivered electronically, are included.
At last year's meeting, it was pointed out that the risk at this time was not the paper certificates, but the name-based aggregation, and that it would not basically be completed by itself, but that there would be a risk that someone would aggregate various information. I believe that what kind of measures can be taken to reduce the risk will be the subject of discussion. It may be that it can be handled technically, but it may also be that it must be done by some means in the legal system. I would appreciate it if you could discuss how such a method should be. In that sense, I would appreciate it if you could discuss a wide range of topics. In the past, there may have been discussions here and there about various methods in particular, whether there were such technologies or such methods, but I would appreciate it if you could discuss while always questioning the purpose. I know it's a long story, but that's all from me. Thank you for your attention.
Secretariat (Kitainoue): Next, I would like to explain how the plenary meeting will proceed. Please refer to the installation guidelines in Document 1. To the audience, instead of the materials published on the website, we would like you to look at the materials currently projected.
Then, I will explain from the beginning. At this meeting, we would like to realize the attribution certification necessary for digital completion and automation of administrative procedures, etc., and we would like to promote the utilization of VC-DIW toward our major purpose. On the other hand, we are in a situation where the expected risks due to the new technology and appropriate technical and operational measures against the risks have not been organized. Therefore, at this meeting, we would like you to discuss methods to promote the implementation of these measures. The members are the 11 members shown in 3. Due to time constraints, I would like to omit the introduction of each person.
Please refer to the next page. The chair will be elected by the committee members, and the secretariat will be in Digital Agency. Next is the 6th working group. There is a provision that a working group will be established to conduct detailed consideration of a specific agenda item. Please refer to Document 3. I will explain the details later, but as described here, it is assumed that there will be a certain amount of discussion on technology in the plenary meeting, so we plan to establish a technical working group. I will explain the specific schedule and other details at the end of the administrative communication, so I will omit them here.
Going back to Document 1, as stated in 7, it is possible to request guest speakers and observers if necessary.
Lastly, the plenary meeting will be open to the public in principle as it is now, and materials and minutes will be open to the public. That's all for my explanation.
If you have any questions or opinions on how to proceed with the plenary meeting, please raise your hand, or if you are a member participating online, please press the raise button.
There does not seem to be anything special, so we will proceed with the plenary session as shown here. Next, in accordance with the establishment guidelines, the chairperson of the plenary session will be decided by mutual election of the members. The secretariat would like to continue to recommend Professor Kokuryo for the "DIW Advisory Board" last year, but if you have any objections, please raise your hand, and if you are a member who participated online, please press the raise button.
As there were no objections, I would like to ask Professor Kokuryo to chair this meeting. Professor Kokuryo, could you please say a few words?
Chairperson of the Committee: Good morning. It is a great honor for me to lead this meeting, which has changed its name since last year. I feel that the time is getting ripe, and I hope that we will be able to see even a little bit of a concrete path ahead. I would very much appreciate the efforts of the committee members and the secretariat. Thank you very much.
Secretariat (Kitainoue): Chair, thank you very much. Now, let's move on to the next item on the agenda. Before we start the discussion, the Secretariat would like to explain the purpose of establishing the meeting, the sense of goal for this fiscal year, the scope of the discussion, and the risks and measures. After the explanation of the materials, I would like to ask the Chair to proceed with the discussion. Thank you. Then, the Secretariat would like to explain each item based on Document 2.
Secretariat (Nakagawa): I will be the first person to explain, and later we will take turns to explain in detail.
First of all, I would like to ask about the aims and objectives. I believe you have already been informed of the background issues, but I believe we need to produce some concrete output, so I would like to once again explain the aims, background, and issues.
I went to the hospital just last week, and I believe that My Number Card has realized something like identity certification or insurance verification at a level where medical treatment covered by health insurance is available in digitalization and even smartphones are also available. However, there are certificates that are not only issued by public institutions but also certified by the public, such as copies of residence certificates and transcripts and certificates of enrollment that are required for enrollment and employment, and I believe that digitalization has not completed these in many cases. I believe that this is the core in the sense that we must do this well. The current certificates are sometimes issued in PDF format, but I believe there were improvements and points that were pointed out, and I believe these are the two main points. I believe that it is necessary to overcome these points and digitize and advance certification of qualifications and attributes.
In that sense, in terms of the purpose and objectives of this conference, when various certificates are digitized and advanced, I believe it is important to spread them as a service to the private sector. As I mentioned earlier, when it comes to the introduction of such certificates, including those for high schools, private high schools, and public high schools, I believe it is important that they are inexpensive, simple, and quick to implement. I believe that if we try to introduce them in a technology-oriented manner, it will not spread easily if they are safe but expensive or if it takes time to introduce them. In terms of systems, it will be quite difficult to make laws and impose penalties. Also, there are some procedures that need to be taken and the hurdles will be even higher, so I think the costs of institutional parts must be minimized as much as possible. I think this is really the point. I think it is necessary to hold discussions while not forgetting this point as cheaply, easily, and quickly as possible. I would be very grateful if you would consider it while asking about the convenience and safety of various certificates compared to paper ones. I would also be grateful if you could give me advice on general certificates from the institutional aspect.
Basic information starts from the next page. It describes what Verifiable Credentials and VC are, and what DIW is. Although this is new, I believe there will be people who will attend the hearing for the first time, so I have included it here as well.
The next page is "What should be done to digitize and advance certificates," and I believe that the leftmost part is what has been realized by the current My Number system and My Number Card. It is equivalent to an identification certificate. The middle row is the eligibility verification, and the right row is the attribution certificate issued by the private sector. Regarding the eligibility certificate and attribution certificate, we have written that they require response, which is the scope of this meeting. We have written all the unorganized parts and whether it is necessary to make such provisions. That is all for my explanation, but I would like to continue the explanation from the secretariat until the "Introduction" section.
Mr. Sawada (Japan): Next, I will start with Sawada from Digital Agency. First, I will look back on last year's discussions and introduce recent trends.
In the last fiscal year's "DIW Advisory Board," we organized the various benefits of DIW for each stakeholder. We organized the types of use cases in which DIW can be expected to be utilized. We also identified the risks that we are concerned about when using such VC and DIW. We asked for opinions on what kind of governance is necessary for verifiers or wallet providers regarding what kind of measures against risks and governance are necessary. In the "Expert Panel on Governance in the Use of Verifiable Credentials (VC/VDC)," another meeting body, we discussed the responsibilities that issuers should take and the points that issuers should pay attention to in particular. Based on these discussions, in the report of the "DIW Advisory Board," considering that measures against various risks have already been taken in the existing governance, we summarized the necessary measures specific to VC and DIW until we organized such a framework. We hope that this fiscal year will be a continuation of this discussion. In addition, regarding the future outlook, we have organized the outlook that VC and DIW will be able to promote convenient and efficient data integration, can use them with peace of mind, and create value such as new services. That is all for the brief review of the last fiscal year's discussion.
Next, I would like to introduce two examples of the recent growing expectations for the use of VC. First of all, regarding the expectations from the government side, this fiscal year, a working group in Ministry of Internal Affairs and Communications is considering the issuance and computerization of certificates of residence. It does not mean online application, but it is related to the issuance in electronic media. Regarding this, there are concerns about the risk of spoofing, etc. in PDF, and consideration is being advanced, including the possibility of using VC. In addition, in the private sector, there are expectations of the possibility of using it in conjunction with new technologies and businesses. In the new protocol announced last month, an idea was announced that when an AI agent is delegated by a user to process some kind of purchase settlement, etc., a VC that shows that it has been duly delegated will be issued and used. In this way, I am aware that the interest and expectations regarding VC and DIW are increasing. That was the introduction that was the premise of the discussion. Next, I will go on to explain the points at issue. The explanation will be a little long, but I will explain it throughout.
First of all, I would like to clarify the issues to be dealt with in this year's plenary session. In the main meeting held today, we will discuss how to show appropriate technical and operational measures and promote their implementation for risk measures in the digitalization and sophistication of certificates by VC and DIW. In this regard, in the summary of last year that I introduced earlier, we used the phrase "technology, operation, and system," but as Mr. Nakagawa said at the beginning, since there are cases where technical and operational measures can be taken without a system, we used the expression "method to promote appropriate technical and operational measures" as shown in blue in the material. In addition, the technical working group, which will be held in the future, will define specific technical requirements to be recommended for technical and operational measures and feed them back to the main meeting. As a premise for the discussion, I would like to highlight one point, which is described in the main meeting above, but this time, I would like you to think about what measures are necessary for "public and high-risk use cases."
Regarding what public use cases are, examples of images are listed only in the handout to committee members. Committee members, please refer to the handout in front of you. Public use cases include both certificates issued by public institutions and those issued by the private sector and received by administrative agencies. In addition, it is difficult to discuss what public and high-risk use cases are without specific examples, but for example, I think that it corresponds to the case where a copy of the residence certificate introduced earlier is converted into a VC. A Various Certificates issued by an administrative agency that contains personal information such as name and address, and that has a risk of being submitted in many situations. I hope that you will discuss this as a public and high-risk use case.
Next, I will explain the risks and threats that are a prerequisite for the measures to be taken. Based on the risk classification in the last year's discussion, this is a re-arrangement of the threats along the VC life cycle. There are risks and threats related to the use of various VCs and DIW. This is a summary of the types of risks for these threats. The first is "theft and reuse of legitimate VCs and impersonation", the second is "damage caused by acceptance of counterfeit VCs and derivative VCs", the third is "invasion of privacy caused by VCs", and the fourth is "decrease in availability and convenience of VCs". The details of these four risks will be explained later. Incidentally, it is not always possible to cover all the risks of VC and DIW in this year's discussion, and risks generally caused by Web services and risks for which there are few issues regarding the content and promotion of measures are excluded from the discussion.
Next, regarding these four risks, I will explain the details of each risk and the outline of countermeasures against the risk.
First, the first risk is "impersonation through theft or re-use of legitimate VCs." This refers to the overall risk of third parties abusing VCs when VC information is stolen or leaked through attacks at various stages of the VC life cycle. Next, there are two main measures against this risk. As described in the middle, the first is a measure called "holder binding," in which information that identifies the holder, such as the holder's signature key and identity verification information, is linked to the VC. The second is to strengthen measures to prevent unauthorized access and duplication. Specific methods of these measures and their usage will be discussed by the technical working group. At this main meeting, I would like to ask for discussion from the perspective of when and to what extent to urge Wallet Providers to implement measures such as "holder binding" to prevent such impersonation.
Next, the second risk is "damage from acceptance of counterfeit and derivative VCs." Due to the nature of VCs, tampering after issuance can be detected by verifying signatures, etc., but acts committed at the time of issuance cannot be detected. Therefore, there is a risk that a malicious fake Issuer will issue a counterfeit VC. Another derivative VC that I am introducing is "another certificate issued based on the original certificate," but in particular, if there is an inappropriate operation in which a person who is not the original issuer issues a derivative VC based on the reliability of the original, there are issues such as the accuracy of information, such as the original certificate not being reflected even if it is revoked or changed. As a measure against such risks that occur at the time of issuance, it is necessary to verify whether the issuer of the VC is an appropriate entity, which is called the eligibility of the Issuer. In particular, in use cases where there are many Issuers, this measure may be expected. As a specific method, as shown in the figure on the lower right of the material, a third party organization publishes a list of screened and registered Issuers, and the Verifier can refer to and verify it. Regarding the eligibility verification of the Issuer, what should be verified as eligibility will be the issue of this main body meeting. As shown on the left, for example, if the certificate is issued by an administrative agency, it may be possible to verify whether it is an actual administrative agency as eligibility. For private issuers, it is difficult to verify the eligibility of all companies, but if it is a field that is highly public and has a list of approved business operators, such as medical and financial services, list verification may be possible. In the EU and the United States, such a mechanism for verifying the eligibility of issuers has already been provided. 
Based on this, I would like you to consider to what extent such measures are necessary.
The third risk is "invasion of privacy caused by VC." Since VC contains information that is easy to identify, such as signature values, if multiple Verifiers intentionally share the information of the presented VC, there is a risk that privacy, which should have been protected by selective disclosure, will be violated. There are two major measures against this risk. The first measure is called Unlinkability, which prevents linking to the same entity that presented multiple information. There are various methods to technically realize this, and the proper use of them will be discussed at the technical working group. The second measure is that the parties to whom VC is presented are limited to those who can be trusted in the first place. However, even with analog certificates, there are few measures that systematically limit the parties to whom they are presented, other than identification, so it is necessary to be careful not to take excessive measures. Today, I would like to hear your opinions on privacy measures from the perspective of which means should be required and to what extent.
Finally, the fourth risk is "reduced availability and convenience of VC." This is a general risk that if the VC does not have the required compatibility when the Wallet Provider or Issuer terminates the service or replaces the terminal, the VC cannot be transferred and cannot be used. As a countermeasure against this risk, it is generally difficult to require private companies to take measures against this risk when the business ends for the Wallet Provider. For example, it is possible to make VC interoperability a recommended requirement. Also, for the Issuer, it is possible to provide a guideline on measures to prevent the loss of the certification capability of the issued VC even after the Issuer has terminated the VC issuance service. The Main Body Meeting would like to discuss to what extent and how it is necessary to indicate the requirements that such Wallet Providers and Issuers should meet. In Europe and the United States, these interoperability allowances have been made to a certain extent. If the government itself provides the wallet, as in some European countries, the risk of withdrawal of the Wallet Provider does not need to be considered.
This is an overview of the four risks specific to VC and DIW and possible measures. Lastly, the next page is distributed only on paper, so please refer to it. Some of the risks can be covered by the existing laws and regulations, so the relevant laws and regulations are shown in your hand. The Secretariat is unable to organize the coverage of each law and regulation or present its views here, but I would like to hear your opinions on whether they are covered by the existing governance. Up to this point, this is an explanation of the risks that are the premise of the discussion and the risk measures that we would like to discuss on how to promote implementation. That is all for the document explanation from the Secretariat. Then, I would like to once again hand over the progress of the following discussions to the Chair of the Committee.
Chairperson of the Committee: After this meeting, there will be an explanation of what the goal of the meeting should be, and a proposal and discussion from the secretariat. Assuming that it will come later, I would like to invite any questions or opinions on the materials so far. What do you think?
Sakae Fuji: Just one quick thing. I think it is good to set the guidelines as the goal, but I felt that it is necessary to make it possible for users to understand that the verifier or issuer is operating in compliance with the guidelines. In particular, as you mentioned about the AI agent, unless we create a state in which such things can be judged mechanically other than qualitatively by people, in the world of so-called non-human identity, I think we will not be able to work. So, although it may be something that the technical working group will consider, I thought it would be good if we could create guidelines that go into such areas and refine the sense of goal so that it can be developed along with a mechanism for enforcing it. That's all.
For example, you mentioned Holder Binding. In terms of whether Holder Binding is really necessary for all credentials, I think there are credentials that can function even if the binding strength is not that strong, so I think we can start by understanding these points. Regarding derived credentials, for example, I think there are parts that have been implemented in society as so-called derived credentials, such as IDs in Wallets, which Apple has started in the US. Overall, I can say that it is impossible to operate everything as a registered seal, so I think it is possible for the Verifier to make a decision in the case that derivation is acceptable. If so, on the premise that the Verifier can recognize that it is a derivation, giving a few specific cases where derivation is acceptable may be a better case than strictly binding it. There are various issues related to the management of various keys, including the replacement of terminals, but as you explained earlier, various efforts are being made in various places. For example, in German countries, I think they have actually implemented the use of Cloud HSM, so I think it would be good if we could have discussions that are not limited to binding them by presenting a workaround or options. That's all for now.
Chairperson of the Committee: Thank you very much. Regarding the narrowing down of use cases, what Mr. Sakae Fuji has just said, with a specific image, is that it would be good to think about concrete implementation starting from low-risk ones that are highly likely to be realized. From that perspective, in this material, there are examples of residence certificates and AI agents. Do you think it would be appropriate to proceed with this idea, or do you think it would be better to think of other use cases as "possible use cases"? If you have any opinions on this, please let me know.
Sakae Fuji: Well, as a use case, you mentioned certificates of residence and AI agents. For example, in the case of AI agents, even though I understand the implementation details and protocol details of using mandates, I wonder if we could create another case that would be a little less strict, including the use of country-issued credentials.
Chairperson of the Committee: Thank you very much. Mr. Matsumoto, please come in.
Mr. Matsumoto: I think it would be good to look at the risk after understanding the benefits such as convenience. However, since Architecture is not confirmed in the first place, I think it is difficult to analyze the risk, but after listening to what you just said, I can understand it because I have been dating them for the last year and the year before, but I thought that there are very few people who can understand what you are talking about. What I thought would be good to do as a risk analysis, what I thought would be good to clarify, I did not understand well who the risk is for. I do not know, or rather, it is not specified here. Broadly speaking, there are the person, the relying party, and the verifier. I thought that it would be easy to understand if there is such a classification at the beginning. The other is, who is the attacker, there are various things such as the attacker is a malicious third party, malicious or non-compliant relying party, and verifier. I thought that it would be good to classify them in such a way, but in the case of paper certificates, the person who is in trouble in society is definitely the attacker. It is the person who forged it. If there is a classification from such a perspective, it would be easy to understand. Since VC is clearly difficult, even if we analyze the risk on the premise of that, those who understand and those who do not understand will not understand.
I was a little concerned about the usage of terms. Although there are the words "qualified issuer" and "qualified VC" in slide 30, if there are three, they are actual issuers or derived VCs. In the European eIDAS2.0, the "qualified issuer" is called a qualified issuer. There is a qualified issuer, and for a lighter usage, there is a non-qualified issuer. Therefore, there are two guarantee levels for the issuer. There is no discussion here, whether it is necessary or not, but there should be a discussion such as Levels of Assurance (LoA) that VC is only one guarantee level in the first place. If you write "qualified issuer" including that, some people think that this is referring to the European Qualified Issuer. This is Japanese, and there are problems such as how to translate "qualified" in Japanese, so we should be careful.
Chairperson of the Committee: Thank you. Is there anyone else who has requested the floor?
Committee Member Kasai: Thank you. Nice to meet you. I would like to ask you about pages 17 and 18 of the secretariat's explanatory material. I think there are many cases where copies of certificates of residence are issued by photocopiers at convenience stores. This time, you mentioned this to VC, but I would like to ask if you are looking at both pages 17 and 18 or if you are looking at both pages or if you can do it online to online, in terms of the scene after using it, or if you say we have completed VC, and how we submit it, whether it is all online on pages 17 and 18 or if it is something like going somewhere face-to-face and submitting it.
Mr. Sawada (Japan): As for the residence certificate, we are currently considering how to proceed in Ministry of Internal Affairs and Communications, and we are unable to give an answer. However, the focus of this meeting is on the following points: In terms of the scene of presentation, I believe there are situations where you can present what you have put in your smartphone in person, submit it online, or submit it via online.
Committee Member Kasai: Thank you, I understand. If that is the case, I would like to ask a question because there was not much in the way of verification equipment for face-to-face submission in the category of how to do it, and that is also very important from the perspective of limiting the users and related to risks.
Chairperson of the Committee: Yes, thank you.
Nakamura: This is related to your remarks, but when we examine in detail, when we analyze risks, I think we need to think a little more in detail about how to classify usage scenarios. Dr. Sakae Fuji mentioned earlier that it would be better to distinguish cases where there are derivative VCs and cases where there are not. Even in the case of a certificate of residence, if the content of the certificate of residence is guaranteed to be correct, there are use cases where it does not matter who presents it, and there are also use cases where it is true that you can bring your own certificate of residence. Therefore, I wonder if we should assume cases where the certificate of residence is presented by another person, or if we should verify that the person clearly presents it as his or her own VC. For the presented VC, does it matter if we only confirm the effectiveness at the moment of presentation, or if there are use cases where we store it and verify its effectiveness after a certain amount of time? Depending on these points, the method of risk analysis or the extent to which required technologies must be prepared will change.
If there is one more point, there is no My Number or other information on certificates, for example, the current residence certificate, but in the sense of digitalization, what to do with identifiers for individuals, and therefore what identifiers should be treated by DIW are also the subject of discussion, I believe. There are use cases where it is necessary to change them to pseudonyms so that they cannot be linked, and there are use cases where it is acceptable to link them separately as an administrative procedure, so I believe we need to consider how to classify them. If we can clarify which ones to consider this time after classifying them, I believe it will be easy to discuss when considering technology.
Chairperson of the Committee: Is there anything else I can do for you?
Committee Member Itakura: Where the risk lies naturally depends on who presents what, but when the attack on the Issuer is dangerous, I think the Verifier that presents it is probably the most risky because it will cause financial damage to some person. The fact that a fake Verifier can be easily made is another story, and it is not about money, but rather that reliable information can be easily obtained. Yesterday, it was reported on the news that fake QR codes are posted on trains and information can be extracted, but if it becomes easier to enter the Verifier, such things can be made even easier, and I think we need to take care of that.
I may have said this last year, but bad people ignore the law completely and think about attacks most efficiently, so in this context, we have to design it to suit the loosest person and do the loosest person properly. It is a story of a certain financial institution and a certain telecommunications carrier that were attacked by the loosest people, so we have to learn from that.
Also, I think we will listen to various stories from business operators. When a business operator wants to confirm attributes or make an identity verification, of course, one of the excuses is that it cannot be done because of the high cost. I think it is okay to listen to the story. This one also has the effect of reducing the risk. The other type is that there are people who honestly want even weird users to come in. If we say it clearly, no matter who they sell it to, they will get a commission. There are platforms that want to take a commission in addition to the shop without doing anything bad about the identity verification. The stories of such people are unfair from the beginning. They are inappropriate. In short, they do not need to be reflected. Otherwise, I think there is no need to listen to all the business operators flatly. That's all for now.
Chairperson of the Committee: Thank you very much. In light of your remarks, I feel that it would be better to proceed after making it a little clearer where the goals of this meeting will be decided. Regarding the previous meeting, as the topics will expand more and more, I would like to see the secretariat's draft of the goals that we would like to aim for, and then after discussing whether the goals are good, I would like to improve the resolution by discussing what to discuss in line with the goals. It is quite difficult every year, but I would like to ask for your cooperation.
Secretariat (Nakagawa): Regarding the "points for discussion" on page 34 on the screen, as you just discussed, for example, there are use cases such as saving once and showing it again, which are technically different. If we include all of these, we will not be able to reach the point where we should start from. In the sense of creating an island to which we can stick to a certain extent, I believe it is important to start from here.
In that sense, regarding the general types of risks that you just discussed, the technical operations and examples of measures for each of them are shown on the right. These include "linking between VC and Holder," "data management within the wallet," and "ensuring unlinkability." Which methods are necessary to appropriately promote technical and operational measures, and as you mentioned earlier, for example, when showing a copy of the certificate of residence, considering examples of technical and operational measures that are limited to cases such as when it is not necessary to show the identity of the person submitting the certificate of residence, I think it would be good to have discussions on what should be done technically in such cases, and how to bind the guidelines and operational aspects at that time.
The next page, please. While focusing on technical and operational measures, there are public and high-risk use cases to prove personal attributes and qualifications, as well as cases that are not under consideration by Digital Agency, so for example, cases that are publicly shown and have a large impact, and I think it would be good to create islands that can be attached to them. For example, a copy of a residence certificate has come up several times, but I would like you to discuss it, keeping in mind that there are cases that need to be confirmed quite critically. If the ecosystem can function "cheaply, simply, and quickly" without institutional constraints, it can be done without making too many decisions by government offices and without making things technically heavy.
I sorted out the discussion points on page 37, and each of them is broken down into 1-1, 1-2, and 1-3. With public use cases in mind, there is a provision to promote appropriate technical and operational measures to promote this, and as an example, it is written as guidelines. If it is a guideline, I think it is important to show what kind of content it is and create it. At the time of discussion, I think we will create Issuer eligibility verification and Verifier eligibility verification, which are functions of wallets that handle public VCs, from their respective perspectives, so I think you will consider these points. I wonder if the scope and positioning of this will come up in 1-2, which is the point at issue, and regarding 1-3 this time, in that sense, after this review meeting is held, we will move to the technical working group, so I would be very grateful if you could discuss what I would like the technical working group to discuss in particular, and what I would like to convey to the technical working group in the form of homework.
I would also like to introduce the next page. If the guidelines are to be developed this fiscal year, I would like to summarize the main points. It is written in the form of a table of contents of the guidelines on the right. Starting with the "Introduction," from basic concepts to recommended requirements for risk measures, reference information, etc., I would like to suggest that the goal for this fiscal year be to create an outline of recommended requirements for risk measures when these are used as use cases. We will continue to discuss the contents from there, but I think it is an idea to show these in the guidelines while having discussions, and the secretariat is presenting it. The explanation will be longer if I go further, so I would like to do it in this way to some extent. What do you think? I would appreciate it if you could discuss this.
Chairperson of the Committee: Thank you very much. Regarding these goals, I think the one you are showing now is the most compact. Do you have any comments on these goals?
What about Dr. Nakamura? His orders are a little too vague and a little clearer. I think there are a lot of them.
Nakamura: I think we will finalize the discussion in the way you have just explained. To be specific, you have presented two use cases in this document. If you divide them into several cases and have detailed use cases that you would like to discuss this time as the subject, based on that, it will be easier to discuss the extent to which we need to consider each point of view and the extent to which we need to consider risks. In that sense, if we do not share what kind of use cases we assume, even if they are fictitious, I think it will be difficult to have a shared awareness discussion with the members of the technical WG. If you could spend some time on that, I think we will be able to prepare for the technical WG. At this point, we have not been able to sort out which specific points of view.
Chairperson of the Committee: You mentioned earlier that we should divide the cases. In this case, can we have an idea of the categories of the cases at this stage?
Nakamura: In that sense, I would like to separate them into more detailed categories or cases, and if there are such cases, I will no longer think about them in order to make them simple. I feel that there will be at least five or six viewpoints from which the mechanism is simple to use, so I think it would be a good idea to start by first sorting out those points and then, within that scope, discussing how it would be in each category in each simple situation.
Chairperson of the Committee: Thank you. As your hands are up, Mr. Taki, please.
Committee Member Taki: Thank you very much for your explanation. I would like to tell you what I thought about the phrase "with high-risk use cases in mind" that I mentioned one time ago.
For example, even if the procedures are high-risk and the intensity is high, ordinary people's sense of risk is never zero until the end, including situations where the person is being manipulated, has his or her weaknesses grasped, or is being taken advantage of. This is something that often happens in the case of investment fraud. However, I believe that ordinary people's sense of risk is that the risk will never be zero until the end. Private business operators basically draw a matrix of the probability of occurrence and the maximum damage at the time of occurrence, and make decisions such as not taking this risk, daring to take this risk, or taking measures when the balance is poor. Therefore, I think it is necessary to look at it from the perspective of whether the damage can be controlled, rather than taking a flat view of only high-risk cases. I think it is better to consider one very low-risk case. To give an appropriate example, for example, what is the credential that allows you to borrow up to five books at a library? I think the maximum damage will be about five books. I think that libraries are taking measures in a relaxed manner. I think that in many cases, they are operating with a gradation, or in the end, whether damage can be controlled in the overall framework and in the operation of the site. I think that it is better to look at at least one light point of view. That is my opinion.
Chairperson of the Committee: Thank you, Mr. Yokota, go ahead.
Rep.
Secretariat (Nakagawa): Thank you for your opinion. We call the laws and regulations part a legal matter, and I am often asked about this when we negotiate with Cabinet Legislation Bureau. It is stipulated that this can be stipulated if it is necessary to stipulate it and it is the only way. If it is something that is already protected by technical measures or other measures, or by private sector's customs, some people say that it should be stipulated there. Laws are said to have the minimum and only effect, and we cannot help but focus on doing that. In that sense, I think that the Guidelines are a draft, even if we start from the beginning.
During the discussion, I came up with an example of a copy of a residence certificate as shown on page 17. I have been discussing this in cooperation with Ministry of Internal Affairs and Communications. There are various use cases. One is a case in which all household members are identified, who is in the house, and when subsidies are applied, for example, the head of the household submits it to the city hall. In the case of the head of the household, such as My Number Card, who needs to prove his or her identity in addition to proving his or her attributes. If something is to be done first, it may be possible to think about what kind of surrounding technology is necessary. With this as one of the pillars, for example, if there are cases in which the head of the household does not need to prove his or her identity, there may be an example of creating a broad framework of guidelines such as excluding this and this.
If one theme is to be created, how about a case in which the head of the household brings the residence certificate of all family members and applies for a subsidy or child allowance? How about discussing it while creating such pillars, and discussing what is necessary and what is not.
Rep.: Since this is the first meeting of this committee since it has been opened to the public, I would like to ask you to advance the discussion in such a way that it can be understood that the current selective disclosure or digital completion of verification has considerable merits for citizens, the receiving administration, and other people who develop it. For that purpose, if legal amendments or ordinance amendments are necessary, I basically think that we should advance the discussion in the direction of not hesitating. However, I do not think that it is immediately necessary. However, as a starting point for such discussions in the medium to long term, I understand that there is nothing we can do unless we first clearly indicate appropriate lines in the guidelines and then get people to use them. That is what it is. That is all.
Secretariat (Nakagawa): Thank you very much. You are absolutely right. If we think about one thing and decide that a law is necessary, of course we can make it a government ordinance, ministerial ordinance or law. In that sense, I would like to start by considering it as a use case. Thank you for your opinion.
Mr. Matsumoto: You mentioned mid- to long-term. That is one of my concerns. I understand what you are saying. I understand that you want to do what you can without amending the law so that it will be accepted by everyone. That is Can-Be. I think it is quite dangerous to do Can-Be without thinking about To-Be. It is necessary to point out that To-Be is To-Be and everyone will go in this direction. I am a little skeptical that there will be no discussion on this point. To be extreme, I think it would be good if there is a law that enforces the use of VC for all qualifications in a package like the e-Document Law of 2005. The e-Document Law of 2005 is a package law that allows the digitization of documents that are obliged to be stored by the private sector. Although we promoted the use of electronic documents instead of paper documents, it does not promote machine-readable digital documents. As a result, they can only be confirmed by human eyes just like paper documents. In order to move to the next stage, we need to be able to process them automatically. I think that this is a good To-Be. This may not be the discussion here.
Chairperson of the Committee: Thank you very much. Did Commissioner Sakae Fuji raise his hand a while ago, or is it another time?
Sakae Fuji: Just one quick thing. I think it is good to set the guidelines as the goal, but I felt that it is necessary to make it possible for users to understand that the verifier or issuer is operating in compliance with the guidelines. In particular, as you mentioned about the AI agent, unless we create a state in which such things can be judged mechanically other than qualitatively by people, in the world of so-called non-human identity, I think we will not be able to work. So, although it may be something that the technical working group will consider, I thought it would be good if we could create guidelines that go into such areas and refine the sense of goal so that it can be developed along with a mechanism for enforcing it. That's all. This is something I mentioned again.
Chairperson of the Committee: I see. Then, please say it. After that, I feel that I have kept Committee Member Matsuo waiting for a long time, so please proceed in order.
Chairperson of the Committee: Thank you very much. Mr. Matsuo, thank you for waiting. Please come in.
Committee member Matsuo: Thank you very much. However, I wanted to ask a question about something that came up after Mr. Yokota. In the first place, when creating guidelines, how to enforce them and how to get people to use them are very important, and I have almost nothing to add since everyone has already said so. For example, depending on who implements them, whether it is the national government, the local government, or the private sector. When it comes to public sector use cases, private sector use cases, or public and private sector use cases, it is perfectly clear that if there are different implementers and their perspectives are not aligned, and if things with different perceptions are implemented on the premise of collaboration, it will be a source of conflict in the future. In that sense, it is of course beautiful to create guidelines after anticipating to a certain extent whether the guidelines are for the national public sector, local government, or the private sector, how they can be used, and whether they will be included in procurement standards. However, it will take a long time to do so, and even if it is not the case, I think it is necessary to issue guidelines after carefully considering how the guidelines will be received. That is all.
Chairperson of the Committee: Thank you very much. Committee Member Kasai, please.
Committee Member Kasai: Thank you very much. I also have doubts about the fact that it is desirable for the ecosystem to function without the restrictions of the legal system, which I mentioned earlier. It would be fine if it were public. As I told the previous study group, the more the private sector tries to spread it, the more the viewpoint of the Antimonopoly Act comes next. Convenience stores are in an oligopoly state, so this is a point I am concerned about. From that point of view, of course, it would be a goal to have a guideline that does not deal with it. I think there will be a point of view that it is easier to spread if a legal system is created. It is desirable to function without restrictions, but I will also comment on the point of view that such a legal system will be necessary in what phase the private sector and the public sector are different.
Chairperson of the Committee: Thank you very much. With regard to Mr. Kasai, he said that he would like to make relatively specific selective disclosure of attributes. It is strange to say that it is imminent, but he asked if the disclosure that you demonstrated about two years ago has not been made yet.
Committee Member Kasai: Thank you. On the reading side, if anything, the reading side that wants to do VC or some kind of identity verification, we are considering alcohol and tobacco, is it okay to read the same rules for all convenience stores? When considering the project realistically, it will be a challenge. I think it would be good if it is public, but if the private sector wants to spread it, if it becomes an oligopoly, it will come out there, so in some cases, a certification system or something like that will be necessary.
Chairperson of the Committee: Thank you very much. It is easy to think that there is such a specific image. Committee Member Itakura, please.
Committee Member Itakura: I am not saying this because we cannot do business without laws. Among the risks you have already mentioned, there is a question of whether wallets will be issued even if they are issued by public organizations, and whether such wallets will be permanent or not. This is a question of data portability. There has been debate on whether data portability was introduced during the Reiwa era or a little before then. Although the Act on the Protection of Personal Information subtly includes something like that, it has been included only in an extremely incomplete form, such as, if possible, please disclose the information to the person in electronic form, even if the basis is electronic or paper. There is no such thing as a right of data portability in Japan. In most cases, when a problem arises, it may already be subject to legal liquidation procedures. In that case, it is a matter of court administration. It is not a matter that can be handled by guidelines without laws. If we are to do this, we have no choice but to face data portability again.
The other issue is related to the Anti-Monopoly Act, which Mr. Kasai mentioned earlier. Forcing security in the supply chain is not a cartel but an abuse of a dominant bargaining position. Japan Fair Trade Commission has issued some sort of guidelines. As I said earlier, this system must raise the minimum level, and everyone must follow them. Whether or not a law will be established, at least it will not be an abuse of a dominant bargaining position. The security of the supply chain must be ensured in a comprehensive manner. Therefore, I would like to point out that there is a system that does not violate the Anti-Monopoly Act. That is all.
Chairperson of the Committee: Committee member, please.
Dr. Sakimura: Thank you very much. As many people have mentioned, there is some overlap, but I think we should do light use cases. For the EU Digital Identity Wallet, we should start with age verification. We are currently doing it lightly, but we are also doing it from this point of view. From the perspective of children, from an international perspective, age verification or electronic age verification, we should do it properly with selective disclosure. This is being discussed very seriously, and international standards are being developed, so I would like you to consider this.
In addition, the authentication of the wallet is quite problematic, and even if we say that selective disclosure is possible, unless we can show why the information is necessary in a sufficient, concise, and easy-to-understand manner for the person, selective disclosure has no meaning at all. Also, users can hardly judge whether the information requested by the information provider and relying party is appropriate or whether data minimization is working properly. Therefore, what to do about this is currently being actively discussed in the Internet Identity Workshop, so I think it would be better to consider it from that perspective, even if we consider guidelines to some extent. The system did not go very well, but I had the impression that it would be good to proceed while referring to the information bank certification system, which includes a considerable amount of information on how to indicate what is requested. That is all.
Chairperson of the Committee: Thank you, Mr. Kuniji. I assume that you have received an opinion in advance from Committee member Wakae, who is absent today. Could you introduce him to us from the Secretariat?
Mr. Sawada (Japan): I would now like to read out the views that we have received from Committee Member Wakae.
"Regulations based on hard law (including joint regulations with sanctions in the event of non-compliance) should not be excluded from the scope of consideration. Of course, it is ideal that the ecosystem operates smoothly without the existence of national rules and systems. However, in the absence of rules, there is a risk that it will be abused and consumers will be harmed and privacy will be violated. If distrust spreads, it may not become popular. On the contrary, use may concentrate on Wallet of Google and Apple, which are large and secure, and monopolize the market. This is different from the goal of DIW, which is to regain control of data in the hands of platforms.
It would be best if a private or public certification system worked, but a certification system would only work if consumers wanted to choose safe and secure products. As can be seen from the example of the information bank, it has been pointed out that a certification system is difficult to work for services related to invisible data risks, and in the case of services such as DIW that are convenient but supported by difficult technologies, consumers do not know where the risks are, so they do not care whether they are certified or not, and there is no incentive for vendors to acquire certification.
Existing legislation has been proposed, but it is difficult to deal with the privacy risks of DIW at least through the Act on the Protection of Personal Information. For example, in order to minimize the acquisition of data through selective disclosure and to prevent tracking, it is important to adopt measures such as the use of zero knowledge proofs and the random issuance of signature values, but the Personal Information Protection Act does not have a legal basis for complying with them. The principle of data minimization in the GDPR is strict: "Only the minimum necessary data should be handled to achieve the purpose." If you sell alcohol, you can only obtain data on people over or under 20 years old. However, in the case of the Personal Information Protection Act, as long as the purpose of use is specified and the notice is made public, it is possible to handle it for various purposes (including those that are completely unrelated to the original purpose) even if it is set for that purpose. The consent of the person is not required. In addition, the restrictions on the purpose of use of the Personal Information Protection Act and the rules such as the obligation to appropriately acquire information cover "personal information," and the information acquired by the verifier in DIW does not necessarily correspond to personal information. Even if it corresponds to "personal information," the restrictions on personal information in the Act are only to obtain consent when it is changed to personal information by a third party provision.
A large amount of information will be accumulated in the Wallet Provider, but at present, if the Wallet Provider specifies the purpose of use in the terms of use, etc., it is possible to use it for a purpose completely unrelated to the original purpose of use. If the oligopoly of Google and Apple arises in the future, options will be reduced, and various digital services will not be available unless DIW is used, will it not be necessary to prohibit the use for a certain purpose different from the original purpose?
Regarding the use cases to be considered, when assuming a case where the administration receives a certificate, it is difficult to imagine the misuse of the verifier, and it may not be appropriate to verify a wide range of risks. A wide range of use cases should be covered in anticipation of future expansion of utilization.
In addition, I feel uncomfortable with the setting at the beginning that "'being able to implement it cheaply, simply, and quickly' is important." DIW is drawing attention around the world for "user-centered digital ID management." In other words, it is expected that control over data that has been in the hands of platforms can be regained. If it cannot be done, even if it can be used "cheaply, simply, and quickly," it is putting the cart before the horse. In that sense, it is important to protect the rights and interests of users, and "safety" should be added to "cheaply, simply, and quickly."
That is all. I read a somewhat lengthy document quickly due to time constraints, but to summarize it briefly, I understand that you raised questions about whether some method is necessary mainly from the perspective of the Wallet Provider and about "something cheap, simple, and fast" to ensure a certain level of safety. Committee member Wakae's opinion, who was absent, was introduced by the secretariat.
Chairperson of the Committee: Thank you. I believe that your request has been covered for the time being. It is very difficult to summarize your opinions on the goal image you gave me today, but depending on the use case or situation, there may be various ways of using it, and it is difficult to raise all the risks of all the variations and respond to all of them. The use cases will be divided into areas with very high convenience, areas with very high risk, and usage patterns, and we will discuss how to create guidelines in these areas. After sorting out what are the variables, we will consider what risks are there in the usage and what guidelines are necessary to respond appropriately.
Among them, the use case of selective disclosure of age verification using residence certificates is quite visible, so I would like to think about it in detail. No matter how you look at it, it is hard to imagine that we will be able to write a comprehensive guideline this year, so I would like to focus on a rough map of where the overall picture is, and areas where I think it would be better to move things that are convenient and have a risk of this level as soon as possible, and think about the risks. There are various recipients and players, but there are verifiers, issuers, and relying parties, and what kind of obligations should be placed on each party, and whether it would be better to not only have guidelines but also something like authentication. I felt that the flow was roughly to include these aspects in the discussion, create a specific image, and try to create it this year. What do you think?
Committee Member Kasai: Thank you. I think it is very difficult to summarize this, but for those of us who use published guidelines, etc., it is still difficult to gain understanding even within the company on how to spread the use of VC and digital certificates. Therefore, at the same time as some guidebooks and guidelines are published, I would like to draw out business operators who are working hard to do it now, and although it is not an event, I would also like to see something like a promotion activity from the users. As I said earlier, there will be discussions on devices, and I think all players should consider it, so I would like people close to consumers to liven up the use of them.
Committee Member Itakura: Regarding what Committee Member Matsumoto said, I think it would be better to write it in 1-1 of the Introduction. Since the raison d'etre of Digital Agency itself is digital-first, I think it would be appropriate to say that ultimately, as long as we do this, we should do this without paper.
Another thing that did not come out is that the digitalization of the residence certificate will be changed to Ministry of Internal Affairs and Communications, but the acquisition of the residence certificate with eKYC was disputed in the trial and it was rejected (Tokyo District Court, December 8, 2022, No. 2608, p. 27). Moreover, during the trial, even the ministerial ordinance was amended and it was said to be useless. I thought it was great, but in hindsight, eKYC has been attacked more and more, and now they are talking about stopping it because of money laundering. In the end, it is appropriate, but if that is the case, I think at the root of it is that I want people to use the information on resident records with a level of certainty that it is not acceptable. It is the information that you cannot obtain it unless you make a considerable identity verification even at the stage of obtaining it. For some reason, I do not understand why it is good to send it by mail, but I will go on the premise that it is done at that level (easy distribution will not be accepted). At any rate, the bad guys are attacking everyone by throwing all their power, in disregard of the law, at the most profitable place. As a result, there are some Japanese who have been arrested at the Cambodian border. The real enemy is the global mafia, and as long as they know where and how to make money, they will throw everything they have into it. The minimum line must be designed to be safe, and it must be digital-first. The number of people will decrease and the cost will increase, and if we don't do that, we won't be able to make it. My Number Card has done a tremendous job of pushing the adoption of Public Personal Authentication so that it can somehow be used in all sorts of places, and once it passes a certain threshold, it becomes popular. 
Of course, as Committee Member Kasai mentioned earlier, there is a question of what to do about devices, but if it can be solved by software, I think we should focus on the direction of smartphones, which are everywhere, but in this 1-1, I think it would be better to write digital-first, which is the ultimate goal, although I won't say it should be done next year. Yes, that's all.
Chairperson of the Committee: Thank you. Anything else?
Mr. Matsumoto: are important. The stakeholders involved change depending on the use case, so in a sense, there are many things we need to think about how to respond to use cases. Among them, I personally do not have much interest in the residence certificate, and my question is whether I have a residence certificate in the first place. In short, I can prove myself in My Number Card, and the rest is my household information, which cannot be done under the current law, but with the My Number Act, I think I should be able to push my will to this company through a collaborative platform with the My Number Act. I have long thought that this would be a solution, and that is back-office collaboration. Front-office collaboration is the way of VC, but I do not know which is better at this stage. Including that, I feel that what we should aim for is more between the private sector and the private sector. I would like to return to the subject, but we have to consider both what we can do now and what will happen in the future.
Chairperson of the Committee: Thank you very much. In the future, of course, something like an official certificate to be used by the private sector is on the horizon. In fact, they are saying that it would be better to do it from there.
Mr. Matsumoto: We haven't discussed the goal, and everyone has a different way of thinking about it.
Chairperson of the Committee: On the other hand, back-end cooperation would be better for exchanges between government officials.
Mr. Matsumoto: That's right, I said that last time. That's exactly what the Once-Only Principle is. In Europe, there is the Once-Only Principle. That is exactly the idea from the beginning, since administrative agencies themselves are not supposed to exchange residence certificates at the front desk. There may be cases now where it's better to do it with VC, in fact, I just don't know if that's the goal.
Chairperson of the Committee: After all, I think it will be something that will be considered with several specific use cases in mind. At that time, I would like to talk to the government officials and use an official certificate for private citizens, because the age verification to buy cigarettes is for private citizens, right?
Secretariat (Kusunoki): So it is a use case for private citizens to carry out duties imposed by the government.
Chairperson of the Committee: Personally, I have quite a feeling that that one is bigger.
Secretariat (Kusunoki): I completely agree with that. This is clearly not covered by the information provision network system, so I had high expectations for it.
However, there are some reasons why the subject is a government official. There are some reasons why it is difficult to do this unless you do it for yourself. In particular, since the residence certificate has historically been used as a document equivalent to an identity verification document, fairly strict requirements that you cannot do this or that have been discussed at the study group in Ministry of Internal Affairs and Communications this time. In terms of how strict the requirements can be, they are somewhat strict for use cases for the private sector, such as transcripts and company enrollment certificates. Or when I change jobs, I wonder how many Excel forms I am required to fill out when I enter Digital Agency. I entered the Immigration Bureau while really feeling the loss of the digital era. I want to get rid of them. I don't think most ordinary people can write accurate status reports every year. I wonder how many or what percentage of Japanese people can distinguish between income and revenue. I think the General Affairs Department is really great because they have them filled out properly for the year-end tax adjustment. As you say, in the end, it is within the broad scope of using this for the private sector. I think it is not persuasive unless we take it as our own case. In that sense, I think it includes scenarios for the private sector, the public sector, and the government and the public sector. That is what you mean.
Chairperson of the Committee: In this case, too, there are talks about VCs issued by the government and VCs accepted by the government. The level of VCs that the government thinks it is okay to accept will have a high sense of level, and if it is adjusted to that level, it will stand up to general-purpose ones. If we use that as a standard, it will be too strict and it will be useless. I would like to think about it.
Secretariat (Kusunoki): Frankly speaking, if possible, it would be desirable to make it so light that even the private sector would want to copy it, and see how far we can realize it. About two years ago, at the time of digitalization of the notice of disposition, etc., the requirements were put into language, and in fact, there were many easy-to-implement methods that were as low-cost as possible, and we worked on details such as digital signatures. Rather than setting high requirements and doing it in a way that only the national government could do with a special infrastructure, I hope that we will be able to satisfy these requirements in a way that makes it easy for anyone, even for issuing receipts.
Chairperson of the Committee: Thank you very much. Will Dr. Nakamura be able to do it in this amount?
Nakamura: If only there were a few more materials.
Chairperson of the Committee: What kind of material do you want? Is it a use case?
Nakamura: Well, I would like to have a use case. In addition, as I mentioned earlier about the graduation certificate as an example, I would like to discuss whether it is acceptable to limit ourselves to a discussion of the VC-DIW as a thought experiment, and whether or not we should discuss it together with the aim of something useful to the world in the future. I would also like to discuss this while keeping in mind to a certain extent whether it is appropriate to consider making a digitalization at the level of confirming the graduation certificate at this point in time, or confirming the graduation certificate, or something like confirming the graduation certificate, which is something that can be made but which people will believe in, and whether or not we should consider making a digitalization at that level as a starting point, or if we should aim to make something that is reliable to some extent as long as we make a reservation.
Chairperson of the Committee: They want to use it at the end.
Secretariat (Kusunoki): Paper is quite sloppy, isn't it? I wonder if it will be accepted with the same sloppiness when it is digitized, but I feel that it will be easier to copy and rewrite than paper, so they will want to seek a higher level.
On the other hand, as we have jurisdiction over the Electronic Signatures in Global and National Commerce Act, the Electronic Power of Attorney Act, etc., we have seen in the quarter century of e-Japan that if it is too strict, it will not become widespread. Can it be made a little lighter? I don't think it is as good as paper, but can it be made lighter? For example, there are good and bad images, but SSL has spread. I think this is a sensitive use case for bank transactions, but it is being used properly. There are various problems such as phishing.
In terms of commerce, protocols that will serve as various foundations for AI agents in the future, such as A2A and Agent Payment Protocol, which were introduced today, show that digital signature technology has been introduced at the protocol level, and we are now in a world where trails are left behind. There is no guarantee that legal matters will not appear in this responsibility demarcation point in the future, but I feel that there will be a considerable part that can be solved only by interpreting the world of the evidentiary power of civil law. If the parts that cannot be cleared only by interpreting it or applying the current law are clarified here, I think it will be an opportunity to firmly shoulder it. I would be most grateful if we could create a system that eliminates paper by clarifying the requirements, sorting out what is desired, and discussing whether or not it will cause confusion in society. If possible, we could do something special, and if it is not a system that can be used by only a few people, but if it can be used equally by residents, and if it can be used not only in Japan but also around the world, in a way that is universal or can be spread smoothly.
Secretariat (Nakagawa): As a result of the discussion, I think it would be good to have use cases that expand to the private sector as well, so tentatively, for example, when the private sector receives a certificate of residence, for example, when a mobile phone operator receives it as an identity verification document, what are the devices when they receive it, and what kind of use cases are they? I would like to focus on the time when the private sector receives a certificate issued by the public sector, and see how it spreads to the private sector.
Secretariat (Kusunoki): Office receives documents from the private sector, such as receipts when filing tax returns, and there are so many people between the private sector and the government, and between the government and the private sector, so I think there will be various typical cases where a lot of paper is left, so I think it would be good to deepen discussions on a wide range of use cases, although they may not be known by the next time. Despite the digitalization, paper has not run out at all, so I think it would be good to organize specific use cases while receiving opinions.
It just so happens that the issue of residence certificates is being handed over to us at the review meeting in Ministry of Internal Affairs and Communications, and we need to organize one thing properly. However, there are many other forms of paper that cross over between the private sector and the government when it comes to administrative procedures, and even when it comes to changing jobs between the private sector and the government, there may be some that can be picked up and some that cannot be picked up, so I think it would be good to consider it while receiving opinions in advance. I think it would be good to put those who are in trouble and can't be helped on the table as much as possible.
Chairperson of the Committee: As expected, there are various issues. However, among them, what we need to discuss and where we need to target have been shared by all of you. So, among them, at the end, I think it is the responsibility of the owner to do this. If you can imagine it based on this discussion, what kind of image you will have if you materialize it within that framework, what kind of guideline you can assume, and whether it is versatile or not will have to be verified again later. But, first, from the map of what patterns there are, I think it will be easier to proceed with the discussion if you can say that there are very high needs here, so try it here. Thank you very much.
Then can I return it to the office?
Secretariat (Kitainoue): Thank you very much.
Prior to the closing of the meeting, the secretariat will issue an administrative communication. The opinions received today, including those summarized by the Chair, will be reflected in the agenda for the next meeting and in the discussions of the Technical Working Group. In addition, today's proceedings will be announced on the Digital Agency website after confirmation by the members. In addition, the next meeting and the Technical Working Group are scheduled to be held as shown in Attachment 3, which is being projected now. I will not give a detailed explanation because it is a little past the scheduled time, but I would like to thank all the members of the Technical Working Group for their continued support.
This concludes my remarks. At the closing of this meeting, on behalf of the Secretariat, Mr. Digital Agency, Mayor of Group of Common Functions for Digital Society, and Mr. Kusunoki, would like to offer their greetings.
Secretariat (Kusunoki): Thank you very much for your active discussion.
I was really looking forward to today, but since the date happened to be the day after I was appointed as Minister, I will only be able to participate for a short time. Later, I would like to carefully review the meeting including the minutes.
The opinions you gave us today will be thoroughly passed on to the technical working group, and we will work out the specific technical requirements required of VC and Wallet. After that, I would like to convene this main meeting again.
Looking back at the discussions last year and the year before, at the beginning of e-Japan, the operations that we wanted to download and upload were easy on computers and browsers, but on smartphones, how do we do them in the touch UI? It suddenly became difficult to present them in a bundle, and we had to do this well with Wallet. And since we had to be able to verify whether the paper we put in Wallet was real or not, there were discussions on how we could use it to eliminate paper while holding VC, mdoc, and other technologies that are emerging now.
In addition, since the beginning of Mainaworking, there have been institutional barriers to various things that were originally intended to be done through back-office collaboration in the public service mesh. For example, unless we do some other method such as information collaboration through the person, for example, the four pieces of information cannot be sent to the information provision network system, and there is no system in which the point that indicates the relationship between multiple persons, such as the family register and residence certificate, protects privacy and works smoothly the moment the code conversion system is installed. Committee Member Matsumoto has raised the issue of whether it should be done through back-office collaboration or at the front desk. This is exactly what was vaguely intended to be done through back-office collaboration when we were discussing around 2020, but Digital Agency has been unable to do it properly in the past few years. We have encountered various barriers to institutional reform for that purpose. At the same time, what can be done through back-office collaboration is only communication between the government and the public, and there are so many forms of paper in procedures between the private sector and the public and private sectors. I have renewed my recognition that in order to change things in an up flow, a system that includes the front desk is necessary.
Speaking of this year, OpenAI has just announced Atlas, and before that, there was a comment on Perplexity. I think this year will be the first year of Agent Browser. I think this is a pretty scary story, and the browser stores your various credentials, and the AI can type all of them for you. This year is the year that a kind of human being handed over the eaves to the AI. Probably, it will be normal for people to keep their residence certificates and other things so that the Agent Browser can take care of the procedures in one stop. There will be people who will file their tax returns next year using the AI browser, which is a reality. I think that various accidents will happen, so I will not close it. It is becoming more and more important to be a little ahead of what will happen in the future, to leave various tasks to the AI agent safely to some extent, and to prevent fake documents from entering the process. I think it is very important to have discussions here, not only on so-called smartphone wallets, so that human beings will be able to ride AI properly in the next 10 or 20 years. I think it would be best if we can produce specific outputs and make it to the point where I am glad that we had discussions at that time. I would like to ask for the continued support of the committee members. Thank you.
Secretariat (Kitainoue): Thank you very much. With that, we will conclude the first meeting of the "Expert Panel on Sorting out Issues in Attribute Certification." Thank you very much.