
This page has been translated using TexTra by NICT. Please note that the translation may not be completely accurate. If you find any mistranslations, we appreciate your feedback on the "Request form for improving the automatic translation".

First meeting of the Advisory Panel on Governance in the Use of Verifiable Credentials (VC/VDC)

Overview

  • Date: Monday, March 10, 2025, from 15:30 to 18:00
  • Location: Online (Teams webinar)
  • Agenda:
    1. Opening
    2. How to proceed with the meeting
    3. Mutual election of the chairman
    4. Business
      • Introduction of activities by business operators and organizations
        • DID/VC Co-Creation Consortium
        • MAINA Wallet Co.
      • VC-Related Systems
        • Secretariat Briefing
        • Discussion on the secretariat briefing document
    5. Closing and Communications

Material

Minutes

Secretariat (ISHII): Thank you. We will start the first meeting of the Advisory Council on Governance in the Use of Verifiable Credentials (VC/VDC).

Thank you very much for taking the time out of your busy schedule today. My name is Ishii from Digital Agency, and I will be serving as the secretariat. Thank you very much in advance. On behalf of the secretariat, Mr. Kusunoki Digital Agency, Mayor of Group of Common Functions for Digital Society, would like to address you on the opening of this plenary session.

Office (Kusunoki): Hello, I am Kusunoki, who was just introduced.

I would like to thank all Committee members for taking the time out of their busy schedules to attend this plenary meeting. On behalf of the Secretariat, I would like to offer a few words of greeting at the opening of the first meeting of the Advisory Panel on Governance in Utilizing VC/VDC.

The purpose of this Advisory Council is to organize points to keep in mind with the aim of ensuring safe and secure use of Verifiable Credential, which is attracting attention as a general-purpose, machine-readable data format and data distribution format that realizes functions such as authenticity and falsification prevention through digital signatures.

The VC concept itself began to take concrete form several years ago, and it gradually attracted attention, starting with the establishment of related companies and organizations. After that, through standardization efforts at the World Wide Web Consortium, I recognize that discussions on the issuance and utilization of VCs are now active, mainly in the private sector. In recent years, for example, vaccination certificates, which were introduced as part of measures against the novel coronavirus, have been put into practical use as a form of VC. This was before Digital Agency was established, but I myself was also in the process of technical examination, and at that time, I tried to decide on a trust framework at the WHO, but it did not work well. In the hasty action, I was on the so-called passport trust framework, and made it possible to verify even with some Web PKIs, and it was still very much a trial positioning and meaning. On the other hand, it was one of the events that I keenly felt that there were many things to be decided regarding the format.

On the other hand, I believe that the environment surrounding VCs is still in the developing stage compared to PKI, public key infrastructure, etc., which have accumulated many years of discussions and experiences, and I recognize that further accumulation of discussions is necessary to realize this safe and secure use.

In order to promote the sound development, dissemination, and use of VCs, we plan to hold wide-ranging discussions at the plenary session, including consideration of measures based on the current systems and mechanisms and identification of future issues. We hope to receive frank opinions from the committee members and have lively discussions, so please take good care of yourself today.

Secretariat (ISHII): Thank you. Now, I would like to ask the committee members present today to briefly introduce themselves. They will be nominated in the order of the Japanese syllabary as stated in the establishment outline, so please turn on the microphone and introduce yourself in about 30 seconds per person with your name and affiliation. First of all, Committee Member Keiko Itakura, please start.

Ms. Keiko Itakura: Based on what you have been saying so far, I believe it is very important to make the scope clear when considering going forward. As I explained earlier at the beginning, from the perspective of including identification and identity verification, I believe that the risk that an account that has already been identified may be another person at the time of identity verification is another matter. So, I believe it will be important to clarify whether identity verification is talking about how to safely identify the person and whether it is conducting identity verification. In addition, I believe it will be important to properly take care of cases in which identity verification was safe, but session hijacking occurred due to some circumstances in the identity verification, and identity theft occurred. Itakura.

I have been working in the ID and security industry for about 20 years, and I am currently working as a CSO for the Japan-surrounding region at Okta, a US-based company that provides software services for IDaaS. After this, I will probably touch on the IHV model, but I believe that business companies that will become Verifiers will use IDaaS to verify credentials, so I will mainly give my opinions on what perspective and how they should be verified. Thank you.

Secretariat (ISHII): Thank you. I would also like to speak to Mr. Yoichiro Itakura, Committee member.

Committee member Yoichiro Itakura: One of the attributes that .

My job is basically to receive advice from companies on data protection and personal information. In addition, the JFBA (Japan Federation of Bar Associations) also has a Consumer Affairs Committee in charge of consumer affairs. In this field, it is difficult to decide whether it is data or consumer protection, but I think I will mainly comment on it because of the law. Thank you.

Secretariat (ISHII): Thank you. Next, I would like to ask Ms. Reiko Kasai, a member of the Committee.

Committee Member Kasai: Lawson, Inc.

Within LAWSON, I am in charge of regulatory reform, where convenience stores are also involved, and Business Development. I am mainly involved in this matter. We are continuing to discuss the verification of identity and age in non-face-to-face verification of alcohol and tobacco use, such as self-checkout at convenience stores. On the other hand, I have experience of being seconded to Ministry of Economy, Trade and Industry for two years and have been involved in the certification system for data-sharing business operators. Including this, I would like to express my opinions on the governance of this discussion. Thank you.

Secretariat (ISHII): Thank you. I would also like to thank Mr. Kazue Sako, Committee member, for his continued support.

Mr. Sako: Waseda University.

I have been researching cryptography at NEC for many years, and I am currently researching information security, privacy protection, and fairness assurance based on cryptographic protocol technology. I am very much looking forward to using Verifiable Credential not only to sign data, but also to add context to what is being signed. Thank you very much.

Secretariat (ISHII): Thank you. Next, Mr. Toshio Taki, Committee member, I would like to ask for your kind cooperation.

Committee Member Taki: Money Forward.

Thank you very much. We often connect a large number of banking APIs to various places. In a way, we are in the position of a data token user, and in a way, we are in a SaaS launch pad where we do tax returns and various procedures by ourselves. Based on the information we have, there are cases where it functions as an issuer, and there are cases where we use it. I hope we can contribute in such an implementation-friendly way. Thank you very much.

Secretariat (ISHII): Thank you. Next, Mr. Sosuke Nakamura, Committee member, I would like to ask for your kind cooperation.

Committee Member Sosuke Nakamura: I am Nakamura from Kyoto University.

I have been working on academic authentication since I was in my previous position at National Institute of Informatics, and I am currently considering various aspects such as ID federation and its promotion activities, as well as VC activities for student IDs. I would like to discuss this from that perspective.

Secretariat (ISHII): Thank you. Next, Mr. Tatsuya Nakamura, I would like to ask for your kind cooperation.

Committee Member Tatsuya Nakamura: LayerX.

At present, I am in charge of the AI project for enterprises at LayerX. I was originally a contributor to the security aspect of the blockchain community, especially Ethereum. After that, I was working on the commercialization of privacy technologies such as secret computation and differential privacy. I am also currently serving as a director of the Privacy Technology Association. Today, from such a perspective, I would like to contribute from the perspective of implementing technology in society. Thank you very much.

Secretariat (ISHII): Thank you. Next, Mr. Hisahiro Fujie, Committee member, I would like to ask for your continued support.

Dr. Sakae Fuji: There were some in OpenID Foundation Japan.

I have been working in the world of digital identity for a little over 20 years. I have been monitoring Verifiable Credentials for 6 or 7 years. I have been providing materials this time, but I have been following the discussions on how the U.S. and the EU are considering and discussing not only technology but also governance and its operation, so I would like to contribute from my knowledge. Thank you.

Secretariat (ISHII): Thank you. Next, I would like to explain how the plenary meeting will proceed.

Today's materials are also available on the Digital Agency website, so please check them at hand if necessary. I would like to explain the purpose and purpose of this meeting. Regarding Verifiable Credential, which has recently attracted attention as a machine-readable and general-purpose data format and data distribution format that can realize functions such as authenticity and falsification prevention through digital signatures, in order to promote its appropriate use in the future, this meeting aims to organize points of attention related to the use process based on its relevance to the current laws and ordinances and systems, and to discuss use cases for future use.

There are two main points for consideration. The first point is to discuss the requirements and responsibilities that VC issuers should meet in order to organize points of attention related to the VC utilization process and other points of attention for appropriate utilization of VCs. The second point is to discuss use cases, etc. where utilization of VCs is expected. Regarding the contents of the subsequent installation guidelines, as the committee members introduced themselves earlier, due to time constraints, I will omit them.

I would like to explain the proceedings. First of all, the chairperson of the plenary meeting will be decided by the committee members themselves. Next, as for the proceedings, today we have invited the DID/VC Co-Creation Consortium and Maina Wallet Co., Ltd. to the plenary meeting, so I would like to introduce the activities of each company. After that, the secretariat will explain various systems related to VC and discuss the secretariat materials. Finally, the secretariat will close the meeting and make various communications. Also, today, as reference materials, Committee Member Sakae Fuji submitted materials related to management requirements according to the use of digital credentials, so please download them from the Digital Agency website and refer to them if necessary.

Please let me know if you have any questions or comments on how the plenary meeting will proceed.

Then, in accordance with the outline, I would like to decide the chairman of the plenary meeting by the committee members' mutual election. As for the secretariat, we would like to recommend Mr. Sosuke Nakamura, a committee member. What do you think? If you have any objection, please press the raise your hand button in the Teams function.

Since there were no objections, I would like to ask Mr. Sosuke Nakamura, a member of the Policy Board, to chair the plenary meeting, and I would like to ask Chairman Nakamura to conduct the proceedings from now on. Thank you, Mr. Nakamura.

Chairman Sosuke Nakamura: Thank you very much. Well then, I would like to proceed as the chairman from now on since I am Nakamura, who has just been recommended by the chairman, and I would like to ask for your cooperation.

Then, I would like to move on to the agenda immediately. Today, we are inviting the DID/VC Co-Creation Consortium and Maina Wallet Co., Ltd. as guests as business operators and organizations working on the utilization of VCs. First, please explain the contents of each initiative.

Each company will give a presentation in turn for about 10 minutes, and at the end, I would like to collect questions from everyone, thank you. First, Mr. Funahashi, Mr. Imai, and Mr. Shishikura from the DID/VC co-creation consortium, thank you.

DID/VC Co-Creation Consortium IMAI: Thank you, DID/VC Co-Creation Consortium. My name is Imai from MUTB, and I will be in charge of the launch secretariat for the Consortium. In addition, Funabashi and Shishikura will be attending. Nice to meet you today. Mr. Secretariat, could you please project the materials?

Secretariat (ISHII): Thank you. We will project the materials here.

DID/VC Co-Creation Consortium IMAI: Thank you. Please go to page 4. As a preface, our consortium is working to realize business co-creation and interoperability. First of all, our company focused on DID/VC. For example, financial institutions use various core systems, but there are cases where they fall into vendor lock-in. We believe that vendor lock-in is not limited to finance but also applies to other operating companies. Among them, we consider Verifiable Credential to be a technology that has the potential to break out of vendor lock-in by realizing interoperability of digital data distribution formats through authenticity and falsification prevention by digital signatures. We are considering business rules and legal regulations starting from use cases. Next, from Architecture's perspective, we will not reinvent the wheel. Based on the rules established by standardization organizations and academic institutions such as W3C and Trusted Web, we are discussing what rules should be selected according to use cases.

Please go to page 5. This slide shows the image of what the consortium is aiming for and how VCs can interoperate. Although there have been some demonstrations, production platforms, and development projects, it is our understanding that there have not been many cases in Japan where VC interoperability has been put to practical use. In our consortium, the image on the right side is that we have realized the "ToBe" image. The first is to realize interoperability that can be read even if VCs are brought to other platforms, the second is to improve governance, and the third is to establish a certain place for the Status List, for example, and aim for an efficient way of sharing that makes it easy to see.

Please go to page 6. Our consortium consists of two subcommittees: one for examining business co-creation based on the use case that we want to realize, and the other for developing and examining the system, laws, and other rules for implementing the use case.

Please go to page 8. This is an example of a use case in the FinTech verification test that we are currently working on with the Financial Services Agency and the Digital Agency. For example, we are currently demonstrating a mechanism in which the results of MMC's identity verification can be issued to holders in a form that can be used for secondary purposes, and can be reused in the identity verification of specific transactions, such as opening accounts for regional bank securities that will serve as verifiers and applying for insurance and loans. In the demonstration, the verifier looks at the offered VC and builds a mechanism to share the governance system of the issuer side so that it does not accept only the results. The governance perspective was given advice from the National Police Agency in the demonstration. Just in case, I would like to add that we will not share the KYC content. We recognize that the KYC of each company will be conducted using a risk-based approach in accordance with the Financial Services Agency Guidelines. The details will be explained in a later slide.

Please go to page 9. This is a use case for electronic receipts. For example, in Self-Medication tax system, when you buy medicine, you need to store receipts at home for five years. Storing receipts in physical form or on paper is inconvenient because there is a risk of losing them when you move, so I think it is expected that it will be easier to store them in digitalisation or by using VC. On the other hand, we have identified issues with electronic receipts. Since they are digital, when retailers spit out electronic receipts, they are linked to the individuals who receive them, which creates a burden of managing them as personal data. For retailers, purchasing data is originally their own assets, and it is natural to think that it is used for marketing and product development, so laws and ordinances arrangement and stakeholder coordination are still to come.

Page 10 is a use case in which we are considering the prevention of illegal resale of tickets using biological VCs, and page 11 is a use case in which we are considering whether credit information can be shared when issuing corporate card to small and medium-sized companies. However, due to time constraints, I will omit it for now. From page 12 onward, Mr. Shishikura will explain it.

DID/VC Co-Creation Consortium Shishikura: Thank you. I would like to explain what we are currently doing at the FinTech verification test Hub.
Please turn to page 13. This is an excerpt from the OIDF's KYC Guidelines. The identity verification Subcommittee aims to reduce the time and effort of users by making it possible to make secondary use of identity verification results that have been conducted once.

Please turn over the next page. Regarding the verification test scheme currently being implemented, in order to ensure the existence of the Issuer, we will use the LEI, a 20-character alpha-numeric identifier based on ISO17442 issued by GLEIF. LEI is mentioned as a recommended identifier in the FATF recommendations, and to tell the truth, it is an international identifier that is familiar to Japanese financial institutions. In this verification scheme, GLEIF certifies the QVI, which is an organization that examines the Issuer, and the QVI periodically checks the existence of the Issuer in this verification and issues an LE vLEI, and if there is a problem, it expires the LE vLEI. The Issuer is supposed to register its Issuer attributes with the Trusted List operator and the Trusted Issuer List operator for the LE vLEI. This is the preliminary preparation for the demonstration. The issuer registered in the Trusted List, which in this use case is a bank, issues a transaction confirmation VC to prove to the user that the transaction with the bank is ongoing and there is no problem with continuous customer management. In addition, the method business operators specified in Article 17, paragraph (1), item (v) of the Public Personal Authentication Act, which will be explained later, issue the results of identity verification using Public Personal Authentication, etc. to users' wallets as signature verification results VC. Users can view these two VCs as VPs with a specified business operator that serves as a verifier, and present customer due diligence information of financial institutions and identity verification results by JPKI. We are currently examining whether this can be considered as a valid identity verification under the Criminal Proceeds Act.

Please turn to the next page. I am not familiar with the F method, so I would like to give a supplementary explanation. There is Article 6 of the Ordinance for Enforcement of the Criminal Proceeds Act, and in addition to the M method using a Public Personal Authentication, this F method is prescribed as an electronic certification method using an identity verification issued by a private business operator.

Please refer to the diagram on the left for the flow. First, a user key pair is prepared. Next, in ② and ③, the F Method business operator conducts identity verification with JPKI, etc., and receives public keys used for signature verification from the users. In step ④, the F System operator issues an electronic certification that links the users' public keys with the users themselves. Next, documents such as an application form are collected from the specified business operator in ⑤ and ⑥, and the application form filled out in ⑦ is signed with the private key generated in ①. Send the application form signed in ⑧ and the electronic certification received in ④ to the specified business operator. Finally, in ⑨, the specified business operator verifies the electronic signature of the received application form and confirms the validity of the electronic certification with the F type business operator. The Wa method is similar to the Public Personal Authentication, but in fact, among the existing laws, there is the identity verification method, which proceeds in this way. The one that I thought if I could apply VC to this is the right side. The key pair is generated in the wallet and the flow to the identity verification by the provider is the same, and the electronic certification issued in ④ is replaced with the signature verification result VC. Next, regarding the application form, based on the information entered, the Holder himself becomes the Issuer in the Wallet and self-issues the specific transaction information VC, which is a VC version of the application form. Financial institutions' VCs for verification at the time of transaction are optionally combined here, and these three VCs are converted into VPs, which are presented to specified business operators, and the specified business operators verify the VPs.
By doing so, we are looking at whether the identity verification method in line with the F method can be done under the current law in the demonstration hub.

Please turn to page 17. Among the ongoing verification test hubs, the biggest issue now is governance issues, especially eligibility, rather than technical factors. For example, when financial institutions collaborate with other financial institutions, it is necessary to evaluate the risk management system of the partner based on the AML Guidelines. On the other hand, if we try to expand the one-to-one evaluation of the issuer and the verifier by further × n, it will impose a considerable burden on the verifier side, and it may become a burden on the verifier to refer to the KYC of various financial institutions.

This time, in the process of listing on the Trusted List, the Consortium evaluated the eligibility of the Issuer, and as long as it was listed on the List, the Verifier believed it and considered whether it would be possible to do business with it. However, the compliance departments of each company have expressed the opinion that Financial Services Agency is the only country that has the capacity and authority to conduct the examination, and it has been difficult.

Next, regarding the eligibility of the Wallet Provider, even if the eligibility of the Issuer is well managed, if the Wallet becomes a security hole, it is possible to open an account by spoofing, so a certain common security level will be necessary. On the other hand, even if we evaluate within this consortium, it is also a group of competitors, so a somewhat independent and third party organization would be desirable as a screening organization.

Finally, regarding the qualifications of the Verifier, we are aware that there are some opinions that the Issuer should manage the Verifier that can be VP. On the other hand, if this is done, when the VC is considered as a business, it cannot be a very fat business model, so this Verifier management burden may be a factor that prevents it from becoming a business. In addition, if we want to control the presentation destination in earnest, we need to take measures on the Wallet side, so I think we need to consider the complexity that the Issuer decides the presentation destination and the Wallet Provider responds. For example, when a university issues a graduation certificate VC and the Holder says he wants to use it for job hunting, I think it will lead to a problem such as whether the university should control the range of the presentation destination. In the case of PDF, the Holder can freely present information at his own responsibility, so I hope you will consider how much Holder protection is necessary when you become a VC. In this demonstration, the consortium used the W3C Bitstring Status List, but we have found that if we take measures such as access restrictions that block access to non-designated Verifiers, it will be out of the international standard as a technology.

DID/VC Co-Creation Consortium Imai: That's all for the explanation from the DID/VC Co-Creation Consortium.

Secretariat (ISHII): Thank you. I would like to thank Mr. Tachibana of MAINA Wallet Co., Ltd.

MAINA Wallet Co., Ltd. Tachibana: Nice to meet you. I am Tachibana from MAINA Wallet Co., Ltd.

Then let me share the screen a little.

Once again, I am Hiroyuki Tachibana, Representative Director of MAINA Wallet Inc. Today, I would like to introduce the business and share with you the future initiatives and issues using DID/VC. Thank you in advance.

We are developing a digital wallet using My Number Card. Using digital infrastructure, which has spread to about 100 million people, we aim to make the world's easiest society to use blockchain, DID/VC, and other technologies, and to realize a richer society through digital technologies.

Maina Wallet is a self-custodial wallet that utilizes account abstraction and can be used with private keys in the My Number Card. In the event of a lost, renewed or stolen card, Japanese Public Key Infrastructure can be used to recover the wallet. It is a wallet that is free from the eternal challenges of Web3.0 wallets and the management of private keys. In addition, since only one wallet can be created per person, it is possible to prove that it is a wallet owned by a real person with so-called Sybil resistance. In the future, a digital identity wallet function will also be implemented, which will support the receipt and presentation of VCs in multiple formats.

This is the actual usage scene of Myna Wallet. You can use it by entering a 4-digit PIN number. Behind the scenes, Japanese Public Key Infrastructure is used to authenticate the person in question. If you can confirm this, the flow is such that the user can start using the wallet.

Sending a transaction on the blockchain is also very easy. This time, we are sending tokens to a person named John on ENS. You can actually enter the amount of tokens and send them. Next, we will check the contents of the transaction in advance. Since MAINA Wallet uses account abstraction technology, it covers the user's gas bill. Therefore, the user can immediately send and receive tokens without buying the ETH required for gas bills, that is, native tokens, at an exchange, etc. After confirming the contents, follow the same procedure as before, enter the four digit PIN number, hold the card and sign. The signature is verified on the smart contract, and if it passes the verification, it is executed from the transaction of the local government.

MynaPay is a payment solution that utilizes the use of My Number Card's Kazashi. With the familiar UX of touching a card, you can receive and confirm ownership of NFT tokens and send small amounts of tokens. It can be used only with a card, and even users who do not have a smartphone can use it.

This video is a video of a user who has a stablecoin called USDC making a payment with MynaPay. Payment with tokens has been realized by using the same UX as the transportation IC and holding it over the head.

This is a video of verification test in the Yamakoshi area of Nagaoka city, Niigata prefecture last November.


My Wallet. In this verification test, we conducted a feasibility study of touch payments using "My Wallet," a service that utilizes My Number Card as a digital asset wallet, in the Yamakoshi area of Nagaoka City, Niigata. As the digital currency used for the verification test, we used "USDC," a stablecoin linked to the US dollar issued and circulated on blockchains. In fact, we had a wide range of age groups, from elementary school students to those in their 80s, experience charging and paying with stablecoins.

This time, with the cooperation of the residents of Yamakoshi Village Digital Village, a wide range of ages participated, and we were able to confirm that it was really easy to use the stable coin. As a result, we received a lot of feedback. We will continue to conduct demonstrations to create such use cases.

In the future, we will start providing the Web3.0 wallet function as a wallet that anyone can use with peace of mind. In doing so, we would like to utilize DID/VC to realize more secure and safe transactions. After that, we will cooperate with financial institutions and simultaneously provide services that contribute to solving problems with the national and local governments, and we would like to take the lead in creating precedents for the social demand of blockchain technology.
Next, we will look at the use cases of DID/VC and the verification test we are considering. The first is the use case of the Kazashi Shimin Wari. We are considering a demonstration using the special zone system with Fukuoka City, and we plan to pay with a small stablecoin using Kazashi. At this time, we are considering giving a resident discount to Fukuoka citizens. If a resident discount is given, a means of resident certification is required, so we are considering the use of Japanese Public Key Infrastructure and DID/VC. When issuing a VC, how to ensure the eligibility of the issuer remains an issue, but this is a demonstration, so we will proceed with the study while taking into account that the expiration date of the VC can be shortened.

Next, there will be an account linkage between the wallet and financial institutions. Regarding this, various linkage patterns are conceivable, and the contents and methods are currently under consideration. We would like to consider specifications that balance convenience and security to reduce identity verification costs.

The third is to utilize Japanese Public Key Infrastructure and DID/VC when accessing DeFi. At the BGIN Block #12 held the other day, a similar initiative called Accountable Wallet was discussed. DeFi has many issues and we are not in a position to actively promote DeFi, but on the other hand, it has become an extremely large use case for Web3.0, and as a wallet operator, we would like to make it possible to use DeFi more safely and securely. To be specific, we are considering creating a liquidity pool that can be used only by users who are in identity verification or whose credentials have been confirmed, and demonstrating DeFi that does not mix external funds that can be used only by so-called KYC users. In this case, there are many issues such as what kind of VC should be used and what to do with Issuer.

Fourth, local governments, the private sector, and DAOs can be used to distribute benefits and tokens. This is a vision for the future, but if the attributes and eligibility information that will be the conditions for benefits can be made into a VC, it will be possible not only for the central and local governments but also for the private sector and DAOs to provide benefits to their holders. For example, if there is a VC that certifies the number of dependent children, I believe that benefits for Oigo families can be realized not only by the central and local governments but also by the private sector. On the other hand, in the case of VCs that are public or semi-public in nature, the responsibility of the issuer is very heavy and will be a major issue.

Lastly, we would like to share our requests and issues. First, we would like VCs to be able to receive payments in various wallets, rather than in a dedicated wallet for each VC. If there is a dedicated wallet for each VC, in the future where VCs will spread, users will need to manage multiple wallets, which will eventually damage UX, and we recognize that there are issues such as VCs in multiple wallets and the linking of credentials. In order to develop various DID/VC use cases, including in the Web3.0 domain, we would like to see balanced governance that allows VCs to be issued to various wallets. Second, we would like to see the use of DID/VC as a Web3.0 wallet. Although tools for utilizing DID/VC on blockchains have emerged, there are few actual examples and the ecosystem is not mature. We feel that there is a need for initiatives that support researchers, developers, and the entire community without separating Web3.0 and DID/VC. Last but not least, we are considering the use of the My Number Card and Japanese Public Key Infrastructure for VC issuance, etc., but I believe there are issues that need to be sorted out in the future regarding the use in VCs.

That's all from us. Thank you very much.

Chairman Sosuke Nakamura: Thank you very much. I have just received two explanations from each company. First, if any of the committee members have any questions or comments on the presentations so far, please raise your hands or chat with them. First, Mr. Sakae Fuji, the committee member, will speak.

Dr. Sakae Fuji: There were some in .

I have several questions about each of them, but I would like to pick them up. First, the DID/VC consortium. As you said, I understand that the governance of the Issuer is very important. First of all, I thought it would be good to define the division of what can be done with technology and what can be done with rules, and the location of responsibility. For example, looking at the guidelines for the Mobile Driver's License issued by the AAMVA in the U.S., it is required that the Issuer also manage the Wallet to be issued. At the ARF in the EU, there was a discussion on the Trusted List in the latter part, and I think it is being discussed, so I think you have already seen it, but I thought it would be good to refer to it.

Also, I thought the focus was on re-using credentials, but I think it would be better to think a little bit about whether we can reuse documents that really correspond to identification documents and make them good. I would like to ask your opinion. Looking at the materials, it seems that they use certificates that have been confirmed, which were created by a specific bank based on the original identification documents, in various places. From the perspective of the Verifier, you mentioned a credit card company as an example, but this is not about the credit card company doing the identification and identity verification. If you accept the confirmation by the bank, you don't have to do it yourself. I thought it was a scenario in which you accept it because the bank did it. First of all, I didn't understand the meaning of re-using, so I would like to reconfirm it.

And in that case, I think the issuer is the bank, and the bank is responsible for the holder using it everywhere. The original issuer of the ID is, for example, if you use My Number Card, it will be the country, but it is the derived credentials that the bank issued using it and confirmed the identity.

As there is no traceability in this regard, I believe that the minimum requirement for banks is to properly manage the reused credentials, including cancellation, and to properly manage their state. I would like to ask you a little more about how and to what extent they are going to be implemented, how much of what is in the wallet can be deleted, and how it can be revoked after it is presented to the Verifier, as you mentioned in the Trusted List.

Regarding Maina Wallet, I could not clearly read the relationship between blockchains, VCs, and My Number Card. I would like to ask what you are thinking about the meaning of using blockchains. For example, in order to perform governance, the Verifier uses a consortium-type chain to limit the scope of signature verification, and I assumed that this is the meaning, but I would like to ask you about that.

I'm sorry, but that's all for now.

Chairman Sosuke Nakamura: Thank you very much. Then, shall I ask you to answer here?

First of all, I would like to ask DID/VC co-creation consortium.

DID/VC Co-Creation Consortium Shishikura: Thank you for DID/VC Co-Creation Consortium. I believe I have received some advice and questions. I will answer any questions.

With regard to the question of whether it is acceptable for a VC to submit documents equivalent to identification documents, in the scheme I introduced this time, the method stipulated in Article 6 of the Ordinance for Enforcement of the Criminal Proceeds Act is already stipulated in the law as an electronic certification using an identity verification issued by private sector, and from that point of view, it seems that the private sector has already submitted an electronic certification and the government has approved it.

We are only looking at whether it can be technically applied to that, and we have not included in the scope of verification whether private sector can issue an electronic certification equivalent to an identification card.

To be more specific, this F method business operator is an authorized specified certification business operator authorized by the government, but it is also obligated to manage the status of the validity confirmation of the electronic certification issued in the certification process, so if it cannot be updated, it may not be certified in the first place, so I believe that the up-to-date nature of the issuing holder will be ensured.
On the other hand, regarding the issue of whether or not to use the VC issued by the bank for verification at the time of transaction for identity verification, in the examples I introduced today, it is not used as an identification. It is positioned as an optional combination VC that uses the results of the anti-social force check conducted by the bank in combination with MAINA as a supplement.

On the other hand, regarding the question of whether credit card companies that you pointed out can trust the identity verification of banks to conduct transactions, there are already cases in Article 13 of the Ordinance for Enforcement of the Criminal Proceeds Act, which is a method of using bank APIs, but whether VCs can be used in the same way. There are many issues, but I would like to consider them.

Dr. Sakae Fuji: There were some in . The difference from the discussion about bank APIs is the offline scenario as a characteristic of VCs. I think how far you think about this is a good thing about VCs, so if you want to eliminate it, I thought it would be good to think about the meaning of using VCs while considering that it would be fine with federations or APIs.

DID/VC Co-Creation Consortium Shishikura: Thank you for .

Chairman Sosuke Nakamura: Thank you very much. Next, I would like to ask Maina Wallet to give us a brief answer.

MAINA Wallet Co. Tachibana: First of all, Maina Wallet is not a digital identity wallet but a Web3.0 wallet, so in that sense, using blockchains is a base use case.

Therefore, we are considering how DID/VC or credentials can be used in blockchain use cases. This is our view on DID/VC.

Dr. Sakae Fuji: There were some in .

Chairman Sosuke Nakamura: Thank you very much. Next, let's start with the second member, Mr. Kasai.

Committee Member Kasai: I would like to ask DID/VC Co-Creation Consortium a few questions.

Regarding the issue of eligibility on page 17, I believe you have just presented it, and I would like to know if there was such a discussion. After all, I think there is a discussion that it may cost a lot to confirm the governance and eligibility of each stakeholder. Originally, I think there was a sense that once an identity verification is made by a bank, if it is made easy to use, it will be easy for customers to use and the cost will be reduced. However, I think there will be a certain amount of cost to strengthen risk governance. For example, I would like to know if there was a discussion about the balance between cost and this way of doing things in such a consortium, such as whether it would be cheaper or less costly for the Verifier to directly confirm the My Number Card.

DID/VC Co-Creation Consortium Shishikura: Thank you for . As you pointed out, we have not yet been able to verify whether this method, which is business-like, has a cost advantage over Public Personal Authentication when implemented. There are some specific business operators, including financial institutions, that cannot be implemented by MAINA in identity verification, and we need to determine whether they are anti-social forces, which I mentioned earlier. Currently, there is so-called anti-social force information in National Police Agency's database, and some specific business operators can access it, but it is also sensitive information, so not everyone can access it.

The business operator who has access to the database issues the confirmed information at the VC. If this customer is a VC who has been properly checked by us and confirmed that he or she is not a so-called anti-social force, the value that cannot be achieved at MAINA will come out. On the other hand, we cannot confirm that, we cannot directly inquire at the police station, and such business operators collect such information on their own and take measures, and they spend a lot of money, so I would like to judge whether it is reasonable, including the cost of collecting information on anti-social forces, rather than simply whether it is economically reasonable compared to MAINA.

Committee Member Kasai: I understand. Thank you very much.

Chairman Sosuke Nakamura: Thank you very much. Next, Mr. Yoichiro Itakura, please.

Committee member Yoichiro Itakura: One of the attributes that . This may sound like a joke, but when I talk about this kind of thing, I think I should refer to the past cases of a certain financial institution and a certain telecommunications carrier. I thought they were all legitimate companies, but both sides were completely in the hole, and there was a lot of illegal use. Another thing that I have to remember, not by itself, is that bad people are even more rational than we are, and they put all their energy into where there are the most holes and where they make the most money.

Recently, you may not know it, but there is a unique digital local currency business that allows you to buy 15000 yen worth of local currency for 10,000 yen, but it seems that something was not right and it was used illegally.

So, in particular, the issuance of VCs that involve the transfer of money, you said earlier that you would not use it for the transfer of money, but if you are even a little bit thinking about it, I think the basic idea is that you should not enter those whose security is even a little lower than now.

The other is Wallet Provider. As you all know the story of a certain cryptocurrency exchange in the past, it has been analyzed that the problem was probably around that Wallet Provider.

I don't think it should ever happen that you start a business when you don't understand it well. In other words, in the first announcement of the consortium, it was written that basically the bank should be responsible, but I don't think it should happen that you start a business driven by Wallet because you are a bank and you don't understand the system at all, unless you make a system to eliminate it, everything will be done without knowing what it is, you will close down, and Wallet's company will continue to survive.

Also, I understand that you said that you don't want to manage merchant stores. However, since there is basically no merchant store management responsibility, there are various financial law problems. If you design a system with a mechanism that doesn't manage merchant stores, I think at least those involved in consumer protection will never allow it. If you manage merchant stores, the issuer will be responsible for everything. Even so, I think it would be better for you to think about whether it will be profitable or not.

In terms of the system under the Criminal Proceeds Act, we are in the direction of amending the rules as needed to stop dangerous things, and when Japan becomes a hole of inappropriate use, bad people will target such countries and do bad things. They will target the place where there is the biggest hole in the world. I don't think we are in the direction of lowering the level because it may become a business now. The sweetest place in the world will be targeted, so I would like you to prevent that from happening, especially when it involves the transfer of money.

Other than that, of course, you can consider the risk and the proof of qualification, but I think it is necessary to think on the premise that the worst place in the world is targeted where money flows.

I am not asking for any particular answer, but this is my impression.

Chairman Sosuke Nakamura: Thank you very much. I would like to move on to the next question.

Now, Ms. Keiko Itakura, a member of the committee, would like to make a speech.

Ms. Keiko Itakura: Based on what you have been saying so far, I believe it is very important to make the scope clear when considering going forward. As I explained earlier at the beginning, from the perspective of including identification and identity verification, I believe that the risk that an account that has already been identified may be another person at the time of identity verification is another matter. So, I believe it will be important to clarify whether identity verification is talking about how to safely identify the person and whether it is conducting identity verification. In addition, I believe it will be important to properly take care of cases in which identity verification was safe, but session hijacking occurred due to some circumstances in the identity verification, and identity theft occurred. I also have half thoughts and half questions, especially about the case of Maina Wallet.

When considering such VC cases, I believe that revocation management is an important point. If you cannot delete credentials when you want to do so, it will lead to privacy issues, so I think it is necessary to consider this point. If there is anything you are considering, please tell me. The other point is particularly about account linkage with financial institutions. In the past cases, as Professor Itakura mentioned earlier, there were cases in which there were accidents in the identity verification where only e-mail addresses were used for linking, so how to use binding with biometric information and face photo verification will be one point.

I would also like to ask if there are any plans to link such information with biometric information.

Chairman Sosuke Nakamura: Thank you very much. Please let me know.

MAINA Wallet Co. Tachibana: I think there are things like the eligibility of the so-called Issuer, what kind of VC will be issued, and how difficult it will be to manage it, so we are currently very much considering it. In addition, regarding the linking with so-called biometric information, we are currently assuming that we will use Japanese Public Key Infrastructure, but of course we are in the process of considering such things.

Therefore, I would like to reflect the results of various discussions and advice I received at such occasions as needed.

Chairman Sosuke Nakamura: Thank you very much. Commissioner Taki, please.

Committee Member Taki: I have one comment and a question for the DID/VC Co-Creation Consortium. My big comment is that financial institutions, whether they are individuals or companies, are the organizations that confirm the existence of VCs in practice, and by far, among other social functions, they are doing that, so I think it is very good that VCs are provided from them.

My question is that I am also in the position of running an association to promote digital invoices, and as a common story, for example, I often end up saying that I want to make an application. The sender of the invoice, the bank account information on the invoice, and when I send the money, the name of the recipient comes out through the integrated ATM switching service, and I send the money. However, I don't know if this is really the person, but the business ID or LEI is linked, and the LEI becomes very reliable. Until now, it has been thought that the reliability of information sent by fax and digital invoices is the same, but it has changed to a type of information that can be trusted as information on the recipient.

As for such use cases, I would like to ask you frankly if there was any discussion within the consortium, or what your thoughts are. At this time, LEI is often discussed. After all, LEI is a corporate My Number, or I think it is often identified by a corporate unit, but some billing services like ours have different IDs for each department. So, if you have any feelings about the difference between the corporate ID and the business office ID, I would like to ask you to tell me. As far as I can tell, that would be fine. Thank you.

DID/VC Co-Creation Consortium Shishikura: Thank you for . This is Shishikura from DVCC.
In comparison with the trend of EUDIW, there is a debate on whether LEI should be spread as an international standard, but as a function that is attracting attention, it can be used to prove the identity of the company to which you belong and the identity of your employees.

It is possible to issue a different vLEI such as this vLEI for the general manager of XX department and this vLEI for the general manager of △ △ department, so while it is like a My Number for each company, it is possible to issue a VC that goes down to the employees who belong to the company linked below it, so I think it is possible to link it with the one that is issued by the name of the person in charge of the department to which you just mentioned.

Going back to the previous question, when I considered the use case of the receipt, it was discussed whether or not the VC could be adapted to the invoice of the use case linked to the invoice, but I have never been able to discuss in depth.

Committee Member Taki: .

Chairman Sosuke Nakamura: Thank you very much. So I would like to ask Committee Member Tatsuya Nakamura.

Committee Member Tatsuya Nakamura: Maina Wallet, I wonder if the combination with DeFi is a very interesting and desired theme as a person who created the DeFi platform, but from the perspective of how to actually implement it in society. First, I think there was an example of Uniswap, but how to force DeFi business operators to do it, and while people from various countries are throwing transactions, there are accounts that have been verified by the Japanese system for the time being, so what are the steps to make it a rule? Second, without understanding the technical specifications, it is a very naive question, but accounts linked to the authentication system of such a specific country, and after verifying that they are linked, I was curious about how to prevent sales and purchases.

MAINA Wallet Co. Tachibana: Thank you for your question.

As for the first point, the example we are currently presenting is Uniswap, and the current trend is that the DeFi side is such so-called qualified investors, and in order to make it easier for such institutions to use DeFi, we are starting to provide a mechanism to insert middleware.

This time, Uniswap also released a feature called Hooks in V4. Using this feature, you can plug in arbitrary validation logic or something like that. In that case, for example, in our case, we can quickly realize a liquidity pool that can be accessed only from Maina Wallet. In that case, we can separate the pool from a pool where we don't even know who the funds are, so we can realize that we can trade in a clean pool. This is not just Uniswap, but other DeFi have also started similar initiatives recently, so this is an area that we are paying a little attention to. I have a second question. Excuse me, may I ask you again?

Committee Member Tatsuya Nakamura: The second point is how to prevent the trading of accounts that have been declared safe.

MAINA Wallet Co. Tachibana: That's right. Thank you very much. Regarding that, it's an international trend, and we haven't caught up with it, but in the case of Maina Wallet, it's based on Japanese Public Key Infrastructure in the first place, and if you can't enter the PIN, you can't send transactions. In that case, in our case, unless My Number Card and the PIN are stolen or traded, even if we sell the account, we can't operate it.

Committee Member Tatsuya Nakamura: .

Chairman Sosuke Nakamura: Thank you very much. May I have your attention, please? I am sorry that I pushed the time a little bit, but I have received many questions, so I have received your answers. That is all for the introduction of the initiatives, and next, I would like to ask the secretariat to explain this document about the various systems related to VC, which is the purpose of this Advisory Council.

Secretariat (Tonami): This is the Secretariat. Tonami Secretariat will explain about "Various Systems Related to VC" in Appendix 4. Today, I just took a moment to explain briefly.

First of all, the overall explanation is a little long, so I would like to briefly explain the flow. First of all, I would like to explain about the VC this time and the various scopes of the review meeting this time, so I would like to explain them first.

This time, the scope is identity verification, which uses VC, so I would like to explain the challenges and threats in identity verification. In addition, I summarized the relevance to the laws and ordinances, systems, and structures such as PKI, which I mentioned earlier, and points to keep in mind based on the IHV model. In addition, based on the structure and laws and ordinances so far, the secretariat summarized briefly what points we need to pay attention to and what points we need to consider. Finally, I would like to summarize the points that the secretariat would like to discuss at this meeting. I would like to have in-depth discussions on the organization of the secretariat in Chapters 3 and 4.

First, I would like to ask about the subject of the discussion. The theme of this meeting is Verifiable Credential (VC), which is a machine-readable and general-purpose data format that can realize functions such as authenticity and falsification prevention through digital signatures. This may refer to the W3C's Verifiable Credential Data Model itself, but at this meeting, I would like to focus on the issue of digital certificates, including mdoc and other certificate formats, and advance the discussion.

As explained earlier, the scope includes mdoc and other formats.

In addition, this time, we are holding a meeting on the utilization of digital certificates, not limited to the IHV model, and we would like to focus on the Issuer and organize it. There are various points to discuss regarding governance in the IHV model, such as the Issuer, Holder, Verifier, Verifiable Data Registry, Status List Provider, and Wallet Provider, but this time, we would like to focus on the issuance of credentials and the action of the Issuer in the distribution of certificates, not limited to the IHV model.

Lastly, I would like to clarify the scope. In particular, I would like to focus our discussions on applications related to identity verification. However, I believe that there are points to keep in mind not only for VCs for identity verification applications but also for general-purpose VCs, so I hope that you will discuss these points for reference without being too tied down. In particular, at the end of this meeting, I will set aside time to discuss use cases, but I hope that you will discuss these broadly, not only in identity verification but also including credentials and attribution.

I would like to ask about identity verification. As I explained earlier, the scope of this discussion is identity verification. The act of identity verification itself has existed for a long time, but due to the limitations and characteristics of the digital environment, I believe it is increasingly important to prove and confirm who is who and establish their identity, especially in the digital context.

I believe that it is still an important and difficult task to distinguish whether or not someone is a legitimate user and to set standards and definitions, including the current sophistication of deepfake and AI attack methods. However, I believe that it is necessary to organize and discuss the use of VCs based on these threats to ensure their reliability.

Regarding identity verification, which is the scope of this report, for more accurate discussion, I would like to use the terms "Identity Proofing" and "Authentication," as shown on this slide. The term "Identity Proofing" refers to the act of collecting, verifying, and registering user information at the time of initial registration, and the term "Authentication" refers to the act of confirming the identity of the person registered in advance. As for identity verification, I would like to refer to these two terms collectively.

In addition, as a reference for discussions on identity verification, we have included materials from the Advisory Panel on the Revision of the identity verification Guidelines, which is being held in Digital Agency, as a reference. This document summarizes the decomposition of the identification process, threats in each process, and countermeasures against them. We hope that you will use this document as necessary during discussions.

Then, I would like to summarize the relationship with the various regions, systems, and mechanisms in Chapter 3 and points to keep in mind. This time, as a reference for discussions on the utilization of VCs, I would like to roughly apply the IHV model to those related to identity verification in the existing laws and ordinances and those not limited to laws and ordinances, including mechanisms such as public key infrastructure, and organize them. I hope that you will refer to the discussions necessary to improve reliability, including mechanisms such as public key infrastructure and initiatives of industry organizations, not depending on the laws and ordinances.

First, I would like to ask about the laws and ordinances and mechanisms for issuers. First of all, as I have mentioned many times, I believe that examples of PKIs and public key infrastructures include Electronic Signatures in Global and National Commerce Act and compliance with various standards, including the standards of the CA/Browser Forum. In addition, in addition to these standards, I believe that a governance system will be established to ensure compliance with the standards, including investigations, audits, examinations, and penalties. In addition to these, in the first place, with the revocation of certificates and the provision of CP / CPSs, I believe that certification authorities are reliable entities, including standardized technologies, peripheral technologies for the sound use of digital signatures in these PKIs, and practices, and that authenticity in this use has been built up. For reference, I have posted the standards required by the certification standards of the Electronic Signatures in Global and National Commerce Act. I will omit them due to time constraints.

Next, I would like to explain that there are existing laws and ordinances that require an identity verification document. For example, a laws and ordinances that requires a laws and ordinances document is required for administrative procedures and requests for disclosure of retained personal information, and I believe that this reduces the risk of lending, borrowing, or borrowing identity verification documents and increases the certainty of identification.
In addition, with regard to the concept of copying and deriving identity documents and IDs, I believe that one of the digital characteristics is that data can be copied and copied as the original. Even if it is not a copy, I believe that there are cases where another person issues and uses a certificate in the form of copying the contents of a certificate in the form of a derived ID or a Derived ID. In the case of a Derived ID, the certificate holder is the creator of the derivative, and there are some cases where the uniqueness from the original is lost and the management of the original is not sufficient. Therefore, I believe that it is difficult to distribute such documents as documents with the same characteristics as the original without taking additional measures to improve reliability.

Documents issued by public institutions, including the identity verification Documents mentioned earlier, are considered official documents and are treated as having been established by a civil court and as having been prepared based on the will of the person who prepared the document. On the other hand, private documents issued by the private sector, including VCs, are presumed provisions of Article 3 of the Electronic Signatures in Global and National Commerce Act, and I believe it is necessary to prove them by other methods. In order to ensure smooth transactions, including the evidential and substantive evidence of their contents, I believe it is necessary to establish standards and tools and a mechanism to ensure compliance with the standards according to the risks of each form of use and to improve their reliability.

Next, I would like to ask about the laws and ordinances and mechanism for the verifier. I believe that the actions of the identity verification have been conducted in the private sector in a way that does not depend on the laws and ordinances. In particular, for high-risk procedures and procedures that require reliable identity verification, for example, in the form of business laws, we have imposed obligations on the identity verification or established methods of identity verification based on the purpose of preventing fraud and sound development in the regulated industries. In this way, I believe that rules have been established for the verifier depending on the risk.

In addition, as for the verifiers, there are cases where laws and ordinances have been established. In the My Number Card electronic certification in Japanese Public Key Infrastructure and the electronic certification for User Signatures, signature verifiers who verify signatures in the form of ministerial certification are certified by the Minister after confirming that the business facilities and verification methods comply with the standards. Through these, there are cases where a mechanism has been established to ensure appropriate use.

In addition, I believe that it is not limited to VC utilization, but also related to laws and ordinances and mechanisms that do not depend on this process. For example, I believe that there are other points that require consideration for consumers, such as the Personal Information Protection Act, the Telecommunications Carriers Act, laws such as the Penal Code, the rules of app store operators, and other privacy issues. Regarding VC utilization, I believe that there may still be unresolved issues depending on the use case and the form of use, and I believe that these will need to be individually developed.

In addition, as a reference, I would like to introduce an example of credentials that can be used on smartphones regarding the substitute electronic or magnetic record for a card, which was stipulated by the revision of the My Number Act last spring. Regarding the substitute electronic or magnetic record for a card, the laws and ordinances regulate the issuance procedure, the transmission procedure from the user's devices, and the recipient's and verifier's procedures. To be specific, the J-LIS issues the substitute electronic or magnetic record based on the statutory procedures, and the Minister of Land, Infrastructure, Transport and Tourism certifies the program for transmission and the program for confirmation to ensure the reliability and security of its use. Also, as a reference, the My Number Card has various mechanisms in place to deal with unauthorized use as a highly reliable identification card. In general, we believe that there are issues with the reflection of derived IDs and derivative IDs when the original certificate is updated. In addition to the accuracy of the content, we believe that it is an important point of view to ensure the reliability of the issuer itself.

Let me summarize. Since you have time, I will skip this.

Next, I would like to explain what the Secretariat has organized, including the various laws and ordinances I mentioned earlier. First, there are considerations and problems when using VCs, and I believe that problems can arise in the issuance process, such as whether or not the contents of the credentials are true in the first place, and the reliability of the issued credentials. Another point is that even when the issued credentials are true and the contents of the credentials are correct, they are used incorrectly, which is a problem related to the issued credentials themselves and their distribution.

Regarding the identity verification of the process of issuing credentials, I believe that the reliability of the lifecycle and revocation management of credentials, which was also pointed out by the committee members, as well as the reliability of the issuers of credentials themselves exist. In addition, regarding the issues of the issued credentials themselves and their distribution, I believe that there are cases where the issuers and verifiers, in particular, misunderstand each other, misunderstand the performance, and misunderstand that these are the credentials that can be realized and use them.

Based on this, the Secretariat is organizing our response. First of all, there are various issues, but in the end, the Issuer needs to accurately understand what the VC is proving, and communicate it to the Verifier and users so as not to disclose it or misidentify it correctly, and the Verifier needs to accept the VC who can prove it sufficiently after accurately understanding the proof requirements for the purpose of verification and the risks for each use case.

Specifically, we organize information in terms of, for example, who manages the primary information source, whether the information listed is something that can be changed due to a move, such as an address, or something that can be trusted for a long time, even if it is changed, such as a name or gender, the reliability of the issuance process itself, and the disclosure and transparency of information.

In addition, regarding the Derived ID that has been discussed for a while, I have summarized it for your reference. I will omit this detailed explanation, but in the case of Derived ID, I have summarized that there will generally be more places to verify.

In addition, in the Verifier, we will use a VC that can accurately understand risks and provide necessary and sufficient proof according to the purpose. For example, regarding attribution information, attribution information stored in a VC, whether it is used as attribution information or as proof of attributes, whether it is used as proof of eligibility, or whether it is used as a identity verification, which is the scope of this case, I believe that requirements such as the strictness of identity and real-time characteristics will differ.

With regard to the relationship between identification and attributes, generally, identification cannot be done with certificates related to attributes alone, such as graduation certificates or vaccination certificates. We believe that identification must be combined with identity verification documents to confirm whether the person with the name on the identity verification document and the person who is about to apply right now are the same person, and then the name on the certificate related to attributes must be confirmed to match the name on the identity verification document. For such identification, generally, identification cards with photos or Japanese Public Key Infrastructure are used.

Next, the Verifier will accept VCs who can provide sufficient proof after accurately understanding the risks. For example, even if the same student register is a university or a school's student register is the primary source of information, and the issuer and the certificate holder are the same school, the purpose and various risks are different between the graduation certificate and the student ID. For example, there are credentials based on the same source, such as having a face photo, having an expiration date, and being tamper-proof, but I believe that there are various differences in response.

Let me summarize. Based on these discussions, in order for VCs to be used in general society, I believe it is important that they are safe and secure for users and Verifiers. For example, even if they are distributed technologies that can realize privacy-conscious use cases, if they are not used correctly and accidents occur, I believe it will hinder their widespread use. From this perspective, the Secretariat has summarized it in the form of recommending cases with few considerations and significant benefits as initial use cases for VCs. For example, as for the recommended initial use cases for VCs, the requirements and characteristics of cases that are considered to have few considerations and significant benefits, for example, those related to attributes for which the issuer controls the information source and the issuer itself is the certifier, documents used for procedures with a high risk of unauthorized use, trails, and attributes that are not currently available in a machine-readable format and are not accompanied by digital signatures, I believe they can be recommended as initial use cases for VCs.

What I would like you to discuss today is, based on the secretariat's organization, what points should be kept in mind in order to promote safe and secure utilization of VCs for identity verification purposes, in relation to the various laws and ordinances, systems, and mechanisms I have explained so far. I would also like you to discuss from the perspective of what measures are desirable for each business operator, industry, and country to build environments that can be used safely and securely. In addition, as the secretariat in the second half, I would like you to discuss from the perspective of whether the secretariat's organization is appropriate, whether more appropriate measures cannot be considered, and whether there are high-priority points, omitted points, and challenges regarding the contents that I have organized based on the contents of Chapter 3. In addition, finally, based on the discussions so far, I would like you to discuss from the perspective of whether the nature of the initial use cases of VCs that are recommended based on the viewpoints that should be considered is appropriate, whether there are other requirements that must be added even if they are the minimum, and what specific use cases can be considered based on these, in each public and private sector.

That's all the explanation from the office. I'll give it back to Chairman Nakamura.

Chairman Sosuke Nakamura: Thank you very much, Secretariat.

Finally, regarding the points summarized in the discussion, please divide it into three main points and discuss them in the next few minutes. First of all, please raise your hands if you have any points or opinions on the "Relationship with various laws and ordinances, systems, and mechanisms and points to keep in mind," which you explained at the beginning.
Then, Mr. Fuji Sakae, please.

Dr. Sakae Fuji: There were some in , I would like to talk about just one point so that it doesn't get too long. As stated in the document, the biggest problem is that the VC has become vague and it is difficult for verifiers and users to understand what it is used for. On top of that, when we consider the scope of this identity verification document, the biggest problem is that it is difficult for users and verifiers to understand the difference between certificates of My Number Card digitalisation, so-called electronic or magnetic records in place of cards, and digital certificates that indicate identity verification in My Number Card. This is a fairly big problem.

In that case, for example, in the Banking Act, there are legal provisions on the use of the name "bank," and I feel that it is necessary to consider, including the possibility of using some kind of regulations to limit the use of Verifiable Credentials, which have names that remind us of My Number Card. So, I would like to express my opinion on what points should be kept in mind, as stated in A above, such as whether it is possible to make it impossible to use names that are likely to mislead users, and whether it is possible to respond to this with some kind of regulations.

Chairman Sosuke Nakamura: Thank you very much. If there is no need to answer in the middle, I would like to ask the secretariat to answer at the end. Next, Mr. Kasai, please.

Committee Member Kasai:

On the other hand, in the case of alcohol and tobacco, which I am in charge of, although age verification is required, the method has not been decided. In various business laws, there are differences not only in terms of risks but also in the way laws are supposed to be, so I think it is necessary to sort this out.

In addition, although it may be a legal matter, I felt that the government should take the lead in sorting out the situation from the perspective of whether or not any problem will arise regarding the spread of information that only some people have access to through VCs. In some cases, I believe that it may be necessary for the Digital My Number Card Agency to sort out the rules across the board, including from the perspective of the spread of radio stations, in the sorting out of business laws that I mentioned earlier.

Chairman Sosuke Nakamura: Thank you very much. Next, Mr. Itakura, please.

Committee member Yoichiro Itakura: One of the attributes that scheme, there is nothing decided about identity verification in general, and people may be thinking about it at a different level, but since the Criminal Proceeds Act was mentioned, at this point the enforcement regulations of the Criminal Proceeds Act are in the direction of being revised severely. This is being done in the context of comprehensive measures to protect the people from fraud. For example, if the eKYC system is discontinued, the insurance card will also be discontinued. It is easy to say that the minimum level has been reached, but it is also easy to say that it is technically safe, but it is about whether it is safe, including in the context of actual use.
Considering this, as I have already given a general conclusion, I do not think we are in a situation where we can immediately say that the Ordinance for Enforcement of the Criminal Proceeds Act is OK, while the parties concerned are saying that the ecosystem will not be active at this point in the identity verification, which involves the transfer of money.

I would like to reiterate that in the case of a certain financial institution and a certain telecommunications carrier in the past, two companies that represented Japan and had to take responsibility until the very end all made serious mistakes, and I do not believe that the Ordinance for Enforcement of the Criminal Proceeds Act has been modified for the purpose of encouraging new entrants at this point.

Of course, if you have a counterargument, you can say that you will do your best, but for the time being, I would like you to try other things in identity verification that do not involve the transfer of money, and if you can say that you have exceeded all the methods of the Ordinance for Enforcement of the Criminal Proceeds Act that are currently prepared, I think you can use it.

Chairman Sosuke Nakamura: Thank you very much. Next, Commissioner Taki, please.

Committee Member Taki: and Professor Itakura, but I also think that the expressions in this identity verification are based on the Criminal Proceeds Act, and in a sense, some of them are the most strict type. Others are treated as just reference information, and even if they are not related to the Criminal Proceeds Act, they do identity verification, and it would be fine if there is a little trust. There are various gradations in identity verification, for example, there are no rental videos recently, but there is an act of confirming the identity of a person even at the level of making a membership card at such a place. Therefore, I thought that there is a need for discussions in line with those gradations.

For example, when I make a credit card, I write the name of the company I belong to, and in some cases, I receive a phone call from the credit card company to confirm that I am registered. I think this is credit information to confirm that I am registered. Belonging to a large company is a guarantee of a very high level of creditworthiness in Japanese society, so I have one comment that I think it is necessary to explore the point that there is a lot of flavor in such gradation, because I think it is only when such things are used a lot that they become convincing.

Professor Itakura also talked about money transfers. This is similar to the previous discussion about invoices. For example, when you want to send money via Internet banking, depending on the bank, the type of two-factor authentication and when to trigger a high-risk transaction are correct, but I think they are different for each bank.

I would like to apologize for the API debate, but the UK and other countries are doing things like aligning UX. Also, it is very inconvenient to judge risks too strictly. For example, in Europe, parking meters are allowed to take risks. Depending on the ease of use, allowing a little leniency will inevitably occur in areas related to convenience, especially fund transfers. In such a gradation, I thought it would be good to judge something that seems to have many users.

Chairman Sosuke Nakamura: Thank you very much. Ms. Keiko Itakura, please.

Ms. Keiko Itakura: Based on what you have been saying so far, I believe it is very important to make the scope clear when considering going forward. As I explained earlier at the beginning, from the perspective of including identification and identity verification, I believe that the risk that an account that has already been identified may be another person at the time of identity verification is another matter. So, I believe it will be important to clarify whether identity verification is talking about how to safely identify the person and whether it is conducting identity verification. In addition, I believe it will be important to properly take care of cases in which identity verification was safe, but session hijacking occurred due to some circumstances in the identity verification, and identity theft occurred. I will tell you only two things quickly.

As the DID/VC Co-Creation Consortium mentioned earlier, I think it would be good to sort out the points of discussion on how to ensure the eligibility of the issuer. I think it would be good to check who actually examines the eligibility and how, or in terms of audit-resistance, what kind of organization the company should organize in the internal audit.

Also, in terms of dissemination, from the users' point of view, in terms of privacy, if there is no transparency about how the data is stored, who is responsible for it, and how it works, I think it will be a blocker for dissemination, so I think it will be a very important point in the dissemination of VCs to be able to explain this to users with transparency.

Chairman Sosuke Nakamura: Thank you very much. Now that you have all the questions, I would like to hear the comments from the secretariat.

Secretariat (Tonami): This is the , thank you very much for your comments. I am Tonami from the secretariat.

First of all, as Commissioner Fuji Sakae pointed out, I believe it is important to develop environments where people can use the service safely and securely. Also, this time, he pointed out that it is becoming difficult to distinguish between the electronic or magnetic record of the My Number Card card substitute and the certification of identity verification in My Number Card. In this regard, the electronic or magnetic record of the card substitute will be actually used in some places in the future, so we hope to take necessary measures based on the prevalence of VCs.

Next, Commissioner Kasai also pointed out that the perspective of why VCs are used is important. I believe that other committee members also made similar comments, but I believe that there are risks that have been established for each industry depending on how they are treated and how they are used, so I think it is difficult to organize all VCs in the same way, but first, as an actual use case, I would like to organize them in order from the most likely one.

In addition, I believe that I have already been able to show through this meeting and other events that there is such a difference in level, and I believe that I have been actively working on these matters.

With regard to the Ordinance for Enforcement of the Criminal Proceeds Act that Attorney Itakura pointed out, we are not under the jurisdiction of the Criminal Proceeds Act, so it is difficult for us to make specific comments. For example, we are aware that identity verification's methods, such as comprehensive measures to protect the public from fraud and threats to identity verification, including the deepfakes and AI that I mentioned in my initial explanation, are gradually increasing in level, including the fact that attacks are becoming more sophisticated. In light of this, I believe that it is necessary to clearly indicate to the actual issuers and verifiers what threats VCs are able to respond to in terms of VC utilization.

In addition, Commissioner Taki also pointed out that the use case where a little trust is enough has been conducted in a way where the involvement of the national government is not necessary. There is a question as to how far the national government can go about what I am going to say now, but I hope that the hurdles will be removed in the future for the case where it can be done more efficiently digitally, such as the phone call to confirm enrollment that you mentioned as an example.

Lastly, I understand that Commissioner Itakura pointed out that privacy, who is in charge of data, accountability, and the point of decomposition of responsibility should be clarified. I hope that such points can be reflected in the summary of the results of this meeting so that we can explain to users in a transparent manner. That is all the response from the secretariat. I will return it to Chairman Nakamura.

Chairman Sosuke Nakamura: Thank you very much, Secretariat.

As for the next point of discussion, in the materials, you explained the content explained in 4-1 to 4-3 from the viewpoint of "use of VC based on various laws and ordinances, systems, and mechanisms." If there are any committee members who have opinions or comments on this content, please raise your hand and let us know. Now, Committee Member Kasai, please.

Committee Member Kasai: As a point to pay particular attention to, I think it depends on how often the Verifier uses VCs, but for example, if the Issuer is no longer a business operator or the Wallet is no longer a holder, it will be a big problem for the Verifier to use.

Therefore, on page 34, the expiration mechanism and insufficient management of the expiration date are presented as issues, but I think it would be easier to discuss if we focus on what kind of confirmation is required when this function is needed on a sustained basis.
For your reference, for example, the verification mechanism is set forth in the Electronic Power of Attorney Handling Operations of the Electronic Power of Attorney Act, and I believe that such a point will serve as a reference for the expiration mechanism.

I believe that interoperability will be mentioned as an extension of this discussion. What kind of data format will be used for long-term distribution and whether it can be safely distributed are issues that need to be resolved.

Another thing is that it may not be a high priority because it may only be in my industry, but for example, if the business that uses this target VC is used only in the same industry, I am very concerned about whether it will not fall under the Antimonopoly Act. On the other hand, there are some places where it is not possible to have an unspecified number of Verifiers using VCs, so I am very worried about it, but I will present it as a challenge.

Chairman Sosuke Nakamura: Thank you very much. Yes, thank you very much. Mr. Fuji Sakae, please.

Dr. Sakae Fuji: There were some in , but how to confirm the reliability of the Issuer? The CP/CPS was also mentioned as an example. In addition, I think the point will be to consider how to make it machine-readable. For example, in Italy, a method of tracing the trust chain using the OpenID Federation spec and confirming related information is being considered, so I thought it would be good if we could use such a method well.

On the other hand, you mentioned that the identification documents and attribute verification documents listed on page 39 for reference are basically presented together in many cases. Assuming that each certificate is presented at the same time, I believe it is urgent to establish a method that can confirm the binding problem of whether or not the certificates represent the same entity.

Since the EU and other countries are also considering ways to do this, I believe that we should consider keeping in step with other countries, including from the perspective of interoperability, which Mr. Kasai mentioned earlier, and I think it would be good if you could also keep in step with other countries in terms of technical aspects.

Chairman Sosuke Nakamura: Thank you very much. Next, Mr. Itakura, please.

Committee member Yoichiro Itakura: One of the attributes that As I said earlier, if such a mechanism is introduced, the DID/VC Co-Creation Consortium's opinion is that the issuer will be limited to banks, which is based on the premise that there is a certain degree of permanence and social responsibility, but it will be a wallet.

As a whole, in the discussion on the revision of the Act on the Protection of Personal Information Held by Administrative Organ (s) identity verification

In Japan, the service provider is often driven. The vendor has technical, legal, and human resources, and it is common for the vendor to approach the user company to provide the service, which is a slightly perverse situation. It is good as long as the vendor provides various services with considerable social responsibility, but I don't know much about Wallet, but it is easy for new entrants to enter the market, and if it becomes a business because of identity verification at a high cost, there is no need to manage the member stores, and it may be said that it is not so, but it seems to be such a situation, so I will repeat that I would like you to do it on the premise that you properly supervise the contractor for Wallet, do not use it where it doesn't make sense, and properly manage the member stores.

Chairman Sosuke Nakamura: Thank you very much. Next, Commissioner Taki, please.

Committee Member Taki: This may be a little different from the previous theme, but in terms of whether users will actively update the attribute information that is currently being projected, I think it is quite difficult to do so without some kind of procedure and an incentive to suffer a disadvantage if something goes wrong, as is the case with tax returns at this time of the year. Therefore, without taking any active action such as push notifications or Webhooks, I think it will be possible to retain fresh information for the first time with a mechanism to automatically update your information properly.

Next, I would like to talk about Issuer. There are two topics. The token that says it is OK to obtain data on this person's bank account from a bank in the electricity agency business (electronic payment service business) has been circulating for about seven years since the system started, with a cycle in which the holding company receives monitoring from the bank once a year. It is not realistic to receive different monitoring from a hundred and several dozen banks each year, so it is not enough to simply standardize the content and obtain a report from an audit firm on the standardized content. In a sense, a self-regulatory organization comes to see the content once every five to ten years, so it is a practical situation that it secures audits by people who handle such VCs, not banks. The electricity agency business is currently a system that maintains trust at the level of mainly taking a copy of a passbook, but I think that there is only one frequency that can be used as a reference.

When we do this, I think financial institutions are in the position of receiving VC issues in a way, but the major issue is personnel changes. Lastly, to ensure that the content is appropriate, there is a person in charge, and if he or she can get through on the phone, or if we can ask him or her to coordinate to solve the problem when we have a problem, but personnel changes happen once every two or three years, and it often happens that information is not updated properly at that time. Therefore, from now on, when we decide to properly authenticate the issuer, it is necessary to make sure that we can withstand personnel changes, which I think is important.

Chairman Sosuke Nakamura: Thank you very much. I would like to ask Ms. Keiko Itakura, a member of the committee.

Ms. Keiko Itakura: Based on what you have been saying so far, I believe it is very important to make the scope clear when considering going forward. As I explained earlier at the beginning, from the perspective of including identification and identity verification, I believe that the risk that an account that has already been identified may be another person at the time of identity verification is another matter. So, I believe it will be important to clarify whether identity verification is talking about how to safely identify the person and whether it is conducting identity verification. In addition, I believe it will be important to properly take care of cases in which identity verification was safe, but session hijacking occurred due to some circumstances in the identity verification, and identity theft occurred.

Chairman Sosuke Nakamura: Thank you very much. I would like to ask Committee Member Tatsuya Nakamura.

Committee Member Tatsuya Nakamura: It's a little bit rough, but overall, I'm concerned about the Verifier's incentive, or the incentive for the Verifier to use this scheme correctly, and without it, it won't spread, or it could be used in a strange way and accidents could happen.

Specifically, I think Issuer is strong overall, but Verifier is used by a wide variety of services. That is also a kind of good thing about Verifiable Credential, but in the first place, in the case of companies that do not have much development cost or resources, how and with what kind of motivation they can properly operate the various issues of Verification that are raised here.

There are often discussions such as selective disclosure, and I think there are cases where only a part of the data is verified by zero knowledge proof. However, I am concerned about how many companies are willing to implement the verification of zero knowledge proof, which is quite difficult, in the clinical part and ensure security by doing so, so I think it would be good to have discussions on that.

Chairman Sosuke Nakamura: Thank you very much. Thank you very much. I have received your general comments. Overall, I think there will be various points of view, such as how VCs can be used as an extension of the identification and authentication that we have been doing until now, what we need to be careful about, how to improve the accuracy by becoming a VC, what we need to be careful about, how to do what we could not do until now, and so on, so I thought it would be good if there is some sort of document that summarizes how the secretariat as a VC views these points.

Now that we have received your general comments, I would like to ask the secretariat to comment collectively.

Secretariat (Tonami): This is the Secretariat. Thank you again for your various comments.

First of all, Commissioner Kasai pointed out that we need to consider the risk of losing Wallet and Issuer. I think this will depend on the application, but for example, if it is permanent, it may be compatible with blockchain, or it may increase the number of issues, including the set of technologies to be combined, but I think we should proceed with consideration including such issues. In addition, the secretariat has not been able to grasp the issues of the Antimonopoly Act, so thank you for pointing them out.

Regarding the point made by Committee Member Sakae Fuji, I believe that interoperability can be achieved both within the industry and internationally, and I would like to hear your opinions and knowledge on how to balance the discussions.

I believe that Attorney Itakura also pointed out the supervision of cloud services. This is a difficult issue, but I believe that it would be more appropriate if a mechanism such as the certification of Wallet providers is established in the future, and that such matters should be considered in the future.

In addition, I am aware that Rep. Taki pointed out that there are no incentives or disincentives that would be disadvantageous at the wrong time. As pointed out by Commissioner Nakamura, there are some points that cannot be reflected in the materials of this meeting, so I hope that these points can be sorted out in the future.

Thank you very much for the examples given by Commissioner Taki as well. I believe that there are many such examples that the secretariat has not been able to grasp, so I would appreciate it if you would provide us with such examples again.

In addition, as Commissioner Itakura pointed out, the document did not fully reflect the points that the future scope should be easy to understand and that there are differences in identity confirmation and personal authentication, so I hope we can take care of these points so that they are not omitted.

Lastly, Commissioner Nakamura's opinion, as I mentioned earlier about incentives and disincentives, there are a wide variety of people who are physically strong on the issuer side and physically weak on the verifier side in some cases, and I think there is also a question of what kind of certificates will be used. Including such incentives and disincentives mentioned earlier, I hope that we can build a system that can raise trust and a system that can receive incentives for the verifier more than the current system of paper, telephone, and verbal. This is the response from the secretariat. I will return it to Chairman Nakamura.

Chairman Sosuke Nakamura: Thank you very much. Professor Itakura has raised his hand. Do you have any comments?

Committee member Yoichiro Itakura: One of the attributes that Secretariat and in the discussions by Committee Member Sakae Fuji, but in the sense of identity verification, the only thing a VC can do is "identity verification at a certain point in time," and blockchains don't go very well with that. If this is used to confirm attributes, if it's about things that won't change for the rest of your life, things that you've graduated from school, or things about qualifications that you can't be stripped of, it may be good to say that blockchains don't disappear, but I think it's an inappropriate use case that "identity verification at a certain point in time" information is circulated forever without disappearing, which would rather cause confusion.

That's why we are discussing mainly in identity verification, so I can't help thinking that way. For example, regardless of identity verification, what banks can offer is that this person is a VIP or wants to use it for membership. This kind of pattern is usually done in analog, and it's called status match, and if you earn miles and become an advanced member, you can try it at a hotel for up to three months as an advanced member. I think it's good for such things, but in identity verification, in terms of what to combine with, I feel that blockchains are not compatible at all.

Chairman Sosuke Nakamura: Thank you very much. I would like to move on to the third point of contention. Based on the discussions I have just had, what are the recommended forms of use of VCs, and what are their uses and use cases? Please tell us your points and opinions. Please tell us about Commissioner Sako.

Mr. Sako: Up until now, the first and second points have been very specific to identity verification, so as you all said, I was listening to you because I thought the operation would have to be strict from the perspective of protecting consumers.

From that point of view, I agree very much with what Mr. Fujiei said at the beginning, "A new name should be given to a VC specializing in identity verification." When I worked at a private company before, PKI was operated fairly strictly, so even when I proposed a system using public key cryptography, I experienced that everyone shunned the technology just by hearing the three letters PKI, saying, "Public key cryptography? PKI? It's impossible. It's impossible."

When Bitcoins came out, and it became known that Bitcoins also use public key cryptography, I think the sense of rejection of public key cryptography has decreased a little. However, I am worried that the same kind of thing will happen if we discuss VCs limited to identity verification. VCs are just digital data signed by someone else and verified by another person as a format. I think that Commissioner Taki mentioned earlier that there are various gradations in the use of such lightweight VCs, but I thought it would be good to separate those that are strict and those that are not so strict by name so as not to block the use of various gradations.

I would like to make another comment. The topic I talked about earlier is the use of VC based on various laws and ordinances, systems, and mechanisms. As VC is realized digitally, it is possible to do things that could not be done with conventional paper. Commissioner Nakamura also mentioned this earlier. Perhaps the goals of the current laws and ordinances, systems, and mechanisms are consumer protection and fairness. I understand that the essence is very good, but the means are also written in detail. I think that we can achieve the same goals even if the means are slightly different because they are digital, while maintaining the essence. It would be good if we could take this opportunity to review the existing mechanisms.

Chairman Sosuke Nakamura: Thank you very much. I feel that it is quite difficult to say whether the expression "recommended" in this section is preferable from a Digital Agency perspective. As you have already expressed your opinion, there are points to be noted in various use cases, and what should be done first considering what has been done in the past. In this context, I feel that it is not good to use the expression "recommended" carelessly, unless I clarify my stance and state that I should pay attention to conventional approaches and utilization from this point of view, or that I should not say anything in particular about uses that will expand dreams for the future or things that are not issues such as personal authentication.
Then, Mr. Taki, please start.

Committee Member Taki: I would like to repeat what I said to the DID/VC Co-Creation Consortium at the beginning, but to put it in the place written on the right, most of the invoices are not accompanied by a digital signature, and the company that received them is very afraid to transfer money to this account every time, especially at the first transaction.

It's a strange story, but in the sense that we receive invoices in PDF, we input numbers in the corporate internet banking, and send money while thinking whether this is correct, and we do it because the company name is just like this, it is very painful, or there is a risk in the first place, and there is a possibility that it is used illegally, and in the sense that it is not accompanied by a signature, I thought it would be a type that meets quite a lot here.

Of course, there have been discussions recently about how to attach it, for example, whether it can be attached to a digital invoice, or whether it should be an e-seal instead of a VC because it is a digital invoice, so there are various ways to do it, but since Mr. Digital Agency is in charge of digital invoices, there are things that cannot be satisfied by this alone, such as the spread of bank APIs, and various other things are necessary, but I thought it was one of the items I wanted to nudge rather than a recommendation.

Another good point of the current model is that the company that takes the last risk is the one that sends the money. Therefore, I think it is also good that we can make a decision that is not based on the Criminal Proceeds Act by business judgment, big or small. As a business operator, there is a good point that it will be recognized that it will simply make the business easier and less troublesome. Therefore, in that aspect, what I came up with as soon as I saw the first document here was the use case, so I think there is a part that I am expressing a naive opinion, so I think it would be good to deepen the discussion, including going into it, and I will present it.

Chairman Sosuke Nakamura: Thank you very much. Mr. Itakura, please.

Committee member Yoichiro Itakura: One of the attributes that financial institutions can provide is that they are not anti-social forces, but there is a question of whether it is good in the first place, and the opposite is good, I think. In other words, if you ask a credit card company, you can get a place where only VIPs can go, and if you make a mistake, as long as the store pays, there will be no damage, so why don't you start around that point? In other words, third party provision of VIP membership attributes, but that way of doing things doesn't hurt anyone, or at least doesn't run away. When restaurants do it only by word of mouth, it is through regular customers to prevent them from not coming even though they have made a reservation at a restaurant, but if it is an introduction from a bank, it is more like a good customer coming than asking for a reservation randomly, so there is a need, and basically, restaurants and such services for VIPs are provided to an unspecified number of people, and they are not very interested in anyone, and the risk is low, so I thought it would be good to consider it.

Chairman Sosuke Nakamura: Thank you very much. This is not about the VC itself, but rather a business model-like topic, so I thought it would be difficult to sort it out, and I was listening to you. Based on that, I thought it would be good if we could provide information on how VC would spread well.

Please tell us if the Secretariat has any comments on the third point of discussion.

Secretariat (Tonami): This is the Secretariat.

First of all, I believe that you are absolutely right that the opinions expressed by Commissioner Sako this time were specific to identity verification, so they were all strict from the perspective of protecting consumers. In the discussions thus far, I believe you have pointed out various levels and gradations, but in terms of other gradations, what should we be careful about? In the last point given by Attorney Itakura, for example, I believe it is possible for banks to prove that a person is a VIP member, and in the worst case, it would be fine as long as he or she pays, but I believe that we should expand the discussions based on lighter use cases in the future.

In addition, Mr. Sako pointed out that VCs can do things that have not been possible in the past because they are digital. He pointed out that the ultimate goal is fairness, and even if it is consumer protection, it does not mean that all the details required by PKIs must be required. Including those points, in the previous discussion, I mentioned, for example, blockchain and how it can be combined with other technologies to realize what can be achieved, and I believe that sorting out by combinations of such technologies will become even more necessary. In addition, regarding combinations of technologies, it is possible that various ways of use and various combinations of standards will be quite different, so I believe that it will be necessary to gradually align such things in the future.

Also, as Commissioner Taki pointed out, I have received examples of invoices. For such use cases, for use cases that have not been accompanied by a signature in the past, especially for use cases involving invoices or money, for example, even if a PDF invoice is accompanied by a signature, for example, if you type in the amount by hand and the 0 digit is wrong, an accident will occur, and there are use cases that are machine-readable, so I would like to organize them in the future based on such cases.

I think I mentioned what Mr. Itakura pointed out earlier. That's all the response from the secretariat. I will return it to Chairman Nakamura.

Chairman Sosuke Nakamura: Thank you very much. I believe that we have discussed the three points of today's discussion in general, and I would like to return to the secretariat with this.

Secretariat (ISHII): Thank you. On behalf of the secretariat, Mr. Kusunoki Digital Agency, Mayor of Group of Common Functions for Digital Society, will now address the plenary meeting.

Office (Kusunoki): Hello. This is Kusunoki from Digital Agency.

First of all, I would like to thank the committee members for their active discussions. I would also like to thank the DID/VC Co-Creation Consortium and Maina Wallet, who participated as guests, for introducing the use cases that the private sector is actually working on and the issues that the private sector is facing.

Two years ago, the order was that government offices made rules and then various services came into the world, but recently, FinTech, RegTech, and various new things such as AI agents are coming out, and regardless of the speed of government offices, various new things are coming out from the private sector and around the world, so I think it is quite difficult for government offices to think not to be shaken down. In this sense, if there are any laws that need to be reviewed, I think they should be reviewed more and more. On the other hand, there have been various discussions on the lessons learned from PKI. While accredited certification authorities have been slow to grow, the history of various things, such as WebPKI, code signing, and witness type electronic contracts, has been growing rapidly. It was also during the COVID-19 pandemic, so I think that the government is moving forward with various concerns about how it will be involved in the future, and whether it can properly embrace private sector activities and promote innovation.

Identity verification, which was the main topic of discussion today, is an area where strict procedures are established by law, including the Criminal Proceeds Act. Therefore, it is difficult to lead to a specific regulatory reform without thorough discussions based on risks. On the other hand, I believe that there were suggestions that there are actually many things that can be done more conveniently and efficiently than now by making it easier to verify the content of data.

It remains to be seen how we will carry out our activities in the coming fiscal year. We would like to reflect the opinions and suggestions we received today in our future activities. We look forward to your continued guidance and encouragement.

Secretariat (ISHII): Thank you. We will reflect the opinions we received today in the agenda and policies for the next meeting and beyond. Today's meeting minutes will be published on the Digital Agency website after being reviewed by the committee members at a later date.

In addition, regarding the future policy, including the holding of the next meeting, in order to organize the content of today's discussion, I will bring it back to the secretariat and announce it again. I would like to ask the committee members to continue their support.

This concludes the first meeting of the Advisory Panel on Governance in the Use of Verifiable Credentials (VC/VDC). Thank you very much.

End