On July 7th, the Digital Agency announced the FY2023 Interim Report on the revision policy, prepared by the Experts' Meeting on the "DS-500 Identity Verification Guidelines". Overall, it is a very well-organized document.
The outline of the interim report is as follows:
Overview of the Interim Report
Introduction
- This document is an interim summary of the guideline revision policy (including proposals) as of fiscal year Reiwa 5 (FY2023), along with items for future consideration, and is not a finalized revision policy.
- The final revision policy will be reviewed based on the opinions of experts and then finalized after coordination with relevant parties.
Terminology and notation
- The terms and expressions used in this document are defined within this document and do not define the terms in the revised Identity Verification Guidelines.
Future considerations
About terminology definition
- Reexamination of the translation of the word "Validation"
- Reexamination of the translation of the word "Federation"
- Reexamination of the translation of the term "Biometric Comparison"
- Review and update of the definitions of terms in the current guidelines
Overview of the proposed revision of the identity verification guidelines
Main changes
- Changes to the scope and name of the guidelines
- Explanation of basic concepts such as mission execution
- Definition and explanation of the identity verification framework
- Review of some of the assurance levels and measures standards
- Complete overhaul of the risk assessment process
Table of contents of the proposed revised guidelines
- Introduction
- Identity Verification Framework
- How to consider identity verification methods
  - 3.1 Business process restructuring (BPR) of target procedures with digitalization in mind
  - 3.2 Identifying risks related to identity verification
  - 3.3 Determining the Assurance Level
  - 3.4 Choice of identity verification method
  - 3.5 Documentation of study results
  - 3.6 Continuous Evaluation and Improvement
- Reference materials for identity verification guidelines
  - Reference Material 1: Risk Assessment Worksheet for Identity Verification
  - Reference Material 2: Examples of identity verification methods corresponding to assurance levels
Key revisions to the identity verification guidelines
① Changes to the scope and name of the guidelines
- Include face-to-face identity verification in addition to "online identity verification"
- "Individuals or Corporations" has been split into separate volumes for individuals and corporations
- Consider future expansion from "administrative procedures" to internal affairs
② Explain basic concepts such as mission execution
- "1.5 Basic Concept" has been newly established to explain mission achievement, fairness, privacy, usability, etc.
③ Defining and explaining the identity verification framework
- Added definitions and explanations of identity verification, identity authentication, and authentication linkage
- Added explanation of the general model when using authentication federation
④ Review of some of the assurance levels and measures standards
- Review of identity assurance levels and identity authentication assurance levels based on the revision of xAL in NIST SP 800-63-4
⑤ Completely review the risk assessment process
- The entire risk assessment process will be reviewed to ensure that methods are selected with consideration given to fairness, privacy, etc.
- Expanded reference materials to assist risk assessment
Impressions and Comments
As many of you may know, I also sit at the bottom of the panel of experts. Therefore, I am truly grateful to the secretariat who compiled this document. On the other hand, many of the points raised at this meeting are included in the "Future Considerations" that are presented from time to time in the materials. I would like all readers to carefully read these pages.
For example, in the "Wallet Model" on page 19, there is something called a "registry" and behind it is an ID provider. This registry is not very clear, is it? In reality, there is an operator, and in the EU Digital Identity Framework, it is called a wallet provider. It is very important to be aware that there is an operator here, and it has been pointed out in Europe that wallet providers are also ID providers. In that sense, there is a problem with writing the ID provider behind the wallet provider. In the EU Digital Identity Framework, the "ID provider" referred to here is an "attribute attestation provider" (called a claims provider in OpenID terminology). This is written in "Continued consideration of the wallet model (tentative name)" on page 23.
YouTube Live Streaming
It's been a month since my last YouTube Live broadcast. I'm worried that I might forget how to do it, so I'd like to hold a reading session over a drink this Friday around 23:00.