Establishment of the Authentication platform in Japan. Noboru Machida IT Security Policy Office Commerce and Information Policy Bureau METI / Ministry of Economy, Trade and Industry March 7, 2003. 1. e-Japan Strategy 2. Laws and regulations 3. Authentication platform for
Establishment of the Authentication platform in Japan. Noboru Machida, IT Security Policy Office, Commerce and Information Policy Bureau, METI / Ministry of Economy, Trade and Industry. March 7, 2003
1. e-Japan Strategy 2. Laws and regulations 3. Authentication platform for the State Government 4. Digital signature law
Tackling the e-Japan Strategy
○ Enactment of the IT Basic Law (Basic Law on Formation of an advanced information communication network society) (in force from January 6, 2001)
・Stipulates the basic principle, policy and important plan, and the setting up of the IT Strategy Headquarter, to form an IT society.
○ Decision of 「e-Japan Strategy」 (January, 2001)
・Make Japan the world's most advanced IT nation within five years.
○ IT Strategy Headquarter
○ Drawing up of 「e-Japan Priority Policy Program」 (March, 2001)
○ Drawing up of 「e-Japan Priority Policy Program-2002」 (June, 2001)
・Embody 「e-Japan Strategy」
・Specify the whole picture of the measures the government should implement quickly and as a priority.
○ Established the special board of inquiry about the future state of IT Strategy (November, 2002)
○ Revision of 「e-Japan Strategy」: drawing up of 「New e-Japan Strategy」 (planned for May - June, 2003)
○ Drawing up of 「e-Japan Priority Policy Program-2003」 (planned for June - July, 2003)
From Basic IT Strategy to e-Japan Priority Policy Program
Basic IT Strategy: IT strategy council (November 2000)
e-Japan Strategy: IT Strategy Headquarters (January 2001). World's most advanced IT nation within five years
e-Japan Priority Policy Program: IT Strategy Headquarters (March 2001)
Aims shown on the slide:
・Enable everyone to enjoy the benefits of IT
・Reform economic structure and strengthen industrial competitiveness
・Realize affluent national life and creative community with vitality
・Contribute to the formation of an advanced information & telecommunications network society on a global scale
○ Embody 「e-Japan Strategy」
○ Specify the whole picture of the measures the government should implement quickly and as a priority
○ Drawing up of 「e-Japan Priority Policy Program-2002」 (June 2001)
Structure of "e-Japan Priority Policy Program-2002" - Specify the enforcement term of a concrete measure by each ministry -
5 Priority Policy Areas:
・Formation of the world's most advanced information & telecommunication networks
・Promotion of education and development of human resources
・Promotion of e-commerce
・Promotion of full utilization of IT in the public sector
・Ensuring of security and reliability on advanced information and telecommunications networks
Crosscutting Issues:
・Promotion of R&D
・International cooperation and contribution
・Improvement of digital divide
・Correspondence to an employment problem etc.
・Measure of deepening an understanding of people
"e-Japan Priority Policy Program-2002" (portion on digital signature and authentication), 5 Priority Policy Areas
3. Facilitation of e-commerce
● Smooth enforcement of electronic signature and an authentication system
・Promotion of mutual recognition about authorization of authentication system
・Investigation research on evaluation of the technology concerning the safety and reliability of authentication system
・Spread and education activities to people
● Preparation for international e-commerce environment
・Prepare PKI in the Asian countries / regions
4. Digitization of administration and application of IT in other public areas
● Electronic provision of administration information
● Electronic procedure for application and notification, etc.
● Establishment of public individual authentication infrastructure
● Electronic procedure for Government procurement, etc.
5. Ensuring security and reliability on advanced information & telecommunication networks
● Construction of reliable e-government system etc.
Computerization of administrative procedures. Concrete measures for the computerization of administrative procedures in the 「e-Japan Priority Policy Program-2002」
◆ Enable substantially all procedures between the people and the administration, such as applications and notifications, to be performed over the Internet etc. as early as possible, by the 2003 fiscal year.
◆ Each ministry develops the common base systems for electronic application and notification procedures (an authentication system, and a multi-purpose system applicable to the reception and notification of plural procedures) and starts operation by the end of the 2002 fiscal year.
3. Facilitation of e-commerce
Implemented Policies
Review of regulations
• Revision of Commercial Code to enable the use of the Internet in sending invitations to shareholders' meetings
• Introduction of the "No-action Letter"
Creation of new rules
• Clarification of closing timing of electronic contracts
• Formulation of rules on the scope of liabilities of Internet Service Providers (ISPs)
Appropriate protection and use of intellectual property rights
• Provision to broadcasters of the right to give permission on sending information by third parties
• Clarification of views as to the protection of software being distributed over the Internet
Evaluation
◎ Completed the preparation of basic institution for e-commerce in general
◎ Although the market size of e-commerce is the 2nd in the world, there is a big difference with the U.S.
Future Policies
Enhancement of e-commerce frameworks
• Thorough check of regulations hindering online transactions of companies [CY2002]
• Dissemination of e-commerce guideline for actual use among private companies and consumers [FY2002]
Accelerated promotion of e-commerce
• Facilitation of IT utilization in private companies
> Promotion of IT-related investment, including the identification of tax-incentives [by FY2003]
> Creation of 10,000 leading cases of IT utilization [by FY2005]
• Facilitation of distribution of digital content
> Development of a digital rights management system [FY2002]
Enhancement of consumer protection
• Establishment of an Alternative Dispute Resolution (ADR) framework over B to C e-commerce [FY2002]
4. Digitization of administration and application of IT in other public areas
Implemented Policies
Digitization of the administration
• Introduction of electronic tendering and bid-opening for public works
• Formulation of a basic plan toward the "single window" for import/export and harbor-related procedures
• Submission to the Diet of the laws aiming at enabling all administrative services available online
Application of IT in other public areas
• Formulation of a strategic grand design for digitization in the healthcare field
• Revision of Road Traffic Law to enable private services to provide the data of road and traffic information
Evaluation
• Foundations of electronic government have been steadily constructed.
• Regarding the IT application in public areas, such as healthcare, ITS and GIS, its direction was clarified, and its implementation is expected from now.
Future Policies
Digitization of the administration jointly promoted by central and local governments
• Formulation of action plans for electronic filing of all governmental procedures by each ministry [FY2002]
• Introduction of electronic tendering and bid-opening for all projects of public works under ministerial jurisdiction [by FY2003]
• Establishment of government structures for promotion of e-government [FY2002]
Support to local government
• Presentation to local government of standard procedures for online transactions of major services such as passport issuance [by FY2003]
• Promotion of the use of ASP for the operation of common systems of e-local government [from FY2002]
Application of IT in other public areas
• Formulation of a roadmap toward the world's most advanced Intelligent Transport System [FY2002]
• Promotion of digital archiving of cultural assets and artworks [by FY2005]
• Enhancement of information provision services on reliability of food [from FY2003]
IT image of administration for e-Japan Priority Policy Program [diagram]
Parties and networks: Central / Local Government; People / Enterprise (the contact point with people and companies); METI; Kasumigaseki WAN; Local government WAN; Internet; Net Banking
Points listed: ・Simplification, efficiency and transparency ・Paperless operation ・Information literacy and consciousness reform ・Enrich public services with the use of IT ・High quality of administration service ・Enter into related business
Authentication Platform: Bridge CA; Commercial Registration CA; Private CA; Authentication Service; Government post certificate; Mutual Recognition
Policies for e-government: Digitizing information delivery (electronic provision of administrative information); e-application and notification; e-Procurement; e-annual revenue/expenditure (digitization of revenue and expenditure); Support of Local Government; Review of Legislation / Action Plan; Outsourcing
1. e-Japan Strategy 2. Laws and regulations 3. Authentication platform for State Government 4. Digital signature law
Establishment of related legal system
● Fundamental policy
・Advanced information communication network society formation organic act (IT organic law) (Law No. 144, 2000)
● Promotion of e-commerce
・Law which revises a part of Commercial Registration Law (Law No. 40, 2000)
・The law about electronic signature and authentication work (Law No. 102, 2000)
・The law about maintenance of the related law for use of the technology of the information communication about grant of a document etc. (the IT document bundling-up law) (Law No. 126, 2000)
・The law about the special case of Civil Code about an electronic consumer contract and the notice of electronic consent (Law No. 95, 2001) etc.
● Digitization of administration and full use of IT in public sector
・The law about use of the information communication technology in administration procedure etc. (Law No. 151, 2002)
・The law about maintenance of the related law accompanying enforcement of the law about use of the technology of the information communication in administration procedure etc. (Law No. 151, 2002)
・The law about the authentication work of the municipal corporation concerning electronic signature (Law No. 153, 2002) etc.
Online procedure of administrative application (example)
○ Notification about acquisition and loss of unemployment insurance qualification (10M / year)
○ Grant application of a passport (about 5.8M / year)
○ Grant claim of family register transcript (about 36M / year)
When the administration procedure online law is enforced and an information system is fixed, procedures such as applications and notifications will always be able to be done through the Internet from a house or a company.
○ On the occasion of application / notification, presentation of a copy of the resident card becomes unnecessary
○ Improvement of national convenience
○ Simplification / efficiency of government offices
Action Plan of each Ministry
◆ About 52,000 procedures are to be carried out by means of online
○ About 21,000 procedures belong to G-to-C and G-to-B (application / notification) → All administrative procedures will be shifted to online by FY2003. About 6,700 of the Government procedures, among 13,500, will be shifted to online within FY2002
○ About 31,000 procedures belong to G-to-G (other than application / notification) → All of them will be shifted to online by FY2003 in principle
Point of "Law about the use of information communication technology in administration procedure etc."
● Outline
・A law was newly put in place which enables about 52,000 administration procedures based on a statute, such as applications and notifications between the people etc. and governmental agencies, to be processed online in addition to the document process.
・Online administration procedure is aimed at attaining the simplification and the increase in efficiency of administration management and improvement in national convenience.
・The regulation for a governmental agency performing inspection and perusal, and creation and preservation of documents, by electromagnetic record was also fixed.
・Processes unsuitable for online were listed in the attached table and excluded from the above regulation (face-to-face processes, processes which require the actual thing).
・In force from February 3, 2003
Establishment of public individual authentication platform system
Law about authentication work of municipal corporation related to electronic signature (December 6, 2002 enactment)
○ Institutional purpose
・Improvement of national convenience
・Promotion of e-process and increase in efficiency of government and municipal corporation
○ Institutional structure
◆ Adopting electronic signature
・Signature by asymmetrical key code system (digital signature)
◆ Management organization
・Mayors are in charge of the identification work of applicants, and governors are in charge of electronic certificate issue / revocation information management work
◆ People who can receive issue of an electronic certificate
・People who are recorded in the basic resident register
◆ Verification person of signature
・Governmental agencies etc. (joint processing of plural prefectures is also possible)
・Private CAs who perform specific authentication business and also have a certain amount of reliability (appointed certificate authority)
○ Enforcement
・From the day set by government ordinance, within a period not exceeding two years from the day of proclamation (December 13, 2002)
Outline of public individual authentication service system served by municipal corporation [diagram]
Resident: issue application for electronic certificate (four basic information + public key) at the window of the Mayors (ID check). Four basic information: name, birth date, sex, address
Governor (certificate issue / revocation info. management organization): Prefectural CA, VA, CRL
<Consignment of authentication work> Prefectures can select the appointed CA to which they commit the following works: ・Electronic computer process to offer issue / revocation information of electronic certificate ・Preservation of issue record etc.
E-application over the Internet: Application (flat document) + digital signature (signed using resident's private key) + Electronic certificate (with resident's public key)
Governmental agencies, Private CA …: validity check of electronic certificate (inquiry to CRL) over K-WAN / LGWAN etc. (utilized to identify the resident)
1. e-Japan Strategy 2. Laws and regulations 3. Authentication platform for State Government 4. Digital signature law
Composition image of authentication platform in Japan [diagram] ※BCA: Bridge Certification Authority
Government side (G-to-G, over K-WAN): A Ministry, B Ministry, C Ministry ... X Ministry, Y Ministry, each with a CA; Ministry of Justice (Commercial registration) CA: corporation representative's authentication; Local governing bodies CA; BCA
Private side: Private CA companies; Private Enterprise X; Agent Enterprise Y; agents (judicial scrivener, public notary, lawyer, tax accountant) and their clients; employees
Flows over the Internet: Electronic application (G-to-C, G-to-B), with individual authentication and corporation authentication; Electronic application (Agent), with grant of agent right from a corporation (entrust); Electronic bid; E-Commerce (B-to-C), with individual authentication; E-Commerce (B-to-B), with individual authentication in a corporation
Purpose of government authentication platform (GPKI)
• Structure for checking the rightness and completeness of the electronic document exchanged through Internet etc.
• Apply digital certificate created by public key encryption/decryption method
• Consists of Bridge CA (BCA) managed by MHA and Ministry/Agency CAs managed by each ministry/agency
• Mutual recognition between BCA and Ministry/Agency CAs
• Mutual recognition among Ministry/Agency CAs and Private CAs through BCA (build a trust chain)
Whole image of authentication platform [diagram]
Right-of-disposal person's authentication platform (GPKI): Bridge CA; Ministry/Agency CA; Other State organization CA
Applicant's authentication platform: Commercial Registry CA; Accredited Private CAs; Public individual CA
Also shown: Foreign Government CAs; Local Government CAs
Circumstance of the establishment of Ministry/Agency CA
• Realization of e-government
  「About Millennium project (new 1000 period)」 (The Prime Minister determined on December 19, 1999)
  • Realization of paperless administration procedure using the Internet
• Establishment of government authentication platform (GPKI)
  「Fundamental framework for promotion of electronic application/notification procedure」 (Consented by the administration information system each ministry agency liaison conference on March 31, 2000)
  • MHA, METI and MLIT were required to establish Ministry/Agency CA in precedence
  「e-Japan Priority Policy Program」 (March 29, 2000 IT Strategy Headquarter)
  • All Ministries/Agencies are required to establish their own CA by the end of FY2002
Relationship between e-Government plan and PKI
Realization of e-Government: mitigation of the national burden in administration procedure, improvement in administration service
Electronic procedure
• Problem is how to check ID in the process.
<Establishment of Authentication platform using PKI (Public Key Infrastructure)>
・Application, notification, etc. to Government → GPKI (Government PKI)
・Application, notification, etc. to Local Government → LGPKI (Local GPKI)
【Electronic processing of various certificates】
・Commercial registration transcript, real estate register transcript (Legislative Bureau) → Commercial registration electronic authentication system, Internet registration information provide service
・A resident card, family register transcript → Public individual authentication platform
Role of Ministry/Agency CAs
• Issue government post certificate and open to the public
• Issue of the digital certificate of each government post, such as minister and bureau chief
  • Government post certificate is equivalent to the electronic official seal of an official document
  • Issue actual result (in case of METI): Minister of METI (June 13, 2001), Director-General of the SME Agency (October 22, 2001)
• Open to the public of government post certificate
  • Certificates are stored in the integrated repository of BCA exhibited on the Internet
• Validity of a certificate is guaranteed
  • Provision of CRL information
Timetable of e-Government for state government (FY2001 / FY2002 / FY2003) [chart]
Rows: Application and notification: structure of window, general-purpose reception system; Authentication platform: Ministry/Agency CA, Bridge CA, e-authentication system based on commercial registration, private CA on electronic signature law, public individual authentication service; E-payment of commission; Network construction: LGWAN; Law/Regulation; Procurement: non-public works (e-bid / check), public works (e-bid / check)
Milestones shown: Fundamental specification; Each Ministry/Agency start in-use by FY2002; Each Ministry/Agency install their own CA by FY2002; In-use (Prefectural capital), In-use (District main city), In-use (Whole country); In-use preparation; Development of e-Revenue payment system; In-use (Prefecture); Networking between K-WAN and LGWAN; Fully in-use by FY2003; Maintained by each Ministry/Agency; Integrated procurement DB; Each Ministry/Agency complete by FY2003; Partially in-use; Enhancement; Fully in-use
Timetable of e-Government for local government (FY2001 / FY2002 / FY2003) [chart]
Rows: LGWAN; Basic resident register network; LGPKI; Public individual authentication platform; E-application system
Milestones shown: In-use (prefectures); enhancement (connect to K-WAN etc.); In-use by FY2003 (all organization); In-use of network; Grant of residents basic card; In-use and enhancement (prefectures); Prepare for live run (model experiment); Model experiment (precedence organization); In-use (precedence organization); In-use (other organization)
Online application/notification processing using government authentication platform [diagram]
Applicant → (Internet) → Minister etc.: Application / notification, with certification. Checks: Did the applicant truly draw up the application? Isn't the application altered during transmission?
Minister etc. → (Internet) → Applicant: Notice of permission, approval, etc., with certification. Checks: Did the right person truly draw up the notice? Isn't the notice altered during transmission?
Threats shown: impersonation, alteration
Gov. Authentication platform: issue of Government post certificate; issue of an Applicant certificate; certification confirmation
Currently performing mutual recognition with BCA (as of the end of December, 2002). CAs shown around the Bridge CA: Ministry/Agency CAs (MHA CA, MLIT CA, METI CA, MHLW CA), Commercial Registration CA, Private CA (JCSI), Private CA
Effectiveness of Mutual recognition [diagram]
<Precondition>
• Each CA is attested mutually.
• Mr. Suzuki is attested by the private CA.
• The bureau chief ○○ is attested by METI-CA.
Parties: People/Company: Applicant (Mr. Suzuki), sending the application form; METI: General-purpose electronic application system and the METI bureau chief ○○, sending the notice (permission)
① Application
② Truly Mr. Suzuki?
③ METI-CA trusts Bridge CA.
④ Bridge CA trusts Private CA.
⑤ Is he truly Mr. Suzuki?
⑥ Response
⑦ Is he truly the bureau chief ○○?
⑧ Private CA trusts Bridge CA.
⑨ Bridge CA trusts METI-CA.
⑩ This government post certificate is ○○ of the METI.
CAs and directories shown: Private CA (Applicant), METI-CA (Government), Bridge CA (BCA), linked by mutual recognition; Government post Directory A, Applicant Directory B, BCA Directory C, Private CA Directory D, GCA Directory D
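The trust-path reasoning of steps ③, ④, ⑧ and ⑨, as an added example that is not part of the original slides: each party starts from the CA it already trusts and follows cross-certificates through the Bridge CA until it reaches the issuer of the other party's certificate. The CA names come from the slide; "Other CA", "Other applicant" and the `revoked` set are constructed for illustration, and signature and validity-period checks on each certificate are left out to keep the focus on path building.

```python
from collections import deque

# Constructed certificate store. Each pair is (issuer, subject): "issuer trusts
# subject". CA-to-CA pairs are the cross-certificates created by mutual recognition.
CERTS = {
    ("METI-CA", "Bridge CA"),          # step 3: METI-CA trusts Bridge CA
    ("Bridge CA", "Private CA"),       # step 4: Bridge CA trusts Private CA
    ("Private CA", "Bridge CA"),       # step 8: Private CA trusts Bridge CA
    ("Bridge CA", "METI-CA"),          # step 9: Bridge CA trusts METI-CA
    ("Private CA", "Mr. Suzuki"),      # precondition: attested by the private CA
    ("METI-CA", "Bureau chief"),       # precondition: attested by METI-CA
    ("Other CA", "Other applicant"),   # hypothetical CA with no mutual recognition
}


def build_path(trust_anchor, subject, certs=CERTS, revoked=frozenset()):
    """Breadth-first search from the verifier's own CA to the subject.

    Returns the chain of (issuer, subject) certificates, or None when no
    unrevoked chain exists. `revoked` models entries found on the issuers' CRLs.
    """
    issued = {}
    for issuer, subj in certs:
        if (issuer, subj) not in revoked:
            issued.setdefault(issuer, []).append(subj)

    queue = deque([(trust_anchor, [])])
    seen = {trust_anchor}
    while queue:
        holder, chain = queue.popleft()
        for subj in sorted(issued.get(holder, [])):
            link = chain + [(holder, subj)]
            if subj == subject:
                return link
            if subj not in seen:          # avoid looping METI-CA <-> Bridge CA
                seen.add(subj)
                queue.append((subj, link))
    return None


if __name__ == "__main__":
    # METI checks the applicant (steps 2-5), the applicant checks the notice (7-10).
    print(build_path("METI-CA", "Mr. Suzuki"))
    print(build_path("Private CA", "Bureau chief"))
    # If the Bridge CA revokes its cross-certificate, METI can no longer reach him.
    print(build_path("METI-CA", "Mr. Suzuki",
                     revoked={("Bridge CA", "Private CA")}))
```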
1. e-Japan Strategy 2. Laws and regulations 3. Authentication platform for State Government 4. Digital signature law
What is electronic signature and authentication work
Electronic signature: measures performed in order to show the creator of electromagnetic information, by a method with which an alteration is verifiable
Authentication work: business proving that the user performed the electronic signature using his own code key
[diagram] A sends the document "Order 100 computers, A company" to B.
Transmission (A): the electronic signature is made by encryption with A's private key (only A owns it).
Reception (B): the electronic signature is decrypted with A's public key (anyone can know it, carried in the certificate) to verify alteration.
• The private key and the public key are a key pair. Data encrypted with one key can only be decrypted with the other key.
• A requests the authentication entrepreneur to issue the electronic certificate. By it, he proves that he is the owner of the public key.
• B checks the validity of the received electronic certificate.
• If it is effective, he decrypts the electronic signature using the public key of A, and verifies whether it has been altered.
Image of electronic signature and authentication work based on a public-key crypto system [diagram]
Certification Authority (CA): request registration (identify applicant); issue (digital certificate); register electronic certificate and register CRL in the Repository (provision of CRL information)
User A (CA user): application (issue of electronic certificate); receipt of electronic certificate (certificate with A's public key)
Transmission: Digital data (flat text) → Hash function → Message digest → Encryption → Electronic signature; the digital data (flat text), the electronic signature and the certificate are sent
Reception, Receiver B (Verifier): validity check of electronic certificate → effective public key of A; Electronic signature → Decryption with A's public key (pair of private key) → Message digest; Digital data (flat text) → Hash function → Message digest
Coincide ⇒ Non alteration. Don't coincide ⇒ Alteration
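The flow on the last two slides (hash, private-key operation, certificate validity check, public-key operation, digest comparison), as an added example that is not part of the original deck. The keys are constructed from publicly known Mersenne primes and give no security, the certificate layout and the names `issue` and `receiver_check` are assumptions, and the unpadded RSA shown mirrors the slide's "encrypt the digest" model rather than a deployable scheme.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by both demo keys


def demo_key(p_exp, q_exp):
    """Constructed RSA key from two Mersenne primes: publicly known, demo only."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (modulus n, private exponent d)


def digest(data: bytes) -> int:
    """Hash function -> message digest, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, n: int, d: int) -> int:
    """'Encrypt' the digest with the private key. Real systems add padding
    (PKCS #1); raw RSA is used here only to match the slide's picture."""
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, n: int) -> bool:
    """'Decrypt' the signature with the public key and compare the two digests."""
    return pow(signature, E, n) == digest(data)


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    public_n: int          # the subject's public key (modulus)
    ca_signature: int = 0  # CA's signature over the fields above

    def tbs(self) -> bytes:
        return f"{self.serial}|{self.subject}|{self.public_n}".encode()


CA_N, CA_D = demo_key(1279, 2203)   # certification authority's key pair
A_N, A_D = demo_key(521, 607)       # user A's key pair


def issue(serial: int, subject: str, public_n: int) -> Certificate:
    """CA: bind the subject's name to the public key by signing both."""
    unsigned = Certificate(serial, subject, public_n)
    return Certificate(serial, subject, public_n, sign(unsigned.tbs(), CA_N, CA_D))


def receiver_check(data: bytes, signature: int, cert: Certificate, crl: set) -> str:
    """Receiver B: certificate validity first, then the signature itself."""
    if not verify(cert.tbs(), cert.ca_signature, CA_N):
        return "certificate not issued by CA"
    if cert.serial in crl:           # inquiry to the repository's CRL
        return "certificate revoked"
    if not verify(data, signature, cert.public_n):
        return "altered"             # digests do not coincide
    return "valid"                   # digests coincide: no alteration


# Constructed sample message, taken from the wording on the slide.
ORDER = b"Order 100 computers - A company"
CERT_A = issue(1001, "A company", A_N)
SIGNATURE = sign(ORDER, A_N, A_D)

if __name__ == "__main__":
    print(receiver_check(ORDER, SIGNATURE, CERT_A, crl=set()))
    print(receiver_check(b"Order 900 computers - A company", SIGNATURE, CERT_A, set()))
    print(receiver_check(ORDER, SIGNATURE, CERT_A, crl={1001}))
```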
Contents of the Electronic Signatures Law (enacted on May 31, 2000, enforced from April 1, 2001)
A. Presumption that the rightness of an electromagnetic record was approved
Clarify the handling of electronic signature on the law: presume that the rightness of an electric document to which electronic signature by him is given was approved (Article 3)
B. Authorization system about specific authentication work
Introduce the authorization system over reliable authentication work
① Authorization of authentication work (Article 4-16)
② Appointed examination organization etc. (Article 17-32)
③ Penalty regulations (Article 41-47)
C. Other necessary things
① Assistance to the specific authentication work by the minister in charge etc. (Article 33)
② National measure, educational activities to people and publicity work (Article 34)
Purpose: by achieving the smooth use of e-signature, accelerate the information circulation and information processing using the electromagnetic medium → Carry out the social economy activity smoothly through network → Improvement of the people's life, and healthy development of national economy
A. Presumption of the authenticity of a digital document
[Handwriting signature and sealing]
○ Code of Civil Procedure (Article 228 Paragraph 4): 「private document is presumed to be what was materialized correctly when there is a signature or sealing of him or its representative」
(Document) When there is [signature or sealing of him] (sign or seal) → Presume that the document was approved to be right (made based on his intention)
Implementation of similar structure
[Electronic Signatures]
○ The Electronic Signatures Law, Article 3: 「The information created by the electromagnetic record is presumed to be what was materialized correctly when the electronic signature of it is done by him」
※ Electronic signature: measures performed in order to show the maker of electromagnetic information, by a method with which an alteration is verifiable
(Info) When there is (electronic signature of him) → Presume that the electromagnetic document was approved to be right
B-1. Authorization system about specific authentication work
[Law about electronic signature and authentication work]
○ Specific authentication work (Article 2 Clause 3): performed about electronic signature which suits certain standard
○ Introduction of an arbitrary authorization system (Article 4): show the judgment standard of the reliability about attestation business
Standard of authorization: ・System of electronic signature ・Equipment for office work ・Way to identify an applicant is truth or not ・Other way of office work
Reexamination of authorization standard: ・Ensure the safety of electronic signature ・Cope with the new electronic signature system ・Cope with the new business model, etc.
Nation and authentication entrepreneur: Application (voluntary); Authorization (office site survey can be carried out by the appointed research institute specified by the state)
Notes: A foreign authentication entrepreneur is also able to receive authorization
Image of digital signature and authentication work: the Sender applies for issue of an electronic certificate; the Authentication entrepreneur issues the certificate; the Sender sends an e-signed electronic document with the certificate attached; the Receiver performs a validation check of the certificate
By displaying the authorized work, it becomes possible to identify whether the applicant is true or not
B-2. Necessary condition, result and duty for authorization
1. Necessary condition for receiving authorization (Article 6 Clause 1)
① Equipment used for business (No. 1)
・Severe storage of the private key used for authentication business
・Use of equipment which has safety and reliability etc.
② Check method whether the applicant is true or false (No. 2)
・Ask for presentation of the certificate which a public organization issues
③ Other business process (No. 3)
・Define business management regulation and attempt suitable authority distribution
・Suitable indication of CRL etc.
Those who were condemned to a punishment of confinement or heavier, or to a punishment for violation of this law, or whose authorization was canceled, cannot receive authorization during a fixed period.
2. Result of authorization
○ Can display that the concerned business has got authorization (Article 13 Clause 1)
・Trust standard of authorized company
○ In a trial, Article 3 (presumption) becomes easy to be effective.
3. Duty of authorized authentication entrepreneur
○ Preservation duty of the check data on whether the applicant is true or false etc. (file preservation duty) (Article 11)
○ Using applicant check data for other purposes is forbidden (Article 12) etc.
4. Penal regulations
○ Penal regulation about the act in which a user does faithless proof to an authorized authentication entrepreneur etc. (3 or less years of penal servitude, or a fine of ¥2M or less) (Article 41) etc.
C. Other necessary things
1. Assistance about authorized authentication business etc. (Article 33)
Investigation and research by the minister in charge
① Evaluation method of digital signature technology (code technology etc.)
② Evaluation method about the means of security maintenance for authentication business
1) Offer information and advice to authorized authentication business providers and their users, and other assistance
2) Reflect to the standard of authorization system
◆ Establishment of a procedure required for international mutual recognition of authorized authentication business
◆ Notification of CA public key information
◆ Reexamination of digital signature system
◆ Issue of the certificate by the user discernment function
2. Measure performed by the state government (Article 34)
Educational activities and publicity work by the state government
1) Foster the understanding of people
2) Promote smooth utilization of digital signature and authentication business
① Nudge about digital signature handling and proper key management
・Treat in the same manner as handwriting signature and sealing
・Prevent the disclosure of the private key etc.
② Make the authorization system of authentication business well known
Legal system of each country about digital signature
Decide upon the legal system about digital signature and authentication in every country in the world
Shown on the map: Canada, USA (Federal law), EC (EU), UN (UNCITRAL), Korea, Japan, Malaysia, Singapore, Australia, New Zealand
EC (EU): Member nations are working jointly to establish the unified legal system within the area about digital signature and authentication according to the EC Directive
UN (UNCITRAL): Adopted the digital signature model act in order that each country promotes the preparation of the act related to digital signature
It is the world tendency to adopt what has the following functions as a definition of digital signature, like the definition in the digital signature law of Japan.
・Peculiar to an individual and possible to specify an individual.
・A signature means is under control of a signer completely
・Technically neutral
・The existence of an alteration is verifiable.
Thank you http://www.meti.go.jp/policy/netsecurity/ Office of IT Security Policy, METI, Japan TEL: +81-3-3501-0397 FAX: +81-3-3501-6639 mailto: machida-noboru@meti.go.jp