Digital Certification in Brazil

Below, advertising

Valid HTML 4.01!

Valid CSS!

Advertising by Google

PKI Brazil - Law

Read also:
«Digital ID in Brazil.
«Laws in Brazil.

The PKI Brazil was legally created by Provisional Measure 2.200, last issued on August 24th 2001.

Below, full text of the MP.
Original text is in black.

Comments by the author of this page are in blue.

Provisional Measure 2.200-2, August 24th 2001.

Institutes the Brazilian Infrastructure of Public Keys - ICP-Brasil, changes the National Institute of Information Technology into an autarchy and adopts other measures.

Site of ITI:

The President of the Republic, in use of the enpowerments seth forth by Article 62 of the Constitution, enacts the following Provisional Measure, with force of law:

Art. 1. It is henceforth created the Brazilian Public Key Infrastructure - PKI Brasil (ICP-Brasil), to guarantee authenticity, integrity and juridical validity of documents in electronic media, of supporting applications and habilitated applications which utilize digital certificates, as well as the implementation of secure electronic transactions.

In Portuguese, PKI translates as ICP - Infra estrutura de Chaves Públicas.
Brazilian official documents make reference to ICP - Brasil only; the English PKI - Brazil is used by technical people outside the Government; in this document we may use ICP - Brasil or PKI - Brazil.

Art. 2. The ICP-Brasil, whose organization shall be defined in by-rules, shall be composed by a policy gestor authority and by the chain of certifying authorities composed by the Root Certifying Authority - AC Raiz, by the Certifying Authorities - AC and by the Register Authorities - AR.

In Portuguese, the English terms Root CA, CA and RA are often used by technical people outside the Governmetn, but official documents refer only to AC Raiz, AC and AR.

Art. 3. The function of the policy gestor authority shall be exercized by the Gestor Committee of ICP-Brasil, subordinated to the Civil House (Chief of Staff) of the President of the Republic and composed by five representatives of civil society, members of interested sectors, appointed by the President of the Republic, and one representative fromeach of the following bodies, appointed by their principals:
I - Ministry of Justice;
II - Ministry of Finances;
III - Ministry of Development, Industry and Foreign Trade;
IV - Ministry of Planning, Budget and Administration;
V- Ministry of Science and Technology;
VI - Civil House of the Presidency of Republic;
VII - Office of Institutional Security of the Presidency of Republic.
§ 1º The coordination of the Gestor Committee of the ICP-Brasil shall be exercizes by the representative of the Civil House of the Presidency of Republic.
§ 2º The representatives of civil society shall be assigned for a period of two years, the reconduction being permitted.
§ 3º The participation in the Gestor Committee of the ICP-Brasil is of relevant public interest and shall not be paid for.
§ 4º The Gestor Committee of the ICP-Brasil shall have an Executive-Office, as prescribe in by-laws.

This articles shows that the ICP Brasil should be managed by several sectors of the Government.
However, even though the Gestor Committee had the above composition, there are a few key members: the Chief of Staff (the interface between the Government, the Congress and the society), the Office of Institutional Security (the Military Advisory to the President) and the Ministry of Finances, particularly the powerful revenue agency Receita Federal (probably the main reason for the creation of ICP-Brasil had been the attempt to increase tax collections in Brasil - read more here).

Art. 4. The following are competences of the Gestor Committee of ICP-Brasil:
I - to adopt necessary measures to create the ICP-Brasil;
II - to establish the policies, the criteria and the technical rules for the habilitation of the ACs, ARs and other support services of the ICP-Brasil, in all levels of the certification chain;
III - to establish the policy of certification and the operational rules of AC Raiz;
IV - to homologate and audit the AC Raiz and respective service providers;
V - to establish guidelines and technical norms for implementation of polices of certificates and operational rules of ACs and ARs and define levels in the certification chain.
VI - to approve certificate policies, certification practices and operational rules, habilitate and authorize the operations of ACs and ARs, as well as authorize the AC Raiz to issue the respective certificate;
VII - to identify and evaluate the policies of external PKIs, negotiate and approve agreements of bi-lateral certification, crossed certification, rules of inter-operability and other means of international cooperation, certificate, as needed, their compatibility with the PKI-Brasil, respected the provisions of international treaties, agreements or acts; and VIII - to update, adjust and revise procedures and practices established for PKI-Brasil, overlook their compatibility and promote the technological updating of the system and its conformity with security policies.
Sole paragraph. The Gestor Committee may delegate assignments to AC Raiz.

Art. 5. The AC Raiz, highest authority of the certification chain, executive of the Certification Policies and technical and operational rules approved by the Gestor Committee of PKI-Brasil, is competent to issue, distribute, revoke and manage the certificates of the AC one level below, manage the list of issued, revoked and expired certificates, and execute auditing activites of the AC and the AR and the service providers, in conformity with the technical guidelines and rules established by the Gestor Committee of the PKI-Brasil, and exercize other attributions assigned by the gestor authority.
Sole paragraph. The AC Raiz is forbidden from issuing certificates to the final users.

The Root Certificate of ICP-Brasil was issued and is guarded by SERPRO, a federal State owned company which was created about 40 years ago to be the technological branch of Receita Federal.
The ITI is in close relations with Receita, which in turn is in close relations with SERPRO.

Art. 6. The ACs, entities authorized to issue digital certificates linking pairs of criptographic keys to the respective holders, are competent to issue, distribute, revoke and manage the certificates, as well as making available to users the lists of revoked certificates and other information regarding the recording of operations.
Sole paragraph. The pair of criptographic keys shall be generated always by the very holders and the private key shall be of their exclusive control, use and knowledge.

Any organization, public or private, which satisfies the demands of ITI can apply to become an AC. This page lists the most important ACs. Among current ACs, we see: Certisign, the Brazilian branch of world leader Verisign; SERPRO and Receita Federal; SERASA, the largest (private) rating company in Brazil; Caixa Econômica Federal, a large federal saving accounts bank; other public organizations, subordinated to the Government, the Congress, the Justice.
Besides complying with the requirements of ITI, starting an AC requires money (a high fee must be paid), reaching (the AC must have access to a large number of clients), knowledge (to setup the structure and find capable workers); responsibilities are high (see article 10 below). So, it is unlikely that we ever see a large number of ACs in Brazil.
The sole paragraph of this article makes it clear that the users must generate their own pair of keys; usually, the pair is generated by a smart cart. That pair is brought to the AR (see article 7) and, after the AR agent confirms identity of the user, the public key is sent to the AC to generate the digital certificate, and the private key remains stored in the smart card (the private key never leaves the card). Read more about key generations in comments to article 7.

Art. 7. The ARs, entities operationally subordinated to ACs, are competent to identify the users in their presence, request certifications to the ACs and keep records of their operations.

Each AC maintains their own group of ACs, and respective agents.
The ARs have the incumbence of checking the identity of individuals and corporations, and request the issuing of the respective certificates. There are strict rules issued by ITI and the ACs which determines whe way that an AR must opeate.
The most important point is: the candidates to a certificate must come in person before an AR and produce documents which prove their identities.
Individuals must bring physical IDs, photos and an address proof; they must sign the certificate request before the AR agent. Corporations must send representatives with due procurements, proof of existence (such as social contract), proof of address.
If the AR is fully convinced of the identity of the applicant, then a request is sent to the AC to validate the keys and generate the Certificate.
Within a few days, the AC creates the certificate (by signing the public key of the user with the AC private key) and sends a message to the user and the AR; the user can then connect to the AC site and download the certificate to its card.
As mentioned in article 6, the users must bring their own pair of keys. However, what happens most of the time, is that the AR sells the smart card and helps the user create the pair of keys; later, when the certificate is ready, the AR helps the user download the certificate to the smart card.
Currently (early 2009), only SERASA and SERPRO sell certificates to individuals and corporations; the other ACs only issue certificates to internal users. A typical certificate, valid for three years, including smart card and car reader, is going (early 2009) for R$ 380 (or R$ 123 per year, or about US$ 60 per year). Check out prices of digital certificate in Brazil.

Art. 8. Observed the criteria to be established by the Gestor Committee of the PKI-Brasil, both public bodies and private persons may be habilitated as AC and AR.

Art. 9. The ACs are forbidden from certifying any level other than the one immediately below, except in cases of side certification or crossed certification, previously approved by the Gestor Committee of PKI-Brasil.

Art. 10. The electronic documents mentioned by this Provisional measure shall be considered, for all legal purposes, public or private documents.
§ 1º The statements appearing in electronic documents produced with utilization of certification processes overlooked by PKI-Brasil are presumed thruthful in regards to the signers, as provided by art. 131 of Law 3.071, January 1st 1916 - Civil Code.
§ 2º The provisions of this Provisional Measure shall not preclude the utilization of other means probatory of authorship and integrity of electronic documents, including means which utilize certificates not issued by PKI-Brasil, as long as the means are admitted as valid by the parties or accepted as valid by the person to whom the document is opposed.

This is probably the most important article of this Law.
First, it gives legal status of document to all the files signed by a key generated under ICP-Brasil.
So, while formerly there could be a dispute whether an e-mail message could or not be considered a legal document (presented in a Court, for example), now there is no doubt: if the message is signed with an ICP-Brasil key, then it is a document.
Furthermore, the § 1º of this article assigned to the digital signature the exact same legal value as the hand signature. The article 131 of the Civil Code is the one which established that statements undersigned by a person are presumed thruthful in regards to the signer. Notice: a new Civil Code was approved in Brazil, Law 10406, January 10th 2002; the article regarding validity of hand signatures changed article, but maintained the content; check out article 219 of the New Civil Code.
This means that any situation in which a hand signature was valid, now a digital signature is also valid, with exactly the same legal force.
These two facts combined (namely: digital documents have the same value as paper documents; and digital signatures have the same value as hand signatures) establish a new legal frame for transactions in the digital world.
The § 2º leaves a door open for other PKIs to be accepted as legally binding. However, because other PKIs would lack the credibility of Government backed ICP-Brasil, it is very unlikely that any would prosper. It is possible, however, that another country creates their own PKI, which could be recognized in a transaction involving parties from both countries.

Art. 11. The utilization of electronic documents for tax purposes shall observe, additionally, the provisions of art. 100 of Law 5.172, October 25st 1966 - National Tax Code.

Art. 12. The Instituto Nacional de Tecnologia de Informação - National Institute of Information Technology, with seat in the Federal District, has status of autarchy, subordinated to the Ministry of Science and Technology.

Art. 13. ITI shall be the Root Certyfing Authority of the Brazilian Public Key Infrastructure.

Art. 14. In the exercize of the respective assignments, ITI shall conduct auditing activities, applying penalties, as prescribed by law.

Art. 15. The basic structure of the ITI shall comprise a President, a Director of Information Technology, a Director of Public Keys Infrastructure and a General Attorney.
Sole paragraph. The Directors of ITI may be established in the city of Campinas, State of Sao Paulo.

Art. 16. To pursue their objectives, ITI shall be allowed to, as prescribed in law, contract third party services.
§ 1º The Director-President of ITI may request, for office in the Directorship of Public Key Infrastructure, for term not longer than one year, civil servants or militaries, and employees of entities of Federal Public Administration, for any necessary duty.
§ 2º The persons requested as per this article shall have assured all rights and benefits of their original offices.

Art. 17. The Executive Power is authorized to transfer to ITI:
I - the technical assets, the rights and duties of the Instituto Nacional de Tecnologia da Informação; and
II - remove or reorganize the budget of the budgetary law of 2001 to adjust to the new legal frame.

Art. 18. While the General Attorney is not created, the ITI shall be represented in Court by the General Advocate of the Union.

Art. 19. All acts practiced under Provisional Measure 2.200-1 are co-validated.

Art. 20. This Provisional Measure shall be valid since the date of publication.

Brasília, August 24th 2001.
Fernando Henrique Cardoso.

Back to Top