November 1 2001

New Resolutions Regulate Public Key Infrastructure

Barretto Ferreira e Brancher Sociedade de Advogados | E-commerce - Brazil

Ricardo Barretto Ferreira da Silva

Resolution 1
Resolution 2
Resolution 3
Comment


Before the enactment of Provisional Executive Act 2200 of June 28 2001 no legislation governed the legal validity of electronic documents produced between individuals, although several bills of law had been discussed in the Legislative Branch. The act established the Public Key Infrastructure (ICP-Brazil) and addressed the validity of electronic documents executed online.

Relevant aspects of the act are summarized in Provisional Executive Act Acknowledges Validity of Electronic Documents.

On September 25 2001 three complementary resolutions of ICP-Brazil's Management Committee were enacted. These regulations define the structure and operation of ICP-Brazil, and outline the procedure for issuing certificates and security keys. ICP-Brazil uses asymmetrical cryptography in order to guarantee the authenticity and integrity of electronic documents.

Resolution 1

Resolution 1 of September 25 2001 establishes the practices and procedures employed by ICP-Brazil's Root Certification Authority (Root CA) and adopts the RFC 2527 standard (Internet X.509 Public Key Infrastructure - Certificate Policy and Certification Practices Framework).

The Root CA issues ICP-Brazil's highest-level certificate, which contains the public key that corresponds to its private key. The private key is used to sign:

  • the Root CA's own certificates;
  • the certificates of its lower certification authorities; and
  • its list of revoked certificates.

Resolution 1 regulates only certificates that are issued by the Root CA for itself or its immediately lower authorities.

The objectives of these certificates are the identification of the Root CA or immediately superior certification authorities and the disclosure of its public keys in a secure manner.

A certification authority that has received a certificate from the Root CA must operate in accordance with the relevant declaration of certification practices. It will also have to observe the forthcoming Requirements for its Declaration of Certification Practices of the Certification Authority, and the Minimum Requirements for Certificate Policies in ICP-Brazil.

Root-CA
The Root CA's obligations include:

  • generating and managing its cryptographic keys;
  • issuing and distributing its certificates;
  • issuing, delivering and distributing the certificates of its superior certification authorities;
  • publishing and revoking certificates issued by it;
  • maintaining and publishing its list of revoked certificates;
  • overseeing and auditing the certification authorities and authorized service providers for conformity with the criteria established by ICP-Brazil's Management Committee;
  • implementing crossed certification agreements as necessary;

Further, the Root-CA must adopt the necessary security and control measures (including the procedures of the ICP-Brasil Security Policy), and maintain emergency plans, and the integrity, secrecy and security of the information that it handles. Generally, it must carry out its duties pursuant to the prevailing legislation, including the rules of the ICP-Brasil Management Committee.

The Root CA is liable for any damage that it causes. By virtue of the fact that liability of state entities is strict and the Root CA is a central body of ICP-Brazil, any failure or unlawful act could generate enormous liability.

Audits
In order to ensure ICP-Brazil's continued integrity, Resolution 1 establishes that the Root CA and its service providers are subject to regular audits, which are conducted prior to the accreditation of the certification authorities and annually thereafter.

The audit procedure is extensively regulated in terms of scope, the entities qualified to audit and the submission of audit results.

In cases of non-conformity, the audited entity must comply with the the recommedations of the auditors within a certain timescale. Failure to comply with the recommendations within the stipulated term, will give rise to the cancellation of the audited entity's accreditation.

Confidentiality
Resolution 1 addresses issues of confidentiality. It classifies information in terms of non-confidentiality (ie, certificates, list of revoked certificates and relevant corporate or personal information) and confidentiality (ie, all the other information which, generally, is not disclosed).

Certificate holders and their legal representatives may access their own data and identifications, and may authorize the disclosure of their records to others.

Operational aspects
Certification authorities are accredited before the Root CA, which grants their certificates and authorization to operate. Neither the accreditation nor authorization of certification authorities are regulated yet. The next step is the issuance of a certificate by the Root CA, which take place in a specific ceremony with a witness and other formalities established in the resolution.

By accepting a certificate, its holder is deemed to:

  • accept the responsibilities, obligations and duties imposed on it by the relevant agreement and resolution;
  • guarantee that, to its knowledge, no unauthorized person has access to the associated private key; and
  • affirm that all the information during the accreditation process is true and is reproduced correctly on the certificate.

Revocation
A certification authority's certificate may be revoked at any time, either at the request of its holder or the Root CA.

A certificate will be revoked when:

  • it is found to have been issued in improper circumstances;
  • it must be altered;
  • the holder of the certificate is dissolved; or
  • a certification authority's private key or method of storage is interfered with.

Other issues
Resolution 1 also addresses the following issues:

  • security auditing procedures;
  • emergency contingency plans;
  • physical, procedural and personnel security controls; and
  • various technical standards and procedures.

Resolution 2

Resolution 2 of September 28 2001 establishes the security policies that will be adopted by ICP-Brazil's participating entities. The main objectives are to:

  • define the objective of the entities' security;
  • organize security in order to reduce risks and guarantee the integrity, confidentiality and availability of all information systems and resources;
  • permit the adoption of integrated security solutions; and
  • serve as a reference for the examination, apportioning and evaluation of liabilities.

Resolution 3

Resolution 3 of September 28 2001 stipulates that 10 members of the commission must be selected for the task of auditing the Root CA and its service providers.

Comment

Provisional Executive Act 2200 is the first to address the legal validity of electronic documents that are produced under ICP-Brazil. Implementation depends on extensive regulation, which has begun to be produced in terms of Resolutions 1, 2 and 3, but it is likely to be some time before ICP-Brazil is entirely operational.

The government has opted for a centralized certification system, precluding the possibility of granting legal validity to other forms of certification or electronic documents that are produced by public key infrastructures.

It is not yet possible to use validly any kind of certification since no implementing framework exists.


For further information on this topic please contact Ricardo Barretto or José Leça at Barretto Ferreira, Kujawski, Brancher e Gonçalves – Sociedade de Advogados by telephone (+55 11 3066 5999) or by fax (+55 11 3167 4735) or by email ([email protected] or [email protected]).