Brazil — MP 2.200-2/2001 (ICP-Brasil)
Provisional Measure 2.200-2 of 08242001. Creates the Brazilian Public Key Infrastructure (ICP-Brasil). Still in force (Provisional Measures issued before 2001-09-11 do not lapse, by virtue of Constitutional Amendment 32). The foundation of every Brazilian digital signature carrying a presumption of authenticity.
What it establishes
- Art. 1: institutes ICP-Brasil to guarantee the authenticity, integrity, and legal validity of electronic documents.
- Art. 2: creates the Comitê Gestor da ICP-Brasil (CG) (ICP-Brasil Steering Committee), reporting to the Casa Civil (Chief of Staff Office).
- Art. 3: defines the Autoridade Certificadora Raiz (AC Raiz) (Root Certification Authority) — exercised by ITI (Instituto Nacional de Tecnologia da Informação / National Institute of Information Technology), a federal agency.
- Art. 4: defines the powers of the AC Raiz: to issue, dispatch, distribute, revoke, and manage the certificates of the immediately subsequent ACs; to audit; to oversee.
- Art. 5: ACs (Autoridades Certificadoras / Certification Authorities) issue, dispatch, distribute, revoke, and manage certificates for end users.
- Art. 6: ARs (Autoridades de Registro / Registration Authorities) perform the in-person identification of the applicant and the binding to the AC.
- Art. 10: establishes the presumption:
- §1 — electronic documents signed with an ICP-Brasil certificate are presumed true with respect to their signatories.
- §2 — does not preclude the use of another means of proof, including those that use certificates not issued by ICP-Brasil, provided it is admitted by the parties as valid or accepted by the person against whom the document is asserted.
§2 is the legal basis for private signatures (DocuSign, non-ICP Clicksign, Koder's embedded signature, etc.) to carry value between the parties — but with a heavier evidentiary burden.
Resulting hierarchical structure
ITI (AC Raiz / Root CA)
├── Level-1 AC (Serpro, Caixa, SERASA, Soluti, Certisign, …)
│ ├── Level-2 AC (specialized sub-ACs)
│ │ └── AR (in-person point / approved videoconference)
│ │ └── Certificate holder (individual or legal entity)ITI publishes:
- DOC-ICP-01 — Certification Practice Statement of the Root CA
- DOC-ICP-04 — Minimum requirements for certificate policies within ICP-Brasil
- DOC-ICP-15 — Overview of ICP-Brasil digital signatures (profiles AD-RB, AD-RT, AD-RV, AD-RC, AD-RA — the Brazilian PAdESXAdESCAdES variants)
Living documents at iti.gov.bricp-brasillegislacao.
Certificate categories (ICP-Brasil CG Resolution)
| Type | Key media | Typical validity | Use cases |
|---|---|---|---|
| A1 | Software (.pfx / .p12 file) |
1 year | NF-e (e-invoice), eSocial, income-tax return |
| A3 | Hardware (smart card, USB token, HSM) | 1–5 years | Attorney-in-fact, accountant, lawyer |
| A4 | Hardware with RSA key ≥ 4096 or EC ≥ 384 | 1–5 years | Banking, high volume |
| S1S3S4 | Equivalent to A1A3A4 but for confidentiality (encryption), not signing | — | Rare |
| T3/T4 | Time type — timestamping only | — | Restricted to ACTs |
Details in 05-icp-brasil/02-tipos-de-certificado.kmd (planned).
Common identities
- e-CPF — individual, binds the certificate to the holder's CPF
- e-CNPJ — legal entity, binds to the CNPJ
- NF-e — e-CNPJ variant for fiscal issuance
Interaction with Law 14.063/2020
MP 2.200-2 remains in force. Law 14.0632020 (see 02-brazil-law-14063.kmd) adds 3 levels (simpleadvanced/qualified) for the citizen↔government relationship. Qualified = ICP-Brasil. The two laws coexist.
Implications for a Koder product
For a future Koder Sign to carry full legal validity in Brazil:
- Accept ICP-Brasil A1/A3 certificates → the product becomes a client application (simplest).
- Integrate with an accredited AC (Soluti, Certisign, Bry, Birdid, etc.) via API for remote A1 issuance → the product becomes coupled.
- Become an accredited AC within ICP-Brasil → extremely high regulatory cost, the same order of magnitude as becoming a TLS CA (
06-ssl-and-tls/05-creating-a-letsencrypt-style-ca.kmd), but with ITI auditing in place of WebTrust. Audit by an accredited OAC (≈ R$ 200-400k/year). - Non-ICP for B2B flows where the parties agree (Art. 10 §2) → unblocks the product, but requires clear UX about the legal value.
Recommended initial route: the (1)+(4) combo — accept ICP-Brasil for formal flows + native signing for private contracts, both with the same UX.