Brazil — MP 2.200-2/2001 (ICP-Brasil)

seed

Provisional Measure 2.200-2 of 08242001. Creates the Brazilian Public Key Infrastructure (ICP-Brasil). Still in force (Provisional Measures issued before 2001-09-11 do not lapse, by virtue of Constitutional Amendment 32). The foundation of every Brazilian digital signature carrying a presumption of authenticity.

What it establishes

  • Art. 1: institutes ICP-Brasil to guarantee the authenticity, integrity, and legal validity of electronic documents.
  • Art. 2: creates the Comitê Gestor da ICP-Brasil (CG) (ICP-Brasil Steering Committee), reporting to the Casa Civil (Chief of Staff Office).
  • Art. 3: defines the Autoridade Certificadora Raiz (AC Raiz) (Root Certification Authority) — exercised by ITI (Instituto Nacional de Tecnologia da Informação / National Institute of Information Technology), a federal agency.
  • Art. 4: defines the powers of the AC Raiz: to issue, dispatch, distribute, revoke, and manage the certificates of the immediately subsequent ACs; to audit; to oversee.
  • Art. 5: ACs (Autoridades Certificadoras / Certification Authorities) issue, dispatch, distribute, revoke, and manage certificates for end users.
  • Art. 6: ARs (Autoridades de Registro / Registration Authorities) perform the in-person identification of the applicant and the binding to the AC.
  • Art. 10: establishes the presumption:
    • §1 — electronic documents signed with an ICP-Brasil certificate are presumed true with respect to their signatories.
    • §2 — does not preclude the use of another means of proof, including those that use certificates not issued by ICP-Brasil, provided it is admitted by the parties as valid or accepted by the person against whom the document is asserted.

§2 is the legal basis for private signatures (DocuSign, non-ICP Clicksign, Koder's embedded signature, etc.) to carry value between the parties — but with a heavier evidentiary burden.

Resulting hierarchical structure

ITI (AC Raiz / Root CA)
├── Level-1 AC (Serpro, Caixa, SERASA, Soluti, Certisign, …)
│   ├── Level-2 AC (specialized sub-ACs)
│   │   └── AR (in-person point / approved videoconference)
│   │       └── Certificate holder (individual or legal entity)

ITI publishes:

  • DOC-ICP-01 — Certification Practice Statement of the Root CA
  • DOC-ICP-04 — Minimum requirements for certificate policies within ICP-Brasil
  • DOC-ICP-15 — Overview of ICP-Brasil digital signatures (profiles AD-RB, AD-RT, AD-RV, AD-RC, AD-RA — the Brazilian PAdESXAdESCAdES variants)

Living documents at iti.gov.bricp-brasillegislacao.

Certificate categories (ICP-Brasil CG Resolution)

Type Key media Typical validity Use cases
A1 Software (.pfx / .p12 file) 1 year NF-e (e-invoice), eSocial, income-tax return
A3 Hardware (smart card, USB token, HSM) 1–5 years Attorney-in-fact, accountant, lawyer
A4 Hardware with RSA key ≥ 4096 or EC ≥ 384 1–5 years Banking, high volume
S1S3S4 Equivalent to A1A3A4 but for confidentiality (encryption), not signing Rare
T3/T4 Time type — timestamping only Restricted to ACTs

Details in 05-icp-brasil/02-tipos-de-certificado.kmd (planned).

Common identities

  • e-CPF — individual, binds the certificate to the holder's CPF
  • e-CNPJ — legal entity, binds to the CNPJ
  • NF-e — e-CNPJ variant for fiscal issuance

Interaction with Law 14.063/2020

MP 2.200-2 remains in force. Law 14.0632020 (see 02-brazil-law-14063.kmd) adds 3 levels (simpleadvanced/qualified) for the citizen↔government relationship. Qualified = ICP-Brasil. The two laws coexist.

Implications for a Koder product

For a future Koder Sign to carry full legal validity in Brazil:

  1. Accept ICP-Brasil A1/A3 certificates → the product becomes a client application (simplest).
  2. Integrate with an accredited AC (Soluti, Certisign, Bry, Birdid, etc.) via API for remote A1 issuance → the product becomes coupled.
  3. Become an accredited AC within ICP-Brasil → extremely high regulatory cost, the same order of magnitude as becoming a TLS CA (06-ssl-and-tls/05-creating-a-letsencrypt-style-ca.kmd), but with ITI auditing in place of WebTrust. Audit by an accredited OAC (≈ R$ 200-400k/year).
  4. Non-ICP for B2B flows where the parties agree (Art. 10 §2) → unblocks the product, but requires clear UX about the legal value.

Recommended initial route: the (1)+(4) combo — accept ICP-Brasil for formal flows + native signing for private contracts, both with the same UX.

Canonical references