ICP-Brasil — architecture

seed

Technical and institutional topology of ICP-Brasil. ITI operates the AC Raiz (Root CA); level 1 and 2 ACs issue certificates to holders; ARs identify holders in person (or via approved videoconference).

Institutional hierarchy

                   ┌────────────────────────────────┐
                   │  ICP-Brasil Steering Committee │ ← Decree 3.996/2001
                   │  (CG-ICP, Casa Civil)          │   defines standards
                   └──────────────┬─────────────────┘
                                  │
                   ┌──────────────▼─────────────────┐
                   │  ITI — AC Raiz                 │ ← Federal autarchy
                   │  AC Raiz V5 / V10 (current)    │   operates offline HSM
                   └──────────────┬─────────────────┘
                                  │
            ┌─────────────────────┼──────────────────────┐
            ▼                     ▼                      ▼
    ┌───────────────┐   ┌───────────────┐    ┌───────────────┐
    │  Level 1 AC   │   │  Level 1 AC   │ …  │  Level 1 AC   │   ← each is a legal
    │  (e.g. Serpro)│   │  (Serasa)     │    │  (Soluti)     │     entity, accredited
    └───────┬───────┘   └───────┬───────┘    └───────┬───────┘
            │                   │                    │
       ┌────┴────┐         ┌────┴────┐          ┌────┴────┐
       ▼         ▼         ▼         ▼          ▼         ▼
   ┌─────┐   ┌─────┐   ┌─────┐   ┌─────┐    ┌─────┐   ┌─────┐
   │ AC2 │   │ AC2 │   │ AC2 │   │ AC2 │    │ AC2 │   │ AC2 │  ← specialized sub-CAs
   └──┬──┘   └──┬──┘   └──┬──┘   └──┬──┘    └──┬──┘   └──┬──┘     (e-CPF / e-CNPJ / NF-e)
      │         │         │         │          │         │
      ▼         ▼         ▼         ▼          ▼         ▼
                          AR (Registration Authorities)
                                    │
                                    ▼
                       Holders (individuals + legal entities)

Active level 1 ACs (≈2026)

Full list at iti.gov.bricp-brasilestrutura.

Main ones by volume:

Level 1 AC Operator Dominant specialty
AC Serpro Serpro (government) e-CPF/e-CNPJ for civil servants and agencies
AC Caixa Caixa Econômica Federal Banking, FGTS
AC Certisign Certisign Certificadora General market, corporate e-CNPJ
AC SERASA-Experian Serasa Experian Mass market, retail
AC Soluti Soluti Net (Valid today) Digital retail, remote A1
AC Bry Bry Tecnologia Remote A1, SaaS integration
AC Imprensa Oficial SP Imprensa Oficial-SP SP state
AC Notarial Anoreg-BR Notary offices
AC Boa Vista Boa Vista Serviços Market
AC PRODEMGE Prodemge (MG state) MG civil servants and citizens
AC SOLUTI Múltipla Valid/Soluti Remote A1 operation at scale

AC Raiz ICP-Brasil — keys

Periodically, the ITI holds a public ceremony to generate a new root. History:

  • V1, V2, V3, V4 — discontinued
  • V5 — RSA-4096; certificates issued through ~2023
  • V10 — RSA-4096 — current; ceremony in 2023, valid through 2034 with a 2031–2034 transition

Distribution: Mozilla NSS, Microsoft Windows Update, Apple, and Java cacerts include the AC Raiz ICP-Brasil. Linux distros include it via ca-certificates.

Cross-signing with a commercial root program does not exist — ICP-Brasil is a chain parallel to the public TLS trust store. An ICP-Brasil cert is not automatically accepted as a TLS cert for a web site (and vice versa). They serve disjoint purposes: ICP is "digital signature with legal value"; public TLS is "web server authentication".

ICP-Brasil chain validation

An application validating an ICP signature needs to:

  1. Load the ICP-Brasil chain bundle — all level 1 and 2 ACs + root. The ITI publishes it at acraiz.icpbrasil.gov.brcredenciadasCertificadosAC.
  2. Build the path from the signer's cert up to the root.
  3. Check revocation via LCR (Lista de Certificados Revogados, equivalent to a CRL) — each AC publishes at acraiz.icpbrasil.gov.br/LCR/…. OCSP is optional in ICP-Brasil (present, but less reliable than the LCR for LTV).
  4. Check policy OIDs — each type (A1, A3, A4, e-CPF, e-CNPJ) has a specific OID in the 2.16.76.1.… namespace.

Common pitfalls in client applications

  • Stale bundle: ACs come and go; the chain bundle must be updated monthly. Libraries such as BryToolbox automate this.
  • Heavy LCR: some ICP LCRs exceed 100 MB. Local caching is mandatory; do incremental re-download via nextUpdate.
  • Rare OCSP: it exists but not every AC operates it. It cannot be trusted as a single source.
  • Non-LDAP-clean DN: holder names use UTF-8 parsing + Brazil-specific profiles. OU=CPF=...:..., etc. Spec in DOC-ICP-04.
  • Timestamp via ACT: for LTVarchival, embed a timestamp from an accredited ACT (Authority of Certification of Time) — see `08-timestamping` (planned).

Implications for Koder

If a Koder product is to read/validate an ICP-Brasil signature (typical case: receiving a signed PDF to attach to a case file):

  • Embed an up-to-date ICP bundle in the product (monthly auto-update).
  • Use an off-the-shelf lib — DSS (Java) or Lacuna RestPKI (proprietary, REST). In Go/Dart the ecosystem is weaker; likely an FFI bridge or a Go service wrapping DSS.
  • Never implement ICP-Brasil DN parsing from scratch — use a lib that already handles the OID 2.16.76.1.3.x profiles.

If the goal is to issue ICP-Brasil certs: see 03-legislation/01-brazil-mp-2200-2.kmd §"Implications for Koder products" — becoming an AC is expensive; the common path is partnership with an existing AC via API.

References