Decree No. 3587, 5 September 2000

Original Language Title: Decreto nº 3.587, de 5 de Setembro de 2000

DECREE NO. 3,587, OF SEPTEMBER 5, 2000.

Establishes standards for the Public Key Infrastructure of the Federal Executive Power-ICP-Gov and makes other provisions.

THE PRESIDENT OF THE REPUBLIC, in the exercise of the powers conferred on him by art. 84, items IV and VI, of the Constitution.




Art. 1º The Public Key Infrastructure of the Federal Executive Power-ICP-Gov will be instituted pursuant to this Decree.

Art. 2º The ICP-Gov technology is expected to use asymmetric encryption to relate a digital certificate to an individual or an entity.

§ 1º The encryption will use two mathematically related keys, one public and the other private, for the creation of digital signatures, with which it will be possible to carry out secure electronic transactions and the exchange of sensitive and classified information.

§ 2º The ICP-Gov Public Key technology will make possible, within the bodies and entities of the Federal Public Administration, the provision of secrecy services, the validity, authenticity and integrity of data, and the irrevocability and non-repudiation of electronic transactions and of supporting applications that use digital certificates.

Art. 3º ICP-Gov is expected to cover, among other things, the set of rules and policies to be defined by the Policy Management Authority-AGP, which aim to establish technical, operational and security standards for the various processes of the Certifying Authorities-AC that are members of ICP-Gov.

Art. 4º To ensure compliance with the ICP-Gov rules, audit processes will be instituted to check the relationship between the operational requirements determined by the characteristics of the certificates and the operational procedures adopted by its member authorities.

Single paragraph. In addition to the technical, operational and security standards, ICP-Gov will define the types of certificates that can be generated by the AC.



Art. 5º The architecture of ICP-Gov is set out in Annex I to this Decree.

Art. 6º It is incumbent on the Policy Management Authority-AGP, a member of ICP-Gov, to:

I-propose the creation of the Root Certifying Authority-Root AC;

II-establish and administer the policies to be followed by the AC;

III-approve cross-certification agreements and policy mapping between ICP-Gov and other external ICPs;

IV-establish criteria for accreditation of the AC and the Registration Authorities-AR;

V-define the frequency of audits of the AC and AR and the sanctions for non-compliance with the standards it establishes;

VI-define operational rules and standards relating to:

a) Certifying Authority-AC;

b) Registration Authority-AR;

c) digital signature;

d) cryptographic security;

e) repository of certificates;

f) revocation of certificates;

g) backup and recovery of keys;

h) automatic update of keys;

i) history of keys;

j) cross-certification;

l) system support for guaranteeing the non-repudiation of electronic transactions or operations;

m) period of validity of certificates;

n) client applications;

VII-update, adjust and revise the procedures and practices established for ICP-Gov, in particular the Certification Policy-PC and the Practices and Rules of Operation of the Certifying Authority, so as to ensure:

a) that the needs of the bodies and entities of the Federal Public Administration are met;

b) compliance with the security policies defined by ICP-Gov's executing body; and

c) technological update.

Art. 7º To ensure that the degree of trust established for ICP-Gov is maintained, the AC and AR should be accredited by the AGP, in accordance with the standards and criteria established by that authority.

Art. 8º The Root AC is responsible for issuing and maintaining the certificates of the AC of bodies and entities of the Federal Public Administration and of accredited private AC, as well as for managing the Revoked Certificates List-LCR.

Single paragraph. Different levels of accreditation may be instituted for AC, in accordance with their purpose.

Art. 9º The AC must provide the following basic services:

I-issuance of certificates;

II-revocation of certificates;

III-renewal of certificates;

IV-publication of certificates in a directory;

V-issuance of the Revoked Certificates List-LCR;

VI-publication of the LCR in a directory; and

VII-management of cryptographic keys.

Single paragraph. Issued certificates and the updated LCR will be made available through a secure and user-friendly directory.

Art. 10. It is incumbent on the AR to:

I-receive certification or revocation requests from users, confirm the identity of those users and the validity of their requests, and forward these documents to the responsible AC;

II-deliver the certificates signed by the AC to their respective requesters.



Art. 11. The issuance of certificates will be preceded by a user identification process, following varied criteria and methods, according to the type or depending on its greater or lesser degree of complexity.

Art. 12. In the AC accreditation process, in addition to the criteria established by the AGP and internationally recognized technical standards, additional aspects should be considered relating to:

I-contingency plan;

II-security policy and plan, logical and human;

III-risk analysis;

IV-financial capacity of the proposer;

V-reputation and degree of reliability of the proposer and its managers;

VI-background and track record in the market; and

VII-levels of protection for users of its certificates, in terms of legal coverage and insurance against damage.

Single paragraph. The provisions of items IV to VII do not apply to the accreditation of public AC.

Art. 13. Subject to the AGP's specifications, the bodies and entities of the Federal Public Administration may deploy their own ICP or offer ICP services integrated with ICP-Gov.

Art. 14. Private AC, in order to provide services to the Federal Public Administration, shall observe the same guidelines as the Government AC, save for other requirements that may be set by the AGP.



Art. 15. Within the framework of ICP-Gov, types of certificates will be defined that meet the general needs of most applications, so as to enable interoperability between distinct computing environments within the Federal Public Administration.

§ 1º Digital signature and secrecy certificates will be created and assigned the following levels of security, depending on the process involved:

I-ultra-secret;



IV-reserved; and


§ 2º The certificates, in addition to others that the AGP may establish, will be used for:

I-digital signature of electronic documents;

II-signing of electronic mail messages;

III-authentication for access to electronic systems; and

IV-exchange of keys for the establishment of an encrypted session.

Art. 16. It is incumbent on the AGP to make the necessary arrangements so that documents, data and records stored and transmitted by electronic, optical, magnetic or similar means come to have the same validity, recognition and authenticity as is given to their original paper equivalents.



Art. 17. For the institution of ICP-Gov, the existing demands of government bodies regarding the typical services derived from Public Key technology, such as authentication, secrecy, data integrity and non-repudiation of electronic transactions, should be carried out.

Art. 18. The Glossary in Annex II presents the meaning of the terms and acronyms in Portuguese that are used in the Public Key system.

Art. 19. The Management Committee for Information Security is responsible for the design, specification and coordination of the implementation of ICP-Gov, as provided in art. 4º, item XIV, of Decree No. 3,505, of June 13, 2000.

Art. 20. A period of one hundred and twenty days, counted from the date of publication of this Decree, is established for the specification, dissemination and start of the implementation of ICP-Gov.

Art. 21. Once the digital certification procedures dealt with in this Decree have been implemented, the Civil House of the Presidency of the Republic will set a timetable with a view to the progressive replacement of the receipt of physical documents by electronic means.

Art. 22. This Decree comes into effect on the date of its publication.

Brasilia, September 5, 2000; 179º of Independence and 112º of the Republic.


Guilherme Gomes Dias

Alberto Mendes Cardoso





Authentication (Authentication)

Process used to confirm the identity of a person or entity, or to guarantee the source of a message.

Certifying Authority-AC (Certification Authority-CA)

Entity that issues certificates in accordance with the practices set out in the Statement of Operational Rules-DRO. It is commonly known by its abbreviation, AC.

Registration Authority-AR (Registration Authority-RA)

Registration entity. It may be physically located in an AC or be a remote registration entity. It is an integral part of an AC.

Digital Signature (Digital Signature)

Mathematical transformation of a message through the use of a mathematical function and asymmetric encryption of the result with the private key of the subscriber entity.

Authorization (Authorization)

Obtaining rights, including the ability to access a specific information or resource in a particular way.

Private Key (Private Key)

Key of a key pair that is kept secret by its owner and used for creating signatures to cipher and decipher messages with the corresponding Public Keys.

Public Key Certificate (Certificate)

Declaration digitally signed by an AC, containing, at a minimum: the distinguished name (DN-Distinguished Name) of the AC that issued the certificate; the distinguished name of the subscriber for whom the certificate has been issued; the Public Key of the subscriber; the period of operational validity of the certificate; the serial number of the certificate, unique within the AC; and a digital signature of the AC that issued the certificate, covering all the information cited above.

Public Key (Public Key)

Key of a cryptographic key pair that is disclosed by its owner and used to verify the digital signature created with the corresponding private key or, depending on the asymmetric cryptographic algorithm used, to cipher and decipher messages.

Encipherment (Encryption)

Process of transforming an original text ("plaintext") into an incomprehensible form ("ciphertext") using a cryptographic algorithm and a cryptographic key.

Accreditation (Accreditation)

Process for approval of the policies and procedures of an AC, so that it is authorised to participate in an ICP.

Cryptography (Cryptography)

Discipline that deals with the principles, means and methods for the transformation of data, so as to protect the information against unauthorized access to its content.

Public Key Cryptography (Public Key Cryptography)

Type of cryptography that uses a pair of mathematically related cryptographic keys. Public Keys may be made available to anyone who wants to cipher information for the owner of the private key or to verify a digital signature created with the corresponding private key. The private key is kept secret by its owner and can decipher information or generate digital signatures.

Statement of Operational Rules-DRO (Certification Practice Statement-CPS)

Document that contains the practices and activities that an AC implements to issue certificates. It is the certifying entity's statement regarding the details of its accreditation system and the practices and policies that substantiate the issuance of certificates and other related services.

Certificate Issuance (Certificate Issuance)

Issuance of a certificate by an AC after validation of the data, with the subsequent notification of the applicant about the contents of the certificate.

Certificate Management (Certificate Management)

Actions taken by an AC, based on its DRO, after the issuance of the certificate, such as storage, dissemination and the subsequent notification, publication and renewal of the certificate. An AC considers certificates issued and accepted as valid from their publication.

Public Key Infrastructure-ICP (Public Key Infrastructure-PKI)

Architecture, organization, techniques, practices, and procedures that jointly support the implementation and operation of a certification system based on Public Key Cryptography.

Message Integrity (Message Integrity)

Guarantee that the message was not changed during its transfer from the sender of the message to its receiver.

Non-repudiation (Nonrepudiation)

Guarantee that the sender of a message will not later deny authorship of the message or participation in a transaction, controlled by the existence of the digital signature that only the sender can generate.

Revoked Certificates List-LCR (Certificate Revocation List-CRL)

List of the serial numbers of the revoked certificates, which is digitally signed and published in a repository. The list also contains the date of issuance of the revoked certificate and other information, such as the specific reasons for its revocation.

Message (Message)

Record containing a digital representation of information, such as data created, sent, received and stored in electronic form.

Key Pair (Key Pair)

Private and public keys of an asymmetric cryptographic system. The Private Key and its Public Key are mathematically related and have certain properties, among them that it is impossible to deduce the Private Key from the known Public Key. The Public Key can be used to verify a digital signature that the corresponding Private Key has created, or the Private Key can decipher a message ciphered with its corresponding Public Key.

Certification Policy-PC (Certificate Policy-CP)

Document that establishes the level of security of a given certificate.

Root (Root)

First AC in a certification chain, whose certificate is self-signed and may be verified through specific mechanisms and procedures, without links to it.

Record (Record)

Information recorded in a tangible medium (a document) or stored in an electronic medium or any other perceptible medium.

Repository (Repository)

Trustworthy system, accessible online, for storing and retrieving certificates and certificate-related information.

Certificate Revocation (Certificate Revocation)

Termination of the operational period of a certificate, which may, under certain circumstances, be implemented before the end of the previously defined operational period.

Secrecy (Confidentiality)

Condition on which sensitive data is kept secret and disclosed only to the authorized parties.

Asymmetric Cryptographic System (Asymmetric Cryptosystem)

System that generates and uses a secure key pair, consisting of a private key for creating digital signatures or decoding encrypted messages and a Public Key for verification of digital signatures or encoded messages.

