
ICSS-DSV-KTH

Master Thesis

Challenges and Opportunities with


Open Source PKI
In A Developing Country

Katthya Marques Åhlin

E-mail: katthya@telia.com

Supervisor: Matei Ciobanu Morogan (Dr.)

October, 2010
Royal Institute of Technology, Sweden
Information and Communication System Security

This thesis corresponds to 20 weeks of full-time work


Inscription

I dedicate this work to my mother, Rosina Amélia Marques,

eternal fighter in all fields of life,

an example of dedication and hard work,

inspiration, firmness and objectivity and wisdom,

who was always by my side every moment of my life

and was responsible for making my dreams a reality.

Without her, I could not have achieved this purpose.


Acknowledgements

Thanks to my supervisor, Matei Ciobanu Morogan, for his guidance, time and advice.

Thank you to the many people and organizations that granted information, feedback, and
moral support through my research. Without them, this academic work would not have
become a reality.

Thank you to Melanie Anderson who reviewed a draft of this report, which contributed to my
understanding of the written word and the overall readability of this text. All grammatical and
spelling errors are my own.

Thank you to friends who gave me financial and moral support when I travelled to Brazil to
conclude my studies. I offer my regards and blessings to all of those who supported me in any
respect during the completion of my studies.

Thank you to the several individuals who responded to surveys regularly, commented on a draft
questionnaire, returned my emails, took my phone calls, and answered my questions with
patience and enthusiasm.

Thank you to staff and board members at the Brazilian government and private companies
who took time out of their busy schedules to help me learn more about the work that they
have been doing to make open source software and PKI become a reality in Brazil. I can only
aspire to achieve the level of success and professionalism that they exhibit.

Thank you to my husband, Mikael, who provides indisputable companionship in times of
trouble and discouragement – thank you for making it all worthwhile.

Thank you to my son, Gabriell, for whose patience and tolerance of his mother’s long hours and
absence from home I am forever grateful.

Thank you to my mother, brother and sisters, whose constant love and support and
encouragement are blessings that I shall always treasure.

Last but not least, I thank God for His protection throughout my studies.

Katthya Åhlin

Epigraph

“In a world where knowledge, information, creativity and innovation are factors of wealth,
cultural diversity is to be recognized and exploited as a factor of competitive advantage. On
the basis of balanced development of the country, therefore, must be the achievement of local
actions, oriented towards the use of diversity and specificities of each region. In this sense, the
proximity of federal, state and local governments in relation to the demands of society and
communities, promoting their involvement in developing strategies and action planning, is
extremely important.”

Information Society in Brazil - Green Book


Abstract

Nowadays information security is a big challenge for most organizations, making them invest
time, money and knowledge in deploying new technologies.

On one hand, PKI is a technology that has always been tied to the notion of secrecy. On the
other hand, open source software is a form of technology that aims to not keep secrets and to
promote the possibility of open and accessible knowledge to everybody.

From one standpoint, PKI solutions are often considered expensive, complex systems that are
not easy to deploy, administer, and use. Those have been the impediments to widespread
industrial use of PKI. In contrast, open source software is considered as a viable and coherent
alternative for dissemination of technologies.

This research is about security. We know that there are many security technologies, but we
also know that security, in most cases, is viewed as a financial decision, and that is a big
issue when it comes to developing countries. As the availability of open source software makes
it an attractive investment opportunity, especially in poor and developing countries, this
report discusses the current PKI situation and the current open source software situation in
Brazil and brings forward one interesting potential strategy for dealing with the above
problems. There are challenges, but the opportunities are significant as well.

Keywords: Information Security, Open Source Software, PKI, Complex, Expensive,
Developing country, Opportunities, Challenges

Table of contents
CHAPTER 1: INTRODUCTION .......................................................................................................................... 1
1.1. BACKGROUND ........................................................................................................................................ 1
1.2. PROBLEM DEFINITION ............................................................................................................................ 1
1.3. PURPOSE................................................................................................................................................. 2
1.4. RESEARCH QUESTION............................................................................................................................. 2
1.5. GOAL...................................................................................................................................................... 2
1.6. TARGET AUDIENCE ................................................................................................................................ 2
1.7. RESEARCH METHODS ............................................................................................................................. 3
1.8. DISPOSITION OF THE REPORT ................................................................................................................. 4
CHAPTER 2: INFORMATION TECHNOLOGY OVERVIEW .................................................................................... 6

2.1. OPEN SOURCE SOFTWARE ...................................................................................................................... 6


2.1.1. Free software and open source software ...................................................................................... 6
2.1.2. Open Source Software Licensing .................................................................................................. 7
2.1.3. Open Source Software Advantages ............................................................................................... 9
2.1.4. Open Source Software Disadvantages ........................................................................................ 11
2.1.5. Open Source Software Community ............................................................................................. 12
2.2. PUBLIC KEY INFRASTRUCTURE (PKI) .................................................................................................. 13
2.2.1. Description ................................................................................................................................. 13
2.2.2. Digital Certificates ..................................................................................................................... 14
2.2.3. Certificate Authority ................................................................................................................... 16
2.2.4. Registration Authority................................................................................................................. 16
2.2.5. General PKI Architecture ........................................................................................................... 17

CHAPTER 3: OPEN SOURCE SOFTWARE AND PKI IN BRAZIL ........................................................................... 18


3.1. CURRENT OPEN SOURCE SOFTWARE SITUATION IN BRAZIL ................................................................. 18
3.1.1. Policies for Technological and Industrial Development............................................................. 20
3.1.2. Brazilian Public Software ........................................................................................................... 22
3.2. CURRENT PKI SITUATION IN BRAZIL ................................................................................................... 24
3.2.1. ICP-Brazil ................................................................................................................................... 24
3.2.2. E-ping - Interoperability ............................................................................................................. 26
3.2.3. Internet Rules and Regulations ................................................................................................... 27
3.2.4. Examples of PKI in Different Sectors in Brazil .......................................................................... 28
3.2.5. RIC – Unique National Identification ......................................................................................... 30
3.2.6. The Brazilian National PKI ........................................................................................................ 31
3.2.7. Seminars for Disseminating Information .................................................................................... 32
CHAPTER 4: SURVEY AND INTERVIEWS ........................................................................................................ 33

CHAPTER 5: CONCLUSION, DISCUSSION AND FUTURE WORK ....................................................................... 38


ABBREVIATIONS LIST ................................................................................................................................... 42

REFERENCES ................................................................................................................................................ 44
APPENDIX A – PROVISIONAL MEASURE 2.200 .............................................................................................. 52
APPENDIX B – QUESTIONNAIRE SURVEY ...................................................................................................... 58
APPENDIX C – INTERVIEWS .......................................................................................................................... 61

Chapter 1: Introduction

1.1. Background
The increasing use of electronic communications and technologies to drive business has
provided significant benefit to industry. Many developing countries have a range of electronic
commerce projects under development and many companies’ businesses are online. As the
traffic of documents over the Internet has greatly increased, information security has become a
key factor in acquiring the knowledge needed to mitigate attacks that are becoming more and
more sophisticated and that put the systems and reputation of companies at risk.

Information security is one of the most important concerns in today's business world, as it has
a direct influence on the activities of the global market. One aspect that has proved extremely
relevant is the cost of information security. This fact leads many companies not to properly
protect their information [87]. It is also clear that the later failures are detected and corrected,
the greater the cost incurred.

Nowadays governments and private companies are under increasing pressure to more
effectively secure their electronic business transactions. Certainly information security is a
major concern of governments and private companies.

Strong authentication reduces the risk of unauthorized access, and encryption of data limits the
exposure of companies in cases of failure. Governments and many companies are deploying
Public Key Infrastructure (PKI) systems to manage digital certificates for authenticating
employees, encryption and digital signatures [1], enabling them to do business with each other
more securely.

But PKI solutions have been considered prohibitively expensive and rather complex
technology [2], which is economically unfeasible for some developing countries.

1.2. Problem Definition

PKI plays an important role in increasing security by providing much stronger
identification of the person performing a transaction. However, PKI technology is relatively
complex and costly to deploy, and another main impediment to the widespread adoption of
this technology has been the interoperability problems between different PKI applications.
Given these difficulties, many organizations are reluctant to consider implementing
this technology [3].

1.3. Purpose
The purpose of this thesis is to investigate the current PKI situation and the current open
source software situation in Brazil, the developing country targeted, giving a comprehensive
overview of the advances of the past decade, with the aim of analysing whether open source
PKI is feasible to implement and deploy, considering the problems above.

1.4. Research Question


This academic work aims to answer the following questions:
• What are the attitudes of people in a developing country towards open source software?
• What are the attitudes of people in a developing country towards PKI technology?
• What are the attitudes of people in a developing country towards the necessity of open
source PKI?

During the literature review, we could conclude that these questions have not been previously
answered and, given the present moment in Brazil regarding PKI technology, are worth
answering.

1.5. Goal
This thesis aims to highlight the feasibility of using open source PKI in Brazil, a
developing country with many challenges and opportunities, as well as the positive impact
of encouraging the development of open source PKI across different industries. In other
words, this research seeks to establish whether there is a market that represents a set of
opportunities for open source PKI software to penetrate business in a developing country.

1.6. Target Audience


The target audience for this research includes open source developers and communities,
government agencies (at the federal, state and local levels) in developing countries, and
private entities that are concerned about information security. The audience also includes
governments in developing countries, so as to establish the importance of information security
and make the point that they should step in on this issue.

1.7. Research Methods
The research methodology combines qualitative and quantitative approaches, encompassing
case studies, a survey and interviews.

For the current situational analysis, we investigated the use of PKI technology in Brazil
specifically. Apart from investigating the technology itself, we also carried out surveys in
Brazil to gain insight into the situation, and participated in seminars on specific topics. The
empirical exploration of open source software and PKI was preceded by a literature review
and by face-to-face interviews with several individuals who have very good first-hand
knowledge of both issues.

The majority of the information gathered for this report focused on the Brazilian IT
industry. Internet sources were very useful because there is a lack of available literature in
books and white papers on the research topics as they apply to Brazil. The direction of the
research came from the initial literature review, which mainly focused on government support
for open source software.

The survey used in this report was an attempt to gather information from government and
private companies regarding open source software and PKI technology, aiming to bring up the
issues related to open source PKI. It was not a criterion whether the companies already made
use of PKI technology or open source software; however, it was a criterion that all companies
should have significant experience in the IT area.

This report was also informed by the researcher's participation in a three-day seminar series,
held in Brazil in June 2010 and called ‘8º CertForum’. The seminars focused on issues
relating to the uses of digital certification.

The interviewees were chosen for their extensive experience in open source software or PKI
technology. Most interviews were arranged before the researcher travelled to Brazil.
Personal interviews led to further interviews, thanks to personal contact between the
interviewer and the respondent.

Finally, an analysis was made in which we bring up some challenges and opportunities
associated with the impact and risks of using an open source PKI in Brazil.

The results of this research suggest an approach for future work to be carried out. It is hoped
that the information presented in this report will be of use to developers, users and
aficionados of open source software and PKI technology, based on the future needs
identified here.

1.8. Disposition of the Report

The report is structured based on 5 chapters. Following is a brief description of each of the
chapters:

• Chapter 1: Introduction
This chapter gives an introduction of the background of the problem under consideration,
goals and aim of the thesis and methods used to carry out the thesis.

• Chapter 2: Information Technology Overview
In this chapter, information is given to provide a base knowledge of open source software,
focusing on its advantages and disadvantages, and presenting a holistic view of the Public
Key Infrastructure (PKI). The treatment of open source software and PKI in this chapter is
brief, almost to the point of being superficial, but comprehensible to the target
audience.

• Chapter 3: Open Source Software and PKI in Brazil
Here the social aspects of the Brazilian government's efforts toward open source adoption
are investigated, as well as the governmental policies on the use of open source software,
where PKI is implemented and used in various segments, and how trust is currently
managed.

Although it is very difficult to capture the breadth of knowledge in these areas in this
thesis work, this chapter takes an overview approach that highlights the main points about
open source software and the PKI situation in Brazil. One of the most important aspects of
this chapter is the significance of how the Brazilian government treats PKI as a national
infrastructure and provides regulatory guidance to ensure the quality and sustainability of
certificate authorities.

• Chapter 4: Survey and Interviews
This is the most important chapter of the thesis because it covers the current situation of
PKI and the acceptance of open source software in Brazil. This chapter aims to provide a
concrete framework of PKI and open source in Brazil, in which the principal source of data
used for analysis and discussion is the interviews and surveys.

• Chapter 5: Conclusion and Recommendations
In the conclusion of the report, we summarize what was done in this work and provide
recommendations for the future direction of the thesis.

• Appendix
The appendix presents a variety of additional resources. It contains a Brazilian document,
translated by the researcher, to provide the reader with some official regulations established
by the Brazilian government, as well as the survey questionnaire and the full interviews.

Chapter 2: Information Technology Overview

2.1. Open Source Software

In this section, a background to this study is outlined by first highlighting a few
definitions used within the open source software field. This thesis discusses the benefits
frequently cited as justification for adopting and implementing open source software. It is
not only companies that have become interested in open source software, but governments
around the globe as well [4]. The choices that governments make have a widespread influence
on society. First, they spend very large amounts of money annually on Information and
Communication Technologies (ICT); adopting open source software can allow governments to
save money by not having to buy licenses. Second, society in general has a direct relationship
with governments through the use of public services. Consequently, the choices that
governments make have an impact on the choices of companies and citizens.

2.1.1. Free software and open source software

Different words convey different ideas. There are two main types of software that are
considered “open”. They are free software and open source software [5].

Free software is described by the free software community as software that is freely
accessible and can be freely used, changed, improved, copied and distributed by all who wish
to do so. The Free Software Foundation (FSF) is an organization with a worldwide mission to
promote computer user freedom and to defend the rights of all free software users. It was
created in 1985 by Richard Stallman [6].

Open source software is described by the Open Source Initiative as software whose core
aspects are [7]:
1. Free redistribution
2. Accessibility of the source code
3. Changeability of the code and re-use in new software
4. Inviolability of the original code
5. No discrimination against certain persons or groups
6. No restrictions on certain areas of usage (especially restrictions on commercial sectors)
7. Distribution of the license
8. The license must not be specific to a certain product (e.g., as part of a software distribution)
9. The license must not restrict other software (e.g., other software included on the same
data storage; disclosure agreements)
10. The license must be technology-neutral (no provision of the license may imply any
individual technology or style of interface)

It is important to keep the two concepts separate when discussing philosophies and values,
and also to understand that the two concepts are not substitutes for each other, but instead
work together in advocating free software and open source software.

Concerned about open source redistribution rights, programmers developed what is now
popularly known as “open source licensing”. The fundamental purpose of open source
licensing is to deny anybody the right to exclusively exploit a work [8].

In this study, we decided to use the term ‘open source software’ (OSS). ‘Open source
software’ in this study refers to liberty/freedom, not price. We are writing about software
that is available, free or commercialized, with the premise of freedom of installation, full
use, access to the source code, availability of changes/improvements for special needs, and
distribution of the original or modified code, with or without cost. There are programs that
can be obtained for free but may not be modified or redistributed.

2.1.2. Open Source Software Licensing

Distribution and use of software is based on licenses. The users of the software must agree
to and accept the license associated with the software in order to use its code. These
licenses have the force of a contract of adhesion, in which the user undertakes to respect the
rules proposed by the owner of the software and can be prosecuted in case of non-compliance
with them. The owner of the software can sue the user if the user violates copyright laws
relating to the associated license [9].

The rules defined in these licenses are what determine whether the software is considered free,
open source or non-free (proprietary). As previously mentioned, the licenses of open source
software allow any user to use, copy, modify and distribute the software, according to certain
rules. In general, proprietary software licenses allow the user only to use the software
according to the rules of the company that developed it, prohibiting its reproduction,
multiple installation, alteration, sale, resale or redistribution without paying extra.

Several open source software licenses are recognised under the Open Source Definition. The
most commonly cited and used is the GNU General Public License (GNU-GPL), which is one
of the foundations for open source licenses. The GNU-GPL was created by the Free Software
Foundation (FSF), and it is the preferred license for projects authorized by the FSF [10].

The GNU-GPL license defines the freedoms of the user of the software: the user may freely
use it, adapt it for their own use, redistribute copies, implement improvements and spread
those improvements [11].

Briefly, in the foundations of the GPL, there are four categories of freedom to be preserved:
• The freedom to use the software for any purpose
• The freedom to study how the program works, and change the software to suit
your needs
• The freedom to share the software with your friends and neighbours
• The freedom to share the changes you make

It is also important and appropriate to remark here on the ‘copyleft’ concept. Nowadays, the
concept of copyleft is fundamental to many programming projects. Many creators in the
information society use it, from software developers and digital artists to content providers,
composers and designers. Copyleft is a general license agreement granted by a copyright
owner allowing anyone to freely use the copyrighted property, but under specific terms. Common
terms of a copyleft license state that a copyleft work is freely available to all potential users.
Copyright is preserved, but the commercial rights (copying) are released, provided that this
rule is maintained for all future users [12]. It is important to emphasize that not all open
source software licenses impose copyleft.

2.1.3. Open Source Software Advantages

Motivations for using and developing open source software are linked to philosophical and
ethical reasons, as well as purely practical issues [13].

Open source has an impact not just on the budgets of governments and organizations, but also
potentially on developers, IT managers, suppliers, customers and partners. Usually, the first
perceived advantage of open source software is that it is made available free or at a low cost,
reducing the costs associated with proprietary licensing and updates. However, many surveys
conducted by researchers have concluded that, surprisingly, the key advantage of open source
software is not its free or low price tag, as many expected [14].
The following are some advantages, without ranking them:

• The availability of the source code and the right to modify it:

It enables infinite tuning and improvement of a software product. It also makes it
possible to install the code on new hardware, to adapt it, and to reach a detailed
understanding of how the system works. This is the reason that many experts are
reaching the conclusion that, to really extend the lifetime of an application, the source
code must be available. It is also much easier to find and fix bugs when the source
code is available [15].

• The right to redistribute modifications and improvements of the code:

The right to reuse other open source code gives a greater advantage due to the fact that
modified software can be shared by large communities [16].

• The right to use the software in any way [17]

This, combined with redistribution rights, ensures a large community of users. A large
community helps, in turn, to build up a market for support and customization of the
software, which can only attract more and more developers to work on the project.
This successively helps to improve the quality of the software, and improve its
functionality. All this combined will cause more and more users to give the product a
try, and probably to use it regularly.

• No one has the power to limit in a unilateral way how the software is used [18]

Such power manifests itself, for instance, when a proprietary software vendor decides not
to upgrade a software product for some old platform. In this case, customers can
only stick with the old version of the software or turn to another product. Another case
is when the software manufacturer closes its doors or decides to discontinue
development of the software (no one has the right to take over the program and
continue its development, effectively killing its usability in the market). If open
source software is used, customers can instead finance development for the desired
platform, or look for other vendors to provide upgrades of the very same product.

• No ‘security through obscurity’ [19]

The approach of ‘security through obscurity’ leaves too many open holes. Open
source software cannot be said to rely on security through obscurity, although it
can also suffer security disasters. But, by having the source code available, it is
possible to perform a thorough audit, find vulnerabilities, and then get them fixed.
It is impossible for any citizen, company or government agency to audit all of their
software code; hence the importance of open source along with the strong participation
of communities of practice.

• Scalability

Anyone can use the current code base to start new projects. Working knowledge,
mainly from communities, can be gathered at a minimal cost. Here, it is worthwhile
mentioning Internet software systems: the Internet is a good example of a software
system that was built by a community that was never formally constituted; people
have participated for many different reasons. From an economic point of view, when
we look at the Internet today, we see a universal platform used for e-commerce and e-
business that was not intended by the founders of the mainly military ARPANET [20].

• Lower software costs

Most open source software requires no licensing fees. A few open source
packages charge a small fee for their use. Some open source distributors charge for a
business or mass-use license, but many do not. The logical extension is no
maintenance fees. The only expenditures are for media, documentation, and support, if
required [21].

IT decision makers recognize that open source software is not really free.
Administration and support costs overshadow the initial software license cost; the cost
that open source minimizes is the maintenance fee. “Whether open source software
is less costly to administer than proprietary software depends largely on a ready pool
of resources trained on the system, the availability of administration tools that allow
system administrators to manage a greater number of systems, and the number of
version upgrades and patches that are issued by the developer. In this regard, open
source software may have little if any advantage over proprietary software, although
the situation varies from application to application. Therefore, low cost, although
important, is not the key advantage of open source” [22].

2.1.4. Open Source Software Disadvantages

Presumably, the most essential characteristic of open source software is that the source code
can be studied and modified, which provides software developers the opportunity to adapt
software to their personal needs and preferences and to fix bugs. There are reported
limitations and inconveniences in using open source software. The biggest reason to not
deploy open source software is support issues [23]. A lack of external support for assisting in
the migration also can be a barrier, if the required knowledge is not available in-house.

Existing data on the impact of open source software, its use and development, is still quite
limited. FLOSSWorld [24], a study on the worldwide development and use of FLOSS
(Free/Libre/Open Source Software), has worked on projects to help fill the gaps in our
knowledge about why and how FLOSS is developed and used. Although its projects have
focused on Europe, FLOSSWorld performed some global empirical studies of proven relevance
to Europe and to developing countries.

In conducting the survey, FLOSSWorld defined a sample of 400 e-Government institutions
across 8 countries. They achieved 306 responses, which were distributed as follows:
Argentina 48, Bulgaria 11, Brazil 26, China 25, Croatia 50, India 23, Malaysia 114, and South
Africa 9. The survey was conducted over the period May 2005 to June 2007 [25].

As a result, FLOSSWorld’s survey pointed out that only Malaysian respondents used FLOSS
because it is cheap rather than because it is useful. They also fear the cost and time involved
in training people to use FLOSS. Croatians are reluctant towards FLOSS because they fear
that they would become isolated if they migrate to FLOSS and others do not (the “first mover
problem”). They also fear training costs. Bulgarian and Argentinean respondents fear that
they would not find technical support if their organizations migrated towards FLOSS. Indian
respondents also fear the first mover problem.

Further analysis in the FLOSSWorld research revealed that the first mover problem is strongly
correlated with the fear of a lack of technical support. A lack of external support for assisting
in the migration can be a barrier, if the required knowledge is not available in-house.

Another issue, sometimes considered a disadvantage, is the possibility of forking. In software
engineering, a project fork happens when developers take a legal copy of source code from
one software package and start independent development on it, creating an alternative code
base from the current one and resulting in a distinct piece of software. This can confuse users
over which forked package to use [26].

2.1.5. Open Source Software Community

The ability of communities to shape software is a significant benefit of the open source
movement. The role of online communities is a key element in open source software and a
basic factor in the success of the open source software development model. There are many
reasons why people participate in the open source software community. This thesis does not
attempt to present detailed data about individual motivations; several authors have focused
deeply on it, and this study would like to mention one book on the subject, “Emerging free
and open source software” [27]. There, the reader can find a framework which splits
motivation into three categories, technological, economic and socio-political, and which also
addresses more holistic questions regarding the motivation of open source software
participants.

However, when writing about open source software, one needs to write about the community
associated with it. It is impractical for any citizen, company or government agency to audit all
their software code; hence the importance of open source together with the strong
participation of communities of practice. It is this community that audits and improves the
source code and checks for deviations. Even so, it is impossible to say that any open source
code contains no errors. Creation, engagement and transparency of communities related to
open source software are keys to ensuring the viability of open source software.

2.2. Public Key Infrastructure (PKI)

2.2.1. Description
The reader should have a basic understanding of public key infrastructure (PKI). For this
reason, this section is included.

Some of the hardest problems of internet communication are trust, privacy and security.
Almost all sectors of the economy need some tool or formula that provides trusted and
private secure transmission of electronic data between any two parties. This implies that a
range of risks needs to be satisfactorily addressed. Managing those risks requires an
infrastructure that addresses the problems listed above. One important factor here is the need
for strong authentication of individuals and entities. Nowadays, an efficient way of
overcoming these problems has been the use of public key infrastructure.

Public key infrastructure (PKI) is a system for creating and managing public keys used for
encrypting data and exchanging those keys among users. PKI is about distributing keys in a
secure way and providing secure authentication [28].

The public key is published to the world, in the form of a certificate, and the private key is
kept in a secure place. These keys can be used for authentication, encryption, or digitally
signing electronic data. The process involves an operating system, client software, certificate
authority server software, cryptographic hardware, a database, policies governing how the
certificate authorities issue, manage and revoke certificates and store keys, digital certificates
and their keys, and applications that are able to use the PKI. Public key infrastructure is based
on an encryption system that generates a digital certificate that works as a virtual
identification card [29].

PKI utilizes a variety of technologies to provide the following security services [30]:

• Data integrity: means that data cannot be modified without authorization
• Authentication: ensures that parties involved are who they claim to be
• Confidentiality: used to prevent the disclosure of information to unauthorized
individuals or systems
• Non-repudiation: implies one's intention to fulfil their obligations to a transaction, and
also implies that one party of a transaction cannot deny having received a transaction
nor can the other party deny having sent a transaction.
PKI is essentially an arrangement surrounding the issuance of digital certificates and the
assignment of public keys. The major components of the PKI system include the Certificate
Authority, the Registration Authority and digital certificates [31].

2.2.2. Digital Certificates

Digital certificates (also known as public key certificates or identity certificates) are trusted
electronic documents that bind a public key to the identity of its holder for the purpose of
public trust [32].

A digital certificate contains an entity’s name, address, serial number, public key, expiration
date and digital signature, among other information. Digital certificates are available in
different levels of trust, depending upon the amount of identity verification done by the
Certificate Authority (CA). Digital certificates are used not only to identify people, but also to
identify web sites, servers and resources over networks such as the internet [33].

The main purpose of the digital certificate is to ensure that the public key contained in the
certificate belongs to the entity to which the certificate was issued. The digital certificate
would have the following properties [34]:

• It could be distributed over the internet and processed automatically
• It would contain the name of the user who holds the private key, identify the user’s
company or organization, and include contact information
• It would be easy to determine if the certificate was issued recently
• It would be created by a trusted party rather than the user who holds the private key
• Since the trusted party might create a lot of certificates, even for the same user, it
should be easy to tell them apart
• It would be easy to determine if the certificate were genuine or forged
• It would be tamper-proof so no one could change its contents
• It would be immediately determined if the information on the certificate is no longer
current
• We could determine from the certificate the applications to which it applies

There are several kinds of certificates, including [35]:

• X.509 - Public key certificates
• Simple Public Key Infrastructure (SPKI) certificates
• Pretty Good Privacy (PGP) certificates
• Attribute certificates

One of the most common certificates implemented in PKI is X.509 v3.

The series of stages during the process of managing a key or a certificate is called a
key/certificate life cycle. Life cycles cover all the major aspects of the life of a key or a
certificate from the time it’s generated until the time it’s retired. There are 10 stages of a key’s
life cycle [36]:

• Key generation
• Key storage and distribution
• Key escrow: the process where keys are made available to law enforcement or other
authorized agencies to utilize them to conduct an investigation.
• Key expiration: a key expires when it reaches the end of its life cycle. An expired key
may be reissued using a rollover process, but generally this is considered a bad
practice because the longer a key is used, the more likely it is to be broken.
• Key revocation: a key or certificate can be revoked when it has been identified as
corrupt, compromised or lost.
• Key suspension: keys are suspended to disable them for a period of time. It may occur
because the key holder has become ill or has taken time off. A key can be
unsuspended and reused.
• Key recovery and archival: key recovery is the ability to recover a lost key or to use a
previously active key. Three types of keys must be considered in this process: current
keys, previous keys and archived keys. An organization can use a key archival system
to recover information that has been encrypted using older keys.
• Key renewal
• Key destruction: the process of rendering a key unusable. Software keys and smart
card keys should have their key files erased to prevent them from being used.
• Key usage

2.2.3. Certificate Authority

A Certificate Authority (CA) is an entity responsible for issuing, revoking and distributing
certificates. These certificates are digitally signed with the private key of the issuing CA [37].
It is an example of a trusted third party.

For example, if Paul wants to send Anna a private message, there should be a mechanism to
verify to Anna that the message received from Paul is really from Paul. If a third party is
trusted, then, Anna can assume that the message is authentic because the third party says so.

The specific actions of a Certificate Authority include the following [38]:

• Managing digital certificates for their whole life cycle
• Issuing certificates by binding a user’s or system’s identity to a public key with a
digital signature
• Scheduling expiration dates for certificates
• Ensuring that certificates are revoked when necessary by publishing a certificate
revocation list

A CA can be either private or public. The function of a CA can be performed in-house, by a
commercial service or by a trusted third party. The CA is the entity that implements the PKI
policy on certificates [39]. The process of providing certificates to users requires a variety of
services. Over time, the CA can become overloaded and need assistance. An additional
element, the Registration Authority (RA), is available to take over work from the CA. The
Registration Authority also acts as an interface between a user and a Certificate Authority [40].

2.2.4. Registration Authority

The Registration Authority (RA) captures and authenticates the identity of a user and then
submits a certificate request to the appropriate CA. An RA offloads some of the work from a
CA by operating as an intermediary in the process: it can distribute keys, accept registrations
for the CA and validate identities [41]. An approved certificate should be sent directly to the
requestor, which prevents the RA from falsifying and issuing certificates. Many CAs have a
strong auditing capability, which documents all the activities of an RA.

2.2.5. General PKI Architecture

Figure 1: Summary of general PKI architecture [42]

1 or 2 - The user requests a certificate. The user can request a certificate directly from the
Certificate Authority (step 1), or in some cases physical presence is necessary (step 2).
3 - The Registration Authority (RA) captures and authenticates the identity of the user and
then submits a certificate request to the appropriate CA.
4 - The certificate is delivered, on request, to the Registration Authority.
5 - The certificate is stored in the Central Registration Authority (cRA) database.
6 - The user downloads the certificate.

Chapter 3: Open Source Software and PKI in Brazil

3.1. Current Open Source Software Situation in Brazil

The emergence of virtual network communities of developers and users, organized by
different groups with different motivations, and the existence of new forms of software
licensing have signalled the introduction of new variables in the software industry. The open
source software model has aroused interest and raised debate in various areas (government,
academia, businesses, etc.) in Brazil [43]. Open source software is emerging as a strategic
option for technological development aimed at social inclusion, based on successful
experiences in various locations in Brazil.

The Brazilian government is actively encouraging, or even requiring, future IT projects to
consider open source as an option. The Brazilian government is stimulating the use of open
source software in the public sphere by using free alternatives and giving preferential
treatment by encouraging the development of open source software by Brazilian developers
[44].

The main motivations of the Brazilian government for developing a program to adopt open
source software in the public sector include: software cost savings, greater security of
government information, the expansion of the autonomy and technological capacity of the
country, acting as a facilitator for communication and dissemination of the local community’s
activities, supporting initiatives by means of representation, and promoting software exports.

In 2000, the Brazilian Government launched the foundation of a “digital society” by creating
an inter-ministerial committee in order to examine and propose policies, guidelines and
standards related to a new electronic government [45].

Following are the guidelines for the implementation of open source software in the Brazilian
federal government [46]:

1. Prioritize solutions, services and programs based on open source software which
promote the optimization of resources and investments in information technology
2. Prioritize the web platform in the development of systems and user interfaces
3. Adopt open standards in the information technology and communications
development, as well as multiplatform development of services and applications
4. Propagate the use of open source software
5. Increase the network services provided to citizens through open source software
6. Guarantee to every citizen the right of access to public services without requiring them
to use specific platforms
7. Use open source software as the basis for digital inclusion programs
8. Ensure full auditability and security of systems, respecting confidentiality and security
laws
9. Pursue interoperability with legacy systems
10. Restrict the growth of the legacy based on proprietary technology
11. Perform a gradual migration from proprietary systems
12. Prioritize the acquisition of hardware compatible with open platforms
13. Ensure free distribution of open source software systems in a collaborative and
voluntary manner
14. Strengthen and share existing open source software inside and outside government
15. Encourage and promote the national market to adopt new business models in
information technology and communications based on open source software
16. Promote the conditions for changing the organizational culture towards the adoption of
open source software
17. Promote capacity / training of civil servants in using open source software
18. Formulate a national open source software policy

An aggressive open source software policy was formed in 2003 by the Brazilian government.
The document “Strategic planning for implementation of open source software” [47] discloses
the results of several workshops promoted by the Free Software Technical Implementation
Chamber, coordinated by ITI – the Brazilian National Institute of Information Technology,
and presented the strategic guidelines that should be followed for the implementation of open
source software in the federal government through the formulation of national policy. The
Brazilian president Mr. Luiz Inácio Lula da Silva, in the Enactment of October 29, 2003[88],
established eight technical committees in order to articulate and coordinate the planning and
implementation of open source software, digital inclusion and integration of systems, among
other issues. Increasingly, Brazil's federal government and state government agencies are
abandoning proprietary software in favour of open source software [48].

3.1.1. Policies for Technological and Industrial Development

Digital inclusion is the democratization of access to information technologies, to enable the
inclusion of everyone in the information society. The following three basic tools are
necessary for digital inclusion to happen [49]:

• Computer
• Network access
• Mastery of the above tools

The use of open source software in digital inclusion programs generates large savings because
no license fees are paid. The policy of digital inclusion in Brazil is strongly related to the use
of open source software. The Brazilian Government is implementing and supporting efforts
for digital inclusion through a number of programs and agencies, including [50]:

• Brazilian Digital Inclusion Program

The Brazilian government’s efforts to use open source software as a model of digital culture
to develop new forms of digital inclusion resulted in a merger of all actions and programs of
digital inclusion being implemented in Brazil into a single program called the Brazilian
Digital Inclusion Program. The objective of the program is to facilitate computer purchases
through a reduction in price and increase the number of users of computers that have access to
the internet.

The program has created community managed centres that offer free internet access using
open source software. Training in using open source software, free of charge, was given to
civil servants. The aim of the courses is not only to give the civil servants the skills they need
to use open source software in government offices, but also to give them knowledge over
open source software that they can then share with the larger community.

• Computers for all

Targeted to class C, this initiative allows industry and retailers to offer computers and Internet
access at subsidized prices, with a specific line of financing, in addition to exemption of some
taxes. The equipment must use open source software.

• Computers for Inclusion Project

A national system of refurbishing used computers, donated by public and private
initiatives, refurbished for low-income youth in vocational training, and distributed to
telecentres, schools and libraries around the country.

• Digital Culture

The Digital Culture activity allows the installation of equipment and training of local staff for
producing and exchanging video, audio, photography and digital multimedia products using
open source software, plus connection to the Internet.

• Brazil House

Multifunctional spaces of knowledge and citizenship in communities with a low Human
Development Index, created through partnerships with local institutions. In each “Brazil
House” unit there is a telecentre, using open source software, and at least two other modules,
which can be a public library, an auditorium, a multimedia studio, a radio broadcasting centre,
a laboratory for popularizing science or a workshop for maintenance of computer equipment,
a space for community activities, as well as a module of banking inclusion in localities where
possible.

• Telecentres

Public and community telecentres are spaces that provide public and free access to
information and communication technologies, with computers connected to the Internet,
available to multiple users, including free and assisted navigation, courses and other activities
for promoting local development in its diverse dimensions. Telecentres are supposed to be
maintained by public entities or by private non-profit entities. The telecentres are placed in
shopping malls or other public places.

• National Broadband Plan

National Broadband Plan is an initiative from the Brazilian government to provide broadband
internet access throughout the country to individuals, government institutions, businesses and
civil societies that do not have access to this service yet.

The government aims to reduce both social and economic inequalities, besides generating
more jobs and gaining a competitive advantage in international business, by setting up the
necessary infrastructure that allows data communication in non-metropolitan areas of the
country.

3.1.2. Brazilian Public Software

The concept of Brazilian Public Software is used as one of the foundations to set the use
policy and development of software by public sector in Brazil. This policy includes the
relationship between the public entities, in all units of the federation, and other spheres of
government, and those with private companies and society [51].

The information collected for this sub-item was obtained from the text that describes the
experience of the Consortium for Software Development CACIC, coordinated by the
Secretariat of Logistics and Information Technology of the Ministry of Planning of the
Brazilian government. CACIC is a hardware and software inventory tool, and it was the first
public software from the Brazilian federal government [52]. CACIC stands for ‘Auto
Configurator and Computer Information Collector’. The software CACIC was the protagonist
of a new business model in the software segment, called Brazilian Public Software [53].

The state of Rio Grande do Sul was a pioneer in institutionalizing the development and use
of open source software in Brazil. In 2001, PROCERGS, a public data processing company
in Rio Grande do Sul, developed and released an e-mail solution as open source software.
The justification for making the software available as open source was that, since it was
developed using public resources, it should be available publicly.

However, in 2003, with the change of the state government, PROCERGS withdrew access to
the software code, citing legal issues. This had a great impact on all other government
agencies that wanted to release some of their solutions as open source software.

With the second version of the General Public License (GPL), which conceptually
strengthened free software, Brazilian governments (federal, state and municipal) began to
seek ways of using this license or other similar licenses to sustain the sharing of their
solutions among public sector institutions. However, there were still legal obstacles to
completing the process of releasing to society the programs paid for by public funds.

Among the restrictions on releasing solutions developed by government authorities as open
source software, there were financial, cultural, technological and legal aspects, summarized
as follows:

• Fear of the developer institution regarding:
o Being overloaded by demands for support services and customization by other
users of the solution, without reimbursement
o Possible legal restrictions arising from the transfer and use of goods produced
within the public sector
o Risks regarding the safety of government information managed by the solution
due to the publication of source code
o Appropriation of source code by private institutions, with the consequent locking
of access to improvements made
o Sustaining the quality of the solution to meet the increasing demands
• Fear of potential users regarding changes in the rules of access to the software,
discontinuity of the solution, etc.
• Lack of universal standards to develop and document programs
• Lack of knowledge of similar good practices
• Complex relationships between the sectors (public, private, non-profit and individual
contributors), where all the actors have roles necessary for the full functioning of a
community.

With all this background, there was a need for a standard copyright contract that provided
legal support to the development of open source software by the Brazilian government.

The software CACIC represented an important step in consolidating the concept of Public
Software in Brazil and led to a significant widening of interest in open source software,
which now includes students, universities, private companies, NGOs, state governments,
municipalities, and legislative and judicial institutions. In other words, what seemed at first to
be strictly a demand of the Federal Public Administration turned out to be of interest to a
significant segment of society, and it even played a major role in the adoption of open source
software by the governments of Argentina, Paraguay and Venezuela.

In 2007, the Brazilian Public Software Portal was established for the materialization of the
concept of Public Software. The purpose of the portal was to create a virtual space to bring
the demand for services and supply into better balance, for the solutions available on the
portal. The portal has a national scope and meets all segments of society and the economy and
all government institutions [54].

3.2. Current PKI Situation in Brazil

The Brazilian public sector is undergoing unprecedented changes with increasing emphasis on
efficient and economic service delivery focused on citizens. The Brazilian government is
reforming its public services to anticipate a new era of e-Government. At the same time the e-
Government initiatives are implemented in the public sector, organizations are faced with new
challenges that involve much more than just the provision of electronic services to citizens
and companies [55]. There is a strong focus on improving processes and technologies used in
providing these public services. Information security, protection of infrastructure and
compliance with regulations and laws are important items in the new reform process [56]. The
Brazilian government has taken several steps forward in enhancing the development of
internet-related issues, in particular e-government, thus creating the Brazilian Public Key
Infrastructure (ICP-Brazil) to implement digital certificates [57]. Digital certificates ensure
confidentiality, authenticity and integrity to perform electronic transactions with greater
security [58].

3.2.1. ICP-Brazil

ICP is the Brazilian acronym for PKI (Public Key Infrastructure); the suffix “Brazil” refers to
the infrastructure created in Brazil, also known as the National Digital Certification System [59].

ICP-Brazil is a structure composed of one or more certifying units denominated Certificate
Authorities (CAs), together with a set of techniques and procedures supporting a cryptographic
system based on digital certificates, which ensures the identity of a user of electronic media or
the authenticity of a document supported or maintained in electronic media [60].

The various public key infrastructures existing in the world today can in fact ensure the
authenticity of the digital signatures currently used in the worldwide computer network. They
make it possible, with a very high level of security, to ensure that an e-mail user, for example,
is actually the originator of the message and that the receiver is actually who they claim to
be. In the Brazilian case, ICP-Brazil is characterized by a vertical or hierarchical system, with
a root CA (a role performed by the National Institute of Information Technology, ITI) which
accredits and audits the CAs belonging to the system (Appendix A).

ICP-Brazil was created by a Provisional Measure (No. 2.200-2, of August 24, 2001). Based on
that Provisional Measure (PM), the regulations governing the activities of the entities that are
members of the Brazilian Public Key Infrastructure were prepared: resolutions of the
Management Committee of ICP-Brazil, regulatory instructions and other documents.

For a Certificate Authority to use the certification process of ICP-Brazil, it must be accredited
by the first authority in the system of Brazilian certification, the CA-Root [61].

Once accredited by the CA-Root, it is the responsibility of the Certificate Authorities to issue,
dispatch, distribute, revoke and manage certificates and make available to the users lists of
revoked certificates and other relevant information and maintain records of their operations
[61].

The CA-Root, the first Certificate Authority of ICP-Brazil, does not issue certificates to end
users, only to the various Certificate Authorities that are accredited by it [61]. The other CAs
accredited by the CA-Root can issue digital certificates. The cryptographic key pair is always
generated by the holder [61].

Since the creation of ICP-Brazil, which was the cornerstone for the growth of digital
certification in Brazil, the biggest challenge of entities related to that market has been the
popularization of the theme for various areas of society. One of the great initiatives of
visibility was the launch of the first versions of the e-CPF and e-CNPJ, which allow the user
to access the services of the Brazilian Revenue Service (IRS) available at the Virtual Center
for Taxpayer Access (e-CAC), which previously only was allowed to be done in person or by
post [62].

The e-CPF is the electronic version of the CPF (Individual Taxpayer Identification Number),
which guarantees the authenticity and integrity in electronic transactions of individuals [63].
The e-CNPJ is the electronic version of the CNPJ (Federal Company Taxpayer Number),
which guarantees the authenticity and integrity of electronic transactions of corporations [64].
The most prominent nationwide project released by the federal government that makes use of
PKI technology is the NF-e (electronic invoice). Electronic Invoicing (NF-e) is the delivery
of invoices electronically, whose legal validity is ensured by digital signatures. It was
instituted in Brazil in 07/2007. The implementation of NF-e resulted in a great benefit for the
taxpayer in the sense that it de-bureaucratized processes. On the government side, the NF-e
strengthens control and supervision through the exchange of information between tax
administrations [65].

3.2.2. E-ping - Interoperability

The Brazilian Electronic Government Interoperability Standards (e-PING) architecture is a set
of premises, policies and technical specifications that regulate the usage of Information and
Communication Technology (ICT) regarding interoperability of electronic government
services, establishing conditions for them to interact with the remaining branches and spheres
of government and with society in general [66].

The areas covered by e-PING are segmented in:

• Interconnectivity
• Security
• Means of Access
• Organization and Exchange of Information
• Areas for Electronic Government Integration

Clearly defined policies and specifications for interoperability and information management
are essential to facilitate the connection of the government, both internally and in contact with
society and, to a greater level of coverage, with the rest of the world - other governments and
companies operating in world market [67].

In Brazil, according to Resolution n.36 of 21/10/2004, the media that store digital certificates
and their readers, the systems and equipment required for the implementation of digital
certification, shall meet the minimum technical standards and specifications, to ensure the
interoperability and reliability of information security resources they use [68].

3.2.3. Internet Rules and Regulations

In the mid-90s, the emergence of home Internet access in Brazil and the expansion of its use,
previously restricted to the institutional sphere, raised the need for the law to evolve to follow
technological innovations. From this need came Law 11 419/2006, concerning the
computerization of the judicial process and introducing changes in the Brazilian Civil
Procedure Code [69]. The law in question sets the basic guidelines imposed on all judicial
instances of the country to computerize the process, eliminating the paper document and
introducing rules to manage the digital document.

However, Brazil does not have enough rules and regulations governing the operation of the
Internet. There is no specific legislation for the protection, storage and confidentiality of
personal data; Brazil has only sector regulations, which do not directly address the
issue of privacy [70].

The protection of consumers' data is important not only for shopping via the Internet, but also for
physical purchases. In the absence of regulations in Brazil, there are
companies that offer sales services on the Internet without establishing a clear relationship with
consumers regarding the usage policy for their data and personal information. Brazilian companies and
consumers do not know what is permitted or prohibited regarding the use of the Internet.

In Brazil, despite massive investments by financial institutions in preventing and
combating electronic fraud, this type of crime causes losses of many millions every year to
banks. The most common frauds involve cards, and frauds via the Internet represent
almost 30% of the total [71].

The amounts lost through fraud and the expense required to combat it effectively represent a
cost to society. The effects are felt directly by the institutions and indirectly by consumers,
who suffer, for example, through high tariffs [72]. Concerned about the problem, the Brazilian
government is restructuring in order to improve the legislation and to supervise and punish with the utmost
rigor.

Currently, there are open debates and discussions in Brazil on Internet issues, from which the
federal government will set new rules and regulations to govern the operation of the Internet.

3.2.4. Examples of PKI in Different Sectors in Brazil

Examples of practical use of electronic signatures with digital certification in Brazil [73]:

• Federal Revenue of Brazil – IRS
o Consultation on the tax situation of individuals and corporations
o Change of address for individuals
o Postal address: report of procedures that occurred for a Physical Person (PF) or
Juridical Person (PJ)
o Payment of taxes made by PF and PJ
o Monitoring the processing of the individual income tax declaration

• Judiciary
o Digital signature on petitions and cases processed by the national justice system
o Judicial expertise: electronic filing of petitions and expert reports, as well
as challenges, enabling all types of legal action

• HomologNet - Approval of rescission of a work contract
o Government project providing for the approval of the rescission of a work contract
online, using the digital certificate

• Notary's office
o Protests: negative protest certificate or certificate of protest
o Civil registration: birth, marriage and death

• Financial System
o Banking transactions by electronic means, with a high level of security
and greater protection for the account holder's access to a variety of services

• Electronic Government
o SICAF (cadastral information system for suppliers)
o Participation in electronic auctions with the digital certificate
o The Electronic Stock Trading (BEC)
o NSA (National Agency of Supplemental Health)
o Ministry of Labour

• City Hall - Secretary of Finance
o Access to the electronic invoice system
o Integrated Information System Social Security (Siprev)

• E-Commerce
• E-mail
• INPI - National Institute of Intellectual Property

Most users are unaware that they are making use of PKI technology; this is the case in many
banking applications. Currently, the most obvious example of its applicability in Brazil is the
electronic invoice (NF-e). The NF-e project aims to implement a national model for electronic
tax documents that will replace the current system. In other words, paper documents are replaced
by digital documents, with legal validity guaranteed by the digital signature of the sender.

Another major expectation for the use of digital certification is in the health care area, with the
approval of Electronic Medical Records for users of the Unified Health System (SUS). The
Electronic Medical Records will facilitate citizens' access to information and improve the
management of health care. Among the requirements is the use of a digital certificate [74].

The use of digital certificates is already popular among medium and large corporations, in
systems that cannot operate without digital signatures, such as electronic invoicing and
income tax declarations. The challenge now is to popularize the use of digital certificates
among lawyers, who will be the first group of professionals to use a variety of procedural
practices online [75].

3.2.5. RIC – Unique National Identification

The identity card, popularly known as ID or RG (from Registro Geral, General Registry), is
the national civil identification document in Brazil. It contains the name, date of birth, date
of issue, parentage, photograph, signature and thumbprint of the holder [76].

State governments are responsible for issuing the RG, and the identity card is valid throughout
the national territory. Interestingly, there is no legal restriction on requesting another RG in
another state of the federation: one simply goes to the responsible agency with the necessary
documentation and requests it. So not only is it possible for one person to have the same
identification number as a person from another state (which is usually dealt with by
specifying the state that issued the identification card), but it is also possible to (legally)
hold more than one civil identification, issued by different states. Citizens may thus hold
several identity documents from different states, all fully valid throughout the country.

On 05/05/2010 the Brazilian government signed Enactment No. 7.166, establishing the
National Registry of Civil Identification and its Management Committee, among other
matters [77]. The new Civilian Identity Registry (RIC) will prevent the multiplicity of identity
cards requested by a citizen in various states of the Federation. From the standpoint of
security, the great change is the technology involved in creating the RIC, which will resemble
a credit card.

As of 25/08/2010, the technical specifications of the new document are not yet fully
defined. The objective is to deliver 150 million new identity cards in nine years, beginning the
process in 2011, with the projection of reaching all Brazilian host cities of the 2014 World
Cup. There is a consensus among the organizers of the RIC Management Committee that
the cards will have a minimum durability of 10 years. The chip will store biometric and
biographical information about the citizen, as well as a digital certificate that
will identify the citizen in virtual transactions. This was stated by Mr. Renato Martini, president
of the Institute of Information Technology (ITI), during an interview (Brasilia, 2010/06/08)¹.

¹ After this research was concluded, the inclusion of the digital certificate in the RIC (new Brazilian
Civilian Identity Registry) was approved on 2010/09/15. Available at
http://www.iti.gov.br/twiki/bin/view/Noticias/PressRelease2010Sep16_230856, last checked 2010/10/07.

“Besides the strategic and social importance of having a reliable national civil registry, the
RIC is a real possibility of having a virtual identity for all citizens; a digital certificate in each
new RIC means adopting a mass policy of digital certification. The digital certificate built into
the RIC will facilitate the citizens' identification in online transactions when necessary,
providing security and speed in certain processes”, said Mr. Renato Martini.

3.2.6. The Brazilian National PKI

João-de-Barro is the name of the cryptographic platform developed for the Root Certificate
Authority of the Brazilian Public Key Infrastructure (ICP-Brazil). This platform, also known as
the security module, consists of hardware and software developed with national
technology and is responsible for issuing and revoking the Root CA certificate and for
managing the certificates of the first-level Certificate Authorities [78].
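To make the root CA responsibilities just described concrete, the following Go program (an example written for this page, not João-de-Barro's or ICP-Brazil's software) builds the two-level structure with the standard library: a self-signed root issues a first-level CA certificate, publishes a CRL revoking it, and a relying party checks both the chain and the CRL. CA names, serial numbers, the P-256 ECDSA key algorithm and the validity periods are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA pairs a certificate with the private key that signs under it.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// IssueCA creates a CA certificate. With parent == nil it is self-signed
// (the root); otherwise it is a first-level CA signed by parent's key.
// P-256 ECDSA keys and the validity periods are assumptions of this example.
func IssueCA(name string, serial int64, years int, parent *CA) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// A CA key is used to sign certificates and CRLs, nothing else.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// RevokeSubordinates has the root publish a CRL that lists the given
// first-level CA certificates by serial number.
func (root *CA) RevokeSubordinates(crlNumber int64, revoked ...*x509.Certificate) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(crlNumber),
		ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), // relying parties must refuse the CRL after this
	}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, root.Cert, root.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// VerifyFirstLevel accepts a first-level CA certificate only if it chains to
// the trusted root and is within its validity period, and, when a CRL is
// supplied, only if the CRL is the root's, is not stale, and omits the serial.
func VerifyFirstLevel(root, sub *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sub.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if crl == nil {
		return nil
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL is not signed by the root: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale (next update was %s)", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(sub.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", sub.SerialNumber)
		}
	}
	return nil
}
```

The CRL check is what turns the root's revocation decision into an effect for relying parties; a verifier that only validates the chain would keep trusting a revoked first-level CA until its certificate expires.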

The major motivation for developing this new platform was that the old platform, which
generated and enabled the full certificate system in Brazil, belonged to a multinational
company and used proprietary software, which precluded auditing, according to Mr. Renato
Martini (see interview).

Resolution No. 20 of 08 May 2003 established that this new platform (hardware and software)
should be open, ensuring its full auditing, as well as the auditing of the embedded systems
present in the hardware [79].

An open platform does not mean it is open source. An open platform can comprise
software components or modules that are commercial, open source or both. An open
platform presupposes that the developer allows, and perhaps supports, the ability to do this
[80].

With the migration from proprietary software to open source software, the Brazilian
Government, through ITI, developed and disseminated open source solutions and applications,
aiming to reduce dependence on monopolies, reduce costs and promote
Brazilian technological development in industry, bringing social inclusion with this
development. Following this conception, the “João-de-Barro” was established [81]. The João-de-
Barro project is an example of the need for separation between property and knowledge.

3.2.7. Seminars for Disseminating Information

The Brazilian government has been running, annually since 2002, a series of seminars
throughout Brazil on the digital certificate and its uses. The objective of the seminars is to
deepen the knowledge of Brazilian society about the possibilities that the digital certificate
can offer to citizens, businesses and government. The target audience for the seminars is
formed by solution developers, experts, academics, students, managers at the three
governmental levels (federal, state and municipal), and consumers of the technology, among
others.

Topics discussed at the seminars included:

• Why must companies acquire a digital certificate?
• What are the main contributions of the digital certificate for the tax authorities? What is
the role of the accounting professional?
• What are the advantages of paying bills by electronic means?
• Capillary network and number of licenses issued.
• What are the main scenarios for using the digital certificate?
• João-de-Barro: the Brazilian open cryptographic platform model
• Other possibilities for the use of certification: paperless solutions, electronic document
management, digital signing of documents, among others.

Currently, many events involving open source software are organized every year in Brazil.
The country has established itself as an international reference in the use of this
technology, including the adoption by the private sector, in particular retail, which
is already beginning to adopt open source software on a large scale [82].

Chapter 4: Survey and Interviews

The survey questionnaire and interviews that we held were designed to collect
comprehensive data about open source software and PKI technology practices in Brazil, in
order to provide a realistic picture of the state of these two topics as seen by respondents. The questions asked in
both the survey and the interviews were developed by the researcher based on the previous
literature study. The survey contains 4 closed questions, where participants were asked to
choose from a number of possible answers, and 11 open questions (see Appendix B). It was
designed to take approximately 30 minutes to complete, and it was sent by email. The sectors
covered are Government Agencies, Manufacturing, Transport, Certificate Authorities,
Telecommunication, Financial, Justice and Health Care. It was not a criterion that the
companies already make use of PKI technology or open source software; it was a criterion
that all companies should have significant experience in the IT area.

The survey was sent to 359 companies located across Brazil, of which 61
responded. 18 respondents answered that they are unaware of PKI technology and
open source software, so 43 survey responses were analyzed. Among the companies that
responded to the survey were several large corporations, such as ITI, Serpro, Certising,
PROCERGS, MaxxData and Tecnoworld.

The full interviews are available in Appendix C, in the order in which they were performed. The whole
experience of the interviews is reported in this research report in order to strengthen elements
that would bring reflections to the readers. After translation and transcription, each
interview was sent to the interviewee, who was asked to read and authorize it.

Through the interviews and research conducted (43 questionnaires, 17 interviews, direct and
indirect observations), it is clear that, with respect to open source software, the most
important goals are to achieve technological autonomy and to establish collaborative
development practices.

From the technical point of view, the respondents think that Open Source PKI aims to provide
convenience to the IT industry by giving it the flexibility to decide which software to adopt
based on a technical evaluation of the software code, instead of choosing closed software
that relies on security through obscurity. At the same time, Open Source PKI can provide the
opportunity to develop local technology by sharing knowledge.

According to the respondents, from a social benefit point of view, Open Source PKI can
contribute to generating more jobs and increasing income, as it can represent a response to the growing
global demand for PKI technology, in the sense that it can decrease cost and complexity.

All respondents highlighted that the open source concept has an important role
regarding security and interoperability issues. They said that open source increases
security because the code is available, and reduces interoperability problems because many open
source programs make use of open standards.

However, there are some issues to consider when deploying open source, such as the
following:

• Some respondents (5%) pointed to the way updates are made available as one obstacle to large
companies adopting open source software. According to them, open source
developers are not concerned with large-scale installations, since for each new
version the whole program must be installed again.

• The majority of respondents (60%) said that legacy systems and support
decrease the adoption of open source software.

• 48% of the respondents said that the company must bear in mind that open source
software is not free, and that adopting it depends on the necessary investment and the result
that the company can get from it.

• 35% of respondents agree that companies which adopt open source
software need a skilled technical team in-house.

Asked what could increase the adoption of open source software, 60 percent of
respondents said that end users still show great resistance to adopting open source software, and that
this could be minimized if schools provided more contact with it.

A high percentage of respondents (69%) agree that when the government adopts open source
software as state policy, it in some way influences Brazilian society in general,
including businesses.

Regarding PKI technology, the vast majority of respondents (93%) said:

• The most important PKI applications in Brazil are:
o Web Server Security
o Document Signing
o Electronic Commerce

• The least important PKI application is Secure Wireless LAN

• The major obstacles to PKI deployment and usage identified by the survey are:
o Software applications don't support it
o PKI poorly understood
o Hard for end users to use
o Hard to get started – too complex
o Cost too high and return on investment difficult to measure
o One respondent said: “Actually the biggest challenge in Brazil is to offer a large
scale Registration Authority location for validation process based on the Brazilian
requirements (certificate validation process under physical presence).”

Regarding the Brazilian open cryptographic platform model (João-de-Barro), 68% of respondents
said that they are not aware of it. The others said that it is a very good initiative which
increases trust in the Brazilian market and among the communities that use
digital certificates for electronic transactions, and that it increases knowledge in the area. They
agree that this platform still has a long way to go in its development to achieve the
necessary adoption.

Other open source PKI products identified as being deployed in Brazil are EJBCA and the open
source Bouncy Castle. EJBCA [83] is an enterprise-class PKI Certificate Authority built on
J2EE technology, and Bouncy Castle [84] is a collection of APIs used in cryptography. It
includes APIs for both the Java and the C# programming languages.

• 38% of the respondents who answered the question about “Open Source PKI” stated:
o Open source PKI software is good for encouraging people to get started with PKI and
also for encouraging research institutions to master and develop technologies associated
with PKI.
o Open source permits a complete audit of the code, offering an increase in trust to
the market and to those who use digital certificates. In the particular case of PKI,
we believe that open source PKI is essential for security.

• Asked about the future of PKI technology in Brazil, respondents stated:
o It will be a great challenge to popularize the use of digital certificates among the
general public
o PKI can reach its full potential within companies when used to authenticate
people, avoiding the need to remember many PINs and passwords and making the
system more secure
o The digital certificate trade should change. An alternative was pointed out: instead of
charging for issuing the digital certificate, the services provided by using the
certificates should be charged for.

Essentially, we can summarize the state of PKI in Brazil as follows:

Challenges:
• High cost of PKI solutions
• Lack of skilled PKI experts
• Dissemination of digital certificates
• Applications with auditability, traceability and interoperability
• Lack of understanding of PKI, mainly among general public servants, lawyers and
accountants
• Many applications are not yet PKI enabled or PKI aware
• Other ways of using PKI technology, beyond digital certificates, still seem to be quite
unknown to the vast majority of Brazilian companies
• Network improvement
• Poorly defined rules and regulations governing operations over the Internet

Benefits:
• Greater speed of bureaucratic procedures
• Cost reduction
• Reduction in paper use

Opportunities:
• Strong government leadership and commitment
• Existence of e-government services that need PKI-based transaction security
• Starting PKI-relevant businesses earlier than the other neighbouring countries
• Unique national identification (RIC)

Strengths:
• Increased government involvement in Information and Communications Technology
sectors
• Strong will of the relevant agencies in charge of PKI technology construction
• PKI is based on the authentication, or trust, of the digital credential. The creation of
ICP-Brazil is significant for higher levels of trust
• There is a great effort by the Brazilian government to reach reasonable criteria for
interoperability, thus discarding technologies that do not interoperate

Chapter 5: Conclusion, Discussion and Future Work

Conclusions

The central question guiding this work concerns the relationship, if any, between the two
topics highlighted: PKI and open source software. It is evident that both topics are part of a
group of common strategies aimed at establishing and implementing public policies in Brazil.
For these public policies to have a democratic use, they must be included in a broader context of
development and not only in a product or application.

As the survey and interviews pointed out, the main motivation for the adoption of open source
software is still the high cost of proprietary software, but the fact that the code is open
brings new reasons, such as adjusting it as necessary, greater security, the capacity to audit
it, and beneficial impacts on social issues.

Here is an appropriate moment to record an interesting thought of Mr. Renato Martini: “Patterns
established in technical standards are necessarily public; if they are proprietary (secret) they
do not have the status of a pattern. ‘Proprietary pattern’ is nonsense – from a logical
viewpoint, this is a contradiction in terms. They are uneconomic, do not favour the industry
and are unusable for governments” [85]. With that statement Mr. Martini means that a
standard is not truly open if it does not have a complete free/open source reference
implementation available.

The general opinion of respondents gives a clear result: the most beneficial thing about
an open source product is that, in most cases, it has higher quality than a corresponding
proprietary product. They responded that the high quality of open source software is not only
because the communities report bugs in the code and help improve it, but also because
the open source product is tested in more production and test installations, often by
very skilled users who give better feedback to the development of the product. This
feedback is often given in public forums, mailing lists, blogs and so on. According to
respondents, through these discussions the product reaches higher quality and meets new
requirements faster than a corresponding proprietary product, since for proprietary products such
discussions are much less common.

It is clear that the Brazilian government's initiative to adopt open source software
as a model for promoting digital inclusion has proved a successful experience,
redefining the relationship between government and citizen, and the stimulus that open source
software gives to selling services instead of the software itself is also undeniable.
Professionals interested in a specific open source product can run
consulting businesses selling services. Open source software offers a unique opportunity for
professionals living in developing countries, because they can increase their income by selling
services, as evidenced by the Brazilian Public Software Portal. Creative attitudes and practices
are fundamental to promoting innovation, leveraging economic and social development.

Discussion

Many companies and government agencies have security rules, but the risk is still high
that information ends up in the hands of people who should not have access to it.
Regarding information security, most people don't know what is really going on, and many
of those who do know aren't telling. In today's world, where information is the basis for everything,
security and access to it are paramount.

Encryption algorithms are linked to the idea of secrecy; this follows from the fact that the
digital certificate was created in a very restricted environment. There are numerous debates
and discussions about ‘secure’ algorithms that have recently been found to be
cryptographically weak. Specialists are concluding that an encryption algorithm should
always be made available to everyone, allowing anyone to look for flaws in it.
They have also widely publicized that closed-source software can hide viruses or harmful
instructions.

Although many companies are reluctant to adopt open source software due to the lack of
support, fortunately this is becoming less of a problem, as the number of open source software
distributors and hardware vendors that integrate open source software grows. These
companies offer support and maintenance contracts that guarantee assistance and expertise
when needed.

Open source software may improve the core value of PKI technology, because it can
substantially increase knowledge, promote the development of applications with auditability,
traceability and interoperability, and disseminate PKI at low cost.

Open Source PKI may create huge value for the market by decreasing cost and complexity and
increasing interoperability, representing significant savings for Brazil and a decisive
impulse in the development of domestic technologies.

Future Work

After this research was concluded, the inclusion of the digital certificate in the
RIC (new Brazilian Civilian Identity Registry) was approved on 2010/09/15 [86]. It is expected that this
will represent a great development in the implementation of applications using PKI technology.

Based on the results presented in this thesis report, one interesting direction that we would
like to recommend, as further action, is a case study of the implementation and evaluation of one
particular open source PKI software, investigating several different aspects.

Abbreviations List

PKI Public Key Infrastructure

ICT Information and Communication Technology

FSF Free Software Foundation

OSS Open Source Software

GPL General Public License

CA Certificate Authority

SPKI Simple Public Key Infrastructure

PGP Pretty Good Privacy

RA Registration Authority

cRA Central Registration Authority

ICP-Brazil Brazilian Public Key Infrastructure (ICP from Infraestrutura de Chaves Públicas, Portuguese)

CACIC Auto Configurator and Computer Information Collector (from Configurador Automático e Coletor de Informações Computacionais, in Portuguese)

PM Provisional Measure

IRS Brazilian Revenue Service

e-CAC Virtual Center for Taxpayer Access

CPF Individual Taxpayer Identification Number

CNPJ Federal Company Taxpayer Number

NF-e Electronic Invoice

e-PING Brazilian Electronic Government Interoperability Standards

SICAF Cadastral Information System for Suppliers

BEC Electronic Stock Trading

NSA National Agency of Supplemental Health

Siprev Integrated Information System Social Security

SUS Unified Health System

RG General Registry

RIC Civilian Identity Registry

ITI Institute of Information Technology

43
References

[1] Andreas Mitrakas (2006), “Secure E-Government Web Services”, pp. 169, IGI Publishing, Hershey, PA, USA

[2] Amanda Andress (2003), “Surviving security: how to integrate people, process, and technology”, pp. 82, Taylor and Francis

[3] Carlisle Adams, Steve Lloyd (2002), “Understanding PKI: concepts, standards, and deployment considerations”, pp. 272, Addison-Wesley Professional

[4] Moreno Muffatto (2006), “Open Source – A Multidisciplinary Approach”, pp. 133, Imperial College Press; illustrated edition

[5] K.S. Sampathkumar, “Understanding Free Open Source Software”, K.S. Sampathkumar

[6] GNU Operating System - The Free Software Definition, Available at http://www.gnu.org/philosophy/free- sw.html, last checked 2010/03/15

[7] Open Source Initiative, Available at http://www.opensource.org/docs/osd, last checked 2010/03/15

[8] Andrew M. St. Laurent (2004), “Open Source & Free Software Licensing”, pp. 4, O'Reilly Media

[9] Gene K. Landy (2008), “The IT/Digital Legal Companion”, pp. 253, Syngress

[10] Andrew M. St. Laurent (2004), “Open Source & Free Software Licensing”, pp. 35, O'Reilly Media

[11] GNU General Public License, Available at http://www.gnu.org/licenses/gpl.html, last checked 2010/04/26

[12] Steve Jones (2003), “Encyclopedia of new media: an essential reference to communication and technology”, Rolf Janke

[13] Richard Stallman (1998), “Why software should not have owners”, Available at http://www.gnu.org/philosophy/why-free.html, last checked 2010/02/17
[14] Survey conducted by Computer Economics entitled “Key Advantage of Open Source is Not Cost Savings”, Available at http://computereconomics.com/custom.cfm?name=postPaymentGateway.cfm&id=1046&CFID=6776415&CFTOKEN=57718952, last checked 2010/04/15

[15] Kirk St. Amant, Brian Still (2007), “Handbook of research on open source software: technological, economic, and social perspectives”, pp. 564, IGI Global

[16] Kirk St. Amant, Brian Still (2007), “Handbook of research on open source software: technological, economic, and social perspectives”, pp. 362, IGI Global

[17] Francis Buttle (2008), “Customer Relationship Management”, pp. 85, Butterworth-Heinemann; 2nd edition

[18] The open source movement, Available at http://www.dei.isep.ipp.pt/~i030551/pros_cons.html, last checked 2010/04/16

[19] Security through obscurity, Available at http://en.wikipedia.org/wiki/Security_through_obscurity, last checked 2010/04/17

[20] Bernd Carsten Stahl (2004), “Responsible management of information systems”, pp. 59, IGI Global

[21] Jerri Ledford, Yvette Davis (2009), “Web Geek's Guide to Google Chrome”, pp. 107, Que

[22] Survey conducted by Computer Economics entitled “Key Advantage of Open Source is Not Cost Savings”, Available at http://computereconomics.com/custom.cfm?name=postPaymentGateway.cfm&id=1046&CFID=6776415&CFTOKEN=57718952, last checked 2010/04/22

[23] Sean Convery (2004), “Network security architectures”, pp. 272, Cisco Press; 2nd edition

[24] FLOSSWorld, Available at http://www.flossworld.org/, last checked 2010/04/22

[25] Free/Libre and Open Source Software: Worldwide Impact Study – D32: Track 3 International Report E-Government Study, Available at http://www.flossworld.org/deliverables/D32%20-%20Track%203%20International%20Report%20-%20E-government%20Study.pdf, last checked 2010/04/22
[26] Fork (software development), Available at http://en.wikipedia.org/wiki/Fork_(software_development), last checked 2010/05/03

[27] Sulayman K. Sowe, Ioannis G. Stamelos, and Ioannis M. Samoladas (2007), “Emerging free and open source software practices”, pp. 72, IGI Publishing; 1st edition

[28] Theodore Gyle Lewis (2006), “Critical Infrastructure Protection in Homeland Security”, pp. 451, Wiley-Interscience

[29] ISACA (2009), “CISA review manual”, pp. 330

[30] I.A. Dhotre, V.S. Bagad (2006), “Information Security”, pp. 2-44, Technical Publications

[31] Carl F. Endorf (2002), “Secured Computing: A SSCP Study Guide”, pp. 112, Trafford Publishing

[32] Public Certificate, Available at http://en.wikipedia.org/wiki/Public_key_certificate, last checked 2010/04/28

[33] Vern A. Dubendorf (2003), “Wireless data technologies”, pp. 192, Wiley

[34] David L. Cannon (2008), “CISA Certified Information Systems Auditor Study Guide”, Sybex; 2nd edition

[35] Carlisle Adams, Steve Lloyd (2002), “Understanding PKI: concepts, standards, and deployment considerations”, pp. 70, Addison-Wesley Professional; 2nd edition

[36] Emmett Dulaney (2006), “CompTIA Security+ Study Guide”, 4th edition, pp. 369

[37] Carlisle Adams, Steve Lloyd (2002), “Understanding PKI: concepts, standards, and deployment considerations”, pp. 85, Addison-Wesley Professional; 2nd edition

[38] Charles P. Pfleeger, Shari Lawrence Pfleeger (2003), “Security in computing”, pp. 437, Prentice Hall PTR; 3rd edition

[39] Charles P. Pfleeger, Shari Lawrence Pfleeger (2003), “Security in computing”, pp. 437, Prentice Hall PTR; 3rd edition
[40] Emmett Dulaney (2008), “CompTIA Security+ Study Guide: Exam SY0-201”, p. 332, Sybex, 4th edition

[41] Emmett Dulaney (2008), “CompTIA Security+ Study Guide”, p. 333, Sybex, 4th edition

[42] General PKI Architecture, available at http://www.dcoce.ox.ac.uk/images/RequestSummaryloRes.png, last checked 2010/10/03

[43] The New York Times, “Brazil: Free Software's Biggest and Best Friend”, available at http://www.nytimes.com/2005/03/29/technology/29computer.html, last checked 2010/10/01

[44] Benedicte Bull and Desmond McNeill, University of Warwick (2006), “Development Issues in Global Governance: Public-Private Partnerships and Market Multilateralism”, p. 123, Routledge, new edition

[45] “Guia Livre – Referência de Migração para Software Livre do Governo Federal” (Free Guide – Reference for Migration to Free Software in the Federal Government), 2004, p. 24, available at http://www.dnocs.gov.br/php/util/downloads_file.php?&dir=&file=/home/util/livres/ebooks/software_livre/guia_livre_ipiranga_v095.pdf, last checked 2010/10/01

[46] Planejamento Estratégico para Implementação de Software Livre (Strategic Planning for the Implementation of Free Software), available at http://www.softwarelivre.gov.br/clientes/softwarelivre/softwarelivre/planejamento-cisl/planejamentos-anteriores-1/copy_of_index_html, last checked 2010/10/01

[47] Guidelines on Implementation of Free Software in the Federal Government, available at http://www.softwarelivre.gov.br/clientes/softwarelivre/softwarelivre/planejamento-cisl/planejamentos-anteriores-1/copy_of_index_html, last checked 2010/05/16

[48] Ashish Arora and Alfonso Gambardella (2006), “From Underdogs to Tigers: The Rise and Growth of the Software Industry in Brazil, China, India, Ireland, and Israel”, p. 117, Oxford University Press, USA

[49] Digital Inclusion, available at http://pt.wikipedia.org/wiki/Inclus%C3%A3o_digital, last checked 2010/10/01

[50] Digital Inclusion, available at http://inclusaodigital.gov.br/outros-programas#projeto-computadores-para-inclusao, last checked 2010/06/26
[51] Brazilian Public Software, available at http://www.softwarepublico.gov.br/O_que_e_o_SPB, last checked 2010/10/01

[52] Software CACIC, available at http://softwarepublico.gov.br/ver-comunidade?community_id=3585, last checked 2010/08/02

[53] Public Software, available at http://www.softwarepublico.gov.br/spb/ArtigoMatConceitoSPB, last checked 2010/08/02

[54] Materialization of the Concept of Brazilian Public Software, available at http://www.softwarepublico.gov.br/O_que_e_o_SPB, last checked 2010/10/01

[55] Brazilian Electronic Government – Actions and Activities, available at http://www.governoeletronico.gov.br/acoes-e-projetos, last checked 2010/10/01

[56] Brazilian Electronic Government, available at http://www.governoeletronico.gov.br/o-gov.br/historico, last checked 2010/10/01

[57] ICP-Brazil – Brazilian Electronic Government, available at http://pt.wikipedia.org/wiki/Instituto_Nacional_de_Tecnologia_da_Informa%C3%A7%C3%A3o, last checked 2010/10/01

[58] Dennis Campbell (2006), “The Internet: Laws and Regulatory Regimes”, p. 137, Lulu.com

[59] ICP-Brazil, available at http://www.iti.gov.br/twiki/bin/view/ITI/Apresentacao, last checked 2010/08/23

[60] ICP-Brazil, available at http://pt.wikipedia.org/wiki/ICP-BRASIL, last checked 2010/10/02

[61] The Brazilian Provisional Measure 2.200-2 – ICP-Brazil (2001), available at http://www.iti.gov.br/twiki/pub/Certificacao/MedidaProvisoria/MEDIDA_PROVIS_RIA_2_200_2_D.PDF, last checked 2010/10/07

[62] Digital Certificates, available at http://www.receita.fazenda.gov.br/atendvirtual/InformacoesBasicas/certificados_digitais_v6.html, last checked 2010/10/02
[63] e-CPF Definition, available at http://en.wikipedia.org/wiki/Cadastro_de_Pessoas_F%C3%ADsicas, last checked 2010/10/02

[64] e-CNPJ Definition, available at http://pt.wikipedia.org/wiki/IN_969, last checked 2010/10/02

[65] NF-e (Electronic Invoice), available at http://computerworld.uol.com.br/gestao/2010/06/21/nf-e-sera-obrigatoria-para-1-milhao-de-empresas-ate-dezembro/, last checked 2010/10/02

[66] Interoperability Standards for Electronic Government, available at http://www.governoeletronico.gov.br/acoes-e-projetos/e-ping-padroes-de-interoperabilidade, last checked 2010/08/20

[67] Interoperability Standards for Electronic Government, available at http://www.governoeletronico.gov.br/acoes-e-projetos/e-ping-padroes-de-interoperabilidade, last checked 2010/10/02

[68] Reference Document of the e-PING – Version 2010, p. 38, available at http://www.governoeletronico.gov.br/anexos/e-ping-versao-4.0, last checked 2010/10/02

[69] Alexandre Atheniense (2010), “Comments on Act 11.419/06 and the Practice and Procedure by Electronic Means in Brazilian Courts”, p. 29, Juruá Editora

[70] Interview with Mr. Alexandre Atheniense, question no. 6, see Appendix B

[71] Scams via the web account for 30% of electronic fraud, available at http://softwarelivre.org/portal/golpes-via-web-representam-30-das-fraudes-eletronicas, last accessed 2010/09/23

[72] Bank Fraud, available at http://www.febraban.org.br/p5a_52gt34++5cv8_4466+ff145afbb52ffrtg33fe36455li5411pp+e/sitefebraban/Seguran%E7a%20Um%20compromisso%20de%20bancos%20e%20clientes.pdf, last accessed 2010/08/19

[73] Examples of PKI in Brazil (part of the list from the website), available at http://correios.com.br/produtos_servicos/certificacaoDigital/informacao.cfm, last accessed 2010/07/21
[74] Patient Electronic Medical Record, available at http://www.senado.gov.br/noticias/verNoticia.aspx?codNoticia=%20100512&codAplicativo=2, last checked 2010/10/02

[75] Practical Examples of the Use of Digital Certification in Brazil, available at http://www.dnt.adv.br/noticias/documento-eletronico/conheca-exemplos-praticos-do-uso-do-certificado-digital-no-brasil/, last checked 2010/10/02

[76] Brazilian Identity Card, available at http://pt.wikipedia.org/wiki/C%C3%A9dula_de_identidade, last checked 2010/10/02

[77] Decree no. 7166, available at http://www.planalto.gov.br/ccivil_03/_Ato2007-2010/2010/Decreto/D7166.htm, last checked 2010/08/20

[78] João-de-Barro Project, available at http://www.iti.gov.br/twiki/bin/view/Swlivre/JoaoDeBarro, last checked 2010/08/22

[79] Resolution no. 20 of May 8th, 2003, available at http://www.iti.gov.br/twiki/pub/Certificacao/Resolucoes/RESOLU__O_20_DE_08_05_2003.PDF, last checked 2010/08/28

[80] Open Platform description, available at http://en.wikipedia.org/wiki/Open_Platform, last checked 2010/08/28

[81] João-de-Barro: Open Platform, available at http://www.cgu.gov.br/Publicacoes/BGU/2004/Volume1/C%20-%20002.pdf, p. C-21, last checked 2010/08/28

[82] Free Guide – Reference Migration to Free Software, Free Guide version 1.0, 2005, p. 7, available at http://www.governoeletronico.gov.br/acoes-e-projetos/guia-livre, last checked 2010/08/18

[83] EJBCA description, available at http://www.primekey.se/Products/EJBCA+PKI/, last checked 2010/08/19

[84] Bouncy Castle description, available at http://en.wikipedia.org/wiki/Bouncy_Castle_(cryptography), last checked 2010/08/19
[85] Renato Martini (2008), “Technology and Digital Citizenship: Technology, Society and Security”, p. 15, BRASPORT

[86] Brazilian citizen will have electronic identity, available at http://www.iti.gov.br/twiki/bin/view/Noticias/PressRelease2010Sep16_230856, last checked 2010/10/07

[87] Avdesh Gupta and Anurag Malik (2005), “Management Information Systems”, p. 242, Firewall Media

[88] Decree of 29 October 2003, available at http://www.governoeletronico.gov.br/o-gov.br/legislacao/decreto-de-29-de-outubro-de-2003, last checked 2010/10/28
Appendix A – Provisional Measure 2.200

ICP-Brazil was legally created by Provisional Measure 2.200, last reissued on August 24th, 2001.

Below is the full text of the Provisional Measure (translated from the Portuguese original).

Source available at:
http://www.iti.gov.br/twiki/pub/Certificacao/MedidaProvisoria/MEDIDA_PROVIS_RIA_2_200_2_D.PDF, last
checked 2010/08/16

Provisional Measure 2.200-2, August 24th, 2001.

Establishes the Brazilian Public Key Infrastructure (ICP-Brazil), transforms the National
Institute of Information Technology into an autarchy, and makes other provisions.

The President of the Republic, in the use of the powers conferred by Article 62 of the
Constitution, enacts the following Provisional Measure, with force of law:

Art. 1. The Brazilian Public Key Infrastructure (ICP-Brazil) is hereby created to ensure the
authenticity, integrity and legal validity of electronic documents, of supporting applications
and of enabled applications that use digital certificates, as well as the performance of secure
electronic transactions.

Art. 2. ICP-Brazil, whose organization shall be defined by regulation, shall be composed of a
policy-managing authority and of the chain of certification authorities, formed by the Root
Certificate Authority (CA-Root), the Certificate Authorities (CAs) and the Registration
Authorities (RAs).

Art. 3. The function of policy-managing authority shall be exercised by the Management
Committee of ICP-Brazil, subordinated to the Civil House of the Presidency of the Republic
and composed of five representatives of civil society, drawn from the interested sectors and
appointed by the President of the Republic, and one representative of each of the following
bodies, designated by their heads:
I - Ministry of Justice;
II - Ministry of Finance;
III - Ministry of Development, Industry and Foreign Trade;
IV - Ministry of Planning, Budget and Administration;
V - Ministry of Science and Technology;
VI - Civil House of the Presidency of the Republic; and
VII - Institutional Security Cabinet of the Presidency of the Republic.

§ 1º The coordination of the Management Committee of ICP-Brazil shall be exercised by the
representative of the Civil House of the Presidency of the Republic.

§ 2º The representatives of civil society shall be appointed for a term of two years, which may
be extended.

§ 3º Participation in the Management Committee of ICP-Brazil is of relevant public interest
and shall not be remunerated.

§ 4º The Management Committee of ICP-Brazil shall have an Executive Secretariat, as prescribed
by regulation.

Art. 4. The Management Committee of ICP-Brazil is competent to:

I. adopt the measures necessary to establish ICP-Brazil;
II. establish the policy, criteria and technical standards for the accreditation of CAs, RAs
and other service providers supporting ICP-Brazil, at all levels of the certification chain;
III. establish the certification policy and the operational rules of the CA-Root;
IV. homologate, audit and supervise the CA-Root and its service providers;
V. establish guidelines and technical standards for the implementation of the certificate
policies and operational rules of the CAs and RAs, and define the levels of the certification
chain;
VI. approve certificate policies, certification practice statements and operational rules,
accredit and authorize the operation of CAs and RAs, and authorize the CA-Root to issue the
corresponding certificates;
VII. identify and evaluate the policies of external PKIs, negotiate and approve bilateral
certification agreements, cross-certification, interoperability rules and other forms of
international cooperation, and certify, where applicable, their compatibility with ICP-Brazil,
observing the provisions of international treaties, agreements and acts;
VIII. update, adjust and revise the procedures and practices established for ICP-Brazil, ensure
their compatibility, and promote the technological updating of the system and its conformity
with the security policies.

Sole paragraph. The Management Committee may delegate assignments to the CA-Root.

Art. 5. The CA-Root, the highest authority in the certification chain and executor of the
certification policies and of the technical and operational rules approved by the Management
Committee of ICP-Brazil, is competent to issue, distribute, revoke and manage the certificates of
the CAs at the level immediately below its own; to manage the list of issued, revoked and expired
certificates; to carry out auditing activities over the CAs, the RAs and the service providers,
in accordance with the technical guidelines and rules established by the Management Committee
of ICP-Brazil; and to exercise other attributions assigned to it by the managing authority.

Sole paragraph. The CA-Root is forbidden from issuing certificates to end users.

Art. 6. The CAs, entities accredited to issue digital certificates binding pairs of cryptographic
keys to their respective holders, are competent to issue, distribute, revoke and manage the
certificates, as well as to make available to users the lists of revoked certificates and other
information relating to the record of their operations.

Sole paragraph. The pair of cryptographic keys shall always be generated by the holder, and the
private key shall be under the holder's exclusive control, use and knowledge.

Art. 7. The RAs, entities operationally subordinated to a given CA, are competent to identify
users in their presence, to forward certificate requests to the CAs and to keep records of their
operations.

Art. 8. Subject to the criteria to be established by the Management Committee of ICP-Brazil,
both public bodies and private-law persons may be accredited as CAs and RAs.

Art. 9. CAs are forbidden from certifying any level other than the one immediately below their
own, except in cases of lateral certification or cross-certification previously approved by the
Management Committee of ICP-Brazil.

Art. 10. The electronic documents referred to in this Provisional Measure shall be considered
public or private documents for all legal purposes.

§ 1º The statements contained in electronic documents produced with the use of a certification
process accredited by ICP-Brazil are presumed truthful with respect to the signatories, as
provided in art. 131 of Law 3.071 of January 1st, 1916 (Civil Code).

§ 2º The provisions of this Provisional Measure do not preclude the use of other means of proving
the authorship and integrity of electronic documents, including means that use certificates not
issued by ICP-Brazil, provided that such means are admitted by the parties as valid or accepted
as valid by the person against whom the document is asserted.
Art. 11. The use of electronic documents for tax purposes shall additionally observe the
provisions of art. 100 of Law 5.172 of October 25th, 1966 (National Tax Code).

Art. 12. The National Institute of Information Technology (ITI), with seat in the Federal
District, has the status of an autarchy, subordinated to the Ministry of Science and Technology.

Art. 13. ITI shall be the Root Certificate Authority of the Brazilian Public Key Infrastructure.

Art. 14. In the exercise of its attributions, ITI shall conduct auditing activities and apply
penalties, as prescribed by law.

Art. 15. The basic structure of ITI shall comprise a President, a Director of Information
Technology, a Director of Public Key Infrastructure and a General Attorney.

Sole paragraph. The Directorates of ITI may be established in the city of Campinas, State of São
Paulo.

Art. 16. To pursue its objectives, ITI may contract third-party services, as prescribed by law.

§ 1º The Director-President of ITI may request, for service in the Directorate of Public Key
Infrastructure, for a term of no more than one year, civil servants or military personnel, and
employees of entities of the Federal Public Administration, for any necessary duty.

§ 2º The persons requested under this article shall retain all rights and benefits of their
original positions.
Art. 17. The Executive Power is authorized to:

I. transfer to ITI the technical assets, rights and obligations of the ITI; and
II. relocate or reorganize the allocations of the 2001 Budget Law so as to adapt them to the new
legal framework.

Art. 18. Until the office of General Attorney is created, ITI shall be represented in court by
the Attorney General of the Union.

Art. 19. All acts performed under Provisional Measure 2.200-1 are hereby ratified.

Art. 20. This Provisional Measure enters into force on the date of its publication.

Brasília, August 24th, 2001.

Fernando Henrique Cardoso
José Gregori
Martus Tavares
Ronaldo Mota Sardenberg
Pedro Parente
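Articles 5 to 7 and 9 of the Provisional Measure above fix the mechanics of the chain: the CA-Root certifies only the level immediately below it and never end users, the CAs issue certificates to holders and make their revocation lists available, and the key pair is generated by the holder so that the private key never reaches the CA. What follows is an added example, not code from the thesis or from ICP-Brazil, that models those rules with Go's standard crypto/x509 package: the CA-Root refuses to certify an end user, the subordinate CA accepts only a CSR whose signature proves possession of the holder's key, and the relying party chains the certificate to the root and consults the issuing CA's signed CRL. The names, the one-day validity period, the random 128-bit serial numbers and the P-256 curve are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Added example, not code from the thesis or from ICP-Brazil: Arts. 5-7 and 9 of MP 2.200-2
// modelled with crypto/x509. Names, the one-day validity and the P-256 curve are assumptions.

const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign

// NewHolderKeyAndCSR is the holder of Art. 6, sole paragraph: the key pair is generated by the holder,
// who keeps priv; only the CSR (name + public key) goes to the RA that identified the holder in person.
func NewHolderKeyAndCSR(cn string) (priv *ecdsa.PrivateKey, csr []byte, err error) {
	if priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil { return nil, nil, err }
	csr, err = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, priv)
	return priv, csr, err
}

// CA is the CA-Root (Art. 5) or a subordinate CA (Art. 6); isRoot enforces Art. 5, sole paragraph.
type CA struct {
	Cert   *x509.Certificate
	priv   *ecdsa.PrivateKey
	isRoot bool
}

// sign issues a one-day certificate with a random 128-bit serial for pub under this CA's key;
// a nil parent yields a self-signed root.
func (ca *CA) sign(cn string, ku x509.KeyUsage, parent *x509.Certificate, pub any) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku}
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, ca.priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// NewCA creates the self-signed CA-Root (parent == nil) or a CA certified by the level immediately
// above it, the only level a CA may certify (Art. 9).
func NewCA(parent *CA, cn string) (*CA, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	ca := &CA{priv: priv, isRoot: parent == nil}
	if parent == nil {
		ca.Cert, err = ca.sign(cn, caUsage, nil, &priv.PublicKey)
	} else {
		ca.Cert, err = parent.sign(cn, caUsage, parent.Cert, &priv.PublicKey)
	}
	return ca, err
}

// IssueToHolder checks proof of possession of the CSR's key and signs it; the CA-Root refuses outright.
func (ca *CA) IssueToHolder(csrDER []byte) (*x509.Certificate, error) {
	if ca.isRoot { return nil, errors.New("Art. 5, sole paragraph: the CA-Root may not issue certificates to end users") }
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // the CSR is signed with the private key the CA never sees
	}
	if err != nil { return nil, err }
	return ca.sign(csr.Subject.CommonName, x509.KeyUsageDigitalSignature, ca.Cert, csr.PublicKey)
}

// CRL publishes the signed list of revoked certificates that a CA must make available (Art. 6).
func (ca *CA) CRL(revoked ...*x509.Certificate) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(time.Now().UnixNano()),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: entries}, ca.Cert, ca.priv)
}

// Validate is the relying party: chain leaf to the root, verify the issuer's CRL signature, then check revocation.
func Validate(leaf, root, issuer *x509.Certificate, crlDER []byte) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(issuer)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter}); err != nil { return err }
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer) // a CRL not signed by the issuing CA proves nothing
	}
	if err != nil { return err }
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}
```

Two checks in this example are the ones most often skipped in practice: the CA verifies the CSR signature before issuing, so it never certifies a public key whose private half the requester does not hold, and the relying party verifies that the CRL was signed by the issuing CA before reading it, so a CRL obtained from a mirror or a cache cannot be replaced by one that omits a revoked serial.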

Appendix B – Questionnaire Survey

1. How many persons are employed at the organization?
o 1 – 99
o 100 – 499
o 500 – 999
o 1000 – 9999
o 10,000 or more

2. How would you rate your knowledge of PKI?
A. Low
B. Medium
C. High

3. In your opinion, what are the primary obstacles to PKI deployment and usage?

                                          Not an Obstacle   Minor Obstacle   Major Obstacle
Costs Too High                                   _                _                _
Poor Interoperability                            _                _                _
Hard to Get Started - Too Complex                _                _                _
Hard for IT to Maintain                          _                _                _
Hard for End Users to Use                        _                _                _
Lack of Management Support                       _                _                _
Too Much Legal Work Required                     _                _                _
Software Applications Don't Support It           _                _                _
PKI Poorly Understood                            _                _                _
Other (described below)                          _                _                _

Please describe others, if applicable:

4. In your opinion, which PKI applications are more important to Brazilian organizations?
Check all that apply.

                                          Not Important     Important     Most Important
Web Server Security                              _               _               _
Single Sign-On                                   _               _               _
Document Signing                                 _               _               _
Electronic Commerce                              _               _               _
Virtual Private Network                          _               _               _
Secure Email                                     _               _               _
Code Signing                                     _               _               _
Secure Remote Procedure Call (RPC)               _               _               _
Web Services Security                            _               _               _
Secure Wireless LAN                              _               _               _
Other (describe below)                           _               _               _

Please describe others, if applicable:

5. In your opinion, what are the biggest challenges regarding PKI in Brazil?

6. If your organization is making use of PKI:
a) What happens when a user loses a certificate, or forgets a pass-phrase necessary for its use?
b) Do you have procedures for key recovery?
c) What is your process for revoking end-user certificates?
d) What is your process for renewing end-user certificates, and how often?

7. Please share your thoughts about exchanging public keys and storing private keys.

8. Briefly, what are your main feelings towards the open source concept?

9. What, in your opinion, increases or decreases acceptance of open source software solutions?

10. Strong authentication reduces the risk of unauthorized access, and encryption of data limits
the exposure of companies in case of failure. As the Brazilian government is encouraging open
source, it is believed that this may be a key factor in determining the policy objectives for
investment in technological resources and also in information security.
a) Has this fact influenced your organization? To what degree?
b) How can new users be educated to begin to understand open software from school onwards?
c) What would you say to students of secondary and higher education to enter this market?
d) How can companies be encouraged to use open software?

11. Briefly, what can you tell about the ‘João-de-Barro’ open source PKI?

12. Are you aware of other open source PKI?

13. Please, write some comments regarding open source PKI.

14. What is the importance of open source software for society?

Appendix C – Interviews
Note: The researcher would also like to give special thanks to Mr. Pedro Paulo Lemos Machado,
Director of Audit, Inspection and Standardization, who made an effort to schedule some
interviews, resulting in more valuable information.

I thank immensely Mr. Mário Ribeiro, IT manager at SBF Group, and Mr. Humberto Martins,
president of MAXXDATA, who gave valuable information about the studied area. Both interviews
were used for analysis but were not translated; this means that they are not part of Appendix C.
This is because both contain much technical and regional data that would be somewhat complicated
for the reader to understand.

For various reasons the name of one interviewee is not disclosed in this study.

Mr. Weber Kai – Federal Savings Bank (CEF)

Note: The answers below are the interviewee's personal opinion.

1. What is your experience with open source software?

I started having contact with open source software 13 years ago, to use at home. I mean to try
it. I had no notion of command line. I didn’t know about command line. Soon I lost interest,
because I found it a little bit complicated.

2. Why have you lost interest in open source software?

The internet connection was not broadband and I did occasionally get a bad connection. That
represented a big problem because I could not get the information easily. That was a big
problem.

So, for a while I didn’t use it, but deep down I still had a desire to know it.

3. Is open source software user-friendly and ready for the customer?

Everything is a matter of learning.

Open source refers to both the concept and practice. Many features distinguish open source
software from proprietary software. Although the use of open source software is growing,
most end-users only interact with proprietary software.

I had problems installing open source software, and then I lost the interest. Nowadays, many
schools have adopted open source software bringing the students onto a different platform and
awakening the interest of open source software. I know kids who are using open source
software at school and have no problem with it.

4. How is the technical support of open source software currently?

I cannot tell you if support for the open source software has changed or if there is a lack of it.
But access to information has changed enormously.

Today, we have much more facilities to update information, such as broadband and e-learning.
On the Internet, we can normally reach developers who can help us with any problems we
might have.

5. Are you member in any open source community?

After my tough start in the open source software world, I returned and I tried working with it.
Besides working with open source software in the company I also was a member of some
communities. But now due to lack of time, I stopped.

Nowadays, I have been reading posts of open source programmers or following discussions in
newsgroups, but not developing.

6. Are Brazilian open source software communities very active? Can you give
examples?

Yes, they are very active. Many participants receive financial incentives to engage fully in the
project development. The government itself has created communities where it is established
that each one will develop. Within the Federal Savings Bank (CEF), I do use open source
software. We have many applications that are developed in open source software.

The FLISOL – Latin American festival of Free Software Installation – is the largest event to
promote open source software in Latin America.

7. How was the migration to open source software within the Federal Savings Bank (CEF)?

Here in my department, we are end-users. We use many open source software applications.
And often we do not know whether the application is open source software, I mean, when we
start using it is like any other software that we do not feel the difference.

From an end-user perspective, we do not see much difference in the operating system. It could
be UNIX, BSD, Microsoft Windows or Linux.

8. Are there many private companies moving towards open source? Can you give
examples?

With the growing commitment of the Federal Government migrating their computers to the
Linux operating system, surprisingly, the number of private companies adopting the Linux
operating system is growing.

The government of the Rio Grande do Sul, in the south of Brazil embraced successful work in
implementation and dissemination of open source software with the participation of schools,
universities and private companies.

The federal government also has encouraged the development of open source software
through scholarships and research grants for students and university professors.

9. When is open source software useful and when should it be avoided?

Open source software brings many advantages, but each company must analyze its reality and
verify if it will give value to the company. For instance, if migration of the systems is very
difficult then this is also a very important factor to be considered. Another thing to be
observed is if there is skilled technical support.

Being free is not essential. Freedom of expression is an advantage: in proprietary applications
you cannot adapt it to any use and distribute it to others. Another advantage is that open
source software is secure and problems are fixed faster and updates are quicker.

10. What is the importance of open source software for society?

I see a lot of strength. Among them I would like to mention:

• Open source software has a key role in government policies regarding digital inclusion.
• In Brazil, many telecentres have been created because they have lower costs with the
use of open source software thus more people will have more access to information.
• Services providers – the use of open source software can be a great encouragement for
numerous local companies that can surface, capable to configure, develop solutions
and provide others services.
• Great potential of open source software for embedded device development.

In my opinion, the Brazilian society will only achieve full development by investing in
education and technology.

Dataprev

The Social Security Technology and Information Company (Dataprev) is a Brazilian public
company responsible for maintaining statistics related to social security, including retirement,
pensions, services provided, work-related accidents and finances, as well as processing social
security benefits and claims.

Mr. Érico José Ferreira – Manager and Advisor of Open source Software Development
Mr. Eduardo Santos – Technical Coordinator of Brazilian Public Software Portal
Mr. Claudio Filho – Creator and Leader of the Community ‘BrOffice.org’

1. A decade ago, many European countries began experimenting with open-source software, but
France has been the only one that is constantly advocating open-source software, especially in
the government and educational sector. The French government said in December 2006 that it
will “make Paris a centre of excellence for open-source software development” and that “the
goal of the centre will be to develop a healthy and profitable open-source software industry”.
Are the approaches in Brazil similar?

Yes, because the use of open source software is among the priorities of the Brazilian
government and Dataprev has distinguished itself in adopting open source software.

Governmental agencies have demonstrated support and engagement not only when they use
open source software, but also when they start to make available to the population and
communities many applications as open source software.

With open source software, we are focusing to reach sustainability. Sustainability and the
future of open source software depend strictly on juridical legality and professional
institutions and communities that promote new technologies related to the segment. This
should be obtained, according to Cláudio Filho, through measures such as promoting know-
how and technology transfer, and actions against tax evasion for consulting services, and
independence from foreign suppliers.

Another aspect in this context is the solidarity of the Latin people. Beyond the technical issues,
there are also social concerns aggregated to the development of open source software in
Brazil. For instance, the experience of the inventory application CACIC, the first open source
software, in all government aspects, available from DATAPREV, demonstrates how the
vision of sharing was extended to all of society. At the start of its implementation, CACIC
was aimed at satisfying internal demands of the Brazilian government. But then DATAPREV
identified that the demand for this product was unusually strong among society.

When DATAPREV released this application as open source software, it gave conditions to
make possible for many small and medium companies to deploy and install this software
previously inaccessible due to lack of funds. Also, some people saw this as a niche market, as
they studied the code and began to make money by selling services, such as training and
support and also as an embedded application.

2. How is the culture of open source software in Brazil? Does Brazil have laws and
legislations about open source software?

First, a document was created by the Government Committee providing the procedures to be
followed to release software as open source software. This document tries to assist
government agencies by providing practical information and approaches to consider when
making available open source solutions.

Second, yes, we have some problems about copyright. What is important to underline is that
the law and legislation regarding open source software is evolving with its growing popularity.
This involves issues of international law and to adapt the Brazilian legislation to those
standards.

3. How is the relationship between Brazil and other South American countries about
open source software? Are there other countries in Latin America trying to use open
source software?

It is great. For instance, our open source CACIC was adopted by the governments of
Argentina, Paraguay and Venezuela. We have held several events with open space for debates
and reflections on the use of open source software in Latin America.

An important point to be emphasized in this relationship among countries in Latin America is
that this activity between society and government, in parallel, only exists here in Brazil.
And as Brazil is working on a functional model, which is the case of Public Software, and is also
working on a series of government actions regarding open source software, Brazil is serving
as a legal and political precedent for our neighbours in Latin America.

The big challenge among the countries that are starting to join the open source software is to
internalize the concept: learning to work together so that everyone wins with the exchange of
experience, knowledge and ideas.

4. Are there many barriers to overcome toward open source software adoption?

Today, our biggest problem with open source software in general, I would say, is the
Brazilian businessmen, because they are coming from decades of life in a structure that we all
know that is the concentration of income. That is, the monopoly prevails. With the change to
open source software the imperialism is over, because in this new concept anyone can use the
software and do business with it, as already mentioned, through the sale of services.

Then, enterprises are no longer companies marketing products, but become technology
companies, because there is aggregate intelligence. This is a very difficult change in mentality
to be accepted. It is necessary that companies understand that they must work in partnership.

5. How is the dynamic in communities of open source software in Brazil? Does the
Brazilian government have any influence over them?

Currently, there is no way to deny that the government has a very large portion of the
software in the market. In Brazil, today, 60% of all software market segments are
governmental. This automatically generates money for anyone involved in the process. And, it
is important to stress that this does not generate income for a single company but for everyone
interested in participating, selling services. The interest depends on the software in question
and the community generally grows in line with the business opportunities that the software
generates.
6. Are there many private companies adopting open source software?

Yes, quite a lot. But, as I have observed (says Mr. Érico José Ferreira), there are many
companies that have the mentality that open source software is free. Open source software is
not free, but it allows different kinds of budget decisions than proprietary software. In terms of
cost, since the companies have the source code, they have complete control in deciding what
services they pay for.

Many companies do not disclose that they use open source software because it represents a
competitive benchmark. For example, a supermarket chain uses in all its outlets Linux. Their
profit margin is better than one that uses a proprietary solution because using open source
software may reduce costs. However, this supermarket that uses open source solutions prefers
not to reveal this information because they do not want to show their profit margin.

The advantage of an open source solution is the access to an increased number of
programmers and developers. Open source programs are typically written in the most
common programming languages, making resources easier to find and not so costly.

7. Open source software that most of the companies have been adopting is Linux.
Some surveys pointed out that Linux is more expensive than Windows in an
enterprise. Can you comment on this issue?

One thing that creates this false impression is that when you do a migration process from a
Windows environment to Linux nothing can be done overnight. It is a process of change. You
cannot get off a hardware terminal, do another installation and in the next moment turn it on
and say to the staff: – Ok you can continue working.
No. There are phases that need to be evaluated and followed. We can mention, for instance,
Petrobrás (a Brazilian company focused on oil exploration and production operation).

It took over six months for Petrobrás to complete the process of installing open source
software BrOffice in 90 000 computers. Six months, from approval to installation. The
estimate is that the process generates a reduction of at least 40% compared to a paid license of
equivalent proprietary software.

The migration costs can be higher in the first year. And, in many cases, this cost which
includes training and adaptation of software among others, is higher than the cost of licensing
of current proprietary software.

However, what companies are seeing is that on the one hand means spending, on the other
hand means investing. Investment in new technology, in short, is the main difference that has
no corporate monopoly, including monopolizing knowledge.

8. Is there a bill that forces government agencies to embrace open-source software?

There is a normative statement that states that before making the hiring of IT, the manager
should check the existence of open source software or public software. This normative
statement also defines a set of rules for the manager, which justifies the contract of a given IT
solution. The TCU (Superior Audit Office of Brazil) is the government agency responsible for
audits at the federal government level. If it detects any anomaly, the organization responsible
for hiring IT will be penalized. And, we have seen it happen a lot.

9. Were there impediments arising from users within the Dataprev concerning open
source software adoption?

Yes, we had. Dataprev is a pioneer in a matter of open source software in government. Today,
we have about 3500 servers running Linux.

This process was not easy, but also was not traumatic. It was not easy due to capacity and
mainly cultural issues. We have a live example here in this room. “This” colleague, for
instance, when she came to work with us, was used to working only with Windows. On the
door, there is a sign "Unit of open source software" and when I opened the door she had a
station with Windows installed. The difficulty was more cultural than technical to change the
habits of employees familiarized with certain programs.

In general, the tools are similar in both types of programs. The best ways to face this problem
are: gradual migration, management support, extensive training and frequent support, which
concerns both users and technicians.

For the user, the greatest impact in terms of migration is when the operating system is
involved. Then, the case is won when the migration is done by other applications first, for
example: browser, BrOffice and email software.

The most significant is that Dataprev is changing the culture of the users in relation to open
source software promoting the thought that open source software is an investment in
technology in the country.

10. “Business software companies will incur losses, thus resulting in a sizeable hole
in the economy, if too many jump onto “the open source software revolution”
rather than purchasing genuine licenses from technology companies that provide
proprietary solutions, it might cause another worrying issue.” Please can you
comment on the above statement?

It will be a loss for business owners; this we have no doubt. And it may even affect the
economy of other countries, but not the Brazilian economy.

In 1999, the government and mainly the Secretariat of Logistics and Information Technology
(SLTI) of the Ministry of Planning standardized the use of Windows in all workstations. That
represented a great technical set back in Brazil. For example, small companies that were
developing an operation system or databases went bankrupt because it was not a Windows
platform. In this sense, several small domestic technologies didn’t stand as progressive
diffusion because the government is 60% of the market, so, the market follows the trend of
what companies are doing with their "core businesses". The government also stopped
collecting tax from those mentioned small companies when they closed.

For the economy as a whole, there is a decrease in the size of large companies and an increase
in the number of small companies. In my view, this is not at all bad because with a large
number of small companies pursuing many different approaches, the chances of developing
optimal approaches will be higher than if only a small number of large companies are
involved and mainly because this promotes regional development and royalties that were
transferred out of the country. They are now circulating in the Brazilian market and therefore,
generate more jobs, said Eduardo Santos.

11. Can you mention any experiences in open source software that were not
successful within Dataprev?

I would not say it was not successful. I would say that we didn’t use the best practices when
we tried to implement the BrOffice here some years ago. In some departments, the process
was well done but not in some other departments. The fact that Dataprev did not have a
security policy on computers that did not allow users to install new programs on their
machines without the assistance of technical support was a complicating factor, says Érico
José Ferreira.

Consequently, some staff resistant to implementation of BrOffice installed other programs,
which caused great discomfort within the company.

The software ‘CACIC’ was developed with the intention to make an inventory of hardware
and software in the sphere of federal government thus enabling the control of licenses in
workstations.

12. In your opinion what is the biggest challenge regarding open source software
within Dataprev?

Our biggest challenge is to implement open source software within the production process of
the company as a whole. There are certain applications that are linked to the operating system
or a particular technology. When you decide to use an alternative technology, this should not
generate losses to users, systems and environment.

Mr. Renato Martini – President of ITI

ITI – The National Institute of Information Technology is a federal agency linked to the Civil
Cabinet of the Presidency of Brazil.

Beyond the academic and professional involvement with the themes of ‘open source software’,
and ‘Public Key Infrastructure’ Mr. Renato Martini is author of two books: ‘Encryption and
Digital Citizenship’ and ‘Security Manual in Linux Networking’

1. What is your expectation to be the president of ITI?

The ITI is a federal agency linked to the Civil Cabinet of the Presidency of Brazil and was
created in 2001 by a Provisional Measure 2.200 (August 24th 2001) under President Fernando
Henrique Cardoso, with a very specific goal that is to deal with the theme of 'Digital
Certificate'.

I began my work at ITI in 2003, at the government of current President Lula, as director of
Public Key Infrastructure. I was called by Sérgio Amadeu, who was the president of ITI.

Sérgio Amadeu is a sociologist and was one of the major implementers of Telecentres in
Brazil. He became fascinated not only by the theme of 'Open Source Software’ but also the
theme 'Digital Inclusion'.

Then he called me to take care of ‘Digital Certificate’ at ITI and, during the time we worked
together, he participated actively encouraging the use of public software. When he left ITI, in
2005, I was designated his successor.

From 2003 until today, we have grown quantitatively throughout the structure of ICP-Brazil, I
mean, first level Certificate Authorities (CAs), Certificate Authorities of second level and
Registration Authorities (RAs). Brazil currently has nine CAs of first level, 1000 RAs. In total,
we have 30 CAs summing the first and second level, all over the national territory.

Two of these CAs are private and the others are governmental organizations. The private certificate
authorities are responsible for 80% of the issuance of digital certificates in Brazil. It is the
private sector which drives the digital certification market.

My relationship with open source software, today, is not as strong, I must confess, due to my
own stress.

Since 2000, I worked very much within the government sphere regarding the ‘open source
software’ theme giving a lot of training in the area of security attached to this issue.

My own stress has come because the world of open source software is extraordinarily exciting.
So much that Linux is a concrete result and is now a billionaire brand. We use open source
software within ITI. The platform at Root Certification Authority of the Brazilian PKI (ICP-
Brazil) is developed in open source software. Technologically, we have tangible results.
Apache is a reality. BrOffice is a reality. Then, the results are undeniable. The open source
software communities are very exciting. Ten exquisite developers will produce excellent
software. What about 10,000? What about a million of exquisite developers? So are the
communities. Time zone differences can be a great advantage. Midnight in Japan is noon here
in Brazil. This means that the community here is awake, working, and vice versa when it is
midnight in Japan the communities are awake, working. Not to mention that a community has
an immeasurable power to amplify the quality of software.

Those who enter in this world get involved, and the work ahead to digital certification is
another world very engaging too, one that absorbs much of our energy. Hence, the reason why
I'm not too much involved with open source software.

2. Some analysts have reported that the reaction regarding open source software, in
Brazil, has been just a touch too euphoric. There was much excitement in the
beginning, around 2003, but that euphoria now is much less. Do you agree with
those analysts?

2003 and 2004, in Brazil, were years of much ideological effervescence, not necessarily years
of result. This subject was getting in the government sphere. Then you need to think about the
specialty of Brazil, because here the government has a much stronger, greater power over the
people. The government buys 80% of the technology in Brazil. I mean, Petrobrás, Federal
Savings Bank, Bank of Brazil and many other government institutions. Then the power
inductor of the government is too big. It is our culture, unlike the Anglo-Saxon world, for
example.

At that time, this subject raised a great ideological wave within the federal government.
Passed the effervescence, we entered into a time of production and development. I mean,
while some articulated the debate, others were programming, improving, being trained. Then,
three - four years after the results appeared, because technology is not made within ten
minutes.

The platform of the Root CA-Brazil that we used to generate the certificates was proprietary
software. We took six years to develop another one using our technology. It takes time for one
to develop and test and train ... get the software stable to be used. Open source software has
good products and technological successes, but only technological debates are not enough.
However crazy as it might seem, but it is obvious to say that debate does not make software.
It does not make hardware. It does not produce systems. It does not migrate platforms, and it
does not migrate the legacy of many years of information technology in the Brazilian state.
These things are very complex. So, this is what happened, after the debates we entered into a
traditional line building quality, and training and critical mass within the Brazilian state,
which is not necessarily something emblematic of newspaper and the media.

3. There is some controversy between the terms 'free software' (Free Software
Foundation) and “Open source software” (Open Source Initiative). Many people
use both terms as if they are the same thing. Could you tell us what the Brazilian
government is adopting?

In fact the Brazilian state is not as unified in technology. Each government agency has its own
power of decision. A government agency, when working with open source software, must
respect the software license. For pieces of code that we (the Brazilian government) have
created, we preserve so the code is not misappropriated because we believe that software is
public. This belief generated another discussion in Brazil which is resulting in a new concept
for open source software within the scope of government, called ‘Software Public’.

I personally believe that open source software should be seen in a technical way and that
those who produce open source software must be vigilant to meet the demands. People must
put aside the emotion, sometimes almost a religious fervour and prejudice in order to analyze
the open source software in a technical way to see what real benefits it offers. It is impossible
for a manager of technology to guide and take decisions on planning applications that are not
technical.

4. What led ITI to develop the João-de-Barro platform?

The João-de-Barro project is an open source platform. It is one platform because it is a set of
hardware and software. The platform we had before had gone through four companies.

One went into bankruptcy. Then, it was bought by another that went into bankruptcy. Then, it
was bought by another.... And what was worse is that they only had two companies in the
world who could give support to that legacy software and hardware. We had no access to
anything and we could not hire another company to give us support. We were completely tied
to them. So, why did we take the decision to develop this platform?

Just because we needed to have autonomy to be free. We needed to have an independent
supplier. We needed to be able to change. We needed autonomy to make any implementation
or security validation in the software. We needed freedom to change the support when
necessary.

The João-de-Barro platform has many meanings for the national system of digital certification,
the ICP-Brazil, but the biggest is the fullness of technological autonomy.

5. What was the biggest challenge facing the João-de-Barro platform project?

It is human nature to share knowledge. However, the administrative and bureaucratic
structures of government, which are composed of people, often have difficulty to share
information and build knowledge together.

So, to answer your question, the greatest challenge was to bring together the group that
participated in the project, and make this group work as a community that should cooperate
mutually and share experience and information. It was difficult because it is not of the nature
of the state to do this. Our country has enormous areas of expertise and often we do not know
what they are doing.

After overcoming this difficulty, the accession was very high, which gave us the desired result.

6. What are your expectations regarding the João-de-Barro platform?

The platform cryptographic João-de-Barro will be available in the Brazilian Public Software
Portal as soon as the ITI completes the process of registration of the mark in the National
Institute of Industrial Property (INPI) to ensure the copyright of the ITI, to ensure that nobody
misappropriates it. Our interest is in the spread of this technology both in a national and
international market.

We have joined efforts to try to make the diffusion and enlarge this platform in Latin America.
We do not want to sell software because this is not the role of the ITI. The business of the
government is not selling software. What we want is to spread the idea. We want to aggregate
partners so that together we can share and improve technology and know-how.

The interesting part of the Brazilian Public Software Portal is that it has a strategy and
structure to create communities of users and developers around the government’s projects.
However, I do not have great hopes of forming large communities around the João-de-Barro
platform, because it is a very specific solution to certificate authorities. It would be another
case if João-de-Barro was a solution to be used within companies or by companies that use
digital certification in commercial transactions. I mean an application of more universal use.
Then, yes, the communities would be immense.

Talking like this, you see, if the government had not invested financially in this product, it
would not exist. The project was fully funded by the government. A project of this size has no
way to be developed by communities that are not funded. Many Open Source projects are
supported by community effort, but today, most of the open source large projects are funded
by some institution.

The João-de-Barro platform has a great importance for the ITI and for Brazil because it was
all developed with our own technology, using open source software, which allows a full audit
of the process.

The whole project aimed to provide full security for the digital certification of ICP-Brazil;
therefore, it was built in compliance with international safety standards.

7. Do you believe that the use of digital certification will become popular? The new
Civilian Identity Registry (RIC) is a promising initiative for this popularity?

The big challenge of the Brazilian government is the dematerialization. That is, to replace the
paper document by the electronic document. This is the revolution that I'm engaged in now.

I tell you that the RIC is the largest civilian electronic identity project in the world. It's a
project for 150 million identities.

The RIC was instituted by a law authored by Senator Pedro Simon in 1997. This project was
in discussion for 13 years and only now is it being leveraged. This is because we were not
mature enough for this project. This is because the RIC is a very challenging project. We have
many challenges ahead such as standardization of different AFIS Systems, and our network
infrastructure and budget.

The RIC is a document more secure and more robust. It is a document based on biometrics
and digital certification. We expect that in 10 years, which is the deadline for its
implementation, it will be fully accepted in the country and thus the institutions and society
will see no need to issue other documents.

An embedded digital certificate on RIC offers a unique window of opportunity for effectively
mass distributing digital certification technology in Brazil. However, the digital certificate to
the citizen is still a frontier to be explored. Our systems are all migrating to the Internet. The
civilian life is going to the internet; therefore, it is necessary that Brazil has an ostensive and
unequivocal identification in large networks of computers. 90% of frauds are born with the
falsification of identity because an individual exercises rights when it identifies. Brazil needs
to give citizens a more secure way to identify themselves. The RIC will solve this issue.

Mr. Y

1. What are the differences between free source software and public software?

The concept of public software is not fully closed. We are in the process of debates about it to
build a new model. The concepts of public software and open source software are not exactly
alike, but share motivations. Open source software still lives with the dichotomy between free
and gratuity. I can say that the public software is free.

Public software is treated as a public good and allocates responsibilities to government
entities in making available a solution. Our understanding is that software can be a citizen's
right and as a public good a set of services become mandatory.

Public software is not a competitive model. It is an alternative model. The term ‘public’
provides the insertion of government in the process of providing solutions.

The idea of treating the software as a public good is precisely to create a set of prerogatives
that must be met before, during and after the release of the software.

A company can define when it will discontinue a solution, even though there are customers
interested in remaining in the solution. The public software can become a way of continuity of
projects and software development, ensuring the longevity of the solutions. This brings
greater security and confidence for users, and consequently increases the adoption of software
in various segments.

2. The public software has a differentiated license?

Debates about property are still very deep. Who sets the licensing rule is the original
developer of the solution. For now, we are adopting the GPL license as the basis for making
available the solutions by the federal government.

3. Doesn’t it mean that this concept is “state-owned”?

No. Public software is a common good and accessible by all. Any citizen or company can
provide and / or use public software. We have several private companies that made available
software as public. It is a new form of business marketing.

Mr. Ruy Ramos – Technical Advisory Board of Public Key infrastructure at ITI

1. How long have you been working at the João-de-Barro project?

I have been working in this project since March 2008.

2. What were the biggest challenges at the beginning of the project?

The project was already underway when I entered, but through reports, I can say that the
biggest problems were: definitions of methodologies, identification of institutions that would
participate in the project, allocate work teams and financial resources. This at first was quite
complicated. After my entry, we had some points about schedules, but nothing critical that I
could enumerate.

3. Briefly, what are your main feelings towards the open source concept?

By the nature of the internet today that is a great forum for debate and exchange of ideas and
experiences. I think this is the essence that guides the development of open source software.
What is interesting in open source software is the collective collaboration, where developers
are not worried about the amount by which you must pay for access to that product.

It's very interesting the participation of individuals in the elaboration and development of
projects and then see the shared results of these projects so others can enjoy. It's not just the
sharing of ideas, values and ideals, but also the sharing of the developed product. Such
practice is extremely beneficial.

But open source software has some key characteristics such as free, low cost, easy
accessibility that are quite critical for the government sphere and even for private companies.
What I mean by that is it’s not enough to understand or to think that simply downloading open
source software that we will not have costs. And, this error will be a complicating factor over
time.
Companies, government and institutions that adopt open source software need to understand
that they must maintain an internal team that can absorb, retain and continue this technology.

Today, the concept of open source software is more mature, but companies need to prepare
for the use of it.

4. What opportunities do you detect in João-de-Barro with an open platform?

If we analyze this platform, only in the framework of ICP-Brazil, that is the root certificate
authority or certifying authorities of first and second level, I would say that the applicability is
very limited. This project already brought benefits to the federal government because its
solutions are being used in the Certification Authority of the Federal Revenue in Brazil, and
AC-JUS and SERPRO.

However, a public or private enterprise, or an online certification authority can use this
software making the appropriate changes to assemble their internal certification authorities.
Then, companies can benefit from this platform, since commercial solutions of this nature are
very expensive on the market. Some business models involve the initial purchase of the
product and a dividend payment for each license, what we call royalties.

5. Can you draw a parallel between open source software PKI solutions and
proprietary PKI solutions?

Here, at ITI, we experienced expensive and inflexible proprietary solutions, due to this reason
we developed the João-de-Barro platform. We recognized the technical and economic benefits
of open source software for our PKI deployment.

However, I would emphasize that we cannot retain only on a trade issue, in other words the
cost of the solution. Cost is important because it affects the budget. But the most important is
the maintenance, support and perspective of longevity of the solution.

Nowadays, many open source software are sponsored by governments and private sector
companies, which brings greater long-term sustainability. It is impossible for the government
or even for a company dependent on open source software that does not give a guarantee of
longevity. Of course, there is the risk of discontinuity, for any reason, of a proprietary solution.

In conclusion, I think in the future there will not be major changes in terms of open source
PKI solutions and proprietary PKI solutions in this regard.

I think and I am a great defender that the government as well as all certificate authorities of
the ICP-Brazil, that is more interesting and relevant and even more safe, develop their
solutions or use a public solution (open) because they can guarantee the continuity and
autonomy of development of the solution.

6. What is the government's strategy to promote the development of PKI solutions
in Brazil?

The ITI maintains as a strategic definition, the focus to encourage and develop the market for
PKI in the sense that the digital certificate may be more widely used in Brazil, and
applications developed. And, also encourage academia and research institutions to continue
investing in this technology to capacitate manpower. In fact, this strategy is implicit in the
work that is developed in ITI.

The ITI also provides to interested segments its open source software in order to encourage
domestic industry and to train a critical mass of knowledge in the country concerning
information security and digital certification.

7. Are there a number of open source PKI offerings available? What is most needed?

The market has many business models. A cloud computing data centre is one such model that
is spreading a lot. But, the most sensitive data may not be guaranteed in public cloud
computing data centres. Data is transferred, processed and stored by external cloud providers.
However, data owners are very sceptical to place their data outside their own control.

Then, I think that one next step is to have these data centres in conformity with ICP-Brazil. I
mean making use of digital certificates homologated by one certificate authority of ICP-Brazil.
Because these data centres following the rules of ICP-Brazil will guarantee that the data are
encrypted, signed with a digital certificate making impossible any attempt of fraud. The
information is guarded. So, I think it will emerge PKI applications that will give support to
this new business.

Mr. Djalma Valois Filho

Manager of Center for Diffusion of Technology and Knowledge (CDTC)

General Coordinator of Operations of the National Institute of Information Technology / Civil
House / Presidency of the Republic

Note: Throughout this paper the researcher has been using the term 'open source software’,
however for translation of this interview it was used the term ‘free software’ as the
interviewee preferred.

“We see free software as means to promote social inclusion”

Djalma Valois Filho

1. Working with free software in the government sphere, what was the biggest
problem you faced?

One of the early problems we faced was the unavailability of material content that we could
qualify people. We realized initially that it was very difficult to implement a public policy for
use of free software without having people knowing that it was free software.

I do not speak from the viewpoint of evangelization in terms of explaining ‘what free software
is’ or ‘why free software is good or bad’. No, what we needed was to say to government
employees that there was certain free software and we needed to show how to use it.

Then, we created the Center for Diffusion of Technology and Knowledge (CDTC). The
CDTC is a project of ITI, which the purpose is a joint effort between the public and private
sectors and academics aiming to expand the knowledge society in the use of free software.

2. There is some controversy between the terms 'free software' (Free Software
Foundation) and “Open source software” (Open Source Initiative). Many people
use both terms as if they are the same thing. Does it matter? And about public
software?

The movement 'open source software' and 'free software' are distinguished more by the
application of a social standpoint. It is the vision that exists about the result. There is no
difference under the technological point of view. The movement 'open source software' says
that it is good to use this software because it is reliable; it is a very technical speech. The free
software says the same thing with the difference that this is all good because we change the
society to become a better world. The free software movement is a politicized movement that
sees technology as a tool to improve the world. The open source movement has no vision of a
social standpoint. Inside of the government sphere, we have both movements. I for example
say free software. There are other people who will say open source.

The term 'software public' was a solution given by staff of the ministry of planning that
aggregated all the concepts that are around the world free software / open source making the
State responsible for maintaining this software. There is no public software unless the license
is free. All software that is published in the ‘Public Software Portal’ has an entire structure
and it is assured the continuity of it. The origin of the software can be from government or
from private companies. The Brazilian public software model is still under discussion.

3. Critiques have argued that free software in Brazil was a great euphoria around
the year 2004, but now the euphoria is about to end. Do you agree with them?

The point is that we stopped talking and we start doing.

To give you an idea about it, two years ago, Brazil sold more than 260 000 computers, all
with free software. It was a government program that facilitated and cheapened the cost of
equipment in production, provided access to financing, but only for computers that were sold
with free software. It was to continue the government initiatives in relation to free software
that the CDTC was created, in 2004.

The specific objective of CDTC is to assist the Federal Government in the implementation of
the national non-proprietary software and open source, identifying and mobilizing groups of
opinion leaders among civil servants and political agents of the Federal Government,
stimulating and encouraging the domestic market to adopt new business models of
information technology and new business communications based on non-proprietary software
and open source. This provided specific capability for technicians, support professionals and
civil servant users creating groups of civil servants who will train other public officials and
act as advocates and supporters of non-proprietary software products and open source code,
providing technical content for online support services, tools for developing software products
and non-proprietary and its free source code, articulating networks of third parties (within and
outside government) providing education, research, development and testing of free software
products.
As a result of this work that we have developed, today, we have over 200 courses being
offered, about 50,000 students, placed in more than 1400 Brazilian cities. We have over 3200
private companies using the CDTC for training their employees. And, 1,800 public
institutions that get from CDTC the necessary support for the qualification of their employees.

The CDTC offers, besides basic workshops, free software, a web radio and manuals to
download.

4. Is free software secure?

I do not agree with the opinion that, because free software is developed by a community of
volunteers, it receives less security treatment than proprietary software. It is the opposite. For
most proprietary software we do not know how it works. The problem with security through
obscurity is that perverse developers can introduce malicious code into the software and we do
not have access to the code. As the code is not available, bugs or security flaws may be hard to
check.

Free software, however, might have tens of thousands of downloaders around the world. Each
one of them can audit the code, and so it is much easier to discover a bug or security flaw and
submit a report back to the project's core maintainers. Free software is more heavily tested
than proprietary software. Free software is highly reliable, flexible and secure.

Free software is not the product of one company or one person. It is collectivized. Many people
think that free software is like a no man's land, where anyone would be able to add code to it
without supervision or guidance. Actually, free software projects implement a rigorous system
of self-governance in which participation is voluntary but managed, and new code
contributions are closely examined. In terms of security, the overriding concern of free
software communities is not only with malicious code, but also with poorly written code.
Large numbers of contributions are not accepted because there are others that are more
efficient, or simply because they do not meet the project's coding criteria.

In practice, monitoring the quality of software is a heavy task. Code quality is what makes
many free software projects, such as the Linux kernel, successful.

5. Is there any free software PKI solution already available in the CDTC?

Yes, the CDTC developed modules that allow the administrator of various content
management applications to replace the traditional login and password with standard X.509
digital certificates. An important factor in making this product available is to encourage
society to adopt the digital certificate in their transactions via the Internet.

We also have courses in the digital certification area. The course objective is to regulate and
standardize the skills of the professional who receives, guides and checks the documents and
delivers the digital certificate to the person interested in acquiring it.

6. Business software companies will incur losses, resulting in a sizeable hole in the
economy, if too many jump onto "the open source software revolution" rather than
purchasing genuine licenses from technology companies that provide proprietary
solutions. It might cause another worrying issue. Can you please comment?

It is perhaps worrying for the Americans, but not for Brazil. The preoccupation is reversed. If
we stop buying licenses from American proprietary software developers, then the American
companies will lose business.

The money spent by the government on the purchase of proprietary software licenses can be
redirected to the government's social actions, to the basic structure of the state, or to anything
else in support of the Brazilian State. When we use free software, we are paying for services,
but not royalties.

7. What was your biggest problem in relation to free software? What is the biggest
barrier to overcome toward free software adoption?

The first major challenge I had regarding free software was understanding myself. I have
worked in the area since 1978, and the dream of everyone who worked with computers was to
develop a computer program that no one had developed before and make a lot of money with
it, living from selling licenses for the rest of my life, like Bill Gates. This was the expectation
of many professionals in this area.

So, the big dilemma I faced with free software was to know, understand, and accept that it is
the correct way to work. The free software vision made me change my mind.

Anyone who works with computers spends most of their life producing for employers or for a
company of shareholders. When producing free software, one is producing for the whole
community and for society. It was then that I began to really understand what was behind free
software: the concepts, the new forms of behaviour, and especially the interaction.

Free software is far superior in terms of cost, capacity and quality. In the long term, there is
another huge benefit: a great potential for learning in using free software that does not exist in
proprietary software, because when the source code is proprietary, it is not known by the
general population. This takes away from the population a great opportunity for learning.

Another difficulty was getting an idea of the high volume of free software produced. It means
that you can find free software for almost everything you need.

The great struggle that lies ahead is the issue of patents. The protection relating to the
patentability of software is not harmonized internationally. Due to this, there is a need for a
discussion of patent law on the national and international scene. The growth in the monopoly
of a patent increases the private benefit and, in turn, reduces the public benefit.

Mr. Wesley Rodrigues da Siva – Network Administrator at SBF Group

SBF Group – The largest sports equipment store chain group in Latin America. It owns the
BY Tennis chain and the license of the Nike Store in Brazil.

1. How long have you been working with open source software?

I have been working with open source software since 1999. I am a Linux expert. One of my
responsibilities is to analyze the solutions we have in the company to migrate these solutions
to Linux or open source based solutions, generating savings for the company.

2. How is the migration to open source software within the SBF group?

The process of change is always difficult. In our group, before, there was a conception that
Linux was meant to run on a server and was only command lines. So they thought it was
difficult to adapt. But it is not like that. Today the developers of open source software have a
major concern for usability and accessibility. In the beginning there was a certain bias against
accepting solutions based on open source software, both from other administrators and from
the board of directors.

The solution I found for the migration was having a test environment where everything was
installed, analyzed and shown to decision makers in order to gain good acceptance and reduce
the impact of changes. Because only by talking, I was unable to convince them. We have just
finished a big migration project. We are using Linux, some open source security solutions and
open source software for email, web browsing and media playback, among others.

But this work only started to have value now. Two years ago I faced much resistance. With the
arrival of a new manager, Mário Ribeiro, open source software gained a major ally in the
company.

3. Can you mention any successful experiences regarding open source software?

Some did happen. But I can say that it was not about incompatibility of systems. There was a
lack of time to establish and test the entire cycle of the systems used by the user.

Since then, we have created policies related to the development, migration and implementation
of open source software within the company. Today, users see advantages in using Linux
because they can customize it the way they want.

4. Are you a member of any open source community?

Yes. I am an active developer of OpenSuSE. It is a distribution of the Linux operating system.

I also collaborate on development by participating in various open source software forums.

5. What motivated you to join the open source community?

First, I felt frustrated because I could not solve problems with proprietary software, since I
didn't have access to the code. When I started working with open source software, I realized
that I could improve the products of other developers. All that led me to learn and develop new
skills.

6. What keeps you in this community?

It is noticing that large companies are increasingly using open source software. As a
consumer, I do not think we should be limited to only one option.

7. Do you have good technical support for open source software that you use in the
company?

Yes and no.

When we buy a license to have access to support, then it is great.

But we have some technical support problems when we are limited to the communities. We
still have problems when we explore the online technical support of open source software
through postings on discussion boards. We have skilled professionals, but there is a lack of
professionals in the market who have a broad vision, I mean those who know about operating
systems, security and infrastructure. To solve this problem, it is important to have a skilled
team in-house.

The SBF Group opted to have the support of distributors and to train a team internally. With
regard to the distributors, we have support in development and migration.

And we have other good news: for instance, a vast number of certification programs in Linux
and open source are emerging. Certificates tend to lead to higher performance.

8. What is the main barrier to overcome toward open source software adoption?

Support is one, but it is not the biggest. The biggest challenge is the change of culture, mainly
for open source software running on desktops.

Linux, for example, is highly consolidated on servers. However, on desktops we have
problems with users reluctant to use non-proprietary software. And we also have some
problems in connection with electronic exchange. Issues of interoperability are still a
stumbling block to widespread adoption. In my opinion, this problem would be minimized
with the collaboration of hardware and software manufacturers. Hardware manufacturers
should focus more on offering consumers other, more compatible models, and developers on
creating distributions optimized to run on desktops.

9. What is the importance of open source software for society?

First, one has the option to choose a non-monopolized product. Second, one can change a
solution to better suit one's needs, since one has access to the code. Third, for people who had
no access to a particular solution for reasons of cost, with open source software this problem is
minimized.

10. Is open source software secure?

Yes and no. When we download open source software, we know that the software was
reviewed by several people around the world. We know what is behind the code. This is a
guarantee of reliability.

However, if the company does not have in-house skilled technical staff of its own and does not
have support from distributors of the open source software, this company may incur great
risks. Using open source, we can adapt the solution to solve specific problems of the company,
but an erroneous implementation can bring serious damage.

11. What opportunities do you see for open source software in the next few years?

In my opinion, open source software will play a vital role in cloud computing by allowing
some basic software elements, for example, virtual machine images and appliances to be
created from easily accessible components.

Mr. Felipe Montezano – Network Administrator – SBF Group

1. How has the SBF Group been using the PKI technology?

So far, the SBF Group uses PKI technology in digital certificates for issuing electronic
invoices and for transactions with the government. Electronic invoices are only legally valid
when guaranteed by a digital signature, a process that verifies the integrity and originator of an
electronic file.

Today, we have three types of certificates: A3, in which the data is generated, stored and
processed on a smart card with password access; A1, in which the information is generated
and stored on a server; and an SSL certificate used for e-commerce, which is also installed on
the server. We use the A3 certificate to make transactions with the government and also for
our import and export transactions. Only authorized persons within the company have access
to those digital certificates.

2. Is there the possibility of a smartcard containing more than one certificate?

You can install up to three certificates on the same smartcard, according to the one we have
been using.

3. What is the time taken for the revocation of digital certificates?

By getting in touch with our Certificate Authority and requesting revocation of a digital
certificate, it is revoked immediately, making it impossible to use from then on. Up to now, we
haven't needed to revoke any digital certificate. We need to take care of the passwords that we
use along with the digital certificate. To be honest, we always have a certain fear when we use
a digital certificate.

The smart card has two security passwords, PIN and PUK. The PIN is the password to use the
card, which we changed at the time of validation, and the PUK is an emergency password. If
we get the PIN wrong three times, this password is locked and can only be unlocked using the
PUK.

4. On what operating systems can you use the digital certificate?

On Linux or Mac OS, we have read-only access to the digital certificate. When it is necessary
to issue a new certificate, this can only be done on the Windows platform, following the
system requirements defined by our CA.

5. What is the average cost of a digital certificate?

It is 169 USD for three years, without the card reader.

6. Do you see other future applicability of PKI technology within the company?

No, in the near future I see no other applicability of this technology within the company. If
not for the cost, the company might be able to use digital certificates to provide employees
with access to the company as well as to its systems. Among other things, the digital certificate
could be used to prevent employees from accessing information that they have no authority to
access. The use of PKI technology is very new and quite unknown.

7. Have you been noticing if the digital certificates have been increasing in the
market?

Personally I do not know anyone who owns a digital certificate, only digital certificates from
companies.

However, I think that this market is growing a lot, because before I could get support to come
to the company two weeks after I requested it, but now I don't get it in less than a month. In
other words, it seems that demand is increasing. I believe that this demand is due to the
requirements of government agencies for carrying out transactions via the Internet.

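The PIN and PUK behaviour described in this interview (three wrong PINs lock the card; only the PUK can unlock it) can be modelled in a few dozen lines. The following is an added example written for this appendix, not code from the SBF Group, its Certificate Authority or any real smart card. It assumes a PUK retry limit (`PUK_MAX_TRIES`), which the interview does not state, and it stores both secrets as salted PBKDF2 hashes and compares them in constant time, which is a stated good-practice assumption rather than a description of the card's internals.

```python
import hashlib
import hmac
import os

PIN_MAX_TRIES = 3    # from the interview: three wrong PINs lock the card
PUK_MAX_TRIES = 10   # assumed value; the interview does not state a PUK limit
PBKDF2_ROUNDS = 50_000


class SmartCardPinState:
    """Model of the PIN/PUK lockout semantics described in the interview.

    Secrets are never kept in clear: each is stored as a salted PBKDF2 hash
    (an assumption about good practice, not a claim about any real card).
    """

    def __init__(self, pin: str, puk: str) -> None:
        self._pin_salt = os.urandom(16)
        self._puk_salt = os.urandom(16)
        self._pin_hash = self._derive(pin, self._pin_salt)
        self._puk_hash = self._derive(puk, self._puk_salt)
        self.pin_tries_left = PIN_MAX_TRIES
        self.puk_tries_left = PUK_MAX_TRIES

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

    @property
    def pin_locked(self) -> bool:
        """True once the PIN retry counter has reached zero."""
        return self.pin_tries_left == 0

    @property
    def card_blocked(self) -> bool:
        """True once the PUK retry counter has reached zero (card unusable)."""
        return self.puk_tries_left == 0

    def verify_pin(self, pin: str) -> bool:
        """Return True if the PIN is accepted.

        A wrong PIN decrements the counter. At zero the PIN is locked and
        even the correct PIN is refused until a PUK unlock resets it.
        """
        if self.pin_locked:
            return False
        if hmac.compare_digest(self._derive(pin, self._pin_salt), self._pin_hash):
            self.pin_tries_left = PIN_MAX_TRIES   # success resets the counter
            return True
        self.pin_tries_left -= 1
        return False

    def unlock_with_puk(self, puk: str, new_pin: str) -> bool:
        """Unlock a locked PIN with the PUK and set a new PIN.

        A wrong PUK consumes a PUK try; when those run out the card is
        permanently blocked (assumed behaviour, see lead-in).
        """
        if self.card_blocked:
            return False
        if not hmac.compare_digest(self._derive(puk, self._puk_salt), self._puk_hash):
            self.puk_tries_left -= 1
            return False
        # PUK accepted: install the new PIN under a fresh salt and reset the counter.
        self._pin_salt = os.urandom(16)
        self._pin_hash = self._derive(new_pin, self._pin_salt)
        self.pin_tries_left = PIN_MAX_TRIES
        return True


def demo() -> list:
    """Walk through the lockout sequence with constructed sample PIN and PUK."""
    card = SmartCardPinState(pin="1234", puk="87654321")   # constructed values
    events = [card.verify_pin("1234")]                       # True
    events += [card.verify_pin("0000") for _ in range(3)]    # False x3, now locked
    events.append(card.verify_pin("1234"))                   # False: locked
    events.append(card.unlock_with_puk("00000000", "5678"))  # False: wrong PUK
    events.append(card.unlock_with_puk("87654321", "5678"))  # True: unlocked
    events.append(card.verify_pin("5678"))                   # True: new PIN
    return events


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the model is the one the interviewee raises: the PIN protects the key on the card, the PUK protects the PIN, and losing the PUK leaves no recovery path short of revoking the certificate and reissuing the card.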
Mrs. Margarida Nunes da Costa Pedra – SBF Group IT Director

1. What were the challenges in the initial deployment of digital certificates in the
company?

First, one must understand the process of obtaining a digital certificate. This was difficult
because we had to read what obligations the Federal Revenue of Brazil (IRS) was imposing in
relation to the use of digital certification. So, many times we had to contact the IRS to obtain
certain information and clarify doubts. In other words, we had to clarify the process, and at
the beginning there were only two Certificate Authorities, which led to a lot of time spent with
the IRS. I think it was a learning period for everyone involved. I can say that we learned
together.

Today, we can hire the services of a Registration Authority to come to our company and assist
us. This service greatly facilitated the process of obtaining a digital certificate. Also, today the
IRS website information is clearer and the staff are better prepared to answer questions and
meet the needs of taxpayers.

Another aspect is that digital certificates were not cheap, taking into account the whole
process: the digital certificate, the card reader, and a professional visit to the company (the
last was our option).

One thing I would stress is that there were many doubts regarding the use of a digital
certificate and how to deal with it.

2. Does the SBF Group make use of the digital certificate for other purposes?

We began to adopt digital certificates within the SBF Group complying with the Brazilian
Government's requirement for an electronic invoice. This has generated a movement to
standardize the delivery of electronic documents and digital signatures.

At the time we started the process of digital certification in the company, as required by the
federal government, the SBF Group had an e-commerce shop. With the learning acquired from
using digital certificates, and taking into account the security that this technology brings, the
SBF Group sought a digital certificate to increase the reliability of electronic commerce with
our customers. We purchased a digital certificate to ensure secure transactions when using our
site, so that our customers could feel safer using their credit cards, without fear of fraud in
such transactions.

By following successful innovative technologies, the SBF Group is always seeking
mechanisms to protect its customers when they transact with it. And in this case, a Certificate
Authority accredited by ICP-Brazil gives us this support.

3. From the beginning until today, what can you tell us of positives and / or
negatives in the process of digital certification?

First, the digital certificates provided greater flexibility in tax processes. Now we do not need
to mobilize human resources to go to the service centres of government agencies, whether
federal, state or municipal, to deliver a tax obligation. Today we resolve almost everything we
need with a computer, a card reader and a digital certificate.

It led to savings in printing, and savings in handling and storing accounting books and other
documents, because bookkeeping and tax accounting are now done and maintained in digital
media and validated through digital certification. And, for the government, it is a chance to
increase the quality of oversight and thereby obtain greater control over tax evasion.

4. In terms of costs, is it expensive to obtain a digital certificate?

Not today.

At first we were paying around 285 USD to obtain a digital certificate, valid for three years.
Today this value has fallen to around 170 USD. This is pretty low compared to the benefits we
get.

We use the digital certificate not only for digital signatures. It is also our passport for
validation when accessing many government websites to obtain information that before was
only available in person.

The word I can use to define the benefits that the digital certificate brought us is 'AGILITY'.
Before, we had to go to a service station, wait a long time to be attended to, then go to another
department to stamp the document, and so on. Remember that this meant going from one
sector to another within a public agency, and sometimes even to another public agency.

5. Do you still have some problems regarding digital certificates in the company?

Today the digital certificate within the SBF Group generates no insecurity. Now we know that
it has only helped us. And the maturity that we acquired with the use of digital certification
leads us to have bigger goals with respect to the use of this technology.

6. Digital certificates generate a process of dematerialization, in other words,
enabling the substitution of paper documents by an electronic document digitally
signed. For many people this can mean difficulty. How does the SBF Group analyze
this issue?

Many papers have been eliminated, but we still issue a voucher every time a document is
delivered electronically. The voucher is archived for future validations. Thus, the difficulty
has a legal nature.

The tendency is to avoid printing because it eliminates costs.

7. What is the future of digital certification within the SBF Group?

Today, within the SBF Group, every employee has their own badge, which is their
identification within the company. This badge has a number that is tied to the employee's
record in the Ministry of Labour. In the future, all the information available on this badge,
along with much more, may be used in a digital certificate, giving greater reliability and
transparency in all processes within the company. This is our goal for the future.

However, today the badge represents a low-cost solution compared to the digital certificate.
Although we believe that this cost is not spending but investment, this investment is still too
high for us to opt for this alternative for the company at this time.

8. How is the market with respect to skilled professionals in digital certification?

The technology area is increasingly segmented. Today, we can hardly manage to hire a
generalist professional; what the market demands today is specialists. The specialization
courses are expensive, but professionals are increasingly investing in them. Despite a lack of
specialists, when a company defines the professional profile it needs, the company finds
him/her and manages to bring this professional in as a collaborator. And PKI technology is
still a relatively new field for us.

Mr. Glauco de Paula – System Engineer at Empresa1

Empresa1 – electronic ticketing systems. Today, the company is a reference in the national
market in this segment. It is present in over 80 Brazilian cities.

1. Is Empresa1 using open source software?

Yes it is. But this is not my specialty.

2. How is Empresa1 making use of PKI technology?

We use PKI technology in transaction processing solutions based on smart cards, with all
recorded data protected through encryption to prevent tampering, as well as non-repudiation
of all collected transactions.

The system is based on encryption and public keys, which can be used only by the key holder.
Among other security features, with the use of PKI technology we could guarantee more
security in the transaction and eliminate the use of passwords. Passwords are still the basis on
which many information systems rest their security, because they are the main mechanism
used to authenticate human users to computer systems. However, there are several problems,
such as the difficulty people have in choosing passwords that are hard to guess, or in
remembering passwords randomly generated by the system.

Our concern is always focused on providing secure transactions for our customers.

3. Was it very expensive to deploy this technology in the system?

We spent one year developing the current application in our system. Consequently, there was
a cost with staff, since it required better skilled professionals. The utilization of PKI
technology put us on a different level in relation to our competitors, because it ensures greater
transaction security for our customers.

4. What was the biggest challenge working with PKI technology?

The success of a PKI implementation depends on how well people interact with the system
and how the system is implemented. The biggest challenge to me was to understand the PKI
technology.

5. What is the future of PKI technology within Empresa1?

To evolve the PKI technology within the current system to ensure the security of the
application on all terminals.

6. In your opinion what is the future of PKI technology?

This technology is just starting in the Brazilian market. There are still few who are working
deeply with this technology. I believe that a promising area for the utilization of PKI
technology will be our electoral voting system. However, the Internet is a great channel,
because there is a lot of information travelling but very little security in the transactions.

Mr. Jerson Souto – Technology Business Manager (Professional Outsourced expert in
Open Source Software)

1. How is your experience with open source software?

I started working with open source a long time ago. I was selling Linux and suddenly we
could download it from the Internet. From then on, we had the code in our hands. I was
fascinated by that, and then I started to use open source software extensively, basically Linux.

But today, what fascinates me even more when we talk about open source software is its
connection with digital inclusion, and the dissemination of information this entails. I think
there is a revolution of cognition. The possibility of providing open source software to more
people makes digital inclusion more tangible.

2. Are you a member of some open source software community?

I should do that more. At first, I followed a few things, mainly doing validations and tests,
downloading beta software and exchanging opinions. It wasn't anything very official. All
along, much more as a user and enthusiast of everything around open source software.

I do not have a leadership profile, but I think I am an opinion leader. Often people around me
feel curiosity, begin to use and adopt open source software on their own workstations, and
that is the way I participate.

In fact, when we work with system development, it is so absorbing that we stop trying other
things. My recent times have been like that. When I worked with the support team, then yes, I
knew a little of this world, which is huge.

3. What roles has the Brazilian government played regarding open source software?

The government has invested heavily in digital inclusion. How will you provide computers
for a vast majority of the population which has no way to pay an operating system (even one
that is subsidized)?

The government has subsidized the hardware, but that didn't solve the problem of having a
computer. So, the brilliant solution has been the adoption of open source software.

In my opinion, we have been very reckless in entrusting all strategic information to a single
company. Imagine: almost all decisions, political and economic, are in Excel, an application
where we do not know what may be behind the code.

Another important thing with respect to open source software is that we do not have to
transfer foreign exchange out of the country. We can hire services in our own country.

So, it is good that the government sets the example by adopting open source software; others,
for sure, will follow.

4. Is open source software secure?

To me, what is secure? Is it what I see and can check, or something that comes in a sealed box
that I cannot see?

Yes, open source software is secure. And once more, it has technical support infinitely better
than any support that is given by a single company. The support is immediate and widespread.
It does not depend on anyone's timetable or country. And the most important is that the code
is fully auditable. It is something completely different from what exists in the proprietary
world.

5. Is it true that open source software is hard to install and configure?

These things are very controversial, because no one installs Windows. Everyone buys a
computer that has Windows installed. Nobody studies Windows. People just use it because
someone taught them, or because they have been using it since childhood, and so on. Most
people do not know anything about Windows. They only use the basic functions and surf the
internet.

Today, for example, the Linux installation is fairly intuitive, except for managing the disk
partitions. The problem is that we all have resistance to change at some level. The open source
software interfaces must be different from proprietary software, including as a matter of
copyright. But if we are not open to change, we will not grow.

Changes need to be motivated. And motivation is a tricky business, because one of the great
things that drives motivation is marketing. Open source software does not do marketing.

6. Did you observe some difference after the government started encouraging the
practice of open source software?

Yes, sure. Mainly because, as a result of government policies, I see that schools are beginning
to encourage the use of open source software.

It is important to give students the opportunity to see how their tools work and examine the
inner workings of software. We are just at the beginning of the information age. It is time for
the opening of the tools that will be needed to build this new age. Those who do not change
stay behind.

Brazil is a country of continental dimensions. And only 10% to 15% of the population has
access to technology. So we see the real necessity of government initiatives regarding digital
inclusion.

7. Are there many private companies moving towards open source? Can you give
examples?

Yes. Most companies adopt open source software on servers, and many small companies do
so because they want to reduce costs.

Companies are finding that with open source software there is also the possibility of changing
suppliers without losing the knowledge accumulated in their systems, and this increases their
bargaining power.

8. In your opinion what are the biggest challenges regarding open source software
adoption in Brazil?

It is a paradigm shift. The Internet is challenging the software world that we all know. The
challenge is to do what the government is doing: foundation work, creating a new culture.
And one does not change a culture with a decree.

In my opinion, the big challenge is to continue the work that has begun. I believe in long-term
work, work that does not last the life of one person, but that lasts the lives of many people, a
succession of things. The great achievements are done like that.

Mr. Fernando Augusto Medeiros – LinuxPlace

LinuxPlace provides support, training, consultancy and development, always using open
source software tools. LinuxPlace is a reference and a pioneer in spreading the Linux
operating system on the Brazilian market, having participated in several public and private
projects linked to development and information security.

1. How long have you been working with open source software?

Eleven and a half years.

2. Briefly, what are your main feelings towards the open source concept?

During this time I have carried the flag of open source software I must admit that I was more
active before.

Indeed, I believed in open source software as a matter of ideology. Today, I have surpassed
the ideology and have come to be the real strength of open source software. It is no longer an
alternative, but reality. It is a rarity, today, to find a company that has no open source software.

Open source software is a collaborative work carried out by motivated programmers around
the world. We always will find faster solutions to problems of systems development than any
proprietary software. We must think about the models cathedral and bazaar.

However, I do not believe that open source software will dominate the proprietary software.
There will be a market for both models. Open source software today is consolidated on the
market. Many companies are opting for open source software not only about the cost but
because they have more control.

3. When is open source software useful and when should it be avoided?

Open source software should not be adopted when the customer does not want to have any
development work, which involves staff training, and when there is incompatibility in the
system. Otherwise, the company that wants to use open source should hire someone to do it
for them, as in the proprietary model.

One needs to have a strategy when adopting open source software. The important thing to
remember is that its use requires installation, configuration and other services that can mean
costs.

4. Critics have argued that open source software in Brazil had a great euphoria
around the year 2004, but now the euphoria is about to end. Do you agree with
them?

In the beginning, people talked too much, but did little in practice. It is the opposite now.

5. There is some controversy between the terms 'free software' (Free Software
Foundation) and 'open source software' (Open Source Initiative). What is your
opinion about it?

It is linked to ideological issues. I think that Richard Stallman had a key role in the free
software movement. But I'm not in favour of radicalism. The conflict will always exist.

Yes, I question whether in practice free software/open source software licenses will work as
designed.

6. Are there many private companies moving towards open source? Can you give
examples?

There are a few. Despite recent efforts, Brazil still has not developed much open source
software. We use much more than we develop.

But this is not a problem related to open source software. In the 80s and early 90s, when the
government imposed severe restrictions on the entry of hardware into Brazil, there was a demand
for domestic production of it. But, when a trade liberalization process started in Brazil,
many hardware companies in Brazil had to shrink considerably or simply close their doors.
With the latest government policies, this picture is turning a bit.

Today, the government, be it federal or state, is using its buying power as an incentive to
produce technology. This is tremendously good.

7. What about professional support (training, consulting, and implementation)
regarding open source software?

Many people say that they do not adopt open source software because it is hard to get
technical support and that is one barrier to overcome.

Yes, we have problems with technical support because there is not enough of it. But people forget
to get in contact with those who developed the software. Those who developed the software
are the best to help when you need support. And they are there for it. They want to help you. It is
how they will sell their services.

And then, I again repeat, open source software is not free. It has a cost.

8. In your opinion what are the biggest challenges regarding open source software
adoption in Brazil?

The professional is one of the biggest challenges.

The technology professional in Brazil is difficult in any area. It is not only a problem of open
source software. For example, you will find professionals who work and support Linux, but,
for example, if you need support for the proprietary software AIX, then you will have many
difficulties.

The proprietary software offers some advantages that are not so easily found in open source
software. Among these advantages, the one that stands out is technical support. Due to this
fact, many companies choose proprietary software.

Prodemge

Prodemge is a Certification Authority accredited by ITI for issuing digital certificates in the
ICP-Brazil standards, including e-CPF, CNPJ and NF-e, in the hierarchy of the Federal
Revenue in Brazil (IRS).

Respondents:
Mr. Sergio de Melo Daher – Superintendent of Technology
Mrs. Jacira dos Reis Xavier – Manager, PKI expert

1. How would you describe how you're using PKI technology at Prodemge?

This technology is fully consolidated at Prodemge. We have been working with PKI
technology for 5 years and we are a certificate authority linked to ICP-Brazil. In Brazil, we
had a period of adaptation and today this technology is being widely used in public
administration. PKI has been increasingly used to ensure the safety and reliability of
information and virtual operations.

2. What was the biggest challenge regarding PKI?

Our biggest challenge was in relation to changing culture. Why do we need a digital
certificate? How can we integrate the existing systems into a PKI system? How can we manage
the certificate lifecycle? These questions were in the minds of users when we started to implement
PKI. And the process from paper to digital documents was a big issue. The method of
dissemination of PKI technology at Prodemge played a vital role in consolidating the use of
digital certificates in our systems.

Another challenge was regarding the cost. The cost was very high. It is still expensive to
operate and maintain, but now we have been providing services of quality at a cost-effective
rate because we have high-volume transactions.

3. Has Prodemge provided any PKI application for users and private companies?

Prodemge acts more as a provider of solutions for government agencies. The invoice of
the municipality of Belo Horizonte, for instance, was provided by Prodemge. Prodemge
has an accredited Certificate Authority for issuing digital certificates in the ICP-Brazil standards,
including e-CPF, e-CNPJ and NF-e.

4. How are companies experiencing electronic invoices?

The acceptance was very high. As electronic invoices can be delivered via email or FTP from
any location, at any hour of the day or night, it increased value and satisfaction for companies.
The electronic invoices brought efficiency and effectiveness with simplification of procedures.

Another consequence is the dematerialization of documents by transforming paper documents
into electronic files.

5. Is there another application within this scope that you could highlight?

Yes, one is the implementation of the practice of electronic processes by the judiciary and
another is one implemented by DETRAN-MG (Traffic Department of Minas Gerais).

Providing services in electronic form and using technology that ensures security – both
regarding the information and by identifying safely who is accessing the information – has
drastically reduced the time and bureaucracy in the processes.

6. Did you have any problem regarding users and their private key?

No. Prodemge had no report about it. The only problem is that users often forget the password,
and then you need to issue a new certificate. The user can change the password whenever
he/she wants.

We always warn the holder of the digital certificate that the private key must be under his/her
exclusive control, use and knowledge.

7. PKI is rapidly maturing as a security solution, how do you envision the future for
PKI?

I think that many applications will emerge for individuals with the new Civilian Identity Registry
(RIC). Mainly because many citizens say they can't justify purchasing a digital certificate due
to cost. As every citizen will have a RIC and it will have an embedded digital certificate, then
more services will be available and the massification of PKI technology can happen.

8. Were the PKI applications running within Prodemge developed by you, or were they
bought on the market?

Most solutions were developed by Prodemge because we have specific systems of the Minas
Gerais state. Private companies have many solutions with reasonable prices.

9. How is the qualification of professionals in the area of PKI on the Brazilian
market?

In 2004 when we started developing a project using this technology, there was a concern
about training professionals. Today we have a great team that has absorbed this technology.
This team studies, implements and provides new projects.

The market has few professionals in this area.

10. Has Prodemge adopted open source software?

Prodemge is a big user of open source software. Open source software inside Prodemge
was adopted gradually; it was not a strategic decision. It was being incorporated day-to-day
into the company.

We started using Linux. Today 70% of our network servers are running Linux, and we use
Apache too. And we have many open source software applications. Some of the open source
software we use is free of cost, but for the great majority we pay for the use of a license in terms of
technical support. For others, as we have the knowledge, we don't pay for technical support.

11. How was the acceptance associated with the adoption of open source software?

Sometimes it was complicated. For example, we had a difficult period when we started
working with Java. There was a lot of training. Today, I can say that open source is very well
accepted within the company.

When a new professional joins the workforce all support is given to him/her, so he/she can
work comfortably.

12. Do you agree or disagree that open source software is secure?

I consider open source software secure because the code is open. This means that it can be
seen by everyone and then errors can be easily found and corrected. The auditability is very
important.

Dangerous is proprietary software, in which we do not know what may be embedded.

13. Are there many barriers to overcome toward open source software adoption?

I could say that it is support. All software needs a good support infrastructure behind it, be it
open source software or a proprietary one.

One cannot download open source software and think that it will work without any problem.
One should not only worry when problems arise. To adopt open source software you need a
team with deeper knowledge.

14. Does Prodemge make use of open source PKI?

No.

15. Do you think of some advantage in using open source software PKI?

To make it happen Prodemge needs to have intellectual resources. I mean, we need to have a
team ready to audit and verify if this software is framed within our business rules and within
the technical standards required.

16. In your opinion, what are the biggest challenges regarding PKI in Brazil?

I think that our biggest challenge is to meet the expectations of the RIC project. It's a fantastic
project which means a lot in terms of citizenship.

Mr. Alexandre Atheniense

Lawyer, IT Law Professor, Consultant, Writer, Speaker. Specialised in matters related to Law
and Information Technology, Internet law and Intellectual property.

1. Briefly, what are your main feelings towards the open source concept and how do
you see open source in government and in Brazil in general?

To talk about open source in Brazil, and mainly in the government sphere, I need to mention
the name of Sérgio Amadeu. He, as president of ITI, substantially defended the use and
dissemination of open source software. He always believed in open source software as a
business model for the Brazilian executive branch. After Amadeu left ITI, the market didn't
slow down, but the theme of open source software has not been treated in the same way as when
Amadeu was heading ITI.

I have taught some lectures on the subject and I have been following the path of open source
in Brazil. I even participated in a project to sell PCs with lower prices by using operating
systems developed in open source software.

We have one unique state law in the Brazilian state called ‘Rio Grande do Sul’. This law
determines the preferential use of open source software in public administration directly and
indirectly in that state. But this law is being contested.

We have one provision, based on law 11419/2006, which states that the Brazilian courts should
preferably make use of systems based on open source software to develop routine procedural
practices.

Brazil is a pioneer in terms of having a specific law on electronic judicial processes. That
is, it allows a proceeding from the beginning to the end in digital format. Several courts have
already regulated at least one procedural practice, but, unfortunately, few lawyers are capable of
working in this new scenario yet.

The adoption of open source software in the Judiciary is under constant discussion, but the lobbies
of proprietary software companies are very strong. Currently, the vast majority of Brazilian
courts buy proprietary software. As each court has an autonomous decision, they can decide
what track to take with their systems.

2. In your opinion, is open source software good for society?

Yes, without a doubt. The use of open source software is of great importance to meet the
interests and aspirations of society for a fair access to knowledge. It is extremely reliable. For
a given type of application open source software is fantastic.

3. Do you have or have you had any lawsuit filed against open source software?

No. I haven't had any lawsuit about violation of an open source license yet.

All my work in this area occurred constructively, making licensing agreements for open source
software. I mean, it was always based on prevention. It has never been due to a dispute.

4. Would you describe how you're using PKI technology?

I started having contact with this technology in 1999. Along with other lawyers we created
an independent Certificate Authority for the OAB (Brazilian Bar Association). This certificate
authority, named ICP-OAB, was intended to issue digital certificates to lawyers. It didn't
follow the ICP-Brazil standards. It operated in the states of São Paulo, Minas Gerais and
Rondônia.

The Brazilian law which defines a digital document as original does not prohibit other types of
electronic identification and certification apart from the ICP-Brazil standard. It can be accepted as
valid by the parties or accepted by the person to whom the document is raised. However, the
Certification Authority that we created could not continue operating. It was determined that
any digital certification system used by the federal government or the Judiciary could only be
provided within the requirements of ICP-Brazil.

After a long period of discussions we abandoned the project of an independent certificate
authority of the OAB. There is much commercial interest behind this: the interest in selling digital
certificates.

We also initiated a work of evangelisation of the Brazilian lawyers in order to show them the
practical benefits that the digital certificate may provide, such as demonstrating that certain
routines could be performed remotely and by replacing the paper electronically.

5. In your opinion, what is the current significant impediment to the widespread
adoption of PKI technology?

I believe that the use of digital certificates could take off in Brazil much more if not for the
price. We have a demand for services, but the prices charged for digital certificates are
unviable for use on a commercial scale.

I did research, and I counted 150 systemic features allowed by law 11419/2006 that should be
developed with the purpose of substituting paper with digital documents, many of those using
digital certificates. It is a huge number of applications needed to attend to the demand we have.

6. Are, in Brazil, the data protection principles adequate for the processing of
personal data concerning PKI technology? Are there bills, regarding data
protection, being processed? Is there already electronic crime legislation in Brazil?

In recent legislative reforms, electronic procedures have been increasingly included in
forensic practice. For example, our laws on election advertising on the Internet are very
advanced.

It is true that we need some new laws for new types that emerged after the use of information
technology. We need a law to regulate online privacy in more detail.

The current Brazilian legislation includes a series of impactful conducts that happen in the
area of information technology. There are 20 different types of crimes committed on the
Internet that are already foreseen in our legislation.

7. In case of dispute, lawyers will have to rely on experts to investigate the digital
evidence to determine whether an electronic signature was used. Do you think
that in Brazil everybody (technologists, individuals, lawyers …) connected with
electronic signatures and variants of signature available have been well trained to
use and treat properly digital signatures?

Law and technology are two worlds that I'm seeing increasingly interacting, by the state in the
imposition of society. For example, we, as lawyers, today, need to understand how Facebook,
Twitter or Orkut work, to know which way to take when making a decision. Or even to
advise a client regarding the benefits and hazards of dealing with social networking.

The Law of Information Technology is interlacing increasingly with the more traditional
branches of law, in a way that requires from professionals in the field of law the need for
specialisation on new subjects, which were not and are still not being addressed by the Law
Universities in Brazil.

We, lawyers, need to be aware that we will have a greater connection with electronic evidence
than evidence on paper.

8. Are the Brazilian states able to legally accept digital documents?

The Provisional Measure 2200/02 was created in 2001, which established criteria so that we
can consider as valid the documents generated in digital format. This Provisional Measure,
which has the force of law, stipulates that if the document was digitally signed using asymmetric
cryptography, then this document is accepted as original.

We need to solve the situation of a document that is generated on paper and converted to digital.
We have a bill that is moving to establish the appropriate criteria.

The digital document is increasingly gaining space in our daily lives. Law 11419 allowed
the conduct of judicial proceedings without paper. It's a great advancement towards
dematerialisation – that is, replacing the paper document with the digital document. Another
area in which dematerialisation is happening with great success is accounting.

Brazil is the world's first country to have legislation that allows the processing of an
electronic judicial process from start to finish. Several countries have procedural moments,
but not as complete. We are the only ones.

9. In your opinion what are the biggest challenges regarding PKI in Brazil?

The biggest challenge is to make people have the same trust relationship with the digital
document in the same way they have with the paper document.

The lawyer today is a great enemy of digital certification, because he/she still prefers the
paper document. We need to spread the culture of digital certification among lawyers. Today,
the OAB has 700 000 lawyers registered, but only 20 000 have a digital certificate issued by
ICP-Brazil.

The benefits of digital certificates to lawyers become evident to the extent that the
Brazilian courts are moving fast in the deployment of the paperless judicial process. We are in
a phase of cultural transition in which lawyers, as effective opinion-makers, need to
acquire a trust relationship with the electronic document and encourage their customers to
do business at a distance by electronic means using the digital signature.

This change begins to happen from the moment that certain courts establish guidelines and
regulations imposing that a particular practice only be done electronically. We are in the
process at our Superior Court (STJ).

10. How can we preserve honesty in a cyberspace where anonymity grows? Is PKI
one solution?

It is unsurprising to say that the weakest link in the chain of information security in the electronic
medium is the human being. We should aggregate several items related to information
security in order to have effective risk management.

The one who will provide electronic services should always be concerned with exercising a trust
relationship with the party interested in the service. One of the most important benefits of the
digital signature is to provide integrity and security in the exchange of information over the
network.

Professor Jeroen van de Graaf

Researcher in cryptography, doctor in the area from the University of Montreal, Canada
Professor at the Federal University of Ouro Preto, Ouro Preto, Brazil

Note: The names of the companies are not disclosed in this report, to avoid exposing them.

1. Briefly, what are your main feelings towards the open source PKI?

I have several feelings. Company A, for instance, is a leading company in PKI solutions,
with over 10 years operating in Brazil, and the exclusive Brazilian affiliate of an American
company. With the experience of these companies, I believe that they don't have motivations
to adopt open source software because they are software development companies. This
means that any issues will be resolved very quickly by themselves.

I worked on two open source PKI projects. One of them is ICP-EDU (ICP is PKI in English),
whose main objective is to create the conditions necessary for implementation of an ICP within
academia, facilitating mutual recognition of X509 certificates issued by universities or other
academic organizations, thus facilitating the authentication, authenticity, integrity and non-
repudiation of communications.

Providing, at no cost, digital certificates for students, teachers, staff and academic researchers
brings a great benefit because it eliminates the cost of buying digital certificates issued by a
commercial ICP. This project is all based on open source software.

The other project is one to implement an ICP for company B in Minas Gerais State. The initial
plan was to develop software from scratch, but after some problems it was decided to
implement another open source PKI, EJBCA, which was developed by a Swedish
company.

When I finished working on those projects, as I like more theoretical issues, I decided to
continue as a teacher and researcher.

I believe that today, PKI does not present many technological challenges, because it is a well
established technology. The challenges of PKI solutions are cultural, for example, a challenge
such as how to encourage Brazilian people to use PKI, to rely on this technology. Those are the
biggest challenges regarding PKI in Brazil.

2. What roles do universities play in the development of skills related to open source
PKI?

Many projects have had the participation of universities in research and development in
the area of public key infrastructure. And many of these projects offer scholarships. The
‘João-de-Barro’ project, for instance, which is an open source PKI platform, was developed with
the participation of some universities. This promotes a very large and intense exchange of
experiences.

3. Surveys have pointed out that PKI is complex, very expensive and suffers
interoperability issues. Do you think that open source software can minimize those
problems?

PKI has been around for a long time, but it has not taken off except in a few high security
niches. Yes, it is expensive. You see, it needs an operating system, client software,
cryptographic hardware, a database, a safe room, qualified professionals, among other things. Given
this, open source software is just one small aspect. Then, in this case, I don't believe that open
source software can influence costs.

But for me, I act in the security area and I am extremely worried about this question. I believe
that we cannot trust software whose code is not open. PKI cannot generate one killer
application for open source software. However, I am not an idealist regarding open source
software. I think that the government should have reservations when adopting software,
especially software that generates public and private keys. Then, mainly in this case, open
source should be adopted.

4. PKI is rapidly maturing as a security solution, how do you envision the future for
PKI?

I believe that the PKI solution is healthy. However, I do not agree with the adopted model. I
mean, the way that the digital certificates are issued. I think that we should pay for the
services, not buy a digital certificate.
