ICSS-DSV-KTH Master Thesis

Challenges and Opportunities with Open Source PKI In A Developing Country

Katthya Marques Åhlin
E-mail: katthya@telia.com

Supervisor: Matei Ciobanu Morogan (Dr.)

October 2010
Royal Institute of Technology (KTH), Sweden
Information and Communication System Security

This thesis corresponds to 20 weeks of full-time work

Inscription

I dedicate this work to my mother, Rosina Amélia Marques, an eternal fighter in all fields of life, an example of dedication, hard work, inspiration, firmness, objectivity and wisdom, who was always by my side at every moment of my life and who was responsible for making my dreams a reality. Without her, I could not have achieved this.

Acknowledgements

Thanks to my supervisor, Matei Ciobanu Morogan, for his guidance, time and advice. Thank you to the many people and organizations that granted information, feedback and moral support throughout my research. Without them, this academic work would not have become a reality. Thank you to Melanie Anderson, who reviewed a draft of this report and contributed to my understanding of the written word and the overall readability of this text. All grammatical and spelling errors are my own. Thank you to the friends who gave me financial and moral support when I travelled to Brazil to conclude my studies. I offer my regards and blessings to all of those who supported me in any respect during the completion of my studies. Thank you to the several individuals who responded to surveys regularly, commented on a draft questionnaire, returned my emails, took my phone calls and answered my questions with patience and enthusiasm. Thank you to the staff and board members of the Brazilian government and of private companies who took time out of their busy schedules to help me learn more about the work they have been doing to make open source software and PKI a reality in Brazil. I can only aspire to achieve the level of success and professionalism that they exhibit. Thank you to my husband, Mikael, who provides indisputable companionship in times of trouble and discouragement; thank you for making it all worthwhile. Thank you to my son, Gabriell, for his patience and tolerance of his mother's long hours and absence from home; I am forever grateful. Thank you to my mother, brother and sisters, whose constant love, support and encouragement are blessings that I shall always treasure. Last but not least, I thank God for His protection throughout my studies.

Katthya Åhlin

Epigraph

“In a world where knowledge, information, creativity and innovation are factors of wealth, cultural diversity is to be recognized and exploited as a factor of competitive advantage. The balanced development of the country must therefore be based on local actions, oriented towards the use of the diversity and specificities of each region. In this sense, the proximity of federal, state and local governments to the demands of society and communities, promoting their involvement in developing strategies and action planning, is extremely important.”

Information Society in Brazil - Green Book

Abstract

Nowadays information security is a major challenge for most organizations, forcing them to invest time, money and knowledge in deploying new technologies. On one hand, PKI is a technology that has always been tied to the notion of secrecy. On the other hand, open source software is a form of technology that aims not to keep secrets and to make knowledge open and accessible to everybody. PKI solutions are often considered expensive, complex systems that are not easy to deploy, administer and use, and these have been the impediments to widespread industrial use of PKI. In contrast, open source software is considered a viable and coherent alternative for the dissemination of technologies. This research is about security. Many security technologies exist, but in most cases security is treated as a financial decision, and that is a significant issue in developing countries. Since the availability of open source software makes it an attractive investment, especially in poor and developing countries, this report discusses the current PKI situation and the current open source software situation in Brazil and presents one potential strategy for dealing with the problems above. There are challenges, but the opportunities are significant as well.

Keywords: Information Security, Open Source Software, PKI, Complex, Expensive, Developing country, Opportunities, Challenges

Table of contents
CHAPTER 1: INTRODUCTION ... 1
1.1. Background ... 1
1.2. Problem Definition ... 1
1.3. Purpose ... 2
1.4. Research Question ... 2
1.5. Goal ... 2
1.6. Target Audience ... 2
1.7. Research Methods ... 3
1.8. Disposition of the Report ... 4

CHAPTER 2: INFORMATION TECHNOLOGY OVERVIEW ... 6
2.1. Open Source Software ... 6
2.1.1. Free software and open source software ... 6
2.1.2. Open Source Software Licensing ... 7
2.1.3. Open Source Software Advantages ... 9
2.1.4. Open Source Software Disadvantages ... 11
2.1.5. Open Source Software Community ... 12
2.2. Public Key Infrastructure (PKI) ... 13
2.2.1. Description ... 13
2.2.2. Digital Certificates ... 14
2.2.3. Certificate Authority ... 16
2.2.4. Registration Authority ... 16
2.2.5. General PKI Architecture ... 17

CHAPTER 3: OPEN SOURCE SOFTWARE AND PKI IN BRAZIL ... 18
3.1. Current Open Source Software Situation in Brazil ... 18
3.1.1. Policies for Technological and Industrial Development ... 20
3.1.2. Brazilian Public Software ... 22
3.2. Current PKI Situation in Brazil ... 24
3.2.1. ICP-Brazil ... 24
3.2.2. E-ping - Interoperability ... 26
3.2.3. Internet Rules and Regulations ... 27
3.2.4. Examples of PKI in Different Sectors in Brazil ... 28
3.2.5. RIC – Unique National Identification ... 30
3.2.6. The Brazilian National PKI ... 31
3.2.7. Seminars for Disseminating Information ... 32

CHAPTER 4: SURVEY AND INTERVIEWS ... 33

CHAPTER 5: CONCLUSION, DISCUSSION AND FUTURE WORK ... 38

ABBREVIATIONS LIST ... 42
REFERENCES ... 44
APPENDIX A – PROVISIONAL MEASURE 2.200 ... 52
APPENDIX B – QUESTIONNAIRE SURVEY ... 58
APPENDIX C – INTERVIEWS ... 61

Chapter 1: Introduction

1.1. Background
The increasing use of electronic communications and technologies to drive business has provided significant benefit to industry. Many developing countries have a range of electronic commerce projects under development, and many businesses are online. As the flow of documents over the Internet has greatly increased, information security has become a key factor in mitigating attacks that are becoming more and more sophisticated and that put the systems and reputation of companies at risk. Information security is one of the most important concerns in today's business world, as it has a direct influence on the activities of the global market. One aspect that has proved extremely relevant is the cost of information security; this cost leads many companies to not properly protect their information [87]. It is also clear that the later failures are detected and corrected, the greater the cost incurred. Governments and private companies are under increasing pressure to secure their electronic business transactions more effectively. Strong authentication reduces the risk of unauthorized access, and encryption of data limits a company's exposure in case of a breach. Governments and many companies are deploying Public Key Infrastructure (PKI) systems to manage digital certificates for authenticating employees, encryption and digital signatures [1], enabling them to do business with each other more securely. However, PKI solutions have been considered prohibitively expensive and rather complex technology [2], which makes them economically unfeasible for some developing countries.

1.2. Problem Definition
PKI plays an important role in increasing security by providing much stronger identification of the person performing a transaction. However, PKI technology is relatively complex and costly to deploy, and another main impediment to its widespread adoption has been the interoperability problems between different PKI applications. Given these difficulties, many organizations are reluctant to consider implementing this technology [3].

1.3. Purpose
The purpose of this thesis is to investigate the current PKI situation and the current open source software situation in Brazil, the developing country targeted, giving a comprehensive overview of the advances of the past decade, in order to analyse whether open source PKI is feasible to implement and deploy given the problems described above.

1.4. Research Question
This academic work aims to answer the following questions:
• What are the attitudes of people in a developing country towards open source software?
• What are the attitudes of people in a developing country towards PKI technology?
• What are the attitudes of people in a developing country towards the need for open source PKI?
During the literature review we concluded that these questions have not been previously answered and that, given the present moment in Brazil regarding PKI technology, they are worth answering.

1.5. Goal
This thesis aims to assess the feasibility of using open source PKI in Brazil, a developing country of many challenges and opportunities, as well as the positive impact of encouraging the development of open source PKI across different industries. In other words, this research seeks to establish whether there is a market that represents a set of opportunities for open source PKI software to penetrate business in a developing country.

1.6. Target Audience
The target audience for this research includes open source developers and communities, government agencies (at the federal, state and local level) in developing countries, and private entities concerned about information security. The audience also includes the governments of developing countries themselves, for whom the report aims to establish the importance of information security and to make the case that they should step in on this issue.
2

1.7. Research Methods
The research methodology combines a qualitative and a quantitative approach, encompassing case studies as well as a survey and interviews. For the situational analysis, we investigated the use of PKI technology in Brazil specifically. Apart from investigating the technology itself, we also carried out surveys in Brazil to gain insight into the situation and participated in seminars on specific topics. The empirical exploration of open source software and PKI was preceded by a literature review and by face-to-face interviews with several individuals who have very good first-hand knowledge of both subjects. The majority of the information gathered for this report concerns the Brazilian IT industry. Internet sources were particularly useful, because there is a lack of literature in books and white papers on the research topics as they apply to Brazil. The direction of the research was set by the initial literature review, which focused mainly on government support for open source software. The survey used in this report was an attempt to gather information from government and private companies on open source software and PKI technology, in order to bring up the issues related to open source PKI. Whether a company already used PKI technology or open source software was not a criterion; however, it was a criterion that all companies should have significant experience in the IT area. The research also drew on the researcher's participation in a three-day seminar held in Brazil in June 2010, the '8º CertForum', which focused on issues relating to the uses of digital certification. The interviewees were chosen for their extensive experience in open source software or PKI technology. Most interviews were arranged before the researcher travelled to Brazil; personal interviews led to further interviews through contacts between the interviewer and the respondents.
Finally, an analysis was made in which we present some of the challenges and opportunities associated with the impact and risks of using an open source PKI in Brazil.

The results of this research suggest an approach for future work. It is hoped that the information presented in this report will be useful to developers, users and enthusiasts of open source software and PKI technology, and that the future needs identified here will serve as a basis for that work.

1.8. Disposition of the Report
The report is structured in 5 chapters. Following is a brief description of each of the chapters:

• Chapter 1: Introduction
This chapter gives an introduction to the background of the problem under consideration, the goals and aim of the thesis, and the methods used to carry out the thesis.

• Chapter 2: Information Technology Overview
This chapter provides base knowledge of open source software, focusing on its advantages and disadvantages, and presents a holistic view of Public Key Infrastructure (PKI). The treatment of open source software and PKI in this chapter is brief, almost to the point of being superficial, but sufficiently comprehensive for the target audience.

• Chapter 3: Open Source Software and PKI in Brazil
Here the social aspects of the Brazilian government's efforts toward open source adoption are investigated, as well as the governmental policies on the use of open source software, where PKI is implemented and used in various segments, and how trust is currently managed.

Although it is very difficult to capture the breadth of knowledge in these areas in this thesis work, this chapter takes an overview approach that highlights the main points about open source software and the PKI situation in Brazil. One of the most important aspects of this chapter is the significance of how the Brazilian government treats PKI as a national infrastructure and provides regulatory guidance to ensure the quality and sustainability of certificate authorities.

• Chapter 4: Survey and Interviews
This is the most important chapter of the thesis, because it covers the current situation of PKI and the acceptance of open source software in Brazil. This chapter aims to provide a concrete picture of PKI and open source in Brazil, in which the principal source of data used for analysis and discussion is the interviews and surveys.

• Chapter 5: Conclusion and Recommendations
In the conclusion of the report, we summarize what was done in this work and provide recommendations for the future direction of the thesis.

• Appendix
The appendix presents a variety of resources and additional information. It contains a Brazilian document, translated by the researcher, to provide the reader with some of the official regulations established by the Brazilian government, as well as the survey questionnaire and the full interviews.


Chapter 2: Information Technology Overview
2.1. Open Source Software
In this section, the background to this study is outlined by first highlighting a few definitions used within the open source software field. This paper discusses the benefits frequently cited as justification for adopting and implementing open source software. Not only companies have become interested in open source software, but governments around the globe as well [4]. The choices that governments make have a widespread influence on society. Foremost, they spend very large amounts of money annually on Information and Communication Technologies (ICT), and the lower initial cost of adopting open source software allows governments to save money by not having to buy licenses. Secondly, society in general has a direct relationship with governments through the public services it uses. Consequently, the choices that governments make have an impact on the choices of companies and citizens.

2.1.1. Free software and open source software
Different words convey different ideas. There are two main types of software that are considered "open": free software and open source software [5].

Free software is described by the free software community as software that is freely accessible and can be freely used, changed, improved, copied and distributed by all who wish to do so. The Free Software Foundation (FSF), created in 1985 by Richard Stallman, is an organization with a worldwide mission to promote computer user freedom and to defend the rights of all free software users [6].

Open source software is described by the Open Source Initiative through the Open Source Definition, whose core criteria are [7]:
1. Free redistribution
2. Availability of the source code
3. Permission to create derived works and to reuse the code in new software
4. Integrity of the author's source code (modifications may be required to be distributed as patches or under a different name)
5. No discrimination against persons or groups
6. No discrimination against fields of endeavour (in particular, no restriction on commercial use)
7. Distribution of the license with the software, without requiring an additional license from recipients
8. The license must not be specific to a product (e.g., valid only as part of a particular software distribution)
9. The license must not restrict other software (e.g., software distributed on the same medium)
10. The license must be technology-neutral (no provision of the license may depend on an individual technology or style of interface)

It is important to keep the two concepts separate when discussing philosophies and values, and also to understand that the two concepts do not exclude each other; instead, they work together in advocating free software and open source software.

Concerned about redistribution rights, programmers developed what is now popularly known as "open source licensing". The fundamental purpose of open source licensing is to deny anyone the right to exclusively exploit a work [8].

In this study, we use the term 'open source software' (OSS). 'Open source software' here refers to liberty or freedom, not price. We are writing about software that is available, free of charge or commercially, with the premise of freedom of installation, full use, access to the source code, the possibility of changes and improvements for special needs, and distribution of the original or modified code, with or without cost. Note that there are programs that can be obtained free of charge but may not be modified or redistributed; those are not open source in this sense.

2.1.2. Open Source Software Licensing
The distribution and use of software is based on licenses. Users of the software must agree to and accept the license associated with the software in order to use the code. These licenses have the force of a contract of adhesion, in which the user undertakes to respect the rules proposed by the owner of the software and can be sued in case of non-compliance. The owner of the software can take legal action against a user who violates the copyright law associated with the license [9]. The rules defined in these licenses are what determine whether the software is considered free, open source or non-free (proprietary). As previously mentioned, open source software licenses allow any user to use, copy, modify and distribute the software, subject to certain rules. In general, proprietary software licenses allow the user only to use the software according to the rules of the company that developed it, prohibiting its reproduction, multiple installation, alteration, sale, resale or redistribution without paying extra.

Several open source software licenses are recognised under the Open Source Definition. The most commonly cited and used is the GNU General Public License (GNU GPL), which is one of the foundations of open source licensing. The GNU GPL was created by the Free Software Foundation (FSF), and it is the preferred license for projects sponsored by the FSF [10].

The GNU GPL defines the freedoms of the user of the software: the user can freely use it, adapt it for their own use, redistribute copies, implement improvements and share those improvements [11].

Briefly, the GPL is built on four freedoms that are to be preserved:
• The freedom to use the software for any purpose
• The freedom to study how the program works, and to change the software to suit your needs
• The freedom to share the software with your friends and neighbours
• The freedom to share the changes you make

It is also important and appropriate to remark here on the concept of 'copyleft'. Nowadays, the concept of copyleft is fundamental to many programming projects. Many creators in the information society use it, from software developers and digital artists to content providers, composers and designers. Copyleft is a general license grant by a copyright owner allowing anyone to freely use the copyrighted work, but under specific terms. Common terms of a copyleft license state that the work is freely available to all potential users. Copyright is retained, but the rights to copy, modify and redistribute are granted, provided that the same terms are maintained for all future users and derivative works [12]. It is important to emphasize that not all open source software licenses impose copyleft.


2.1.3. Open Source Software Advantages
Motivations for using and developing open source software are linked to philosophical and ethical reasons as well as purely practical ones [13].

Open source has an impact not just on the budgets of governments and organizations, but also potentially on developers, IT managers, suppliers, customers and partners. Usually, the first perceived advantage of open source software is that it is made available free of charge or at a low cost, reducing the costs associated with proprietary licensing and updates. However, many surveys conducted by researchers have concluded that, surprisingly, the key advantage of open source software is not its free or low price tag, as many expected [14]. The following are some advantages, without ranking them:

• The availability of the source code and the right to modify it
This enables unlimited tuning and improvement of a software product. It also makes it possible to port the code to new hardware, to adapt it, and to reach a detailed understanding of how the system works. This is why many experts are reaching the conclusion that, to really extend the lifetime of an application, the source code must be available. It is also much easier to find bugs and fix them when the source code is available [15].

• The right to redistribute modifications and improvements of the code
The right to reuse other open source code is a great advantage, because modified software can be shared by large communities [16].

• The right to use the software in any way [17]
This, combined with redistribution rights, ensures a large community of users. A large community helps, in turn, to build up a market for support and customization of the software, which attracts more and more developers to work on the project. This successively helps to improve the quality and functionality of the software. All this combined will cause more and more users to give the product a try, and probably to use it regularly.

• No one has the power to unilaterally limit how the software is used [18]
Such a power manifests, for instance, when a proprietary software vendor decides not to upgrade a software product for some old platform. In this case, customers can only stay bound to the old version of the software or turn to another product. Another case is when the software manufacturer closes its doors or decides to discontinue the development of the software; no one else has the right to take over the program and continue development, effectively killing its usability in the market. If open source software is used, customers can instead finance the development for the desired platform themselves, or look for other vendors to provide upgrades of the very same product.

• No 'security through obscurity' [19]
The approach of 'security through obscurity' leaves too many holes open. Open source software cannot be said to rely on security through obscurity, although it can also experience security disasters. But, by having the source code available, it is possible to perform thorough auditing, find vulnerabilities and get them fixed. The availability of the source is a precondition for auditing, not a guarantee that auditing happens: it is impossible for any citizen, company or government agency to audit all the software they run, hence the importance of open source along with strong participation of communities of practice.

• Scalability
Anyone can use the current code base to start new projects. Working knowledge, mainly from communities, can be gathered at minimal cost. Here it is worthwhile mentioning Internet software systems: the Internet is a good example of a software system that was built by a community that was never formally constituted; people participated for many different reasons. From an economic point of view, when we look at the Internet today, we see a universal platform used for e-commerce and e-business that was not intended by the founders of the mainly military ARPANET [20].

• Lower software costs
Most open source software requires no licensing fees. A few open source programs charge a small fee for their use, and some open source distributors charge for a business or mass-use license, but many do not. The logical extension is that there are no mandatory maintenance fees. The only expenditures are for media, documentation and support, if required [21].

IT decision makers recognize that open source software is not really free. Administration and support costs obfuscate the initial software license cost. The cost that is minimized by open source is maintenance free. “Whether open source software is less costly to administer than proprietary software depends largely on a ready pool of resources trained on the system, the availability of administration tools that allow system administrators to manage a greater number of systems, and the number of version upgrades and patches that are issued by the developer. In this regard, open source software may have little if any advantage over proprietary software, although the situation varies from application to application. Therefore, low cost, although important, is not the key advantage of open source” [22]. 2.1.4. Open Source Software Disadvantages Presumably, the most essential characteristic of open source software is that the source code can be studied and modified, which provides software developers the opportunity to adapt software to their personal needs and preferences and to fix bugs. There are reported limitations and inconveniences in using open source software. The biggest reason to not deploy open source software is support issues [23]. A lack of external support for assisting in the migration also can be a barrier, if the required knowledge is not available in-house. Existential data on the impact of open source software, its use and development, is still quite limited. The FLOSSWorld [24], a study on the worldwide development and use of FLOSS software, has worked on projects to help fill in the gaps in our knowledge about why and how FLOSS is developed and used. FLOSS stands for Free/Libre/Open Source Software. Despite the fact that the projects have focused on Europe, the FLOSSWorld performed some global empirical studies of proven relevance to Europe and developing countries. 
In conducting the survey, FLOSSWorld defined thresholds for 400 e-government institutions across 8 countries. They achieved 306 responses, distributed as follows: Argentina 48, Bulgaria 11, Brazil 26, China 25, Croatia 50, India 23, Malaysia 114 and South Africa 9. The survey was conducted over the period May 2005 to June 2007 [25]. FLOSSWorld’s survey pointed out that only Malaysian respondents used FLOSS because it is cheap rather than because it is useful. They also fear the cost and time involved in training people to use FLOSS. Croatians are reluctant towards FLOSS because they fear that they would become isolated if they migrated to FLOSS and others did not (the “first mover problem”). They also fear training costs. Bulgarian and Argentinean respondents fear that they would not find technical support if their organizations migrated to FLOSS. Indian respondents also fear the first mover problem. Further analysis in the FLOSSWorld research revealed that the first mover problem is strongly correlated with the fear of a lack of technical support. A lack of external support for assisting in the migration can be a barrier if the required knowledge is not available in-house. Another issue, sometimes considered a disadvantage, is the possibility of forking. In software engineering, a project fork happens when developers take a legal copy of source code from one software package and start independent development on it, creating an alternative code base from the current one and resulting in a distinct piece of software. This can confuse users over which forked package to use [26].
2.1.5. Open Source Software Community
The ability of communities to shape software is a significant benefit of the open source movement. The role of online communities is a key element in open source software and a basic factor in the success of the open source software development model. There are a great number of reasons why people participate in the open source software community. This thesis does not aim to present detailed data about individual motivations. Several authors have focused deeply on it, and this study would like to mention one book on the subject, “Emerging free and open source software” [27]. There, the reader can find a framework that splits motivation into three categories, technological, economic and socio-political, and addresses more holistic issues regarding the motivation of open source software participants.
However, when writing about open source software, one needs to write about the community associated with it. It is absolutely impractical for any citizen, company or government agency to audit all their software code; hence the importance of open source along with strong participation by communities of practice. It is this community that will audit and improve the source code and check for deviations. However, it is impossible to say that an open source software code contains no errors. Creation, engagement and transparency of communities related to open source software are keys to ensuring the viability of open source software.
2.2. Public Key Infrastructure (PKI)
2.2.1. Description
The reader should have a basic understanding of public key infrastructure (PKI). For this reason, this section is included. Some of the hardest problems of internet communication are trust, privacy and security. Almost all sectors of the economy need some tool or formula that would provide trusted, private and secure transmission of electronic data between any two parties. This implies that a range of risks need to be satisfactorily addressed. Managing those risks requires an infrastructure that addresses the problems listed above. One important factor here is the need for strong authentication of individuals and entities. An efficient way of overcoming these problems, nowadays, has been the use of public key infrastructure. Public key infrastructure (PKI) is a system for creating and managing public keys used for encrypting data and for exchanging those keys among users. PKI is about distributing keys in a secure way and providing secure authentication [28]. The public key is published to the world, in the form of a certificate, and the private key is kept in a secure place. These keys can be used for authentication, encryption, or digitally signing electronic data. The process involves an operating system, client software, certificate authorization server software, cryptographic hardware, a database, policies governing how the certificate authorities issue, manage and revoke certificates and store keys, digital certificates and their keys, and applications that are able to use the PKI. Public key infrastructure is based on an encryption system that generates a digital certificate that works as a virtual identification card [29].
PKI utilizes a variety of technologies to provide the following security services [30]:
• Data integrity: means that data cannot be modified without authorization
• Authentication: ensures that the parties involved are who they claim to be
• Confidentiality: used to prevent the disclosure of information to unauthorized individuals or systems
• Non-repudiation: implies one's intention to fulfil one's obligations in a transaction, and also implies that one party to a transaction cannot deny having received it, nor can the other party deny having sent it.
PKI is essentially an arrangement surrounding the issuance of digital certificates and the assignment of public keys. The major components of a PKI system include the Certificate Authority, the Registration Authority and digital certificates [31].
2.2.2. Digital Certificates
Digital certificates (also known as public key certificates or identity certificates) are trusted electronic documents that bind a public key to the identity of its holder for the purpose of public trust [32].

A digital certificate contains an entity’s name, address, serial number, public key, expiration date and digital signature, among other information. Digital certificates are available at different levels of trust, depending upon the amount of identity verification done by the Certificate Authority (CA). Digital certificates are used not only to identify people, but also to identify web sites, servers and resources over networks such as the internet [33]. The main purpose of the digital certificate is to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued. The digital certificate would have the following properties [34]:
• It could be distributed over the internet and processed automatically
• It would contain the name of the user who holds the private key, identify the user’s company or organization, and include contact information
• It would be easy to determine whether the certificate was issued recently
• It would be created by a trusted party rather than by the user who holds the private key
• Since the trusted party might create many certificates, even for the same user, it should be easy to tell them apart
• It would be easy to determine whether the certificate is genuine or forged
• It would be tamper-proof, so no one could change its contents
• It could be immediately determined whether the information on the certificate is no longer current
• We could determine from the certificate the applications to which it applies

There are several kinds of certificates, including [35]:
• X.509 public key certificates
• Simple Public Key Infrastructure (SPKI) certificates
• Pretty Good Privacy (PGP) certificates
• Attribute certificates

One of the most common certificates implemented in PKI is X.509 v3. The series of stages during the process of managing a key or a certificate is called the key/certificate life cycle. Life cycles cover all the major aspects of the life of a key or a certificate from the time it is generated until the time it is retired. There are 10 stages in a key’s life cycle [36]:
• Key generation
• Key storage and distribution
• Key escrow: the process by which keys are made available to law enforcement or other authorized agencies to conduct an investigation.
• Key expiration: a key expires when it reaches the end of its life cycle. An expired key may be reissued using a rollover process, but this is generally considered bad practice because the longer a key is used, the more likely it is to be broken.
• Key revocation: a key or certificate can be revoked when it has been identified as corrupt, compromised or lost.
• Key suspension: keys are suspended to disable them for a period of time, for example because the key holder has become ill or has taken time off. A suspended key can be unsuspended and reused.
• Key recovery and archival: key recovery is the ability to recover a lost key or to use a previously active key. Three types of keys must be considered in this process: current keys, previous keys and archived keys. An organization can use a key archival system to recover information that has been encrypted using older keys.
• Key renewal
• Key destruction: the process of rendering a key unusable. Software keys and smart card keys should have their key files erased to prevent them from being used.
• Key usage

2.2.3. Certificate Authority
A Certificate Authority (CA) is an entity responsible for issuing, revoking and distributing certificates. These certificates are digitally signed with the private key of the issuing CA [37]. It is an example of a trusted third party. For example, if Paul wants to send Anna a private message, there should be a mechanism that verifies to Anna that the message received from Paul is really from Paul. If a third party is trusted, then Anna can assume that the message is authentic because the third party says so. The specific actions of a Certificate Authority include the following [38]:
• Managing digital certificates over their whole life cycle
• Issuing certificates by binding a user’s or system’s identity to a public key with a digital signature
• Scheduling expiration dates for certificates
• Ensuring that certificates are revoked when necessary by publishing a certificate revocation list
A CA can be either private or public. The function of a CA can be performed in-house, by a commercial service or by a trusted third party. The CA is the entity that implements the PKI policy on certificates [39]. The process of providing certificates to users requires a variety of services. Over time, the CA can become overloaded and need assistance. An additional element, the Registration Authority (RA), is available to take over work from the CA. The Registration Authority also acts as an interface between a user and a Certificate Authority [40].

2.2.4. Registration Authority
The Registration Authority (RA) captures and authenticates the identity of a user and then submits a certificate request to the appropriate CA. An RA offloads some of the work from a CA, operating as an intermediary in the process: it can distribute keys, accept registrations for the CA and validate identities [41]. An approved certificate should be sent directly to the requestor, which prevents the RA from falsifying and issuing certificates. Many CAs have a strong auditing capability, which documents all the activities of an RA.

2.2.5. General PKI Architecture

Figure 1: Summary of general PKI architecture [42]

1 or 2: the user requests a certificate. The user can request a certificate directly from the Certificate Authority (step 1) or, in some cases, physical presence is necessary (step 2).
3: The Registration Authority (RA) captures and authenticates the identity of the user and then submits a certificate request to the appropriate CA.
4: The certificate is delivered, on request, to the Registration Authority.
5: The certificate is stored in the Central Registration Authority (cRA) database.
6: The user downloads the certificate.

Chapter 3: Open Source Software and PKI in Brazil
3.1. Current Open Source Software Situation in Brazil
The emergence of virtual network communities of developers and users, organized by different groups with different motivations, and the existence of new forms of software licensing have signalled the introduction of new variables in the software industry. The open source software model has aroused interest and raised debate in various areas (government, academia, businesses, etc.) in Brazil [43]. Open source software is emerging as a strategic option for technological development aimed at social inclusion, based on successful experiences in various locations in Brazil.

The Brazilian government is actively encouraging, or even requiring, future IT projects to consider open source as an option. The Brazilian government is stimulating the use of open source software in the public sphere by adopting free alternatives, by giving them preferential treatment and by encouraging the development of open source software by Brazilian developers [44].

The main motivations of the Brazilian government for developing a program to adopt open source software in the public sector include: software cost savings, greater security of government information, expansion of the country’s autonomy and technological capacity, facilitation of communication and dissemination of the local community’s activities, support for initiatives by means of representation, and promotion of software exports.

In 2000, the Brazilian Government launched the foundation of a “digital society” by creating an inter-ministerial committee in order to examine and propose policies, guidelines and standards related to a new electronic government [45].

The following are the guidelines for the implementation of open source software in the Brazilian federal government [46]:

1. Prioritize solutions, services and programs based on open source software which promote the optimization of resources and investments in information technology
2. Prioritize the web platform in the development of systems and user interfaces
3. Adopt open standards in the development of information technology and communications, as well as multiplatform development of services and applications
4. Propagate the use of open source software
5. Increase the network services provided to citizens through open source software
6. Guarantee every citizen the right of access to public services without requiring them to use specific platforms
7. Use open source software as the basis for digital inclusion programs
8. Ensure fully auditable and secure systems, respecting confidentiality and security laws
9. Pursue interoperability with legacy systems
10. Restrict the growth of the legacy base on proprietary technology
11. Perform a gradual migration from proprietary systems
12. Prioritize the acquisition of hardware compatible with open platforms
13. Ensure free distribution of open source software systems in a collaborative and voluntary manner
14. Strengthen and share existing open source software inside and outside government
15. Encourage and promote the national market to adopt new business models in information technology and communications based on open source software
16. Promote the conditions for changing the organizational culture towards the adoption of open source software
17. Promote capacity building and training of civil servants in using open source software
18. Formulate a national open source software policy

An aggressive open source software policy was formed in 2003 by the Brazilian government.
The document “Strategic planning for implementation of open source software” [47] discloses the results of several workshops promoted by the Free Software Technical Implementation Chamber, coordinated by ITI – the Brazilian National Institute of Information Technology, and presented the strategic guidelines that should be followed for the implementation of open source software in the federal government through the formulation of national policy. The Brazilian president Mr. Luiz Inácio Lula da Silva, in the Enactment of October 29, 2003[88], established eight technical committees in order to articulate and coordinate the planning and implementation of open source software, digital inclusion and integration of systems, among other issues. Increasingly, Brazil's federal government and state government agencies are abandoning proprietary software in favour of open source software [48].

3.1.1. Policies for Technological and Industrial Development
Digital inclusion is the democratization of access to information technologies, to enable the inclusion of everyone in the information society. The following three basic tools are necessary for digital inclusion to happen [49]:
• Computer
• Network access
• Mastery of the above tools

The use of open source software in digital inclusion programs generates large savings, since no licences are paid. The policy of digital inclusion in Brazil is strongly related to the use of open source software. The Brazilian Government is implementing and supporting efforts for digital inclusion through a number of programs and agencies, including [50]:

• Brazilian Digital Inclusion Program

The Brazilian government’s efforts to use open source software as a model of digital culture for developing new forms of digital inclusion resulted in the merger of all digital inclusion actions and programs being implemented in Brazil into a single program, the Brazilian Digital Inclusion Program. The objective of the program is to facilitate computer purchases through price reductions and to increase the number of computer users with access to the internet. The program has created community-managed centres that offer free internet access using open source software. Training in using open source software was given to civil servants free of charge. The aim of the courses is not only to give civil servants the skills they need to use open source software in government offices, but also to give them knowledge of open source software that they can then share with the larger community.

• Computers for all

Targeted at class C, this initiative allows industry and retailers to offer computers and Internet access at subsidized prices, with a specific line of financing, in addition to exemption from some taxes. The equipment must use open source software.

• Computers for Inclusion Project
A national system for refurbishing used computers donated by public and private initiatives, involving low-income youth in vocational training, and distributing them to telecentres, schools and libraries around the country.

• Digital Culture

The Digital Culture activity allows the installation of equipment and training of local staff for producing and exchanging video, audio, photography and digital multimedia products using open source software, plus connection to the Internet.

• Brazil House

Multifunctional spaces of knowledge and citizenship in communities with a low Human Development Index, created through partnerships with local institutions. In each Brazil House unit there is a telecentre, using open source software, and at least two other modules, which can be a public library, an auditorium, a multimedia studio, a radio broadcasting centre, a laboratory for popularizing science or a workshop for maintaining computer equipment, and a space for community activities, as well as a banking inclusion module in localities where possible.

• Telecentres

Public and community telecentres are spaces that provide public and free access to information and communication technologies, with computers connected to the Internet, available to multiple users, including free and assisted navigation, courses and other activities for promoting local development in its diverse dimensions. Telecentres are supposed to be maintained by public entities or by private non-profit entities. The telecentres are placed in shopping malls or other public places.

• National Broadband Plan

The National Broadband Plan is an initiative of the Brazilian government to provide broadband internet access throughout the country to individuals, government institutions, businesses and civil society organizations that do not yet have access to this service. The government aims to reduce both social and economic inequalities, besides generating more jobs and gaining a competitive advantage in international business, by setting up the necessary infrastructure for data communication in non-metropolitan areas of the country.

3.1.2. Brazilian Public Software
The concept of Brazilian Public Software is used as one of the foundations of the policy for the use and development of software by the public sector in Brazil. This policy covers the relationships between public entities in all units of the federation and the other spheres of government, and those with private companies and society [51]. The information collected for this sub-item was obtained from the text that describes the experience of the Consortium for Software Development CACIC, coordinated by the Secretariat of Logistics and Information Technology of the Ministry of Planning of the Brazilian government. CACIC is hardware and software inventory software, and it was the first public software from the Brazilian federal government [52]. CACIC stands for ‘Auto Configurator and Computer Information Collector’. The software CACIC was the protagonist of a new business model in the software segment, called Brazilian Public Software [53]. The state of Rio Grande do Sul pioneered the institutionalization of the development and use of open source software in Brazil. In 2001, PROCERGS, a public data processing company in Rio Grande do Sul, developed an e-mail solution and released it as open source software. The justification for making the software available as open source was that, as it was built using public resources, it should be available publicly. However, in 2003, with the change of the state government, PROCERGS withdrew access to the source code, citing legal issues. This had a great impact on all other government agencies that wanted to release some of their solutions as open source software.
With the second version of the General Public License (GPL), which conceptually strengthened free software, Brazilian governments (federal, state and municipal) began to seek ways of using that licence or similar licences to sustain the sharing of their solutions among public sector institutions. However, there were still legal obstacles to completing the process of releasing to society the programs developed with public funds.

The restrictions on releasing the solutions developed by government bodies as open source software had financial, cultural, technological and legal aspects, best summarized as follows:
• Fear of the developer institution regarding:
o Being overloaded by demands for support services and customization from other users of the solution, without reimbursement
o Possible legal restrictions arising from the transfer and use of goods produced within the public sector
o Risks to the security of government information managed by the solution due to the publication of the source code
o Appropriation of the source code by private institutions, with the consequent loss of access to the improvements made
o Sustaining the quality of the solution to meet increasing demands
• Fear of potential users regarding changes in the rules of access to the software, discontinuity of the solution, etc.
• Lack of universal standards for developing and documenting programs
• Lack of knowledge of similar good practices
• Complex relationships between the sectors (public, private, non-profit and individual contributors), where all the actors have roles in the full functioning of a community.
Against this background, there was a need for a standard copyright contract that provided legal support for the development of open source software by the Brazilian government. The software CACIC represented an important step in consolidating the concept of Public Software in Brazil and led to a significant widening of interest in open source software, which now includes students, universities, private companies, NGOs, state and municipal governments, and legislative and judicial institutions. In other words, what seemed at first to be strictly a demand of the Federal Public Administration was of interest to a significant segment of society, and it played a major role in the adoption of open source software by the governments of Argentina, Paraguay and Venezuela.

In 2007, the Brazilian Public Software Portal was established to materialize the concept of Public Software. The purpose of the portal was to create a virtual space that brings the demand for and supply of services into better balance for the solutions available on the portal. The portal has a national scope and serves all segments of society and the economy and all government institutions [54].
3.2. Current PKI Situation in Brazil
The Brazilian public sector is undergoing unprecedented changes, with increasing emphasis on efficient and economical service delivery focused on citizens. The Brazilian government is reforming its public services in anticipation of a new era of e-Government. At the same time as e-Government initiatives are implemented in the public sector, organizations are faced with new challenges that involve much more than just the provision of electronic services to citizens and companies [55]. There is a strong focus on improving the processes and technologies used in providing these public services. Information security, protection of infrastructure and compliance with regulations and laws are important items in the new reform process [56]. The Brazilian government has taken several steps forward in enhancing the development of internet-related issues, in particular e-government, creating the Brazilian Public Key Infrastructure (ICP-Brazil) to implement digital certificates [57]. Digital certificates ensure confidentiality, authenticity and integrity, allowing electronic transactions to be performed with greater security [58].
3.2.1. ICP-Brazil

ICP is the Brazilian acronym for PKI (Public Key Infrastructure); the name “Brazil” refers to the infrastructure created in Brazil, also called the National Digital Certification System [59]. ICP-Brazil is a structure composed of one or more certifying units, called Certificate Authorities (CAs), together with a set of techniques and procedures supporting a cryptographic system based on digital certificates, which ensures the identity of a user of electronic media or the authenticity of a document supported or maintained in electronic media [60]. The various public key infrastructures existing in the world today can in fact ensure the authenticity of the digital signatures currently used on the worldwide computer network. They make it possible, with a very high level of security, to ensure that a mail user, for example, is actually the originator of the message and that the receiver is actually who they claim to be. In the Brazilian case, ICP-Brazil is characterized by a vertical or hierarchical system, with a CA-Root (a role performed by the National Institute of Information Technology, ITI) that accredits and audits the CAs belonging to the system (Appendix A). ICP-Brazil was created by a Provisional Measure (PM 2.200-2 of August 24, 2001). On the basis of that Provisional Measure (PM), the regulations governing the activities of the entities that are members of the Brazilian Public Key Infrastructure were prepared: the resolutions of the Management Committee of ICP-Brazil, the regulatory instructions and other documents. For a Certificate Authority to use the certification process of ICP-Brazil, it must be accredited by the first authority in the Brazilian certification system, the CA-Root [61]. Once accredited by the CA-Root, it is the responsibility of the Certificate Authorities to issue, dispatch, distribute, revoke and manage certificates, to make available to users lists of revoked certificates and other relevant information, and to maintain records of their operations [61]. The CA-Root, the first Certificate Authority of ICP-Brazil, does not issue certificates to end users, only to the various Certificate Authorities accredited by it [61]. The other CAs accredited by the CA-Root can issue digital certificates. The cryptographic key pair is always generated by the holder [61]. Since the creation of ICP-Brazil, which was the cornerstone for the growth of digital certification in Brazil, the biggest challenge for the entities in that market has been the popularization of the theme across the various areas of society.
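To make the hierarchy and the division of roles concrete, the following Go program is an example added here, not code from the thesis or from ICP-Brazil: a constructed CA-Root that certifies only an accredited CA, a holder that generates its own key pair and submits a signed request (the RA/CA step of section 2.2.5), and the CA’s published revocation list consulted during verification (section 2.2.3). All names and serial numbers are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy: one certificate per level of this constructed example (not ICP-Brazil's software), plus the accredited CA's key.
type Hierarchy struct {
	Root, CA, User *x509.Certificate
	CAKey          *ecdsa.PrivateKey // signs end-user certificates and revocation lists
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// caTemplate: pathLen 1 lets the root accredit CAs; 0 limits an accredited CA to end users.
func caTemplate(name string, serial int64, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl for pub with the parent's key; parent == tmpl yields the self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// BuildHierarchy plays every role: the root certifies only the CA (never an end user), the
// holder generates its own key pair and signs a request, and the accredited CA issues.
func BuildHierarchy() *Hierarchy {
	rootKey, caKey, holderKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate("Hypothetical CA-Root", 1, 1)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	ca := issue(caTemplate("Hypothetical Accredited CA", 2, 0), root, &caKey.PublicKey, rootKey)
	// Holder side: only the public key and a request signed with holderKey leave the holder.
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example Holder (constructed)"}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, holderKey))))
	csr = must(csr, csr.CheckSignature()) // RA/CA side: proof that the requester holds the private key
	user := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}, ca, csr.PublicKey.(*ecdsa.PublicKey), caKey)
	return &Hierarchy{Root: root, CA: ca, User: user, CAKey: caKey}
}

// IssueCRL publishes the accredited CA's signed list of revoked serial numbers.
func IssueCRL(h *Hierarchy, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, h.CA, h.CAKey))))
}

// Verify checks the chain user -> accredited CA -> root, then consults the CA's CRL.
func Verify(h *Hierarchy, crl *x509.RevocationList) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.CA)
	if _, err := h.User.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(h.CA); err != nil { // the CRL must come from the issuing CA
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(h.User.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v revoked", rc.SerialNumber)
		}
	}
	return nil
}
func main() {
	h := BuildHierarchy()
	fmt.Println(Verify(h, IssueCRL(h)), Verify(h, IssueCRL(h, h.User.SerialNumber))) // <nil>, then revoked
}
```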
One of the great initiatives in terms of visibility was the launch of the first versions of the e-CPF and e-CNPJ, which allow the user to access the services of the Brazilian Revenue Service (IRS) available at the Virtual Center for Taxpayer Access (e-CAC), which previously could only be done in person or by post [62]. The e-CPF is the electronic version of the CPF (Individual Taxpayer Identification Number), which guarantees the authenticity and integrity of electronic transactions of individuals [63]. The e-CNPJ is the electronic version of the CNPJ (Federal Company Taxpayer Number), which guarantees the authenticity and integrity of electronic transactions of corporations [64].
The most prominent nationwide project released by the federal government that makes use of PKI technology is the NF-e (electronic invoice). Electronic Invoicing (NF-e) is the delivery of invoices electronically, whose legal validity is ensured by digital signatures. It was instituted in Brazil in July 2007. The implementation of NF-e resulted in a great benefit for the taxpayer in the sense that it de-bureaucratized processes. On the government side, the NF-e strengthens control and supervision through the exchange of information between tax administrations [65].

3.2.2. E-ping - Interoperability
The Brazilian Electronic Government Interoperability Standards (e-PING) architecture is a set of premises, policies and technical specifications that regulate the usage of Information and Communication Technology (ICT) regarding interoperability of electronic government services, establishing the conditions for them to interact with the remaining branches and spheres of government and with society in general [66]. The areas covered by e-PING are segmented into:
• Interconnectivity
• Security
• Means of Access
• Organization and Exchange of Information
• Areas for Electronic Government Integration

Clearly defined policies and specifications for interoperability and information management are essential to facilitate the connection of government, both internally and in its contact with society and, at a greater level of coverage, with the rest of the world: other governments and companies operating in the world market [67]. In Brazil, according to Resolution No. 36 of 21/10/2004, the media that store digital certificates and their readers, and the systems and equipment required for the implementation of digital certification, shall meet minimum technical standards and specifications to ensure the interoperability and reliability of the information security resources they use [68].

3.2.3. Internet Rules and Regulations

In the mid-1990s, the arrival of home Internet access in Brazil and the expansion of its use, previously restricted to the institutional sphere, raised the need to evolve the law to keep pace with technological innovation. From this need came Law 11.419/2006, concerning the computerization of the judicial process and promoting changes in the Brazilian Civil Procedure Code [69]. The law in question sets the basic guidelines imposed on all judicial instances in the country to computerize the process, eliminating the paper document and introducing rules to manage the digital document. However, Brazil does not have enough rules and regulations governing the operation of the internet. There is no specific legislation for the protection, storage and confidentiality of personal data; in Brazil there are only sector regulations, which do not directly address the issue of privacy [70]. The protection of consumers’ data is important not only for shopping via the Internet, but also in physical consumption. In the absence of regulations in Brazil, there are companies that offer sales services on the Internet and do not establish a clear relationship with consumers about their policy on the use of personal data. Companies and Brazilian consumers do not know what is permitted or prohibited regarding the use of the Internet. In Brazil, despite massive investments by financial institutions in preventing and combating electronic fraud, this type of crime causes losses of many millions every year to banks. The most common frauds involve cards, and frauds via the internet represent almost 30% of the total [71]. The amount lost through fraud and the expense required to combat it effectively represent a cost to society. The effects are felt directly by the institutions and indirectly by consumers, who suffer, for example, through high tariffs [72].
Concerned about the problem, the Brazilian government is restructuring to improve the legislation, supervise and punish with the utmost rigor.

Currently, in Brazil, there are open debates and discussions on Internet issues, from which the federal government, will set new rules and regulations to govern the operations of the internet.

3.2.4. Examples of PKI in Different Sectors in Brazil

Examples of practical use of electronic signature with digital certification in Brazil [73]:

• Federal Revenue of Brazil – IRS
  o Consultation on the tax situation of individuals and corporations
  o Change of address for individuals
  o Postal address: report of procedures concerning a Physical Person (PF) or Juridical Person (PJ)
  o Payment of taxes by PF and PJ
  o Monitoring the processing of the individual income tax declaration
• Judiciary
  o Digital signature on petitions and cases processed by the national justice system
  o Judicial expertise: electronic filing of petitions and expert reports, as well as challenges, enabling all types of legal action
• HomologNet – approval of the rescission of a work contract
  o Government project providing for the approval of the rescission of a work contract online, using the digital certificate
• Notary's office
  o Protests: negative protest certificate or certificate of protest
  o Civil registration: birth, marriage and death
• Financial system
  o Banking transactions by electronic means, with a high level of security and greater protection for the account holder's access to a variety of services
• Electronic government
  o SICAF (cadastral information system of suppliers)
  o Participation in electronic auctions with the digital certificate
  o The Electronic Stock Trading (BEC)
  o NSA (National Agency of Supplemental Health)
  o Ministry of Labour
• City Hall – Secretary of Finance
  o System access for the electronic invoice
  o Integrated Information System of Social Security (Siprev)
• E-commerce
• E-mail
• INPI – National Institute of Intellectual Property

Most users are unaware that they are making use of PKI technology; this is the case in many banking applications. Currently, the most visible example of its applicability in Brazil is the electronic invoice (NF-e). The NF-e project aims to implement a national model for electronic tax documents that will replace the current system: paper documents are replaced by digital documents whose legal validity is guaranteed by the digital signature of the sender.
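The trust decision behind a signed electronic document like the NF-e, as an added illustration that is not part of the thesis and not code from ITI or the NF-e project: the recipient needs the sender's certificate to chain to a root it trusts, to be valid at the time of the check and to be allowed to sign, and the signature must match the bytes actually received. The Go program below builds a small test PKI with the standard library only (a self-signed root and one end-entity certificate, with hypothetical names), signs a constructed sample payload, and runs the verifier over four cases: the genuine document, a tampered copy, the same payload signed under a CA the recipient does not trust, and the genuine document checked after the certificate has expired. Ed25519 keys and the XML-like payload are assumptions made for brevity; real NF-e documents are XML signatures made with ICP-Brazil certificates, and revocation checking (CRL or OCSP) is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument is what an NF-e style exchange carries: the document, the
// sender's signature and the sender's certificate (revocation data is omitted).
type SignedDocument struct {
	Payload   []byte
	Signature []byte // Ed25519 signature over Payload
	CertDER   []byte // sender's end-entity certificate, DER encoded
}

type identity struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

// issue generates a key pair and a certificate for it from tmpl; with a nil parent
// the certificate is self-signed (a root CA). Setup failures panic: they are not verdicts.
func issue(tmpl *x509.Certificate, parent *identity) *identity {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent = &identity{tmpl, key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, pub, parent.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &identity{cert, key}
}

// buildPKI stands in for a certificate authority (names are hypothetical): a
// ten-year root and a one-year sender certificate that may sign but not issue.
func buildPKI(now time.Time, caName, senderName string) (root, sender *identity) {
	root = issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil)
	sender = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: senderName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}, root)
	return root, sender
}

// Sign is the sender's side: sign the payload and attach the certificate.
func Sign(payload []byte, sender *identity) *SignedDocument {
	return &SignedDocument{Payload: payload, Signature: ed25519.Sign(sender.key, payload), CertDER: sender.cert.Raw}
}

// Verify is the recipient's side: the embedded certificate must be allowed to
// sign, must chain to a trusted root and be valid at now, and must verify the
// signature over the payload actually received.
func Verify(doc *SignedDocument, roots *x509.CertPool, now time.Time) error {
	cert, err := x509.ParseCertificate(doc.CertDER)
	if err != nil {
		return err
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return fmt.Errorf("certificate %q is not permitted to sign", cert.Subject.CommonName)
	}
	// ExtKeyUsageAny: this is document signing, not the TLS server auth that Go assumes by default.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	// CheckSignature verifies with the certificate's own public key.
	return cert.CheckSignature(x509.PureEd25519, doc.Payload, doc.Signature)
}

// Scenarios runs the verifier over a genuine document, a tampered copy, the same
// payload signed under an untrusted CA, and the genuine document two years later.
func Scenarios(now time.Time) map[string]error {
	root, sender := buildPKI(now, "Example Root CA", "Example Sender")
	_, impostor := buildPKI(now, "Untrusted CA", "Impostor")
	roots := x509.NewCertPool()
	roots.AddCert(root.cert) // the recipient trusts this root only
	doc := Sign([]byte("<nfe><total>100.00</total></nfe>"), sender) // constructed sample payload
	tampered := SignedDocument{Payload: []byte("<nfe><total>1.00</total></nfe>"), Signature: doc.Signature, CertDER: doc.CertDER}
	return map[string]error{
		"genuine":      Verify(doc, roots, now),
		"tampered":     Verify(&tampered, roots, now),
		"untrusted_ca": Verify(Sign(doc.Payload, impostor), roots, now),
		"expired":      Verify(doc, roots, now.AddDate(2, 0, 0)),
	}
}

func main() { fmt.Println(Scenarios(time.Now())) }
```

Only the genuine case returns nil; the other three fail for three different reasons (signature mismatch, unknown authority, expired certificate), which is the distinction an application should log rather than collapsing into one "invalid" result. The explicit KeyUsageDigitalSignature check is the part Go's chain verification does not do on the leaf, and ExtKeyUsageAny states that this is document signing rather than the TLS server authentication that Go's Verify checks by default.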

Another major expectation of the use of digital certification is in the health care area with the approval of Electronic Medical Records for users of the Unified Health System (SUS). The Electronic Medical Records will facilitate access to information for citizens and improve the management of health. Among the requirements is the use of a digital certificate [74].

The use of digital certificates is already common in medium and large corporations, in systems that cannot operate without digital signatures, such as electronic invoicing and income tax declarations. The challenge now is to popularize the use of digital certificates among lawyers, who will be the first group of professionals to use a variety of procedural practices online [75].


3.2.5. RIC – Unique National Identification

The identity card, popularly known as ID or RG (from Registro Geral, General Registry), is the national civil identification document in Brazil. It contains the name, date of birth, date of issue, parents' names, photograph, signature and right thumbprint of the holder [76]. State governments are responsible for issuing the RG, and the card is valid throughout the national territory. Interestingly, there is no legal restriction on requesting another RG in another state of the federation: one simply goes to the responsible agency, takes the necessary documentation, and requests it. So not only is it possible for one person to have the same identification number as a person from another state (which is usually dealt with by specifying the state that issued the card), but it is also possible to legally have more than one civil identification, from different states, all fully valid throughout the country. On 05/05/2010 the Brazilian government signed Enactment n. 7.166, establishing the National Registry of Civil Identification and its Management Committee, among other matters [77]. The new Civilian Identity Registry (RIC) will prevent the multiplicity of identity cards requested by a citizen in various states of the federation. From the standpoint of security, the great change is the technology involved in creating the RIC, which will resemble a credit card.

As of 25/08/2010, the technical specifications of the new document were not yet fully defined. The objective is to deliver 150 million new identity cards in nine years, starting in 2011, with the projection of reaching all Brazilian host cities of the 2014 World Cup. There is a consensus among the organizers of the RIC Management Committee that the cards will have a minimum durability of 10 years. The chip will store biometric and biographical information about the citizen, as well as a digital certificate that will identify the citizen in virtual transactions. This was stated by Mr. Renato Martini, president of the Institute of Information Technology (ITI), during an interview (Brasilia, 2010/06/08)¹.

¹ After this research was concluded, the inclusion of the digital certificate in the RIC (the new Brazilian Civilian Identity Registry) was approved on 2010/09/15. Available at http://www.iti.gov.br/twiki/bin/view/Noticias/PressRelease2010Sep16_230856, last checked 2010/10/07.


“Besides the strategic and social importance of having a reliable national civil registry, the RIC is a real possibility of having a virtual identity for all citizens; a digital certificate in each new RIC means adopting a mass policy of digital certification. The digital certificate built into the RIC will facilitate citizens' identification in online transactions when necessary, providing security and speed in certain processes”, said Mr. Renato Martini.

3.2.6. The Brazilian National PKI

João-de-Barro is the name of the cryptographic platform developed for the Root Certificate Authority of the Brazilian Public Key Infrastructure (ICP-Brazil). This platform, also known as the security module, consists of hardware and software developed with national technology, and is responsible for issuing and revoking the certificate of the Root CA and for managing the certificates of the first-level Certificate Authorities [78]. The major motivation for developing this new platform was that the old platform, which generated and enabled the whole certificate system in Brazil, belonged to a multinational company and used proprietary software, which precluded auditing, according to Mr. Renato Martini (see interview). Resolution No. 20 of 08 May 2003 established this new platform (hardware and software), which should be open, ensuring full auditing of it as well as of the embedded systems present in the hardware [79]. An open platform does not mean it is open source. An open platform can comprise software components or modules that are commercial, open source, or both; it presupposes that the developer allows, and perhaps supports, the ability to do this [80].
With the migration from proprietary software to open source software, the Brazilian Government, through ITI, developed and disseminated solutions and applications in open source software, aiming to reduce dependence on monopolies, reduce costs and promote Brazilian technological development in industry, bringing social inclusion with this development. Following this conception, João-de-Barro was established [81]. The João-de-Barro project is an example of the need for separation between property and knowledge.


3.2.7. Seminars for Disseminating Information

The Brazilian government has been running, annually since 2002, a series of seminars throughout Brazil on the digital certificate and its uses. The objective of the seminars is to deepen the knowledge of Brazilian society about the possibilities that the digital certificate can offer to citizens, businesses and government. The target audience for the seminars is formed by solution developers, experts, academics, students, managers at the three governmental levels (federal, state and municipal), and consumers of the technology, among others. Topics discussed at the seminars included:
• Why must companies acquire a digital certificate?
• What are the main contributions of the digital certificate for the tax authorities?
• What is the role of the accounting professional?
• What are the advantages of paying bills by electronic means?
• Capillary network and number of licenses issued
• What are the main scenarios for using the digital certificate?
• João-de-Barro: the Brazilian open cryptographic platform model
• Other possibilities for the use of certification: paperless solutions, electronic document management, digital signing of documents, among others

Many events involving open source software are now organized every year in Brazil. The country has established itself as an international reference in the use of this technology, including the adhesion of the private sector, in particular retail, which is already beginning the process of adopting open source software on a large scale [82].


Chapter 4: Survey and Interviews
The survey questionnaire and interviews that we held were designed to collect comprehensive data about open source software and PKI technology practices in Brazil, in order to obtain a realistic picture of the state of these two topics from the respondents. The questions asked in both the survey and the interviews were developed by the researcher based on the previous literature study. The survey contains 4 closed questions, where participants were asked to choose from a number of possible answers, and 11 open questions (see Appendix B). It was designed to take approximately 30 minutes to complete, and it was sent by e-mail. The sectors covered are government agencies, manufacturing, transport, certificate authorities, telecommunications, finance, justice and health care. It was not a criterion that the companies already make use of PKI technology or open source software; it was a criterion that all companies should have significant experience in the IT area.

The survey was sent to 359 companies located across Brazil, of which 61 responded. 18 respondents answered that they are unaware of PKI technology and open source software, so 43 survey responses were analyzed. Among the companies that responded to the survey there were several large corporations, such as ITI, Serpro, Certising, PROCERGS, MaxxData and Tecnoworld. The full interviews are available in Appendix C, in the order they were performed. The whole experience of the interviews is reported in this research report in order to strengthen elements that would bring reflections to the readers. After translation and transcription of each interview, it was sent to the interviewee with a request to read and authorize it.

Through the interviews and research conducted (43 questionnaires, 17 interviews, direct and indirect observations), it is clear that with respect to open source software the most important goals are to achieve technological autonomy and to establish collaborative practices for development.
From the technical point of view the respondents think that Open Source PKI aims to provide convenience to the IT industry by providing flexibility to decide which software to adopt based upon a technical evaluation of the software code instead of choosing closed software relying on security through obscurity. At the same time Open Source PKI can provide the opportunity to develop local technology by sharing knowledge.

According to the respondents, from a social benefit point of view, Open Source PKI can contribute to generating more jobs and increasing income, since it can be a response to the growing global demand for PKI technology in the sense that it can decrease cost and complexity. All respondents highlighted that the open source concept has an important role regarding security and interoperability. They said that open source increases security because the code is available, and improves interoperability because much open source software uses open standards. However, there are some issues to consider when deploying open source:
• Some respondents (5%) pointed to the way updates are delivered as an obstacle to large companies adopting open source software. According to them, open source developers are not concerned with large-scale installations, because each new version requires the whole program to be installed again.
• The majority of respondents (60%) said that legacy systems and support decrease the adoption of open source software.
• 48% of the respondents said that a company must keep in mind that open source software is not free of cost, and that adopting it depends on the investment necessary and the result the company can get from it.
• 35% of the respondents agree that companies which adopt open source software need a skilled technical team in-house.

Asked what could increase the adoption of open source software, 60% of the respondents said that end users still show strong resistance to adopting it, which could be reduced if schools provided more contact with it. A high percentage of respondents (69%) agree that when the government adopts open source software as a state policy it influences Brazilian society in general, including businesses.
Regarding PKI technology, the vast majority of respondents (93%) said:
• The most important PKI applications in Brazil are:
  o Web server security
  o Document signing
  o Electronic commerce
• The least important PKI application is secure wireless LAN.
• The major obstacles to PKI deployment and usage identified by the survey are:
  o Software applications do not support it
  o PKI is poorly understood
  o Hard for end users to use
  o Hard to get started – too complex
  o Cost too high and return on investment difficult to measure
  o One respondent said: “Actually the biggest challenge in Brazil is to offer a large scale Registration Authority location for validation process based on the Brazilian requirements (certificate validation process under physical presence).”

About the Brazilian open cryptographic platform model (João-de-Barro), 68% of respondents said that they are not aware of it. The others said that it is a very good initiative, which offers increased trust to the Brazilian market and to the communities that use digital certificates for electronic transactions, and that it increases knowledge in the area. They agree that this platform still has a long way to go in development to achieve the necessary adoption. Other open source PKI software identified as deployed in Brazil are EJBCA and Bouncy Castle. EJBCA [83] is an enterprise-class PKI Certificate Authority built on J2EE technology, and Bouncy Castle [84] is a collection of cryptographic APIs for both the Java and the C# programming languages.
• 38% of the respondents who answered the question about “Open Source PKI” stated:
  o Open source PKI software is good to encourage people to get started with PKI, and also to encourage research institutions to master and develop technologies associated with PKI.
  o Open source permits a complete audit of the code, offering increased trust to the market and to those who use digital certificates. In the particular case of PKI, we believe that open source PKI is essential for security.
• Respondents were asked about the future of PKI technology in Brazil, and they stated:
  o It will be a great challenge to popularize the use of digital certificates among the general public.
  o PKI can reach its full potential within companies when used to authenticate people, avoiding the need to remember many PINs and passwords and making the system more secure.
  o Change the digital certificate trade. An alternative was pointed out: instead of charging for issuing the digital certificate, the services provided by using the certificates should be charged.

Essentially, we can summarize the state of PKI in Brazil as follows:

Challenges:
• High cost of PKI solutions
• Lack of skilled PKI experts
• Dissemination of digital certificates
• Applications with auditability, traceability and interoperability
• Lack of understanding of PKI, mainly among general public servants, lawyers and accountants
• Many applications are not yet PKI enabled or PKI aware
• Other ways of using PKI technology, beyond digital certificates, still seem quite unknown to the vast majority of Brazilian companies
• Network improvement
• Not well-defined rules and regulations governing operations over the Internet

Benefits:
• Greater speed of bureaucratic procedures
• Cost reduction
• Reduction in paper use

Opportunities:
• Strong government leadership and commitment
• Existence of e-government services that need PKI-based transaction security
• Starting PKI-relevant businesses earlier than neighbouring countries
• Unique national identification (RIC)

Strengths:
• Increased government involvement in Information and Communications Technology sectors
• Strong will of the relevant agencies in charge of PKI technology construction
• PKI is based on the authentication, or trust, of the digital credential; the creation of ICP-Brazil is significant for higher levels of trust
• A great effort by the Brazilian government to reach reasonable criteria for interoperability, thus discarding technologies that do not interoperate


Chapter 5: Conclusion, Discussion and Future Work

Conclusions
The central question guiding this work refers to the relationship, or lack of one, between the two topics highlighted: PKI and open source software. It is evident that both topics belong to a group of common strategies aimed at establishing and implementing public policies in Brazil. For these public policies to have a democratic use, they must be included in the broader context of development, and not only in a product or application. As the survey and interviews pointed out, the main motivation for the adoption of open source software is still the high cost of proprietary software, but the fact that the code is open brings new reasons, such as adjusting it as necessary, greater security, the capacity for it to be audited, and beneficial impacts on social issues. Here it is appropriate to quote an interesting thought of Mr. Renato Martini: “Patterns established in technical standards are necessarily public; if they are proprietary (secret) they do not have the status of a pattern. ‘Proprietary pattern’ is nonsense – from a logical viewpoint, this is a contradiction in terms. They are uneconomic, do not favour the industry and are unusable for governments” [85]. With that statement Mr. Martini means that a standard is not truly open if it does not have a complete free/open source reference implementation available.

The general opinion of the respondents gives a clear result: the most beneficial thing about an open source product is that, in most cases, it has higher quality than a corresponding proprietary product. They responded that the high quality of open source software comes not only from the communities that report bugs in the code and help improve it, but also from the fact that the open source product is tested in more production installations, often by very skilled users who give better feedback to the development of the product. This feedback is usually given in public forums, mailing lists, blogs and so on. According to the respondents, through these discussions the product reaches higher quality and meets new requirements faster than a corresponding proprietary product, since for proprietary products such discussions are much less common.

It is clear that the Brazilian government initiative for the adoption of open source software, as a model to be embraced to promote digital inclusion, has proved a successful experience, redefining the relationship between government and citizen; it is also undeniable that open source software stimulates the sale of services instead of the software itself. Professionals interested in one specific open source software can run consulting businesses selling services. Open source software offers a unique opportunity for professionals living in developing countries, because they can increase their income by selling services, as evidenced by the Brazilian Public Software Portal. Creative attitudes and practices are fundamental to promote innovation, leveraging economic and social development.

Discussion
Many companies and government agencies have security rules, but the risk is still high that information ends up in the hands of people who should not have access to it. Regarding information security, most people do not know what is really going on, and many of those who do know are not telling. In today's world, where information is the basis for everything, its security and access to it are paramount. Encryption algorithms have long been linked to the idea of secrecy, which follows from the fact that digital certification was created in a very restricted environment. There are numerous debates and discussions about ‘secure’ algorithms that have recently been found to be cryptographically weak. Specialists conclude that an encryption algorithm should always be made available to everyone, allowing anyone to look for flaws in it; this is Kerckhoffs' principle, under which the security of a system must rest on the secrecy of the key and not of the algorithm. They have also widely publicized that closed-source software can hide viruses or harmful instructions. Although many companies are reluctant to adopt open source software due to the lack of support, fortunately this is becoming less of a problem, as the number of open source distributors and hardware vendors that integrate open source software grows. These companies offer support and maintenance contracts that guarantee assistance and expertise when needed. Open source software may improve the core value of PKI technology, because it can substantially increase knowledge, promote the development of applications with auditability, traceability and interoperability, and disseminate PKI at low cost.


Open Source PKI may create huge value for the market by decreasing cost and complexity and increasing interoperability, representing significant savings for Brazil and a decisive impulse to the development of domestic technologies.


Future Work
After this research was concluded, the inclusion of the digital certificate in the RIC (the new Brazilian Civilian Identity Registry) was approved on 2010/09/15 [86]. It is expected that this will represent a great development in the implementation of applications using PKI technology. Based on the results presented in this thesis report, one interesting direction that we would like to recommend as further action is a case study of the implementation and evaluation of one particular open source PKI software, investigating several different aspects.


Abbreviations List

PKI – Public Key Infrastructure
ICT – Information and Communication Technology
FSF – Free Software Foundation
OSS – Open Source Software
GPL – General Public License
CA – Certificate Authority
SPKI – Simple Public Key Infrastructure
PGP – Pretty Good Privacy
RA – Registration Authority
cRA – Central Registration Authority
ICP-Brazil – Brazilian Public Key Infrastructure (ICP from Infraestrutura de Chaves Públicas, in Portuguese)
CACIC – Auto Configurator and Computer Information Collector (from Configurador Automático e Coletor de Informações Computacionais, in Portuguese)
PM – Provisional Measure
IRS – Brazilian Revenue Service
e-CAC – Virtual Center for Taxpayer Access
CPF – Individual Taxpayer Identification Number
CNPJ – Federal Company Taxpayer Number
NF-e – Electronic Invoice
e-PING – Brazilian Electronic Government Interoperability Standards
SICAF – Cadastral Information System of Suppliers
BEC – Electronic Stock Trading
NSA – National Agency of Supplemental Health
Siprev – Integrated Information System of Social Security
SUS – Unified Health System
RG – General Registry
RIC – Civilian Identity Registry
ITI – Institute of Information Technology


References

[1] Andreas Mitrakas (2006), “Secure E-Government Web Services”, pp. 169, IGI Publishing, Hershey, PA, USA
[2] Amanda Andress (2003), “Surviving security: how to integrate people, process, and technology”, pp. 82, Taylor and Francis
[3] Carlisle Adams, Steve Lloyd (2002), “Understanding PKI: concepts, standards, and deployment considerations”, pp. 272, Addison-Wesley Professional
[4] Moreno Muffatto (2006), “Open Source – A Multidisciplinary Approach”, pp. 133, Imperial College Press, illustrated edition
[5] K.S. Sampathkumar, “Understanding Free Open Source Software”, K.S. Sampathkumar
[6] GNU Operating System – The Free Software Definition, Available at http://www.gnu.org/philosophy/free-sw.html, last checked 2010/03/15
[7] Open Source Initiative, Available at http://www.opensource.org/docs/osd, last checked 2010/03/15
[8] Andrew M. St. Laurent (2004), “Open Source & Free Software Licensing”, pp. 4, O'Reilly Media
[9] Gene K. Landy (2008), “The IT/Digital Legal Companion”, pp. 253, Syngress
[10] Andrew M. St. Laurent (2004), “Open Source & Free Software Licensing”, pp. 35, O'Reilly Media
[11] GNU General Public License, Available at http://www.gnu.org/licenses/gpl.html, last checked 2010/04/26
[12] Steve Jones (2003), “Encyclopedia of new media: an essential reference to communication and technology”, Rolf Janke
[13] Richard Stallman (1998), “Why software should not have owners”, Available at http://www.gnu.org/philosophy/why-free.html, last checked 2010/02/17
[14] Survey conducted by Computer Economics entitled “Key Advantage of Open Source is Not Cost Savings”, Available at http://computereconomics.com/custom.cfm?name=postPaymentGateway.cfm&id=1046&CFID=6776415&CFTOKEN=57718952, last checked 2010/04/15
[15] Kirk St. Amant, Brian Still (2007), “Handbook of research on open source software: technological, economic, and social perspectives”, pp. 564, IGI Global
[16] Kirk St. Amant, Brian Still (2007), “Handbook of research on open source software: technological, economic, and social perspectives”, pp. 362, IGI Global
[17] Francis Buttle (2008), “Customer Relationship Management”, pp. 85, Butterworth-Heinemann, 2nd edition
[18] The open source movement, Available at http://www.dei.isep.ipp.pt/~i030551/pros_cons.html, last checked 2010/04/16
[19] Security through obscurity, Available at http://en.wikipedia.org/wiki/Security_through_obscurity, last checked 2010/04/17
[20] Bernd Carsten Stahl (2004), “Responsible management of information systems”, pp. 59, IGI Global
[21] Jerri Ledford, Yvette Davis (2009), “Web Geek's Guide to Google Chrome”, pp. 107, Que
[22] Survey conducted by Computer Economics entitled “Key Advantage of Open Source is Not Cost Savings”, Available at http://computereconomics.com/custom.cfm?name=postPaymentGateway.cfm&id=1046&CFID=6776415&CFTOKEN=57718952, last checked 2010/04/22
[23] Sean Convery (2004), “Network security architectures”, pp. 272, Cisco Press, 2nd edition
[24] FLOSSWorld, Available at http://www.flossworld.org/, last checked 2010/04/22
[25] Free/Libre and Open Source Software: Worldwide Impact Study – D32: Track 3 International Report E-Government Study, Available at http://www.flossworld.org/deliverables/D32%20%20Track%203%20International%20Report%20-%20E-government%20Study.pdf, last checked 2010/04/22
[26] Fork (software development), Available at http://en.wikipedia.org/wiki/Fork_(software_development), last checked 2010/05/03
[27] Sulayman K. Sowe, Ioannis G. Stamelos, Ioannis M. Samoladas (2007), “Emerging free and open source software practices”, pp. 72, IGI Publishing, 1st edition
[28] Theodore Gyle Lewis (2006), “Critical Infrastructure Protection in Homeland Security”, pp. 451, Wiley-Interscience
[29] ISACA (2009), “CISA review manual”, pp. 330
[30] I.A. Dhotre, V.S. Bagad (2006), “Information Security”, pp. 2-44, Technical Publications
[31] Carl F. Endorf (2002), “Secured Computing: A SSCP Study Guide”, pp. 112, Trafford Publishing
[32] Public key certificate, Available at http://en.wikipedia.org/wiki/Public_key_certificate, last checked 2010/04/28
[33] Vern A. Dubendorf (2003), “Wireless data technologies”, pp. 192, Wiley
[34] David L. Cannon (2008), “CISA Certified Information Systems Auditor Study Guide”, Sybex, 2nd edition
[35] Carlisle Adams, Steve Lloyd (2002), “Understanding PKI: concepts, standards, and deployment considerations”, pp. 70, Addison-Wesley Professional, 2nd edition
[36] Emmett Dulaney (2006), “CompTIA Security+ Study Guide”, 4th edition, pp. 369
[37] Carlisle Adams, Steve Lloyd (2002), “Understanding PKI: concepts, standards, and deployment considerations”, pp. 85, Addison-Wesley Professional, 2nd edition
[38] Charles P. Pfleeger, Shari Lawrence Pfleeger (2003), “Security in computing”, pp. 437, Prentice Hall PTR, 3rd edition
[39] Charles P. Pfleeger, Shari Lawrence Pfleeger (2003), “Security in computing”, pp. 437, Prentice Hall PTR, 3rd edition
[40] Emmett Dulaney (2008), “CompTIA Security+ Study Guide: Exam SY0-201”, pp. 332, Sybex, 4th edition
[41] Emmett Dulaney (2008), “CompTIA Security+ Study Guide”, pp. 333, Sybex, 4th edition
[42] General PKI Architecture, Available at http://www.dcoce.ox.ac.uk/images/RequestSummaryloRes.png, last checked 2010/10/03
[43] The New York Times, “Brazil: Free Software's Biggest and Best Friend”, Available at http://www.nytimes.com/2005/03/29/technology/29computer.html, last checked 2010/10/01
[44] Benedicte Bull, Desmond McNeill, University of Warwick (2006), “Development issues in global governance: public-private partnerships and market multilateralism”, pp. 123, Routledge, new edition
[45] Guia Livre – Referência de Migração para Software Livre do Governo Federal (Free Guide – Reference for Migration to Free Software in the Federal Government), Available at http://www.dnocs.gov.br/php/util/downloads_file.php?&dir=&file=/home/util/livres/ebooks/software_livre/guia_livre_ipiranga_v095.pdf, pp. 24, 2004, last checked 2010/10/01
[46] Planejamento Estratégico para Implementação de Software Livre (Strategic Planning for the Implementation of Free Software), Available at http://www.softwarelivre.gov.br/clientes/softwarelivre/softwarelivre/planejamentocisl/planejamentos-anteriores-1/copy_of_index_html, last checked 2010/10/01
[47] Guidelines on Implementation of Free Software in the Federal Government, Available at http://www.softwarelivre.gov.br/clientes/softwarelivre/softwarelivre/planejamentocisl/planejamentos-anteriores-1/copy_of_index_html, last checked 2010/05/16
[48] Ashish Arora, Alfonso Gambardella (2006), “From Underdogs to Tigers: The Rise and Growth of the Software Industry in Brazil, China, India, Ireland, and Israel”, pp. 117, Oxford University Press, USA
[49] Digital Inclusion, Available at http://pt.wikipedia.org/wiki/Inclus%C3%A3o_digital, last checked 2010/10/01
[50] Digital Inclusion, Available at http://inclusaodigital.gov.br/outros-programas#projeto-computadorespara-inclusao, last checked 2010/06/26
[51] Brazilian Public Software, Available at http://www.softwarepublico.gov.br/O_que_e_o_SPB, last checked 2010/10/01
[52] Software CACIC, Available at http://softwarepublico.gov.br/ver-comunidade?community_id=3585, last checked 2010/08/02
[53] Public Software, Available at http://www.softwarepublico.gov.br/spb/ArtigoMatConceitoSPB, last checked 2010/08/02
[54] Materialization of the Concept of Brazilian Public Software, Available at http://www.softwarepublico.gov.br/O_que_e_o_SPB, last checked 2010/10/01
[55] Brazilian Electronic Government – Actions and Activities, Available at http://www.governoeletronico.gov.br/acoes-e-projetos, last checked 2010/10/01
[56] Brazilian Electronic Government, Available at http://www.governoeletronico.gov.br/o-gov.br/historico, last checked 2010/10/01
[57] ICP-Brazil – Brazilian Electronic Government, Available at http://pt.wikipedia.org/wiki/Instituto_Nacional_de_Tecnologia_da_Informa%C3%A7%C3%A3o, last checked 2010/10/01
[58] Dennis Campbell (2006), “The Internet: Laws and Regulatory Regimes”, pp. 137, Lulu.com
[59] ICP-Brazil, Available at http://www.iti.gov.br/twiki/bin/view/ITI/Apresentacao, last checked 2010/08/23
[60] ICP-Brazil, Available at http://pt.wikipedia.org/wiki/ICP-BRASIL, last checked 2010/10/02
[61] The Brazilian Provisional Measure 2.200-2 – ICP-Brazil (2001), Available at http://www.iti.gov.br/twiki/pub/Certificacao/MedidaProvisoria/MEDIDA_PROVIS_RIA_2_200_2_D.PDF, last checked 2010/10/07
[62] Digital Certificates, Available at http://www.receita.fazenda.gov.br/atendvirtual/InformacoesBasicas/certificados_digitais_v6.html, last checked 2010/10/02
[63] e-CPF Definition, Available at http://en.wikipedia.org/wiki/Cadastro_de_Pessoas_F%C3%ADsicas, last checked 2010/10/02
[64] e-CNPJ Definition, Available at http://pt.wikipedia.org/wiki/IN_969, last checked 2010/10/02
[65] NF-e (Electronic Invoice), Available at http://computerworld.uol.com.br/gestao/2010/06/21/nf-e-sera-obrigatoriapara-1-milhao-de-empresas-ate-dezembro/, last checked 2010/10/02
[66] Interoperability Standards for Electronic Government, Available at http://www.governoeletronico.gov.br/acoes-e-projetos/e-ping-padroes-deinteroperabilidade, last checked 2010/08/20
[67] Interoperability Standards for Electronic Government, Available at http://www.governoeletronico.gov.br/acoes-e-projetos/e-ping-padroes-deinteroperabilidade, last checked 2010/10/02
[68] Reference Document of the e-PING – Version 2010, Available at http://www.governoeletronico.gov.br/anexos/e-ping-versao-4.0, pp. 38, last checked 2010/10/02
[69] Alexandre Atheniense (2010), “Comments on Act 11 419/06 and the Practice and Procedure by Electronic Means in Brazilian Courts”, pp. 29, Jurua Editora
[70] Interview with Mr. Alexandre Atheniense, question n. 6, see Appendix B
[71] Scam web accounts for 30% of electronic fraud, Available at http://softwarelivre.org/portal/golpes-via-web-representam-30-dasfraudes-eletronicas, last checked 2010/09/23
[72] Bank Fraud, Available at http://www.febraban.org.br/p5a_52gt34++5cv8_4466+ff145afbb52ffrtg33fe36455li5411pp+e/sitefebraban/Seguran%E7a%20Um%20compromisso%20de%20bancos%20e%20clientes.pdf, last checked 2010/08/19
[73] Examples of PKI in Brazil (part of list from the website), Available at http://correios.com.br/produtos_servicos/certificacaoDigital/informacao.cfm, last checked 2010/07/21
[74] Patient Electronic Medical Record, Available at http://www.senado.gov.br/noticias/verNoticia.aspx?codNoticia=%20100512&codAplicativo=2, last checked 2010/10/02
[75] Practical Examples of the Use of Digital Certification in Brazil, Available at http://www.dnt.adv.br/noticias/documento-eletronico/conheca-exemplospraticos-do-uso-do-certificado-digital-no-brasil/, last checked 2010/10/02
[76] Brazilian Identity Card, Available at http://pt.wikipedia.org/wiki/C%C3%A9dula_de_identidade, last checked 2010/10/02
[77] Enactment n. 7166, Available at http://www.planalto.gov.br/ccivil_03/_Ato20072010/2010/Decreto/D7166.htm, last checked 2010/08/20
[78] João-de-Barro Project, Available at http://www.iti.gov.br/twiki/bin/view/Swlivre/JoaoDeBarro, last checked 2010/08/22
[79] Resolution n. 20 of 08 May 2003, Available at http://www.iti.gov.br/twiki/pub/Certificacao/Resolucoes/RESOLU__O_20_DE_08_05_2003.PDF, last checked 2010/08/28
[80] Open Platform description, Available at http://en.wikipedia.org/wiki/Open_Platform, last checked 2010/08/28
[81] João-de-Barro: Open Platform, Available at http://www.cgu.gov.br/Publicacoes/BGU/2004/Volume1/C%20%20002.pdf, pp. c-21, last checked 2010/08/28
[82] Free Guide – Reference Migration to Free Software, Available at http://www.governoeletronico.gov.br/acoes-e-projetos/guia-livre, Free Guide Version 1.0, 2005, pp. 7, last checked 2010/08/18
[83] EJBCA description, Available at http://www.primekey.se/Products/EJBCA+PKI/, last checked 2010/08/19

[84] Bouncy Castle description, Available at http://en.wikipedia.org/wiki/Bouncy_Castle_(cryptography), last checked 2010/08/19

50

[85] Renato Martini (2008), “Technology and Digital Citizenship -Technology, Society and Security” pp 15, BRASPORT [86] Brazilian citizen will have electronic identity Available at http://www.iti.gov.br/twiki/bin/view/Noticias/PressRelease2010Sep16_230856, last checked 2010/10/07 [87] Avdesh Gupta Anurag Malik, 2005 “Management Information Systems”, pp 242, Firewall Media [88] Decree of 29 October 2003, Available at http://www.governoeletronico.gov.br/o-gov.br/legislacao/decreto-de-29de-outubro-de-2003, last checked 2010/10/28

51

Appendix A – Provisional Measure 2.200
ICP-Brazil, the Brazilian PKI, was legally created by Provisional Measure 2.200, last issued on August 24th 2001. The full text of the Provisional Measure follows. Source available at: http://www.iti.gov.br/twiki/pub/Certificacao/MedidaProvisoria/MEDIDA_PROVIS_RIA_2_200_2_D.PDF, last checked 2010/08/16

Provisional Measure 2.200-2, August 24th 2001.

Establishes the Brazilian Public Key Infrastructure - ICP-Brazil, transforms the National Institute of Information Technology into an autarchy, and makes other provisions. The President of the Republic, in use of the powers set forth by Article 62 of the Constitution, enacts the following Provisional Measure, with force of law:

Art. 1. The Brazilian Public Key Infrastructure - ICP-Brazil is hereby created, to ensure the authenticity, integrity and legal validity of documents in electronic form, of supporting applications and of enabled applications which use digital certificates, as well as the carrying out of secure electronic transactions.

Art. 2. ICP-Brazil, whose organization shall be defined by regulation, shall be composed of a policy-managing authority and of the chain of certifying authorities, formed by the Root Certificate Authority (CA-Root), the Certificate Authorities (CA) and the Registration Authorities (RA).

Art. 3. The function of the policy-managing authority shall be exercised by the Management Committee of ICP-Brazil, subordinated to the Civil House of the Presidency of the Republic and composed of five representatives of civil society, members of the interested sectors, appointed by the President of the Republic, and one representative from each of the following bodies, designated by their heads:


I - Ministry of Justice;
II - Ministry of Finance;
III - Ministry of Development, Industry and Foreign Trade;
IV - Ministry of Planning, Budget and Administration;
V - Ministry of Science and Technology;
VI - Civil House of the Presidency of the Republic; and
VII - Institutional Security Cabinet of the Presidency.

§ 1º The coordination of the Management Committee of ICP-Brazil shall be exercised by the representative of the Civil House of the Presidency of the Republic.

§ 2º The representatives of civil society shall be appointed for a period of two years, which may be extended.

§ 3º Participation in the Management Committee of ICP-Brazil is of relevant public interest and shall not be remunerated.

§ 4º The Management Committee of ICP-Brazil shall have an Executive Office, as prescribed by regulation.

Art. 4. The following are competences of the Management Committee of ICP-Brazil:
I. to adopt the measures necessary to create ICP-Brazil;
II. to establish the policy, criteria and technical standards for accreditation of CAs, RAs and other service providers supporting ICP-Brazil, at all levels of the certification chain;
III. to establish the certification policy and the operational rules of the CA-Root;
IV. to homologate, audit and supervise the CA-Root and its service providers;


V. to establish guidelines and technical norms for the implementation of certificate policies and operational rules of CAs and RAs, and to define levels in the certification chain;
VI. to approve certificate policies, certification practices and operational rules, to habilitate and authorize the operations of CAs and RAs, as well as to authorize the CA-Root to issue the respective certificate;
VII. to identify and evaluate the policies of external PKIs, to negotiate and approve agreements of bilateral certification, cross certification, rules of interoperability and other means of international cooperation, and to certify, as needed, their compatibility with ICP-Brazil, respecting the provisions of international treaties, agreements or acts;
VIII. to update, adjust and revise the procedures and practices established for ICP-Brazil, to oversee their compatibility and to promote the technological updating of the system and its conformity with security policies.

Sole paragraph - The Management Committee may delegate assignments to CA-Root.

Art. 5. The CA-Root, the highest authority of the certification chain and executor of the Certification Policies and technical and operational rules approved by the Management Committee of ICP-Brazil, is competent to issue, distribute, revoke and manage the certificates of the CAs one level below, to manage the list of issued, revoked and expired certificates, to carry out auditing activities of the CAs, the RAs and the service providers, in conformity with the technical guidelines and rules established by the Management Committee of ICP-Brazil, and to exercise other attributions assigned by the managing authority.

Sole Paragraph - The CA-Root is forbidden from issuing certificates to end users.

Art. 6. The CAs, entities authorized to issue digital certificates linking pairs of cryptographic keys to their respective holders, are competent to issue, distribute, revoke and manage the certificates, as well as to make available to users the lists of revoked certificates and other information regarding the recording of their operations.

Sole Paragraph - The pair of cryptographic keys shall always be generated by the holders themselves, and the private key shall be under their exclusive control, use and knowledge.

Art. 7. The RAs, entities operationally subordinated to the CAs, are competent to identify the users in person, to request certificates from the CAs and to keep records of their operations.

Art. 8. Observed the criteria to be established by the Management Committee of the ICP-Brazil, both public bodies and private persons may be habilitated as CA and RA.

Art. 9. The CAs are forbidden from certifying any level other than the one immediately below, except in cases of side certification or crossed certification, previously approved by the Management Committee of ICP-Brazil.

Art. 10. The electronic documents mentioned by this Provisional measure shall be considered, for all legal purposes, public or private documents.

§ 1º The statements contained in electronic documents produced with the use of a certification process made available by ICP-Brazil are presumed truthful in relation to the signers, as provided by art. 131 of Law 3.071, January 1st 1916 - Civil Code.

§ 2º The provisions of this Provisional Measure shall not preclude the use of other means of attesting the authorship and integrity of electronic documents, including means which use certificates not issued by ICP-Brazil, as long as those means are admitted as valid by the parties or accepted as valid by the person against whom the document is opposed.

Art. 11. The use of electronic documents for tax purposes shall additionally observe the provisions of art. 100 of Law 5.172, October 25th 1966 - National Tax Code.

Art. 12. The National Institute of Information Technology (ITI), with seat in the Federal District, has status of autarchy, subordinated to the Ministry of Science and Technology.

Art. 13. ITI shall be the Root Certificate Authority of the Brazilian Public Key Infrastructure.

Art. 14. In the exercise of its respective assignments, ITI shall conduct auditing activities and apply penalties, as prescribed by law.

Art. 15. The basic structure of ITI shall comprise a President, a Director of Information Technology, a Director of Public Key Infrastructure and a General Attorney.

Sole paragraph - The Directorates of ITI may be established in the city of Campinas, State of São Paulo.

Art. 16. To pursue its objectives, ITI shall be allowed, as prescribed by law, to contract third-party services.

§ 1º The Director-President of ITI may request, for office in the Directorate of Public Key Infrastructure, for a term not longer than one year, civil servants or military personnel, and employees of entities of the Federal Public Administration, for any necessary duty.

§ 2º The persons requested under this article shall have all rights and benefits of their original offices assured.

Art. 17. The Executive Power is authorized to transfer to ITI:

I. the technical assets, the rights and duties of the ITI; and
II. to remove or reorganize the budget of the budgetary law of 2001 to adjust to the new legal framework.

Art. 18. While the General Attorney is not created, the ITI shall be represented in Court by the General Advocate of the Union.

Art. 19. All acts practiced under Provisional Measure 2.200-1 are co-validated.

Art. 20. This Provisional Measure shall be valid since the date of publication.

Brasília, August 24th 2001.

Fernando Henrique Cardoso
Jose Gregori
Ronaldo Mota Sardenberg
Martus Tavares
Pedro Parente


Appendix B – Questionnaire Survey
1. How many persons are employed at the organization?
o 1 – 99
o 100 – 499
o 500 – 999
o 1000 – 9999
o 10.000 or more

2. How would you rate your knowledge of PKI?
A. Low
B. Medium
C. High

3. In your opinion, what are the primary obstacles to PKI deployment and usage? (For each item, mark one of: Not an Obstacle / Minor Obstacle / Major Obstacle)
Costs Too High
Poor Interoperability
Hard to Get Started - Too Complex
Hard for IT to Maintain
Hard for End Users to Use
Lack of Management Support
Too Much Legal Work Required
Software Applications Don't Support It
PKI Poorly Understood
Other (described below)

Please describe others, if applicable:


4. In your opinion, which PKI applications are more important to Brazilian organizations? Check all that apply. (For each item, mark one of: Not Important / Important / Most Important)
Web Server Security
Single Sign On
Document Signing
Electronic Commerce
Virtual Private Network
Secure Email
Code Signing
Secure Remote Secure Call (RPC)
Web Services Security
Secure Wireless LAN
Other (describe below)

Please describe others, if applicable:

5. In your opinion what are the biggest challenges regarding PKI in Brazil?

6. If your organization is making use of PKI: a) What happens when the user loses a certificate, or forgets a pass-phrase necessary for its use? b) Do you have procedures for key recovery? c) What is your process for revoking end user certificates? d) What is your process for renewing end user certificates and how often?

7. Please, can you share your thoughts about exchanging public keys and saving private key?

8. Briefly, what are your main feelings towards the open source concept?


9. What, in your opinion, increases and decreases the acceptance associated with the adoption of open source software solutions?

10. Strong authentication reduces the risk of unauthorized access, and encryption of data limits the exposure of companies in case of failure. As the Brazilian government is encouraging open source, it is believed that this may be a key factor in determining policy objectives for investment in technological resources and also in information security.
a) Has this fact influenced your organization? To what degree?
b) How can new users be educated to begin to understand open software from school?
c) What would you say to students of secondary and higher school to enter this market?
d) How can companies be encouraged to use open software?

11. Briefly, what can you tell about the ‘João-de-Barro’ open source PKI?

12. Are you aware of other open source PKI?

13. Please, write some comments regarding open source PKI.

14. What is the importance of open source software for society?


Appendix C – Interviews
Note: The researcher would also like to give special thanks to Mr. Pedro Paulo Lemos Machado – Director of Audit, Fiscalization and Normatization, who made an effort to schedule some interviews, resulting in more valuable information. I thank immensely Mr. Mário Ribeiro, IT manager at SBF Group, and Mr. Humberto Martins, MAXXDATA president, who gave valuable information about the studied area. Both interviews were used for analysis, but were not translated; this means that they are not part of Appendix C. This is because both contain much technical and regional data that would be a bit complicated for the reader to understand. For various reasons the name of one interviewee was not disclosed in this study.


Mr. Weber Kai – Federal Savings Bank (CEF)
Note: This is a person’s opinion interview.

1. What is your experience with open source software?

I started having contact with open source software 13 years ago, to use at home. I mean, to try it. I had no notion of the command line. I didn't know about the command line. Soon I lost interest, because I found it a little bit complicated.

2. Why did you lose interest in open source software?

The internet connection was not broadband and I did occasionally get a bad connection. That represented a big problem because I could not get the information easily. That was a big problem. So, for a while I didn't use it, but deep down I still had a desire to know it.

3. Is open source software user-friendly and ready for the customer?

Everything is a matter of learning. Open source refers to both the concept and the practice. Many features distinguish open source software from proprietary software. Although the use of open source software is growing, most end-users only interact with proprietary software. I had problems installing open source software, and then I lost interest. Nowadays, many schools have adopted open source software, bringing the students onto a different platform and awakening interest in open source software. I know kids who are using open source software at school and have no problem with it.

4. How is the technical support of open source software currently?

I cannot tell you if support for the open source software has changed or if there is a lack of it. But access to information has changed enormously.


Today, we have many more facilities to update information, such as broadband and e-learning. On the Internet, we can normally reach developers who can help us with any problems we might have.

5. Are you a member of any open source community?

After my tough start in the open source software world, I returned and I tried working with it. Besides working with open source software in the company I was also a member of some communities. But now, due to lack of time, I stopped. Nowadays, I have been reading posts of open source programmers or following discussions in newsgroups, but not developing.

6. Are Brazilian open source software communities very active? Can you give examples?

Yes, they are very active. Many participants receive financial incentives to engage fully in the project development. The government itself has created communities where it is established what each one will develop. Within the Federal Savings Bank (CEF), I do use open source software. We have many applications that are developed in open source software. The FLISOL – Latin American festival of Free Software Installation – is the largest event to promote open source software in Latin America.

7. How was the migration to open source software within the Federal Savings Bank (CEF)?

Here in my department, we are end-users. We use many open source software applications. And often we do not know whether the application is open source software; I mean, when we start using it, it is like any other software and we do not feel the difference. From an end-user perspective, we do not see much difference in the operating system. It could be UNIX, BSD, Microsoft Windows or Linux.

8. Are there many private companies moving towards open source? Can you give examples?


With the growing commitment of the Federal Government to migrating their computers to the Linux operating system, surprisingly, the number of private companies adopting the Linux operating system is growing. The government of Rio Grande do Sul, in the south of Brazil, embraced successful work in the implementation and dissemination of open source software with the participation of schools, universities and private companies. The federal government has also encouraged the development of open source software through scholarships and research grants for students and university professors.

9. When is open source software useful and when should it be avoided?

Open source software brings many advantages, but each company must analyze its reality and verify if it will give value to the company. For instance, if migration of the systems is very difficult, then this is also a very important factor to be considered. Another thing to be observed is whether there is skilled technical support. Being free is not essential. Freedom of expression is an advantage - in proprietary applications you cannot adapt it to any use and distribute it to others. Another advantage is that open source software is secure, and problems are fixed faster and updates are quicker.

10. What is the importance of open source software for society?

I see a lot of strengths. Among them I would like to mention:
• Open source software has a key role in government policies regarding digital inclusion.
• In Brazil, many telecentres have been created because they have lower costs with the use of open source software; thus more people will have more access to information.
• Service providers – the use of open source software can be a great encouragement for numerous local companies that can surface, capable of configuring, developing solutions and providing other services.
• Great potential of open source software for embedded device development.

In my opinion, the Brazilian society will only achieve full development by investing in education and technology.


Dataprev
Technology and Information Social Security Company (Dataprev) is a Brazilian public company responsible for maintaining statistics related to social security, including retirement, pensions, services provided, work-related accidents and finances, as well as processing social security benefits and claims.

Mr. Érico José Ferreira – Manager and Advisor of Open Source Software Development
Mr. Eduardo Santos – Technical Coordinator of Brazilian Public Software Portal
Mr. Claudio Filho – Creator and Leader of the Community ‘BrOffice.org’

1. A decade ago, many European countries began experimenting with open-source software, but France has been the only one that is constantly advocating open-source software, especially in the government and educational sector. The French government said in December 2006 that it will “make Paris a centre of excellence for open-source software development” and that “the goal of the centre will be to develop a healthy and profitable open-source software industry”. Are the approaches in Brazil similar?

Yes, because the use of open source software is among the priorities of the Brazilian government, and Dataprev has distinguished itself in adopting open source software. Governmental agencies have demonstrated support and engagement not only when they use open source software, but also when they start to make available to the population and communities many applications as open source software. With open source software, we are focusing on reaching sustainability. Sustainability and the future of open source software depend strictly on juridical legality and on professional institutions and communities that promote new technologies related to the segment. This should be obtained, according to Cláudio Filho, through measures such as promoting know-how and technology transfer, actions against tax evasion for consulting services, and independence from foreign suppliers. Another aspect in this context is the solidarity of the Latin people. Beyond the technical issues, there are also social concerns aggregated to the development of open source software in Brazil. For instance, the experience of the inventory application CACIC, the first open source software, in all government aspects, available from DATAPREV, demonstrates how the vision of sharing was extended to all of society. At the start of its implementation, CACIC was aimed at satisfying internal demands of the Brazilian government. But then DATAPREV identified that the demand for this product was unusually strong in society. When DATAPREV released this application as open source software, it made it possible for many small and medium companies to deploy and install this software, previously inaccessible due to lack of funds. Also, some people saw this as a niche market, as they studied the code and began to make money by selling services, such as training and support, and also as an embedded application.

2. How is the culture of open source software in Brazil? Does Brazil have laws and legislation about open source software?

First, a document was created by the Government Committee providing the procedures to be followed to release software as open source software. This document tries to assist government agencies by providing practical information and approaches to consider when making available open source solutions. Second, yes, we have some problems about copyright. What is important to underline is that the law and legislation regarding open source software is evolving with its growing popularity. This involves issues of international law and adapting the Brazilian legislation to those standards.

3. How is the relationship between Brazil and other South American countries about open source software? Are there other countries in Latin America trying to use open source software?

It is great. For instance, our open source CACIC won the accession of the governments of Argentina, Paraguay and Venezuela. We have held several events with open space for debates and reflections on the use of open source software in Latin America.

An important point to be emphasized in this relationship among countries in Latin America is that this activity between society and government, in parallel, only exists here in Brazil.

And as Brazil is working on a functional model that is the case of public Software and is also working on a series of government actions, regarding open source software, Brazil is serving as a legal and political precedent for our neighbours in Latin America.

The big challenge among the countries that are starting to join the open source software is to internalize the concept: learning to work together so that everyone wins with the exchange of experience, knowledge and ideas.

4. Are there many barriers to overcome toward open source software adoption?

Today, our biggest problem with open source software in general, I would say, is the Brazilian businessmen, because they are coming from decades of life in a structure that we all know that is the concentration of income. That is, the monopoly prevails. With the change to open source software the imperialism is over, because in this new concept anyone can use the software and do business with it, as already mentioned, through the sale of services.

Then, enterprises are no longer companies marketing products, but become technology companies, because there is aggregate intelligence. This is a very difficult change in mentality to be accepted. It is necessary that companies understand that they must work in partnership.

5. How is the dynamic in communities of open source software in Brazil? Does the Brazilian government have any influence over them?

Currently, there is no way to deny that the government has a very large portion of the software in the market. In Brazil, today, 60% of all software market segments are governmental. This automatically generates money for anyone involved in the process. And, it is important to stress that this does not generate income for a single company but for everyone interested in participating, selling services. The interest depends on the software in question and the community generally grows in line with the business opportunities that the software generates.

6. Are there many private companies adopting open source software?


Yes, quite a lot. But, as I have observed (says Mr. Érico José Ferreira), there are many companies that have the mentality that open source software is free. Open source software is not free, but allows different kinds of budget decisions than proprietary software. In terms of cost, since the companies have the source code, they have complete control in deciding what services they pay for. Many companies do not disclose that they use open source software because it represents a competitive benchmark. For example, a supermarket chain uses Linux in all its outlets. Their profit margin is better than that of one that uses a proprietary solution, because using open source software may reduce costs. However, this supermarket that uses open source solutions prefers not to reveal this information because they do not want to show their profit margin.

The advantage of an open source solution is the access to an increased number of programmers and developers. Open source programs are typically written in the most common programming languages, making resources easier to find and not so costly.

7. Open source software that most of the companies have been adopting is Linux. Some surveys pointed out that Linux is more expensive than Windows in an enterprise. Can you comment on this issue?

One thing that creates this false impression is that when you do a migration process from a Windows environment to Linux nothing can be done overnight. It is a process of change. You cannot get off a hardware terminal, do another installation and in the next moment turn it on and say to the staff: – Ok you can continue working. No. There are phases that need to be evaluated and followed. We can mention, for instance, Petrobrás (a Brazilian company focused on oil exploration and production operation).

It took over six months for Petrobrás to complete the process of installing open source software BrOffice in 90 000 computers. Six months, from approval to installation. The estimate is that the process generates a reduction of at least 40% compared to a paid license of equivalent proprietary software.


The migration costs can be higher in the first year. And, in many cases, this cost which includes training and adaptation of software among others, is higher than the cost of licensing of current proprietary software.

However, what companies are seeing is that on the one hand it means spending, on the other hand it means investing. Investment in new technology, in short, is the main difference: there is no corporate monopoly, including no monopolizing of knowledge.

8. Is there a bill that forces government agencies to embrace open-source software?

There is a normative statement that states that before making the hiring of IT, the manager should check the existence of open source software or public software. This normative statement also defines a set of rules for the manager, which justifies the contract of a given IT solution. The TCU (Superior Audit Office of Brazil) is the government agency responsible for audits at the federal government level. If it detects any anomaly, the organization responsible for hiring IT will be penalized. And, we have seen it happen a lot.

9. Were there impediments arising from users within the Dataprev concerning open source software adoption?

Yes, we had. Dataprev is a pioneer in a matter of open source software in government. Today, we have about 3500 servers running Linux. This process was not easy, but also was not traumatic. It was not easy due to capacity and mainly cultural issues. We have a live example here in this room. “This” colleague, for instance, when she came to work with us, was used to working only with Windows. On the door, there is a sign "Unit of open source software" and when I opened the door she had a station with Windows installed. The difficulty was more cultural than technical to change the habits of employees familiarized with certain programs. In general, the tools are similar in both types of programs. The best ways to face this problem are: gradual migration, management support, extensive training and frequent support, which concerns both users and technicians.

For the user, the greatest impact in terms of migration is when the operating system is involved. So the case is won when the migration is done with other applications first, for example the browser, BrOffice and email software. Most significantly, Dataprev is changing the culture of its users in relation to open source software, promoting the idea that open source software is an investment in technology for the country.

10. “Business software companies will incur losses, thus resulting in a sizeable hole in the economy, if too many jump onto “the open source software revolution” rather than purchasing genuine licenses from technology companies that provide proprietary solutions; it might cause another worrying issue.” Please can you comment on the above statement?

It will be a loss for business owners; of this we have no doubt. And it may even affect the economy of other countries, but not the Brazilian economy. In 1999, the government, and mainly the Secretariat of Logistics and Information Technology (SLTI) of the Ministry of Planning, standardized the use of Windows on all workstations. That represented a great technical setback in Brazil. For example, small companies that were developing an operating system or databases went bankrupt because it was not a Windows platform. In this sense, several small domestic technologies did not achieve progressive diffusion, because the government is 60% of the market, so the market follows the trend of what companies are doing with their "core businesses". The government also stopped collecting tax from those small companies when they closed.

For the economy as a whole, there is a decrease in the size of large companies and an increase in the number of small companies. In my view, this is not at all bad, because with a large number of small companies pursuing many different approaches, the chances of developing optimal approaches will be higher than if only a small number of large companies are involved, and mainly because this promotes regional development; royalties that were transferred out of the country are now circulating in the Brazilian market and therefore generate more jobs, said Eduardo Santos.

11. Can you mention any experiences in open source software that were not successful within Dataprev?

I would not say it was not successful. I would say that we did not use the best practices when we tried to implement BrOffice here some years ago. In some departments the process was well done, but not in some other departments. The fact that Dataprev did not have a security policy on computers which would not allow users to install new programs on their machines without the assistance of technical support was a complicating factor, says Érico José Ferreira. Consequently, some staff resistant to the implementation of BrOffice installed other programs, which caused great discomfort within the company.

The software ‘CACIC’ was developed with the intention of making an inventory of hardware and software in the sphere of the federal government, thus enabling the control of licenses on workstations.

12. In your opinion what is the biggest challenge regarding open source software within Dataprev?

Our biggest challenge is to implement open source software within the production process of the company as a whole. There are certain applications that are linked to the operating system or to a particular technology. When you decide to use an alternative technology, this should not generate losses for users, systems and the environment.

Mr. Renato Martini – President of ITI
ITI – The National Institute of Information Technology is a federal agency linked to the Civil Cabinet of the Presidency of Brazil. Beyond his academic and professional involvement with the themes of ‘open source software’ and ‘Public Key Infrastructure’, Mr. Renato Martini is the author of two books: ‘Encryption and Digital Citizenship’ and ‘Security Manual in Linux Networking’.

1. What is your expectation as the president of ITI?

The ITI is a federal agency linked to the Civil Cabinet of the Presidency of Brazil and was created in 2001 by Provisional Measure 2.200 (August 24th, 2001), under President Fernando Henrique Cardoso, with a very specific goal, that is, to deal with the theme of 'Digital Certificate'. I began my work at ITI in 2003, under the government of the current President Lula, as director of Public Key Infrastructure. I was called by Sérgio Amadeu, who was the president of ITI. Sérgio Amadeu is a sociologist and was one of the major implementers of Telecentres in Brazil. He became fascinated not only by the theme of 'Open Source Software' but also by the theme of 'Digital Inclusion'. Then he called me to take care of ‘Digital Certificate’ at ITI and, during the time we worked together, he participated actively in encouraging the use of public software. When he left ITI, in 2005, I was designated his successor. From 2003 until today, we have grown quantitatively throughout the structure of ICP-Brazil, I mean, first-level Certificate Authorities (CAs), second-level Certificate Authorities and Registration Authorities (RAs). Brazil currently has nine first-level CAs and 1000 RAs. In total, we have 30 CAs, adding the first and second levels, all over the national territory. Two of these CAs are private and the others are governmental organizations. The private certificate authorities are responsible for 80% of the issuance of digital certificates in Brazil. It is the private sector which drives the digital certification market.

My relationship with open source software today is not as strong, I must confess, due to my own stress. Since 2000, I have worked very much within the government sphere on the ‘open source software’ theme, giving a lot of training in the area of security attached to this issue. My own stress has come because the world of open source software is extraordinarily exciting. So much so that Linux is a concrete result and is now a billion-dollar brand. We use open source software within ITI. The platform at the Root Certification Authority of the Brazilian PKI (ICP-Brazil) is developed in open source software. Technologically, we have tangible results. Apache is a reality. BrOffice is a reality. So the results are undeniable. The open source software communities are very exciting. Ten exquisite developers will produce excellent software. What about 10,000? What about a million exquisite developers? So are the communities. Time zone differences can be a great advantage. Midnight in Japan is noon here in Brazil. This means that the community here is awake and working, and vice versa: when it is midnight in Japan, the communities here are awake, working. Not to mention that a community has an immeasurable power to amplify the quality of software. Those who enter this world get involved, and the work ahead in digital certification is another very engaging world too, one that absorbs much of our energy. Hence the reason why I'm not very involved with open source software.

2. Some analysts have reported that the reaction regarding open source software in Brazil has been just a touch too euphoric. There was much excitement in the beginning, around 2003, but that euphoria is now much less. Do you agree with those analysts?

2003 and 2004, in Brazil, were years of much ideological effervescence, not necessarily years of results. This subject was getting into the government sphere. Then you need to think about the specificity of Brazil, because here the government has a much stronger, greater power over the people. The government buys 80% of the technology in Brazil. I mean, Petrobrás, the Federal Savings Bank, the Bank of Brazil and many other government institutions. So the inducing power of the government is very big. It is our culture, unlike the Anglo-Saxon world, for example.

At that time, this subject raised a great ideological wave within the federal government. Once the effervescence had passed, we entered a time of production and development. I mean, while some articulated the debate, others were programming, improving, being trained. Then, three or four years later, the results appeared, because technology is not made within ten minutes. The platform of the Root CA-Brazil that we used to generate the certificates was proprietary software. We took six years to develop another one using our own technology. It takes time for one to develop and test and train ... to get the software stable enough to be used. Open source software has good products and technological successes, but technological debates alone are not enough. However crazy it might seem, it is obvious to say that debate does not make software. It does not make hardware. It does not produce systems. It does not migrate platforms, and it does not migrate the legacy of many years of information technology in the Brazilian state. These things are very complex. So this is what happened: after the debates we entered a traditional line of building quality, training and critical mass within the Brazilian state, which is not necessarily something emblematic for newspapers and the media.

3. There is some controversy between the terms 'free software' (Free Software Foundation) and “open source software” (Open Source Initiative). Many people use both terms as if they are the same thing. Could you tell us what the Brazilian government is adopting?

In fact the Brazilian state is not so unified in technology. Each government agency has its own power of decision. A government agency, when working with open source software, must respect the software license. For pieces of code that we (the Brazilian government) have created, we preserve them so that the code is not misappropriated, because we believe that software is public. This belief generated another discussion in Brazil, which is resulting in a new concept for open source software within the scope of government, called ‘Public Software’. I personally believe that open source software should be seen in a technical way and that those who produce open source software must be vigilant to meet the demands. People must put aside the emotion, sometimes almost a religious fervour, and prejudice in order to analyze open source software in a technical way and see what real benefits it offers. It is impossible for a manager of technology to guide and take decisions on planning applications that are not technical.

4. What led ITI to develop the João-de-Barro platform?

The João-de-Barro project is an open source platform. It is one platform because it is a set of hardware and software. The platform we had before had gone through four companies. One went into bankruptcy. Then it was bought by another that went into bankruptcy. Then it was bought by another.... And what was worse is that there were only two companies in the world that could give support to that legacy software and hardware. We had no access to anything and we could not hire another company to give us support. We were completely tied to them. So, why did we take the decision to develop this platform? Just because we needed to have autonomy, to be free. We needed to have an independent supplier. We needed to be able to change. We needed autonomy to make any implementation or security validation in the software. We needed freedom to change the support when necessary. The João-de-Barro platform has many meanings for the national system of digital certification, ICP-Brazil, but the biggest is the fullness of technological autonomy.

5. What was the biggest challenge facing the João-de-Barro platform project?

It is human nature to share knowledge. However, the administrative and bureaucratic structures of government, which are composed of people, often have difficulty sharing information and building knowledge together. So, to answer your question, the greatest challenge was to bring together the group that participated in the project and make this group work as a community that would cooperate mutually and share experience and information. It was difficult because it is not in the nature of the state to do this. Our country has enormous areas of expertise and often we do not know what they are doing. After overcoming this difficulty, adherence was very high, which gave us the desired result.

6. What are your expectations regarding the João-de-Barro platform?

The João-de-Barro cryptographic platform will be available in the Brazilian Public Software Portal as soon as the ITI completes the process of registering the trademark with the National Institute of Industrial Property (INPI), to ensure the copyright of the ITI and to ensure that nobody misappropriates it. Our interest is in the spread of this technology in both the national and the international market. We have joined efforts to try to diffuse and enlarge this platform in Latin America. We do not want to sell software, because this is not the role of the ITI. The business of the government is not selling software. What we want is to spread the idea. We want to aggregate partners so that together we can share and improve technology and know-how. The interesting part of the Brazilian Public Software Portal is that it has a strategy and structure to create communities of users and developers around the government’s projects. However, I do not have great hopes of forming large communities around the João-de-Barro platform, because it is a very specific solution for certificate authorities. It would be another case if João-de-Barro were a solution to be used within companies, or by companies that use digital certification in commercial transactions, I mean an application of more universal use. Then, yes, the communities would be immense. Talking like this, you see, if the government had not invested financially in this product, it would not exist. The project was fully funded by the government. A project of this size cannot be developed by communities that are not funded. Many open source projects are supported by community effort, but today most large open source projects are funded by some institution.

The João-de-Barro platform has great importance for the ITI and for Brazil because it was all developed with our own technology, using open source software, which allows a full audit of the process. The whole project aimed to provide full security for the digital certification of ICP-Brazil; therefore, it was built in compliance with international security standards.

7. Do you believe that the use of digital certification will become popular? Is the new Civilian Identity Registry (RIC) a promising initiative for this popularity?

The big challenge of the Brazilian government is dematerialization, that is, replacing the paper document with the electronic document. This is the revolution that I'm engaged in now. I tell you that the RIC is the largest civilian electronic identity project in the world. It's a project for 150 million identities. The RIC was instituted by a law authored by Senator Pedro Simon in 1997. This project was in discussion for 13 years and only now is it being leveraged. This is because we were not mature enough for this project. This is because the RIC is a very challenging project. We have many challenges ahead, such as the standardization of different AFIS systems, our network infrastructure and budget. The RIC is a more secure and more robust document. It is a document based on biometrics and digital certification. We expect that in 10 years, which is the deadline for its implementation, it will be fully accepted in the country and thus the institutions and society will see no need to issue other documents. An embedded digital certificate on the RIC offers a unique window of opportunity for effectively mass-distributing digital certification technology in Brazil. However, the digital certificate for the citizen is still a frontier to be explored. Our systems are all migrating to the Internet. Civilian life is going to the internet; therefore, it is necessary that Brazil has an ostensive and unequivocal form of identification in large computer networks. 90% of frauds are born from the falsification of identity, because an individual exercises rights when they identify themselves. Brazil needs to give citizens a more secure way to identify themselves. The RIC will solve this issue.

Mr. Y
1. What are the differences between free source software and public software?

The concept of public software is not fully closed. We are in the process of debating it in order to build a new model. The concepts of public software and open source software are not exactly alike, but they share motivations. Open source software still lives with the dichotomy between free and gratis. I can say that public software is free. Public software is treated as a public good and allocates responsibilities to government entities in making a solution available. Our understanding is that software can be a citizen's right, and as a public good a set of services becomes mandatory. Public software is not a competitive model. It is an alternative model. The term ‘public’ provides for the insertion of government in the process of providing solutions. The idea of treating software as a public good is precisely to create a set of prerogatives that must be met before, during and after the release of the software. A company can define when it will discontinue a solution, even though there are customers interested in remaining with the solution. Public software can become a way of ensuring the continuity of projects and software development, ensuring the longevity of the solutions. This brings greater security and confidence for users, and consequently increases the adoption of software in various segments.

2. Does public software have a differentiated license?

Debates about property are still very deep. The one who sets the licensing rule is the original developer of the solution. For now, we are adopting the GPL license as the basis for making solutions available by the federal government.

3. Doesn’t that mean that this concept is “state-owned”?

No. Public software is a common good and accessible by all. Any citizen or company can provide and/or use public software. We have several private companies that have made software available as public. It is a new form of business marketing.

Mr. Ruy Ramos – Technical Advisory Board of Public Key Infrastructure at ITI
1. How long have you been working at the João-de-Barro project?

I have been working in this project since March 2008.

2. What were the biggest challenges at the beginning of the project?

The project was already underway when I entered, but from reports I can say that the biggest problems were: the definition of methodologies, the identification of the institutions that would participate in the project, and the allocation of work teams and financial resources. This, at first, was quite complicated. After my entry, we had some issues with schedules, but nothing critical that I could enumerate.

3. Briefly, what are your main feelings towards the open source concept?

By its nature, the internet today is a great forum for debate and the exchange of ideas and experiences. I think this is the essence that guides the development of open source software. What is interesting in open source software is the collective collaboration, where developers are not worried about the amount one must pay for access to that product. The participation of individuals in the elaboration and development of projects, and then seeing the shared results of these projects so that others can enjoy them, is very interesting. It's not just the sharing of ideas, values and ideals, but also the sharing of the developed product. Such practice is extremely beneficial. But open source software has some key characteristics, such as being free, low cost and easily accessible, that are quite critical for the government sphere and even for private companies. What I mean by that is that it is not enough to understand, or to think, that simply by downloading open source software we will not have costs. And this error will be a complicating factor over time. Companies, government and institutions that adopt open source software need to understand that they must maintain an internal team that can absorb, retain and continue this technology.

Today, the concept of open source software is more mature, but companies need to prepare for the use of it.

4. What opportunities do you detect in João-de-Barro with an open platform?

If we analyze this platform only within the framework of ICP-Brazil, that is, the root certificate authority or the first- and second-level certificate authorities, I would say that its applicability is very limited. This project has already brought benefits to the federal government, because its solutions are being used in the Certification Authority of the Federal Revenue in Brazil, AC-JUS and SERPRO.

However, a public or private enterprise, or an online certification authority, can use this software, making the appropriate changes, to assemble their internal certification authorities. Then companies can benefit from this platform, since commercial solutions of this nature are very expensive on the market. Some business models involve the initial purchase of the product and a dividend payment for each license, which we call royalties.

5. Can you draw a parallel between open source software PKI solutions and proprietary PKI solutions?

Here at ITI we experienced expensive and inflexible proprietary solutions; for this reason we developed the João-de-Barro platform. We recognized the technical and economic benefits of open source software for our PKI deployment. However, I would emphasize that we cannot dwell only on a commercial issue, in other words the cost of the solution. Cost is important because it affects the budget. But the most important thing is the maintenance, support and perspective of longevity of the solution. Nowadays, many open source software projects are sponsored by governments and private sector companies, which brings greater long-term sustainability. It is impossible for the government, or even for a company, to depend on open source software that does not give a guarantee of longevity. Of course, there is also the risk of discontinuity, for any reason, of a proprietary solution.

In conclusion, I think that in the future there will not be major changes between open source PKI solutions and proprietary PKI solutions in this regard. I think, and I am a great defender of this, that it is more interesting, more relevant and even safer for the government, as well as for all certificate authorities of ICP-Brazil, to develop their own solutions or to use a public (open) solution, because they can guarantee the continuity and autonomy of development of the solution.

6. What is the government's strategy to promote the development of PKI solutions in Brazil?

The ITI maintains, as a strategic definition, a focus on encouraging and developing the market for PKI, in the sense that the digital certificate may be more widely used in Brazil and applications developed. And also on encouraging academia and research institutions to continue investing in this technology to train manpower. In fact, this strategy is implicit in the work that is developed at ITI.

The ITI also provides its open source software to interested segments in order to encourage domestic industry and to train a critical mass of knowledge in the country concerning information security and digital certification.

7. Are there a number of open source PKI offerings available? What is most needed?

The market has many business models. The cloud computing data centre is one such model that is spreading a lot. But the most sensitive data may not be guaranteed in public cloud computing data centres. Data is transferred, processed and stored by external cloud providers. However, data owners are very sceptical about placing their data outside their own control.

So I think that one next step is to have these data centres in conformity with ICP-Brazil, I mean making use of digital certificates homologated by a certificate authority of ICP-Brazil. Because these data centres, following the rules of ICP-Brazil, will guarantee that the data are encrypted and signed with a digital certificate, making any attempt at fraud impossible. The information is guarded. So I think PKI applications will emerge that will give support to this new business.

Mr. Djalma Valois Filho
Manager of the Center for Diffusion of Technology and Knowledge (CDTC); General Coordinator of Operations of the National Institute of Information Technology / Civil House / Presidency of the Republic

Note: Throughout this paper the researcher has been using the term 'open source software'; however, for the translation of this interview the term ‘free software’ was used, as the interviewee preferred.

“We see free software as a means to promote social inclusion” – Djalma Valois Filho

1. Working with free software in the government sphere, what was the biggest problem you faced?

One of the early problems we faced was the unavailability of material content with which we could qualify people. We realized initially that it was very difficult to implement a public policy for the use of free software without people knowing that it was free software.

I do not speak from the viewpoint of evangelization in terms of explaining ‘what free software is’ or ‘why free software is good or bad’. No, what we needed was to say to government employees that there was certain free software and we needed to show how to use it.

Then, we created the Center for Diffusion of Technology and Knowledge (CDTC). The CDTC is a project of ITI whose purpose is a joint effort between the public and private sectors and academia, aiming to expand society’s knowledge in the use of free software.

2. There is some controversy between the terms 'free software' (Free Software Foundation) and “open source software” (Open Source Initiative). Many people use both terms as if they are the same thing. Does it matter? And what about public software?

The 'open source software' and 'free software' movements are distinguished more by the application of a social standpoint. It is the vision that exists about the result. There is no difference from the technological point of view. The 'open source software' movement says that it is good to use this software because it is reliable; it is a very technical speech. The free software movement says the same thing, with the difference that this is all good because we change society to become a better world. The free software movement is a politicized movement that sees technology as a tool to improve the world. The open source movement has no vision from a social standpoint. Inside the government sphere, we have both movements. I, for example, say free software. There are other people who will say open source.

The term 'public software' was a solution given by staff of the Ministry of Planning that aggregated all the concepts that exist around the world of free software / open source, making the State responsible for maintaining this software. There is no public software unless the license is free. All software that is published in the ‘Public Software Portal’ has an entire structure behind it and its continuity is assured. The origin of the software can be from government or from private companies. The Brazilian public software model is still under discussion.

3. Critiques have argued that free software in Brazil was a great euphoria around the year 2004, but now the euphoria is about to end. Do you agree with them?

The point is that we stopped talking and we started doing.

To give you an idea about it, two years ago Brazil sold more than 260,000 computers, all with free software. It was a government program that facilitated and lowered the cost of equipment in production and provided access to financing, but only for computers that were sold with free software. It was to continue the government initiatives in relation to free software that the CDTC was created, in 2004.

The specific objective of the CDTC is to assist the Federal Government in the implementation of national non-proprietary and open source software, identifying and mobilizing groups of opinion leaders among civil servants and political agents of the Federal Government, and stimulating and encouraging the domestic market to adopt new business models of information technology and new business communications based on non-proprietary and open source software. This provided specific training for technicians, support professionals and civil servant users, creating groups of civil servants who will train other public officials and act as advocates and supporters of non-proprietary software products and open source code, providing technical content for online support services and tools for developing non-proprietary software products and their free source code, and articulating networks of third parties (within and outside government) providing education, research, development and testing of free software products. As a result of this work that we have developed, today we have over 200 courses being offered, about 50,000 students, placed in more than 1400 Brazilian cities. We have over 3200 private companies using the CDTC for training their employees. And 1,800 public institutions that get from the CDTC the necessary support for the qualification of their employees.

The CDTC offers, besides basic workshops, free software, a web radio and manuals to download.

4. Is free software secure?

I do not agree with the opinion that, due to the fact that free software is conducted by a community of volunteers, it receives less security treatment than proprietary software. It is the opposite. For most proprietary software, we do not know how it works. The problem with security through obscurity is that perverse developers can introduce malicious code into the software and we do not have access to the code. As the code is not available, bugs or security flaws may be hard to check.

Free software, however, might have tens of thousands of downloaders around the world. Each one of the downloaders can audit the code, and then it is much easier to discover a bug or security flaw and submit the report back to the project's core maintainers. Free software is more heavily tested than proprietary software. Free software is highly reliable, flexible and secure. Free software is not the product of one company or one person. It is collectivized. Many people think that free software is like a no man's land, where anyone would be able to add code to it without supervision or guidance. Actually, free software projects implement a rigorous system of self-governance in which participation is voluntary but managed, and new code contributions are closely examined. In terms of security, the overriding concern of free software communities is not only with malicious code, but also with poorly written code. Large numbers of contributions are not accepted because there are others that are more efficient, or just because they do not meet the project's coding criteria.

In practice, monitoring the quality of software is a heavy task. Code quality is the key to the success of many free software projects, such as the Linux kernel.

5. Is there any free software PKI solution already available in the CDTC?

Yes, the CDTC developed modules that allow the administrator of various content management applications to replace the traditional login and password with standard X.509 digital certificates. An important factor in making this product available is to encourage society to adopt the digital certificate in their transactions via the Internet.

We also have courses in the digital certification area. The course objective is to regulate and standardize the skills of the professional who receives, guides, checks the documents and delivers the digital certificate to the person interested in acquiring it.

6. Business software companies will incur losses, thus resulting in a sizeable hole in the economy, if too many jump onto “the open source software revolution” rather than purchasing genuine licenses from technology companies that provide proprietary solutions. It might cause another worrying issue. Please can you comment?

It is perhaps worrying for the Americans, but not for Brazil. The preoccupation is reversed. If we stop buying licenses from American proprietary software developers, then the American companies will lose business. The money spent by the government on the purchase of proprietary software licenses can be redirected to the government's social programmes, to the basic structure of the state, or to anything else in support of the Brazilian State. When we use free software, we pay for services, not royalties.

7. What was your biggest problem in relation to free software? What is the biggest barrier to overcome toward free software adoption?

The first major challenge I had regarding free software was understanding it myself. I have worked in the area since 1978, and the dream of everyone who worked with computers was to develop a program that no one had developed before and make a lot of money from it, living from selling licenses for the rest of my life, like Bill Gates. This was the expectation of many professionals in this area.

So, the big dilemma that I faced with free software was to know, understand and accept that it is the correct way to work. The free software vision made me change my mind.

Anyone who works with computers spends most of their life producing for employers or for a company of shareholders. When producing free software, one is producing for the whole community and for society. It was then that I began to really understand what was behind free software: the concepts, the new forms of behaviour and, especially, the interaction.

Free software is far superior in terms of cost, capacity and quality. In the long term, there is another huge benefit: a great potential for learning in using free software that does not exist in proprietary software, because when the source code is proprietary, it is not known to the general population. This takes away from the population a great opportunity for learning.

Another difficulty was getting an idea of the high volume of free software produced. It means that you can find free software for almost everything you need.

The great struggle that lies ahead is the issue of patents. The protection relating to the patentability of software is not harmonized internationally. Due to this, there is a need for a discussion of patent law on the national and international scene. The growth in the monopoly of a patent increases the private benefit and, in turn, reduces the public benefit.


Mr. Wesley Rodrigues da Siva – Network Administrator at SBF Group
SBF Group – the largest sporting goods store chain in Latin America. It owns the BY Tennis chain and the license for the Nike Store in Brazil.

1. How long have you been working with open source software?

I have been working with open source software since 1999. I am a Linux expert. One of my responsibilities is to analyze the solutions we have in the company to migrate these solutions to Linux or open source based solutions, generating savings for the company.

2. How is the migration to open source software going within the SBF Group?

The process of change is always difficult. Before, in our group, there was a perception that Linux was for servers and was only command lines. So they thought it was difficult to adapt. And it is not like that. Today, usability and accessibility are a major concern for open source software developers. In the beginning there was a certain reluctance to accept solutions based on open source software, both from other administrators and from the board of directors.

The solution I found for migrating was to have a test environment where everything was installed, analyzed and shown to the decision makers, in order to gain acceptance and reduce the impact in case of changes. By just talking, I was unable to convince them. We have just finished a big migration project. We are using Linux, some open source security solutions and open source software for email, web browsing and media playback, among others.

But this work is only now showing its value. Two years ago I faced much resistance. With the arrival of a new manager, Mário Ribeiro, open source software gained a major ally in the company.

3. Can you mention any successful experiences regarding open source software?

There were some. But I can say that it was not about system incompatibility. What was lacking was time to set up and test the entire cycle of the systems used by the users.

Since then, we have created policies related to the development, migration and implementation of open source software within the company. Today, users see advantages in using Linux because they can customize it the way they want.

4. Are you a member in any open source community?

Yes. I am an active developer of OpenSuSE. It is a distribution of the Linux operating system. I also collaborate on development by participating in various forums of open source software.

5. What motivated you to join the open source community?

First, I felt frustrated because I could not solve problems with proprietary software, since I did not have access to the code. When I started working with open source software, I realized that I could improve the products of other developers. All that led me to learn and develop new skills.

6. What keeps you in this community?

Seeing that large companies are increasingly using open source software. As a consumer, I do not think we should be limited to only one option.

7. Do you have good technical support for the open source software that you use in the company?

Yes and no. When we buy the license to have access to the support, then it is great.

But we have some technical support problems when we are limited to the communities. We still have problems when we explore the online technical support for open source software through postings on discussion boards. We have skilled professionals, but there is a lack of professionals in the market who have a broad vision, I mean ones who know about operating systems, security and infrastructure. To solve this problem, it is important to have a skilled team in-house.

The SBF Group opted to have the support of distributors and to train a team internally. With regard to the distributors, we have support in development and migration.

And we have other good news: for instance, a vast number of certification programs in Linux and open source are emerging. Certificates tend to lead to higher performance.

8. What is the main barrier to overcome toward open source software adoption?

Support is one, but it is not the biggest. The biggest challenge is the change of culture, mainly for open source software running on desktops.

Linux, for example, is highly consolidated on servers. However, on desktops we have problems with users reluctant to use non-proprietary software. And we also have some problems in connection with electronic exchange. Issues of interoperability are still a stumbling block to widespread adoption. In my opinion, this problem would be minimized with the collaboration of hardware and software manufacturers. Hardware manufacturers should focus more on offering consumers more compatible models, and developers on creating distributions optimized to run on desktops.

9. What is the importance of open source software for society?

First, it gives the option to choose a non-monopolized product. Second, one can change a solution to better suit one's needs, since one has access to the code. Third, for people who had no access to a particular solution for reasons of cost, open source software minimizes this problem.

10. Is open source software secure?

Yes and no. When we download open source software, we know that the software was reviewed by several people around the world. We know what is behind the code. This is a guarantee of reliability.

However, if the company does not have skilled in-house technical staff of its own and does not have support from the distributors of the open source software, the company may incur great risks. Using open source, we can adapt the solution to solve specific problems of the company, but an erroneous implementation can bring serious damage.

11. What opportunities do you see for open source software in the next few years?

In my opinion, open source software will play a vital role in cloud computing by allowing some basic software elements, for example, virtual machine images and appliances to be created from easily accessible components.


Mr. Felipe Montezano – Network Administrator – SBF Group

1. How has the SBF Group been using PKI technology?

So far, the SBF Group uses PKI technology in the form of digital certificates for issuing electronic invoices and for transactions with the government. Electronic invoices are only legally valid when guaranteed by a digital signature, a process that verifies the integrity and originator of an electronic file. Today we have three types of certificates: A3, in which the data is generated, stored and processed on a smart card with password access; A1, in which the information is generated and stored on a server; and an SSL certificate used for e-commerce, which is also installed on the server. We use the A3 certificate for transactions with the government and also for our import and export transactions. Only authorized persons within the company have access to those digital certificates.

2. Is it possible for a smartcard to contain more than one certificate?

You can install up to three certificates on the same smartcard, according to the one we have been using.

3. How long does it take to revoke a digital certificate?

By getting in touch with our Certificate Authority and requesting the revocation of a digital certificate, it is revoked immediately, making it impossible to use from then on. Up to now, we have not needed to revoke any digital certificate. We need to take care of the passwords that we use along with the digital certificate. To be honest, we always have a certain fear when we use a digital certificate.

The smart card has two security passwords, the PIN and the PUK. The PIN is the password to use the card, which we changed at the time of validation, and the PUK is an emergency password. If we get the PIN wrong three times, it is locked and can only be unlocked using the PUK.


4. On what operating systems can you use the digital certificate?

On Linux or Mac OS, we have read-only access to the digital certificate. When it is necessary to issue a new certificate, this can only be done on the Windows platform, following the system requirements defined by our CA.

5. What is the average cost of a digital certificate?

It is 169 USD for three years, without the card reader.

6. Do you see other future applications of PKI technology within the company?

No, in the near future I see no other application of this technology within the company. If it were not for the cost, the company might be able to use digital certificates to give employees access to the company as well as to the systems. Among other things, the digital certificate could be used to prevent employees from accessing information that they have no authority to access. The use of PKI technology is very new and quite unknown.

7. Have you noticed whether digital certificates have been increasing in the market?

Personally, I do not know anyone who owns a digital certificate; I only know of companies' digital certificates. However, I think that this market is growing a lot, because before I could get support to come to the company two weeks after I requested it, but now I do not get it before one month. In other words, it seems that demand is increasing. I believe that this demand is due to the requirements of government agencies for carrying out transactions via the Internet.
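The flow Mr. Montezano describes above, in working code: a signature that binds an electronic invoice to its signer and is checked by the receiver, and revocation at the CA that makes the certificate unusable from that moment on. This is an added example written for this edition of the thesis; it is not code from the SBF Group, its Certificate Authority or ICP-Brasil. The same chain check is what the CDTC login modules mentioned earlier must perform before trusting a client certificate in place of a password. The example assumes a two-level hierarchy of its own (a self-signed "Demo Issuing CA" and one signer certificate, names and serial numbers invented here), P-256 keys held in memory in place of an A1 key file or an A3 smart card, a constructed sample invoice, and only the Go standard library (Go 1.19 or newer).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed hierarchy: an issuing CA and one signing certificate, keys in memory.
type DemoPKI struct {
	CACert, EECert *x509.Certificate
	caKey, eeKey   *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // demo setup only; production code returns the error
	}
	return v
}

// NewDemoPKI creates the CA, then issues the holder's certificate under it (names are assumptions).
func NewDemoPKI() *DemoPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	eeKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		// CRLSign is what entitles this CA to publish revocations later.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo invoice signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	eeCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, eeTmpl, caCert, &eeKey.PublicKey, caKey))))
	return &DemoPKI{CACert: caCert, EECert: eeCert, caKey: caKey, eeKey: eeKey}
}

// SignInvoice is the holder's side: hash the document, sign the hash.
func (p *DemoPKI) SignInvoice(invoice []byte) ([]byte, error) {
	digest := sha256.Sum256(invoice)
	return ecdsa.SignASN1(rand.Reader, p.eeKey, digest[:])
}

// IssueCRL is the CA's side: a signed list of revoked serials (an empty list is valid too).
func (p *DemoPKI) IssueCRL(revoked ...*big.Int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.caKey)
}

// VerifyInvoice is the relying party's side: chain, CRL signature, revocation, then the signature.
func (p *DemoPKI) VerifyInvoice(invoice, sig, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CACert)
	if _, err := p.EECert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err = crl.CheckSignatureFrom(p.CACert); err != nil {
		return err // a CRL not signed by this CA proves nothing
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.EECert.SerialNumber) == 0 {
			return fmt.Errorf("signer certificate %s is revoked", p.EECert.SerialNumber)
		}
	}
	digest := sha256.Sum256(invoice)
	if pub, ok := p.EECert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match invoice")
	}
	return nil
}

func main() {
	p := NewDemoPKI()
	inv := []byte("NF-e 000123;valor=100.00") // constructed sample invoice
	sig, _ := p.SignInvoice(inv)
	fresh, _ := p.IssueCRL()
	revoked, _ := p.IssueCRL(p.EECert.SerialNumber) // the CA revokes the signer
	fmt.Println(p.VerifyInvoice(inv, sig, fresh), "|", p.VerifyInvoice(inv, sig, revoked))
}
```

With the first CRL the invoice verifies; with the second, the same signature is rejected because the serial number is now listed. Two caveats follow from the code rather than from the interview: the revocation is immediate at the CA, but a relying party only sees it once it fetches a fresh CRL (or an OCSP response), so a deployment should also refuse a CRL whose NextUpdate has passed instead of treating "not listed" as proof; and the order of checks matters, since a signature check before the chain and revocation checks would accept a perfectly valid signature from a key that should no longer be trusted.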


Mrs. Margarida Nunes da Costa Pedra – SBF Group IT Director

1. What were the challenges in the initial deployment of digital certificates in the company?

First, one must understand the process of obtaining a digital certificate. This was difficult because we had to read the obligations that the Federal Revenue of Brazil (IRS) was imposing in relation to the use of digital certification. So, many times we had to contact the IRS to obtain certain information and clarify doubts. In other words, we had to clarify the process, and at the beginning there were only two Certificate Authorities, which led to a lot of time spent with the IRS. I think it was a learning period for everyone involved. I can say that we learned together. Today, we can hire the services of a Registration Authority to come to our company and assist us. This service greatly facilitated the process of obtaining a digital certificate. Also, today the information on the IRS website is clearer and the staff is better prepared to answer questions and meet the needs of taxpayers. Another aspect is that digital certificates were not cheap, taking into account the whole process: the digital certificate, the card reader and a professional visit to the company (the last was our choice). One thing I would stress is that there were many doubts regarding the use of a digital certificate and how to deal with it.

2. Does the SBF Group make use of the digital certificate for other purposes?

We began to adopt digital certificates within the SBF Group to comply with the Brazilian Government's requirement for electronic invoices. This generated a movement to standardize the delivery of electronic documents and digital signatures. At the time we started the process of digital certification in the company, as required by the federal government, the SBF Group had an e-commerce shop. With the learning acquired by using digital certificates, and taking into account the security that this technology brings, the SBF Group set out to obtain a digital certificate to increase the reliability of electronic commerce with our customers. We purchased a digital certificate to ensure secured transactions when using our site, so that our customers could feel safer when using their credit cards, without fear of fraud in such transactions. By following successful innovative technologies, the SBF Group is always seeking mechanisms to protect its customers when they transact with it. In this case, a Certificate Authority accredited by ICP-Brazil gives us this support.

3. From the beginning until today, what can you tell us of the positives and/or negatives in the process of digital certification?

First, digital certificates provided greater flexibility in tax processes. Now we do not need to mobilize human resources to go to the service centres of government agencies, whether federal, state or municipal, to deliver a tax obligation. Today we resolve almost everything we need with a computer, a card reader and a digital certificate. It led to savings in printing, in handling and in the storage of accounting books and other documents, since bookkeeping and tax accounting are now done and maintained in digital media and validated through digital certification. And, for the government, it is a chance to increase the quality of surveillance and thereby obtain greater control over tax evasion.

4. In terms of costs, is it expensive to obtain a digital certificate?

Not today. At first we were paying around 285 USD to obtain a digital certificate valid for three years. Today this value has fallen to around 170 USD. This is pretty low compared to the benefits we got. We use a digital certificate not only for digital signatures. It is also the passport for us to access many government websites and obtain information that before was only available in person. The word I can use to define the benefits that the digital certificate brought us is 'AGILITY'. Before, we had to go to a service station, wait a long time to be attended, then go to another department to stamp the document, and so on. Remember that this meant going from one sector to another within a public agency, and sometimes even to another public agency.
94

5. Do you still have some problems regarding digital certificates in the company?

Today the digital certificate within the SBF Group generates no insecurity. Now we are aware that it has only helped us. And the maturity that we acquired with the use of digital certification leads us to have bigger goals with respect to the use of this technology.

6. Digital certificates generate a process of dematerialization, in other words, enabling the substitution of paper documents by digitally signed electronic documents. For many people this can mean difficulty. How does the SBF Group analyze this issue?

Many papers have been eliminated, but we still issue a voucher every time a document is delivered electronically. The voucher is archived for future validations. Thus, the difficulty has a legal nature. The tendency is to avoid printing, because it eliminates costs.

7. What is the future of digital certification within the SBF Group?

Today, within the SBF Group, every employee has his or her own badge, which is their identification within the company. This badge has a number that is tied to the employee's record in the Ministry of Labour. In the future, all the information that is available on this badge, along with much more, may be used in a digital certificate, giving greater reliability and transparency to all processes within the company. This is our goal for the future. However, today the badge represents a low-cost solution compared to the digital certificate. Although we believe that this cost is not spending but investment, the investment is still too high for us to opt for this alternative for the company at this time.

8. How is the market with respect to skilled professionals in digital certification?

The technology area is increasingly segmented. Today we can hardly manage to hire a generalist professional; what the market demands today is specialists. The specialization courses are expensive, but professionals are increasingly investing in them. Despite the lack of specialists, when a company defines the professional profile it needs, it finds him or her and manages to bring this professional in as a collaborator. And PKI technology is still a relatively new field for us.

Mr. Glauco de Paula – System Engineer at Empresa1
Empresa1 – electronic ticketing systems. Today, the company is a reference in the national market in this segment. It is present in over 80 Brazilian cities.

1. Is Empresa1 using open source software?

Yes, it is. But this is not my specialty.

2. How is Empresa1 making use of PKI technology?

We use PKI technology in transaction processing solutions based on smart cards, with all recorded data protected through encryption to prevent tampering and to ensure non-repudiation of all collected transactions. The system is based on encryption and public keys, which can be used only by the key holder. Among other security features, with the use of PKI technology we could guarantee more security in the transaction and eliminate the use of passwords. Passwords are still the basis on which many information systems rest their security, because they are the main mechanism used to authenticate human users to computer systems. However, there are several problems, such as the difficulty people have in choosing passwords that are hard to guess, or in remembering passwords randomly generated by the system. Our concern is always focused on providing secure transactions for our customers.

3. Was it very expensive to deploy this technology in the system?

We spent one year developing the current application in our system. Consequently there was a cost in staff, which required better skilled professionals. The use of PKI technology put us on a different level in relation to our competitors, because it ensures greater transaction security for our customers.

4. What was the biggest challenge working with PKI technology?

The success of a PKI implementation depends on how well people interact with the system and how the system is implemented. The biggest challenge to me was to understand the PKI technology.


5. What is the future of PKI technology within Empresa1?

To evolve the PKI technology within the current system to ensure the security of the application on all terminals.

6. In your opinion, what is the future of PKI technology?

This technology is just starting in the Brazilian market. There are still few who are working deeply with this technology. I believe that a promising area for the utilization of PKI technology will be our electronic voting system. However, the Internet is a great channel, because there is a lot of information travelling but very little security in the transactions.


Mr. Jerson Souto – Technology Business Manager (Professional Outsourced Expert in Open Source Software)

1. How is your experience with open source software?

I started working with open source a long time ago. I was selling Linux, and suddenly we could download it from the Internet. From then on, we had the code in our hands. I was fascinated with that, and then I started to use open source software extensively, basically Linux. But today, what fascinates me most when we talk about open source software is its connection with digital inclusion, and the dissemination of information this entails. I think there is a revolution of cognition. The possibility of providing open source software to more people makes digital inclusion more tangible.

2. Are you a member of some open source software community?

I should do that more. At first, I followed a few things, mainly doing validations and tests, downloading beta software and exchanging opinions. It wasn't anything very official. All along, much more as a user and enthusiast of everything around open source software. I do not have a leadership profile, but I think I am an opinion leader. Often people around me feel curiosity, begin to use and adopt open source software on their own workstations, and this is the way I participate. In fact, when we work with systems development, it is so absorbing that we stop trying other things. My recent times have been like that. When I worked with the support team, then yes, I knew a little of this world, which is huge.

3. What roles has the Brazilian government played regarding open source software?

The government has invested heavily in digital inclusion. How will you provide computers for the vast majority of the population, which has no way to pay for an operating system (even a subsidized one)? The government subsidized the hardware, but that did not solve the problem of having a computer. So, the brilliant solution has been the adoption of open source software. In my opinion, we have been very reckless in entrusting all strategic information to a single company. Imagine: almost all decisions, political and economic, are in Excel, an application where we do not know what may be behind the code. Another important thing with respect to open source software is that we do not have to transfer foreign exchange out of the country. We can hire services in our own country. So, it is good that the government sets the example by adopting open source software; others, for sure, will follow.

4. Is open source software secure?

To me, what is secure? Is it what I see and what I can check, or something that comes in a sealed box and that I cannot see? Yes, open source software is secure. And once more, it has technical support infinitely better than any support that is given by a single company. The support is immediate and widespread. It does not depend on anyone's timetable or country. And the most important thing is that the code is fully auditable. It is something completely different from what exists in the proprietary world.

5. Is it true that open source software is hard to install and configure?

These things are very controversial, because no one installs Windows. Everyone buys the computer with Windows installed. Nobody studies Windows. People just use it because someone has taught them, or because they have been using it since childhood, and so on. Most people do not know anything about Windows. They only use the basic functions and surf the Internet. Today, for example, the Linux installation is fairly intuitive, except for managing the disk partitions. The problem is that we all have resistance to change at some level. Open source software interfaces must be different from proprietary software, including as a matter of copyright. But if we are not open to change, we will not grow. Changes need to be motivated. And motivation is a tricky business, because one of the great things that drives motivation is marketing. Open source software does not do marketing.


6. Did you observe any difference after the government started encouraging the use of open source software?

Yes, sure. Mainly because, as a result of government policies, I see that schools are beginning to encourage the use of open source software. It is important to give students the opportunity to see how their tools work and to examine the inner workings of software. We are just at the beginning of the information age. It is time to open up the tools that will be needed to build this new age. Those who do not change stay behind. Brazil is a country of continental dimensions, and only 10% to 15% of the population has access to technology. So we see the real necessity of government initiatives regarding digital inclusion.

7. Are there many private companies moving towards open source? Can you give examples?

Yes. Most companies adopt open source software on servers, and many small companies do so because they want to reduce costs. Companies are finding that with open source software there is also the possibility of changing suppliers without losing the knowledge accumulated in their systems, and this increases their bargaining power.

8. In your opinion, what are the biggest challenges regarding open source software adoption in Brazil?

It is a paradigm shift. The Internet is challenging the software world that we all know. The challenge is to do what the government is doing: foundation work, creating a new culture. And you do not change a culture with a decree. In my opinion, the big challenge is to continue the work that has begun. I believe in long-term jobs, jobs that do not last the life of one person but the lives of many people, a succession of things. The great achievements are done like that.


Mr. Fernando Augusto Medeiros – LinuxPlace
LinuxPlace provides support, training, consultancy and development, always using open source software tools. LinuxPlace is a reference and a pioneer in spreading the Linux operating system in the Brazilian market, having participated in several public and private projects in development and information security.

1. How long have you been working with open source software?

Eleven and a half years.

2. Briefly, what are your main feelings towards the open source concept?

During this time I have carried the flag of open source software, though I must admit that I was more active before. Indeed, I believed in open source software as a matter of ideology. Today I have moved past the ideology and have come to see the real strength of open source software. It is no longer an alternative, but a reality. It is a rarity today to find a company that has no open source software. Open source software is a collaborative work carried out by motivated programmers around the world. We will always find faster solutions to systems development problems than any proprietary software. We must think about the cathedral and bazaar models. However, I do not believe that open source software will dominate proprietary software. There will be a market for both models. Open source software today is consolidated in the market. Many companies are opting for open source software not only because of cost but because they have more control.

3. When is open source software useful and when should it be avoided?

Open source software should not be adopted when the customer does not want to have any development work, which involves staff training, or when there is incompatibility in the system. Otherwise, the company that wants to use open source should hire someone to do it for them, as in the proprietary model.


One needs to have a strategy when adopting open source software. The important thing to remember is that its use requires installation, configuration and other services, which can mean costs.

4. Critics have argued that open source software in Brazil enjoyed great euphoria around the year 2004, but that the euphoria is now about to end. Do you agree with them?

In the beginning, people talked too much but did little in practice. It is the opposite now.

5. There is some controversy between the terms 'free software' (Free Software Foundation) and 'open source software' (Open Source Initiative). What is your opinion about it?

It is linked to ideological issues. I think that Richard Stallman had a key role in the free software movement. But I am not in favour of radicalism. The conflict will always exist. Yes, I question whether in practice free software/open source software licenses will work as designed.

6. Are there many private companies moving towards open source? Can you give examples?

They are few. Despite recent efforts, Brazil still has not developed much open source software. We use much more than we develop. But this is not a problem related to open source software. In the 80s and early 90s, when the government imposed severe restrictions on the entry of hardware into Brazil, there was demand for domestic production of it. But when a trade liberalization process started in Brazil, many hardware companies in Brazil had to shrink considerably or simply close their doors. With the latest government policies, this picture is changing a bit. Today the government, whether federal or state, is using its buying power as an incentive to produce technology. This is tremendously good.

7. How is professional support (training, consulting and implementation) for open source software?

Many people say that they do not adopt open source software because it is hard to get technical support, and that this is one barrier to overcome. Yes, we have problems with technical support, because there is not enough of it. But people forget to get in contact with those who developed the software. Those who developed the software are the best to help when you need support. And they are there for it. They want to help you. It is how they will sell their services. And then, I repeat again, open source software is not free. It has a cost.

8. In your opinion, what are the biggest challenges regarding open source software adoption in Brazil?

The professional is one of the biggest challenges. Technology professionals in Brazil are hard to find in any area. It is not only a problem of open source software. For example, you will find professionals who work with and support Linux, but if you need support for the proprietary software AIX, then you will have many difficulties. Proprietary software offers some advantages that are not so easily found in open source software. Among these advantages, the one that stands out is technical support. Due to this fact, many companies choose proprietary software.


Prodemge
Prodemge is a Certificate Authority accredited by ITI for issuing ICP-Brazil standard digital certificates, including e-CPF, e-CNPJ and NF-e, in the hierarchy of the Federal Revenue of Brazil (IRS). Respondents: Mr. Sergio de Melo Daher – Superintendent of Technology; Mrs. Jacira dos Reis Xavier – Manager, PKI expert

1. How would you describe how you are using PKI technology at Prodemge?

This technology is fully consolidated at Prodemge. We have been working with PKI technology for 5 years and we are a certificate authority linked to ICP-Brazil. In Brazil, we had a period of adaptation and today this technology is widely used in public administration. PKI has been increasingly used to ensure the safety and reliability of information and virtual operations.

2. What was the biggest challenge regarding PKI?

Our biggest challenge was in relation to changing culture. Why do we need a digital certificate? How can we integrate the existing systems with a PKI system? How can we manage the certificate lifecycle? These questions were in the minds of users when we started to implement PKI. And the process from paper to digital documents was a big issue. The method of dissemination of PKI technology at Prodemge played a vital role in consolidating the use of digital certificates in our systems. Another challenge was regarding the cost. The cost was very high. It is still expensive to operate and maintain, but now we have been providing quality services at a cost-effective rate because we have high-volume transactions.

3. Has Prodemge provided any PKI application for users and private companies?

Prodemge acts more as a provider of solutions for government agencies. The invoice of the municipality of Belo Horizonte, for instance, was provided by Prodemge. Prodemge has an accredited Certificate Authority for issuing digital certificates following ICP-Brazil standards, including e-CPF, e-CNPJ and NF-e.

4. How are companies experiencing electronic invoices?

The acceptance was very high. As electronic invoices can be delivered via email or FTP from any location, at any hour of the day or night, it increased value and satisfaction for companies. The electronic invoices brought efficiency and effectiveness with simplification of procedures. Another consequence is the dematerialization of documents by transforming paper documents into electronic files.

5. Is there another application within this scope that you could highlight?

Yes, one is the implementation of the practice of electronic processes by the judiciary and another is one implemented by DETRAN-MG (Traffic Department of Minas Gerais). Providing services in electronic form and using technology that ensures security – both regarding the information and by safely identifying who is accessing the information – has drastically reduced the time and bureaucracy in the processes.

6. Did you have any problem regarding users and their private key?

No. Prodemge had no report about it. The only problem is that users often forget the password, and then you need to issue a new certificate. The user can change the password whenever he/she wants. We always warn the holder of the digital certificate that the private key must be under his/her exclusive control, use and knowledge.

7. PKI is rapidly maturing as a security solution; how do you envision the future for PKI?

I think that many applications will emerge for individuals with the new Civilian Identity Registry (RIC), mainly because many citizens say they cannot justify purchasing a digital certificate due to cost. As every citizen will have a RIC and it will have an embedded digital certificate, more services will be available and then the massification of PKI technology can happen.

8. Were the PKI applications running within Prodemge developed by you or were they bought on the market?

Most solutions were developed by Prodemge because we have systems specific to the state of Minas Gerais. Private companies have many solutions at reasonable prices.

9. How is the qualification of professionals in the area of PKI in the Brazilian market?

In 2004, when we started developing a project using this technology, there was a concern about training professionals. Today we have a great team that has absorbed this technology. This team studies, implements and provides new projects. The market has few professionals in this area.

10. Has Prodemge adopted open source software?

Prodemge is a big user of open source software. Open source software adoption inside Prodemge happened gradually; it was not a strategic decision. It was being incorporated day-to-day into the company. We started using Linux. Today 70% of our network servers are running Linux, and we use Apache too. And we have many open source software applications. We use some open source software that is free of cost, but for the great majority we pay for a license in terms of technical support. For others, as we have the knowledge, we don't pay to have technical support.

11. How was the acceptance associated with the adoption of open source software?

Sometimes it was complicated. For example, we had a difficult period when we started working with Java. There was a lot of training. Today, I can say that open source is very well accepted within the company. When a new professional joins the workforce, all support is given to him/her, so he/she can work comfortably.

12. Do you agree or disagree that open source software is secure?

I consider open source software secure because the code is open. This means that it can be seen by everyone and then errors can be easily found and corrected. The auditability is very important. Dangerous is proprietary software, in which we do not know what may be embedded.

13. Are there many barriers to overcome toward open source software adoption?

I could say that it is support. All software needs a good support infrastructure behind it, be it open source software or proprietary. One cannot download open source software and think that it will work without any problem. One should not worry only when problems arise. To adopt open source software you need a team with deeper knowledge.

14. Does Prodemge make use of open source PKI?

No.

15. Do you think there is some advantage in using open source PKI software?

To make it happen, Prodemge needs to have intellectual resources. I mean, we need to have a team ready to audit and verify whether this software is framed within our business rules and within the technical standards required.

16. In your opinion, what are the biggest challenges regarding PKI in Brazil?

I think that our biggest challenge is to meet the expectations of the RIC project. It's a fantastic project which means a lot in terms of citizenship.

Mr. Alexandre Atheniense

Lawyer, IT Law Professor, Consultant, Writer, Speaker. Specialised in matters related to Law and Information Technology, Internet law and Intellectual property.

1. Briefly, what are your main feelings towards the open source concept and how do you see open source in government and in Brazil in general?

To talk about open source in Brazil, and mainly in the government sphere, I need to mention the name of Sérgio Amadeu. He, as president of ITI, substantially defended the use and dissemination of open source software. He always believed in open source software as a business model for the Brazilian executive branch. After Amadeu left ITI, the market didn't slow down, but the theme of open source software has not been treated in the same way as when Amadeu was at the head of ITI. I have taught some lectures on the subject and I have been following the path of open source in Brazil. I even participated in a project to sell PCs at lower prices by using operating systems developed as open source software. We have one unique state law in the Brazilian state called 'Rio Grande do Sul'. This law determines the preferential use of open source software in public administration, directly and indirectly, in that state. But this law is being contested. We have one provision based on law 11419/2006 which states that the Brazilian courts should preferably make use of systems based on open source software to develop routine procedural practices. Brazil is a pioneer in terms of having a specific law on judicial processes conducted electronically. That is, it allows a prosecution from the beginning to the end in digital format. Several courts have already regulated at least one procedural practice, but, unfortunately, few lawyers are capable of working in this new scenario yet. The adoption of open source software in the Judiciary is in constant discussion, but the lobbies of proprietary software companies are very strong. Currently, the vast majority of Brazilian courts buy proprietary software. As each court has an autonomous decision, they can decide what track to take over their systems.

2. In your opinion, is open source software good for society?

Yes, without a doubt. The use of open source software is of great importance to meet the interests and aspirations of society for fair access to knowledge. It is extremely reliable. For a given type of application, open source software is fantastic.

3. Do you have or have you had any lawsuit filed against open source software?

No. I haven't had any lawsuit about violation of an open source license yet. All my work in this area occurred constructively, making licensing agreements for open source software. I mean, it was always based on prevention. It was never due to a dispute yet.

4. Would you describe how you're using PKI technology?

I have had contact with this technology since 1999. Along with other lawyers, we created an independent Certificate Authority for the OAB (Brazilian Bar Association). This certificate authority, named ICP-OAB, was intended to issue digital certificates to lawyers. It didn't follow the ICP-Brazil standards. It operated in the states of São Paulo, Minas Gerais and Rondônia. The Brazilian law which defines the digital document as original does not prohibit other types of electronic identification and certification apart from the ICP-Brazil standard. It can be accepted as valid by the parties or accepted by the person to whom the document is raised. However, the Certification Authority that we created could not continue operating. It was determined that any digital certification system used by the federal government or the Judiciary could only be provided within the requirements of ICP-Brazil. After a long period of discussions we abandoned the project of an independent certificate authority of the OAB. There is much commercial interest behind this – interest in selling digital certificates. We also initiated a work of evangelisation of Brazilian lawyers in order to show them the practical benefits that the digital certificate may provide, such as demonstrating that certain routines could be performed remotely and by replacing paper electronically.

5. In your opinion, what is the current significant impediment to the widespread adoption of PKI technology?

I believe that the use of digital certificates could take off much more in Brazil if not for the price. We have a demand for services, but the prices charged for digital certificates are unviable for use on a commercial scale. I did research, and I counted 150 systemic features allowed by law 11419/2006 that should be developed with the purpose of substituting paper with digital documents, many of those using digital certificates. It is a huge number of applications needed to attend to the demand we have.

6. In Brazil, are the data protection principles adequate for the processing of personal data concerning PKI technology? Are there bills regarding data protection being processed? Is there already electronic crime legislation in Brazil?

In recent legislative reforms, electronic procedures have increasingly been included in forensic practice. For example, our laws on election advertising on the Internet are very advanced. It is true that we need some new laws for new types that emerged after the use of information technology. We need a law to regulate online privacy in more detail. The current Brazilian legislation includes a series of conducts of impact that happen in the area of information technology. There are 20 different types of crimes committed on the Internet that are already foreseen in our legislation.

7. In case of dispute, lawyers will have to rely on experts to investigate the digital evidence to determine whether an electronic signature was used. Do you think that in Brazil everybody (technologists, individuals, lawyers …) connected with electronic signatures and the variants of signature available has been well trained to use and treat digital signatures properly?

Law and technology are two worlds that I see increasingly interacting, by the state in the imposition of society. For example, we, as lawyers, today need to understand how Facebook, Twitter or Orkut work, to know which way to take when making a decision. Or even to advise a client regarding the benefits and hazards of dealing with social networking.

The Law of Information Technology is increasingly interlacing with the more traditional branches of law, in a way that requires from professionals in the field of law specialisation in new subjects, which were not and are still not being addressed by the law universities in Brazil. We, lawyers, need to be aware that we will have a greater connection with electronic evidence than with evidence on paper.

8. Are the Brazilian states able to legally accept digital documents?

In 2001 the Provisional Measure 2200/02 was created, which established criteria so that we can consider as valid the documents generated in digital format. This Provisional Measure, which has the force of law, stipulates that if the document was digitally signed using asymmetric cryptography, then this document is accepted as original. We need to solve the situation of the document that is generated on paper and converted to digital. We have a bill that is moving forward to establish the appropriate criteria. The digital document is increasingly gaining space in our daily lives. The 11419 law allowed the conduct of judicial proceedings without paper. It's a great advancement towards dematerialisation – that is, replacing the paper document with the digital document. Another area in which dematerialisation is happening with great success is accounting. Brazil is the world's first country to have legislation that allows the processing of an electronic judicial process from start to finish. Several countries have procedural moments, but not as complete. We are the only ones.

9. In your opinion, what are the biggest challenges regarding PKI in Brazil?

The biggest challenge is to make people have the same trust relationship with the digital document as they have with the paper document. The lawyer today is a great enemy of digital certification, because he/she still prefers the paper document. We need to spread the culture of digital certification among lawyers. Today, the OAB has 700 000 lawyers registered, but only 20 000 have a digital certificate issued by ICP-Brazil.

The benefits of digital certificates to lawyers become evident to the extent that the Brazilian courts are moving fast in the deployment of the paperless judicial process. We are in a phase of cultural transition in which lawyers, as effective opinion-makers, need to acquire a trust relationship with the electronic document and encourage their customers to do business at a distance by electronic means using the digital signature. This change begins to happen from the moment that certain courts establish guidelines and regulations imposing that a particular practice only be done electronically. We are in this process at our Superior Court (STJ).

10. How can we preserve honesty in a cyberspace where anonymity grows? Is PKI one solution?

Unsurprisingly, I say that the weakest link in the chain of information security in the electronic medium is the human being. We should aggregate several items related to information security in order to have effective risk management. The one who will provide electronic services should always be concerned to exercise a trust relationship with the party interested in the service. One of the most important benefits of the digital signature is to provide integrity and security in the exchange of information over the network.

Professor Jeroen van de Graaf
Researcher in cryptography, with a doctorate in the area from the University of Montreal, Canada. Professor at the Federal University of Ouro Preto, Ouro Preto, Brazil.

Note: The names of the companies were not disclosed in this report, to avoid exposing them.

1. Briefly, what are your main feelings towards open source PKI?

I have several feelings. Company A, for instance, is a leading company in PKI solutions, with over 10 years operating in Brazil, and the exclusive Brazilian affiliate of an American company. With the experience of these companies, I believe that they don't have motivations to adopt open source software because they are software development companies. This means that any issues will be resolved very quickly by themselves. I worked on two open source PKI projects. One of them is ICP-EDU (ICP is PKI in English), whose main objective is to create the conditions necessary for the implementation of an ICP within academia, facilitating mutual recognition of X.509 certificates issued by universities or other academic organizations, thus facilitating the authentication, authenticity, integrity and non-repudiation of communications. Providing, at no cost, digital certificates for students, teachers, staff and academic researchers brings a great benefit because it eliminates the cost of buying digital certificates issued by a commercial ICP. This project is all based on open source software. The other project is one to implement an ICP for company B in Minas Gerais State. The initial plan was to develop software from scratch, but after some problems it was decided to implement another open source PKI, EJBCA, which was developed by a Swedish company. When I finished working on those projects, as I like more theoretical issues, I decided to continue as a teacher and researcher. I believe that today PKI does not present many technological challenges, because it is a well-established technology. The challenges of PKI solutions are cultural; for example, a challenge such as how to encourage Brazilian people to use PKI, to rely on this technology. Those are the biggest challenges regarding PKI in Brazil.

2. What roles do universities play in the development of skills related to open source PKI?

Many projects have involved the participation of universities in research and development in the area of public key infrastructure. And many of these projects offer scholarships. The 'João-de-Barro' project, for instance, which is an open source PKI platform, was developed with the participation of some universities. This promotes a very large and intense exchange of experiences.

3. Surveys have pointed out that PKI is complex, very expensive and suffers from interoperability issues. Do you think that open source software can minimize those problems?

PKI has been around for a long time, but it has not taken off except in a few high-security niches. Yes, it is expensive. You see, it needs an operating system, client software, cryptographic hardware, a database, a safe room, qualified professionals, among others. Given this, open source software is just one small aspect. Then, in this case, I don't believe that open source software can influence costs. But for me, I act in the security area and I am extremely worried about this question. I believe that we cannot trust software whose code is not open. PKI cannot generate one killer application for open source software. However, I am not an idealist regarding open source software; I think that the government should have reservations when adopting software, especially software that generates public and private keys. Then, mainly in this case, open source should be adopted.

4. PKI is rapidly maturing as a security solution; how do you envision the future for PKI?

I believe that the PKI solution is healthy. However, I do not agree with the adopted model. I mean, the way that the digital certificates are issued. I think that we should pay for the services, not buy a digital certificate.
