CSP Signing Program - Limitations and Provisos (All Vendors)

Microsoft's interests in applying signatures to CSPs are to maintain the integrity of system security, ensure the exportability of CryptoAPI-enabled systems and applications, and to exercise due diligence under prevailing U.S. and other national export controls. Any disclosure requested by Microsoft is used solely to determine whether export approval is required, or if sufficient export approval exists, for Microsoft to sign a vendor's CSP.

Microsoft obtains no right to any CSP by virtue of signing it, nor does Microsoft assume any responsibility for the CSPs it signs. The CSP vendor is wholly responsible for the distribution, disposition and possible end-use of its CSPs, including any possible export or diversion of CSPs outside North America or licensed destinations.

Microsoft relies on the CSP vendor's completion of the ECC, CSPDK Export Questionnaire and other documents as to the intended distribution, disposition and use of the CSP in or out of North America, and as an assurance that the vendor will exercise due diligence over the operation, sale, or transfer of its CSP using the Microsoft CryptoAPI. If a vendor's intention changes after a CSP is signed (e.g. it opts to export a CSP signed by Microsoft with the understanding that the CSP was for use in North America only), the vendor is responsible for compliance with U.S. export regulations.

The digital signature applied to CSPs in no way grants U.S. export approval or any other form of legal approval for use of a CSP in any national or international context. In particular, Microsoft has no role in the U.S. export approval process of a North American vendor's CSP: U.S. export approval (by license, classification, or exemption) is a separate requirement that CSP vendors must satisfy independently of the digital signature process, and it must precede the signature process when the CSP is intended for use outside North America. Microsoft's involvement in U.S. export issues will be limited to applying for licenses to export the CSPDK to foreign vendors and to sign their CSPs, and to performing due diligence verification that licensed CSP vendors comply with the terms of any U.S. export license.

Microsoft cannot provide the CSPDK to, or sign CSPs from, any vendor who is engaged in a prohibited activity, who is from a prohibited destination, or who is a prohibited party as defined by U.S. law (including the Export Administration Regulations and International Traffic in Arms Regulations). U.S. export laws prohibit Microsoft from providing the CSPDK or signing any CSP if Microsoft has reason to know that a given vendor may intentionally violate U.S. export laws, despite a written assurance to the contrary.

The description of U.S. export controls in this chapter is provided for general information purposes only. This document reflects the U.S. export laws and CSP signing program in effect as of April 1997. Export laws are subject to rapid change; therefore this document may not accurately represent current export law. Please consult legal counsel and the appropriate export control agencies to ensure compliance with U.S. and local export laws.