Platform SDK: Cryptography

Getting the CSP Signed

A CSP must be digitally signed by Microsoft to be used with the released versions of Windows 2000, Windows NT, or Windows 95 and later. The digital signature separates applicable legal export controls on the CSP from the host operating system and applications, thereby allowing broader distribution of encryption-enabled products than would be possible under other circumstances. Generally, U.S. export law limits the export outside the U.S. or Canada of products that host strong encryption or an open cryptographic interface. The digital signature requirement effectively prevents arbitrary use of CryptoAPI, and allows export of the host operating system and CryptoAPI-enabled applications. By removing encryption services from host systems and applications, CryptoAPI places the burden of U.S. encryption export restrictions squarely on the CSP vendor, who is subject to those controls regardless.

In addition, the operating system validates this signature periodically to ensure that the CSP has not been changed.

Microsoft's interests in applying signatures to CSPs are

Any disclosure requested by Microsoft is used solely to determine whether export approval is required, or whether sufficient export approval exists, for Microsoft to sign a vendor's CSP. Vendors must complete and return an Export Compliance Certificate (ECC) to Microsoft. A copy of the ECC is included at the end, in Export Compliance Certificate (ECC).

Vendors developing a CSP for distribution only in the U.S. and Canada need only complete and return the ECC.

Vendors who expect to export a CSP outside the U.S. and Canada must obtain export approval from a U.S. or Canadian export licensing authority or claim an exemption under U.S. export law. The completed ECC must contain evidence of export approval or exemption, and certify that the CSP is intended for export outside the U.S. or Canada. Microsoft independently confirms export approval, and when confirmation is complete, will return information on arrangements to sign the CSP.

Microsoft makes every effort to review the ECC and sign CSPs as expeditiously as possible. Exact time frames for review and signing depend on the circumstances of each request.

Vendors should consult legal counsel or U.S. export authorities to determine whether an export approval or exemption applies to their CSP.

Questions and comments about the CSP signing mechanism, signing procedures and CryptoAPI licensing policy can be sent by email to cspsign@microsoft.com.

CSP vendors can also consult the U.S. Commerce Department, Bureau of Export Administration, Office of Exporter Services, for assistance in the classification and/or export licensing of CSPs for export from the U.S. The U.S. Commerce Department's export license process, encryption export controls, and points of contact are described on their Web site at http://www.bxa.doc.gov/encstart.htm.

Microsoft will sign CSPs subject only to the limitations of U.S. export controls. Microsoft will sign CSPs from competitors. At present, CSPs are signed at the Microsoft facilities in Redmond, Washington, USA.

For further information, see Microsoft's CSP Signing Policy.