Platform SDK: Cryptography

CSP Signing Policy - North American CSP Vendors

CSP vendors pursuing CSP development within the United States and Canada must complete and return an Export Compliance Certificate (ECC) to Microsoft. Microsoft will make every effort to review the ECC and sign CSPs as expeditiously as possible. Exact time frames for review and signing depend on the circumstances of your request. A copy of the ECC is included at the end of this section.

North America Only CSP

To distribute a CSP only inside the U.S. and Canada, complete the ECC and certify that the CSP will be distributed only in the U.S. or Canada. Return the ECC to Microsoft. When Microsoft has had a chance to review and verify the ECC, Microsoft will return information on arrangements to sign the CSP.

CSP Intended for Export

To export a CSP, the vendor must obtain export approval from a U.S. or Canadian export licensing authority or claim an exemption under U.S. export law. The completed ECC must contain evidence of export approval or exemption, and certify that the CSP is intended for export outside the U.S. or Canada. Return the ECC to Microsoft. Microsoft may independently confirm export approval, and when confirmation is complete, will return information on arrangements to sign the CSP.

Vendors should consult legal counsel or U.S. export authorities to determine whether an export approval or exemption applies to their CSP. For more information, see Background - U.S. Export Controls and CryptoAPI later in this section.

Note for Canadian CSP vendors: Because Canadian export controls are not entirely consistent with U.S. export controls, U.S. and Canadian export authorities might need to agree whether a given CSP should be signed. Therefore, an approval to export from Canada might not be sufficient for Microsoft to sign the CSP.

Before Microsoft applies a digital signature to any CSP - whether it is intended for use in the United States and Canada or elsewhere - Microsoft must receive an original, signed ECC. However, Microsoft can initiate review and confirm export approval against a fax copy of the complete ECC.

Ordinarily, Microsoft does not need to receive the actual CSP to complete signing, but can sign a message hash of the CSP itself. A U.S. export license or other export approval for a CSP intended for export might require independent or government verification of the CSP's implemented security features prior to signing. Getting this verification is the responsibility of the CSP vendor.