Platform SDK: Cryptography

Export Compliance Certificate (ECC)

EXPORT COMPLIANCE CERTIFICATE

For CSP Signing Services to North American Vendors

WHO SHOULD COMPLETE THIS DOCUMENT The Export Compliance Certificate ("ECC") is intended for CSP vendors with operations in the U.S. or Canada (hereafter 'North America') pursuing CSP development within North America, who seek to have Microsoft or a third-party designated by Microsoft digitally sign a vendor's CSP to enable it to access the Microsoft CryptoAPI. If you are a vendor located outside North America an export license agreement or other arrangement may replace the ECC.

DISCLAIMER AND NOTICE This document is used solely to determine whether export approval is required, or if sufficient export approval exists, for Microsoft to sign CSPs. Microsoft's interests in applying signatures to CSPs are to maintain the integrity of system security, ensure the exportability of CryptoAPI-enabled systems and applications, and to exercise due diligence under prevailing U.S. and other national export controls. Microsoft obtains no right to any CSP by virtue of signing it. Neither do we assume any responsibility for the CSPs we sign. The CSP vendor is wholly responsible for the distribution, disposition and possible end-use of its CSPs, including any possible export or diversion of CSPs outside North America or licensed destinations. The digital signature applied to CSPs in no way grants U.S. export approval or any other form of legal approval for use of a CSP in any national or international context. Microsoft has no role in the U.S. export approval process of a vendor's CSP: U.S. export approval (by license, classification, or exemption) is a separate requirement that CSP vendors must satisfy independently of the digital signature process, and it must precede the signature process when the CSP is intended for use outside North America.

CSP SIGNING CRITERIA AND VENDOR INSTRUCTIONS Microsoft will sign CSPs subject only to the limitations of U.S. export controls. We will sign CSPs from competitors. Microsoft will make every effort to complete ECC review and sign CSPs as expeditiously as possible. Exact time frames for review and signing depend on the circumstances of your request. Ordinarily Microsoft does not need to receive the actual CSP to complete signing, but can sign a hash of the CSP itself.

Sign and Return to Microsoft Before Microsoft signs any CSP it must receive an original signed ECC with sufficient information to evaluate the request. Return ECCs to Microsoft Corporation, Attn: Richard Harrington, One Microsoft Way, Redmond, WA 98052-6399. Questions? Email cspsign@microsoft.com.

SECTION I - GENERAL INFORMATION

All North American (U.S. and Canada) CSP vendors must complete this section.

A. VENDOR INFORMATION Please give the physical address where CSP development has taken or will take place.

B. CSP INFORMATION Please supply sufficient information to identify your CSP by name and to categorize its cryptographic functions. Provide a separate Export Compliance Certificate for each CSP you need signed.

C. INTENDED DISTRIBUTION FOR THIS CSP At the time of this certification the vendor intends the above-described CSP for distribution, disposition or use (check one):

SECTION II - EVIDENCE OF EXPORT APPROVAL

Complete this section only if the described CSP is intended for distribution outside of North America (U.S. and Canada). Otherwise skip to Section III. For export approval, consult legal counsel or relevant export authorities. Commerce export controls are described on their web site at http://www.bxa.doc.gov/encstart.htm.

A. EXPORT CONTROL JURISDICTION FOR THIS CSP Check one of the following:

B. EXPORT APPROVAL INFORMATION Check any type of export approval that you have obtained for this CSP and wish to cite as evidence of export approval. If the CSP is intended for use outside North America, Microsoft cannot sign the CSP without evidence of export approval. You may optionally attach a copy of your export license, CJ/CCATS confirmation, or other export approval. The export approval must correspond to the Product Name and Version cited above.

SECTION III - EXPORT NOTICES

Vendor must execute the signature portion of the ECC acknowledging US export controls as they may apply to their CSP, and attesting to the accuracy of the information they provide herein.

*EXPORT NOTICE FOR CSP VENDORS CERTIFYING THAT THEIR CSP IS FOR DISTRIBUTION, DISPOSITION, OR USE SOLELY IN NORTH AMERICA: CSP Vendor acknowledges that their CSP is subject to US export control laws and regulations. CSP Vendor certifies that it does not intend to export or re-export the CSP named above outside of North America. If the CSP Vendor subsequently decides to export the CSP outside of North America by any means (including physical or electronic distribution), CSP Vendor agrees to obtain U.S. export approval. CSP Vendor is wholly responsible for such export, distribution, disposition and possible end-use of their CSP outside of North America, including complying with all US export or other national controls over their CSP modules, and that Microsoft assumes no responsibility or liability for CSP Vendor's failure to obtain required export approvals.

**EXPORT NOTICE FOR CSP VENDORS CERTIFYING THAT THEIR CSP IS FOR DISTRIBUTION, DISPOSITION, OR USE OUTSIDE OF NORTH AMERICA: CSP Vendor acknowledges that their CSP is subject to US export control laws and regulations. CSP Vendor certifies that it intends to export or re-export the CSP named above outside of North America. CSP Vendor further acknowledges that it is wholly responsible for such distribution, disposition and possible end-use of its CSP outside of North America, including complying with all US export or other national controls over the CSP modules, and that Microsoft assumes no responsibility or liability for CSP Vendor's failure to obtain required export approvals.

If "Company Name" or a company address is filled in below, then the individual signing the ECC represents that he/she has authority to execute this agreement on behalf of such company. This ECC does not otherwise amend or alter the End-User License Agreement for the CryptoAPI CSP Development Kit (CSPDK) previously signed and completed by the Vendor.

IN WITNESS WHEREOF, Recipient has caused this Export Compliance Certificate to be executed by its duly authorized representative, and that the information provided herein is true to the best of his/her knowledge.