Platform SDK: Cryptography |
Microsoft® Windows NT® with CryptoAPI and the Microsoft Base Cryptographic Provider was transferred from State to Commerce jurisdiction by ODTC Case CJ 128-95, and qualifies for export under License Exception TSU (formerly GTDU) and the General Software Note (GSN) listed in Supplement 2 to Part 774 of the U.S. Commerce Export Administration Regulations. A subsequent transfer covers Microsoft® Windows® 95 with CryptoAPI and the Base Cryptographic Provider. These products may be exported to all destinations and users except countries, persons, entities, or end users subject to U.S. export restrictions. Restricted countries currently include, but are not necessarily limited to, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Restricted persons and entities include but are not necessarily limited to anyone whose export privileges have been suspended, revoked, or denied by the U.S. Bureau of Export Administration or any other federal agency.
U.S. export laws restrain Microsoft and other U.S. companies from offering or enabling strong data encryption in their products intended for export from the U.S. or Canada. Software with data encryption, or software with APIs to provide cryptographic services, are treated as highly restricted commodities. By prohibiting foreign sale of these products to all but a few entities outside the U.S. or Canada, the U.S. government limits distribution of such products to the U.S. and Canada and eliminates virtually all foreign markets for most vendors, thereby removing much of the incentive to implement these features in the first place. Generally speaking, U.S. export restrictions have been a very effective deterrent to the proliferation of strong encryption in mass-market software in the U.S. and abroad.
An open cryptographic API allowing any vendor to implement any CSP might be very useful to security providers, but it would make the host operating system with the cryptographic API ineligible for export from the U.S. or Canada. To ensure that CryptoAPI-enabled Microsoft operating systems are and will remain exportable, Microsoft does not permit open access to these APIs. Microsoft has implemented the CSP signing policy to meet the dual objectives of providing as many vendors as possible a secure and flexible approach to enabling cryptographic services, while maintaining the foreign availability of Microsoft operating systems.
The digital signature requirement separates possible export controls on the CSP from the host operating system and applications, thereby allowing broader distribution of encryption-enabled products than would be possible under other circumstances. The signature effectively prevents arbitrary use of CryptoAPI, which ensures the continued exportability of the host operating system. By removing encryption services from host systems and applications, the burden of U.S. encryption export restrictions is placed squarely on the cryptographic provider which is already subject to these controls with respect to any CSP it markets, whether or not the CSP functions through CryptoAPI.
Microsoft's program for distribution of the CSPDK and CSP signing policy are specifically designed to minimize the impact of U.S. export laws to the greatest extent we think is possible today: they specifically do not interfere with the development of CSPs for use in he U.S. or Canada; the CSP signing policy expects vendors to perform due diligence in the licensing of their CSPs when those CSPs are intended for export from the U.S. or Canada; and the CSPDK distribution program and CSP signing policy comply with existing U.S. export laws for the provision of encryption products (CSPDKs) and services (CSP signatures) to vendors outside the U.S. or Canada.