| Platform SDK: Cryptography |
This section assumes that a CSP vendor from outside the U.S. and Canada has already received the CSPDK under an appropriate U.S. export license. Vendors who have not yet received the CSPDK can contact Microsoft (cspsign@microsoft.com) for information on the CSPDK license process.
Because all of the required certifications are completed during the U.S. export license process, when a CSP vendor from outside the U.S. and Canada is ready to have a CSP signed, it is not necessary to complete an Export Compliance Certificate or other documentation. These vendors can notify Microsoft when they are ready, or preferably notify Microsoft approximately two to three weeks prior to when the CSP may be ready to sign. Microsoft will use the time to verify the request against any possible terms and conditions of the export license covering the CSP development. When confirmation is complete, Microsoft will return information on arrangements to sign the CSP.
A U.S. export license or other export approval for a CSP intended for export might require independent or government verification of the CSP's implemented security features prior to signing, which would be the responsibility of the CSP vendor. It may also be a condition of the U.S. export license that Microsoft receives the actual CSP for signing, and not just a hash.
At present Microsoft will sign CSPs at its facilities in Redmond, Washington, USA. In the future Microsoft might sign CSPs at approved locations in foreign countries, at which time Microsoft will offer CSP vendors from outside the U.S. and Canada the option of offshore signing.
In summary, Microsoft will sign CSPs for vendors outside the U.S. and Canada subject to the limitations of U.S. export controls and other national controls on this technology. Microsoft will sign CSPs from competitors. Microsoft will make every effort to review signing requests and sign CSPs as expeditiously as possible. Exact time frames for review of signing requests and CSP signing depend significantly on whether the U.S. export license permitting the CSP development set down any conditions for review or confirmation of the CSP's implemented security features.