Every CSP must be digitally signed by Microsoft to be recognized by the operating system. The primary purpose of the digital signature is the protection of the system and its users; the operating system validates this signature periodically to ensure that the CSP has not been tampered with. A secondary effect of the digital signature is that it separates applicable export controls on the CSP from the host operating system and applications, thus allowing broader distribution of encryption-enabled products than would be possible under other circumstances.
Generally, U.S. export law limits the export outside the United States or Canada of products that host strong encryption or an open cryptographic interface. The digital signature requirement effectively prevents arbitrary use of CAPI and enables export of the host operating system and CAPI-enabled applications. By removing encryption services from host systems and applications, CAPI places the burden of U.S. encryption export restrictions on the CSP vendor, who is subject to those controls regardless.
Questions and comments about the CSP signing mechanism, signing procedures and CAPI licensing policy can be directed to cspsign@microsoft.com.
CSP vendors may wish to consult the U.S. Commerce Department, Bureau of Export Administration, Office of Exporter Services for assistance in the classification and/or export licensing of CSPs for export from the United States.