In accordance with the U.S. Department of Commerce's export restrictions concerning cryptography, Microsoft must digitally sign every CSP so that it will run on Microsoft operating systems. The primary purpose of the digital signature is the protection of the system and its users. The operating system validates this signature periodically to ensure that the CSP has not been tampered with. A secondary effect of the digital signature is that it separates applicable export controls on the CSP from the host operating system and applications, thus allowing broader distribution of encryption-enabled products than would be possible under other circumstances.
Generally, U.S. export law limits the export outside the United States or Canada of products that host strong encryption or an open cryptographic interface. The digital signature requirement effectively prevents arbitrary use of CryptoAPI and enables export of the host operating system and CryptoAPI-enabled applications. By removing encryption services from host systems and applications, CryptoAPI places the burden of U.S. encryption export restrictions on the CSP vendor, who is subject to those controls regardless.
Send e-mail to cspsign@microsoft.com if you have questions and comments about the CSP signing mechanism, signing procedures, and CryptoAPI licensing policy. You can request a Microsoft Cryptographic Service Provider Developer's Kit from the Security node of this Microsoft Web site.
CSP vendors may want to consult the U.S. Commerce Department, Bureau of Export Administration, Office of Exporter Services for assistance in the classification and/or export licensing of CSPs for export from the United States.
See Also
Cryptography Registry Settings | About Cryptographic Service Provider | Cryptography | Microsoft Cryptographic System | Certificates
Send Feedback on this topic to the authors
Feedback FAQs