This chapter describes the CSP signature process and Microsoft's policy on digitally signing CSPs for vendors in and outside of North America (the United States and Canada).
Every CSP must be digitally signed by Microsoft in order to be recognized by the operating system. The primary purpose of the digital signature is the protection of the system and its users - the operating system validates this signature periodically to ensure that the CSP has not been tampered with. A secondary effect of the digital signature is that it separates applicable export controls on the CSP from the host operating system and applications, thereby allowing broader distribution of encryption-enabled products than would be possible under other circumstances. Generally, U.S. export law limits the export outside the U.S. or Canada of products that host strong encryption or an open cryptographic interface. The digital signature requirement effectively prevents arbitrary use of CryptoAPI, and allows export of the host operating system and CryptoAPI-enabled applications. By removing encryption services from host systems and applications, CryptoAPI places the burden of U.S. encryption export restrictions squarely on the CSP vendor, which is subject to those controls regardless.