CSP Signing Policy - North American CSP Vendors

CSP vendors pursuing CSP development within North America must complete and return an Export Compliance Certificate ("ECC") to Microsoft. Microsoft will make every effort to review the ECC and sign CSPs as expeditiously as possible. Exact time frames for review and signing depend on the circumstances of your request. A copy of the ECC is included at the end of this section.

North America Only CSP

If you do not intend to distribute your CSP outside North America, complete the ECC and certify that you will distribute your CSP only in the U.S. or Canada. Return the ECC to Microsoft. When Microsoft has had a chance to review and verify the ECC, you'll be contacted with information on arrangements to sign your CSP.

CSP Intended for Export

If you do plan to export your CSP, you must obtain export approval from a U.S. or Canadian export licensing authority or claim an exemption under U.S. export law; you must complete the ECC with evidence of your export approval or exemption, and certify that you intend to export your CSP from the U.S. or Canada. Return the ECC to Microsoft. Microsoft may independently confirm export approval, and when confirmation is complete, you'll be contacted with information on arrangements to sign your CSP.

Vendors should consult legal counsel or U.S. export authorities to determine whether an export approval or exemption applies to their CSP. See Assistance and Feedback later in this section.

Canadian CSP vendors should note that, because Canadian export controls are not entirely consistent with U.S. export controls, U.S. and Canadian export authorities may need to agree whether a given CSP should be signed. Therefore, an approval to export from Canada may or may not be sufficient for Microsoft to sign the CSP.

Before Microsoft applies a digital signature to any CSP - whether it is intended for use in North America or elsewhere - Microsoft must receive an original signed ECC. However, Microsoft can initiate review and confirm export approval against a fax copy of the complete ECC.

Ordinarily Microsoft does not need to receive the actual CSP to complete signing, but can sign a message digest (hash) of the CSP itself. It is possible that a U.S. export license or other export approval for a CSP intended for export may require independent or government verification of the CSP's implemented security features prior to signing, which would be the responsibility of the CSP vendor.