
From today's HotWired Packet http://www.packet.com:
"Today Microsoft is using similar technology as part of its Cryptography API: You can't load an encryption engine into Windows 95 or Windows NT unless that engine has been specially signed by Microsoft's corporate key. The reason for this restriction, says the company, is the Clinton administration: Microsoft couldn't have gotten export permission for its operating systems if users could easily plug in crypto engines that hadn't been approved."

This is disturbing, if true, though I suspect there is also a less ominous reason: you certainly want your cryptography provider to be trusted, and you want to be sure the code has not been altered. The implications really depend on Microsoft's policy on signing cryptography engines, and whether they allow a way to delegate signature authority.

Ravi