At 10:14 AM 1/17/96 -0800, Alan Bostick wrote:

...

The OS will not load just any old CSP. CSPs have to be signed by Microsoft. The kernel contains a (hardcoded?) 1024 RSA public key that it uses to check the signature when the user tries to load a CSP. If the signature check fails, the CSP won't load. Microsoft says it will sign any CSP from anyone AS LONG AS THEY CERTIFY THAT THEY WILL FOLLOW THE EXPORT RULES. So you can get your CSP signed if you use exportable cryptography or if you agree not to send it outside the US and Canada, etc. But an end user can't just compile crypto code and use it as a CSP, even for his or her own use, without getting it signed by Microsoft first (actually, the CSP development kit does allow this, but it uses a special version of the OS).

The next obvious question is: Will Microsoft sign strong-crypto CSPs developed by foreign developers for out-of-USA use?

And, as well, for in-USA-use. Currently, it is only the export of cryptographic devices and programs which is restricted. Are they going to prohibit the export of digital signatures which enable the use of foreign-developed software?!?