I have been doing some research on the development of an abstract security services API(not just a CAPI) and have hit a road block. The problem revolves around the need to authenticate a security service provider to an application. I noticed that microsoft has followed a path of providing a signature in each external provider but the feeling is that this is not that difficult to circumvent. I have the same misgivings but cannot come up with anything else. Are my misgivings unfounded??? What are some other possibilities to allow intrahost (application) authentication of services. Do you need to actually have a cryptographic binding of services? Comments.... Jim Leppek jleppek@suw2k.hisd.harris.com Harris Corporation