KSP

The AliasList parameter maps certificates from CSP to KSP.

The KSP allows all certificates by default, but there are scenarios when some certificates should be ignored. This parameter specifies the matching condition to be fulfilled to allow a certificate.

The KSP allows all tokens by default, but there are scenarios when some tokens should be ignored. The AllowToken parameter specifies the matching condition. See Tokens for more information.

During token management there can be an eternal loop, because of the behavior of the underlaying security system. This parameter is added to avoid this loop.

The ComponentEnable and ComponentDisable parameters allows the use of conditions to blacklist and/or whitelist an applications' use of the KSP.

The CRYPT_SILENT flag can be specified by an application when communicating with the KSP. When this flag is specified, it tells that the KSP is not allowed to open any dialogs. But sometimes the calling application have forgotten that a PIN dialog is needed, so a parameter is added to ignore this flag.

FriendlyName is the description that sometimes is used to represent the certificate. This parameter is used to specify the format of this text.

The IgnoreLogout parameter disables all attempts to logout a smart card by the caller, to avoid interference with single sign-on.

ImplementationType sets the value the KSP uses during its registration. The following values are defined:

Set KeepConnected to 1 to always keep the PKCS11 component loaded.

The LoadMyself flag is used to load the library one extra time to avoid unloading. This behavior is not recommended, but is available to allow for the same behavior as CSP.

The MaxContext parameter sets the maximum number of simultaneous KSP contexts. The minimum value is 10.

Usually the KSP checks for token events and act on those. For example when smart cards are removed or inserted. But in some scenarios, you may want to turn off this event checking.

The default container name is generated from certificate thumbprint and ended with slot ID. The slot ID is usually not required and can be ignored.

The ProviderName parameter specifies the name of our KSP.

There is no separate registration of smart cards towards KSP. Instead it is an option when registering the CSP.

For more information about registration, consult the external website docs.microsoft.com (external link that opens in new tab) .

The certificate can be sorted before returned to the calling application. This allows some kind of default certificate control, but should probably not be used any longer since it only tells in what sequence the KSP will return certificates. The intended function is to control the order of certificates for a certificate selection dialog, but there are too many layers of interfaces to predict the outcome. That is, order can be updated by CryptoAPI or the certificate selection dialog.

The UseCritical parameter adds a critical section for each KSP call. It blocks multi-threaded access, and makes sure that each call is atomic.

The KSP can show PIN dialog, but can also run in silent mode.

Our KSP can use key ID as container name, but is usually generated from the certificate thumbprint.