A CAPI, or cryptographic application programming interface,
is an interface to a library of functions that software developers
can call upon for security and cryptography services. The goal
of a CAPI is to make it easy for developers to integrate cryptography
into applications. Separating the cryptographic routines from
the software may also allow the export of software without any
security services implemented. The software can later be linked
by the user to the local security services. CAPIs can be targeted
at different levels of abstraction, ranging from cryptographic
module interfaces to authentication service interfaces. The International
Cryptography Experiment (ICE) is an informally structured program
for testing NSA's export restrictions (see Question 148 and
Question 149)
on CAPIs. More information can be obtained about this program
by e-mail to <ice@tis.com>. Some examples of CAPIs
include RSA Laboratories' Cryptoki (PKCS #11)
[RSA95], NSA's Fortezza
(see Question 156), Internet GSS-API [Lin93], and the X/Open GCS-API
[Xop95]. NSA has prepared a helpful report
[NSA95] that surveys
some of the current CAPIs.