to the baseline product driven by market considerations without waiting for an export license review that would be necessary for a product with built-in cryptographic functionality.
Cryptographic APIs are likely to have a profound effect on the rapidity with which cryptography will diffuse into various information technology applications. If implemented properly (not a trivial task), they can enhance the security of stored data and communications. When effective CAPI technologies are embedded into the operating systems upon which IT applications build, the result will likely be encrypted files and communications galore. Operating systems will be shipped with default cryptographic modules that are active "out of the box," and users will have the option of replacing default modules with more capable modules procured from other vendors.
The notion of a CAPI is not new. However, in general, export licenses for products incorporating CAPIs have been denied, even though such products, with no cryptographic capabilities built into them, have no cryptographic functionality and are therefore not specifically included in Category XIII of the International Traffic in Arms Regulations (see Appendix N). The reason for such denial has been that strong cryptographic capabilities could be deployed on a vast scale if U.S. vendors exported applications supporting a common CAPI and a foreign vendor marketed (or some party made available over the Internet) an add-on module with strong cryptography, which foreign users could then plug into the baseline U.S. product.