The Windows API provides ways to set security descriptors on objects (allowing the setup of Access Control Lists, for instance).
Security Descriptors of cryptographic keys hosted by a Key Storage Provider (KSP) can be valued using the NCryptSetProperty (and the proper set of flags and parameters).
The Cryptography Provider Development Kit (CPDK) doesn't require any mandatory support of Security Descriptors though (and on dedicated servers where no user account is created, it might not be useful to set an Access Control List indeed).
Does someone know if Security Descriptors support by KSP is expected by some Microsoft applications despite everything? (like Active Directory Certificate Services, for instance)
