Applications select the particular security services they will use by selectively attaching service provider modules. Each module has an assigned GUID and a set of descriptive attributes to assist applications in selecting appropriate modules for their use. A module can implement a range of services across the OCSF APIs (e.g., cryptographic functions, data storage functions) or a module can restrict its services to a single OCSF category of service (e.g., Certificate Library (CL) services only). Modules that span service categories are called multiservice modules.

Applications use a module's GUID to specify the module to be attached. The attach function, CSSM_ModuleAttach, returns a handle representing a unique pairing between the caller and the attached module. This handle must be provided as an input parameter when requesting services from the attached module. OCSF uses the handle to match the caller with the appropriate service module.

The calling application uses the handle to obtain all types of services implemented by the attached module. Figure 1 shows how the handle for an attached Dual Provider service provider is used to perform cryptographic operations and persistent storage of certificates. The single handle value can be used as the CSPHandle in cryptographic operations and as the DLHandle in data storage operations.

Multiple calls to attach are viewed as independent requests. Each attach request returns separate, independent handles that do not share execution state. Service provider modules may be detached using the CSSM_ModuleDetach function. However, an application should not invoke this operation unless all requests to the target service provider have been completed.