To license a program to a specific machine means that you have to encode information about that "installation" and in the future given the opportunity (like during an upgrade) to check and see if that license is still running from the "original" information/installation, i.e. perform a validation of the license. Or I am missing something? The first problem is that any code executed on a piece of hardware in which the "bad guys" have control, is code that is reproducible in your choice of programming languages (practically, with comments thanks to MS Framework). That means if you make a call to DPAPI.ProtectedData or RNGCryptoServiceProvider, the bad guys will be able to watch the calls and know what those calls do. At the end of the day, you have to run as much code as possible on the server to deprive prying eyes. At least as far as the licensing. The problem is "local" -- how do you execute those functions and get public/private keys that are from the client and not from the server? I know about metadata decorations for a class that says it needs a license. In fact, my understanding is that every class constructor has a Validate method called in the LicenseProvider class. It is if you do require validation. Since we are still discussing this in a "web" thread, caching a license on the web is a possibility, but the "client" must have Winhost access and you give up on a "standalone" application and require "connected sometimes". Frustrating isn't it? Any body been there done that?