DAS is a customer-hosted (on-premise or cloud) web service that performs cryptographic operations (such as decryption, signing,
and key agreement) on behalf of properly authenticated users. Typically these users are members of a ‘community of interest’ (COI) or of a group authorized to play a specific organizational role.


DAS Information Sheet




DAS is a Java servlet that performs asymmetric private key operations (such as RSA decryption, RSA and ECDSA signing, or ECDH key agreement) on demand for properly authenticated users. Typically the users are members of a group that may be thought of either as a community of interest (COI) or as defining a particular security role.

Overview of Use Cases

DAS is supported by and fully compatible with DAS-enabled CSPid 2.0 and above, thereby making DAS services available to any security-enabled application that makes use of CSPid. Authentication to a DAS server may be direct or delegated through a separate proxy service.

Sharing sensitive documents among the members of a COI

DAS† allows sensitive documents and even entire disk partitions to be securely shared among the frequently changing members of one or more Communities of Interest (CoIs). Once a document is encrypted for a particular CoI (or for the union of several CoIs), DAS ensures that it can only be decrypted by a current member of that group. Documents need not be re-encrypted as group membership rosters change — DAS figures out in real time who should have access to a given document.

COI Decryption

Facilitating 'role-based' signing

Another application of DAS is to facilitate 'role-based' signing: issue a special 'role certificate' and load its private key along with a 'duty roster' of authorized 'watch officers' into a DAS server. DAS will ensure that only active watch officers can sign documents using that role's private key.† Recipients use the 'role certificate' to validate incoming signed messages while the DAS system audit trail records forensic evidence if knowledge of exactly which individual watch officer signed a given document is ever required.

Role-Based Signing

Defining Groups and Roles

Groups may be defined using a local certificate database or via queries to an existing LDAP repository. As of release 1.7, DAS supports dynamic LDAP groups as well as static ones when used with SecretAgent 5.9 client software. As of release 6.0, SecretAgent clients allow documents to be encrypted for arbitrary intersections (of unions) of static and dynamic LDAP groups.

†DAS-mediated decryption and signing services may be accessed via DAS-enabled CSPid by nearly all security-enabled applications (including S/MIME clients such as Microsoft Outlook and Mozilla Thunderbird), or directly by SecretAgent and SpyProof! clients. Client applications can access DAS services on behalf of an authorized subject using either direct or delegated authentication.