DAS is a Java servlet that performs asymmetric private key operations (such as RSA decryption, RSA and ECDSA signing, or ECDH key agreement) on demand for properly authenticated users. Typically the users are members of a group that may be thought of either as a community of interest (COI) or as defining a particular security role.
DAS is supported by and fully compatible with DAS-enabled CSPid 2.0 and above, thereby making DAS services available to any security-enabled application that makes use of CSPid. Authentication to a DAS server may be direct or delegated through a separate proxy service.
Sharing sensitive documents among the members of a COI
DAS† allows sensitive documents and even entire disk partitions to be securely shared among the frequently changing members of one or more Communities of Interest (CoIs). Once a document is encrypted for a particular CoI (or for the union of several CoIs), DAS ensures that it can only be decrypted by a current member of that group. Documents need not be re-encrypted as group membership rosters change — DAS figures out in real time who should have access to a given document.
Facilitating ‘role-based’ signing
Another application of DAS is to facilitate ‘role-based’ signing: issue a special ‘role certificate’ and load its private key along with a ‘duty roster’ of authorized ‘watch officers’ into a DAS server. DAS will ensure that only active watch officers can sign documents using that role’s private key.† Recipients use the ‘role certificate’ to validate incoming signed messages while the DAS system audit trail records forensic evidence if knowledge of exactly which individual watch officer signed a given document is ever required.
Defining Groups and Roles
Groups may be defined using a local certificate database or via queries to an existing LDAP repository. As of release 1.7, DAS supports dynamic LDAP groups as well as static ones when used with SecretAgent 5.9 client software. As of release 6.0, SecretAgent clients allow documents to be encrypted for arbitrary intersections (of unions) of static and dynamic LDAP groups.
†DAS-mediated decryption and signing services may be accessed via DAS-enabled CSPid by nearly all security-enabled applications (including S/MIME clients such as Microsoft Outlook and Mozilla Thunderbird), or directly by SecretAgent and SpyProof! clients. Client applications can access DAS services on behalf of an authorized subject using either direct or delegated authentication.