Skip to main content

A PFS-preserving protocol for LURK

Document Type Expired Internet-Draft (individual)
Expired & archived
Authors Samuel Erb , Rich Salz
Last updated 2016-11-29 (Latest revision 2016-05-28)
RFC stream (None)
Intended RFC status (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document defines a protocol between a content provider and an external key owner that enables the provider to act as a TLS termination end-point for the key owner, without having the key actually being provisioned at the provider. The protocol between the two preserves forward secrecy, and is also designed to prevent the use of the key owner as a general-purpose signing oracle which would make it complicit in attacks against uses of the very keys it is trying to protect.


Samuel Erb
Rich Salz

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)