PFS Service API
The Virgil Perfect Forward Secrecy (PFS) service is a standalone web service dedicated to the PFS use case. It works on top of the Virgil Cards PKI infrastructure and relies heavily on Virgil Cards as its building blocks.
Perfect Forward Secrecy (PFS) is a technique that protects previously intercepted traffic from being decrypted, even if the main private key is compromised.
Each recipient is identified by:
Identity Card (IC)
The long-term Virgil Card registered for the recipient. This card is never rotated and has an unlimited lifetime. In terms of the Virgil Cards service, it is an application-scoped Virgil Card carrying the client's information. It is created by the SDK package directly on the Virgil Cards service.
Long-Term Ephemeral Card (LTC)
An ephemeral Virgil Card that is rotated periodically (daily or monthly, depending on the application developer's security considerations) and signed with the IC. In terms of the Virgil Cards service, it is an application-scoped Virgil Card created on behalf of the Virgil PFS service.
One-Time Ephemeral Card (OTC)
Short-term Virgil Cards, each of which expires after a single session (the session lifetime is determined on the client side by the Virgil PFS SDK) and is signed with the IC. Each is an application-scoped Virgil Card created on behalf of the Virgil PFS service.
An LTC or OTC must carry only the signature of its IC. ICs are identified by the client's identity and are constrained by that value.
Create a Recipient's Entry
Invoking this endpoint is optional; it is used only to bootstrap the OTCs and LTCs for an IC.
Create a Recipient's LTC
This endpoint pushes a new LTC and revokes the previous one, if any.
Get a Recipient's Credentials
This endpoint searches the registered recipients and returns each matching recipient's IC, LTC and one OTC. The returned OTC is marked as exhausted and is never returned again. Note that a recipient is returned only if it has at least a valid IC and LTC. A maximum of 10 identities can be requested per call.
Get Recipient's OTCs
This endpoint returns a given number of the client's available OTCs.
Upload Recipient's OTCs
The purpose of this endpoint is to push multiple OTCs to the server. The maximum number of OTCs for one recipient is 100 entries.
The response also carries an x-otcs-count custom HTTP header with the actual OTC count.
This endpoint validates the list of OTCs provided, by their identifiers. The maximum number of identities is 150.
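The card hierarchy above (an IC whose signature is the only one an LTC or OTC may carry), the one-time consumption of OTCs on credential lookup, and the x-otcs-count returned by the upload endpoint, as an added server-side model written for this page. It is not Virgil's code and not the real Virgil Card format: Card, Recipient, NewSignedCard, SignedOnlyByIC, UploadOTCs and Credentials are constructed names, and Ed25519 from the Go standard library stands in for the card signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Card is a constructed stand-in for a Virgil Card, not the real card format.
type Card struct {
	ID         string
	PublicKey  ed25519.PublicKey
	Signatures map[string][]byte // signer card ID -> signature over PublicKey
}

// Recipient is the server-side entry: one IC, one LTC and a pool of OTCs.
type Recipient struct{ IC, LTC *Card; OTCs []*Card }

// NewSignedCard builds an LTC or OTC: a fresh key pair whose public key the IC signs.
func NewSignedCard(id string, ic *Card, icPriv ed25519.PrivateKey) *Card {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	return &Card{ID: id, PublicKey: pub, Signatures: map[string][]byte{ic.ID: ed25519.Sign(icPriv, pub)}}
}

// SignedOnlyByIC enforces "LTC and OTC must only have the signature of the IC": one signature, the IC's, and it verifies.
func SignedOnlyByIC(ic, c *Card) bool {
	sig, ok := c.Signatures[ic.ID]
	return len(c.Signatures) == 1 && ok && ed25519.Verify(ic.PublicKey, c.PublicKey, sig)
}

// UploadOTCs stores a batch of OTCs and returns the new count, the value the x-otcs-count header carries.
func (r *Recipient) UploadOTCs(cards []*Card) (int, error) {
	for _, c := range cards {
		if !SignedOnlyByIC(r.IC, c) {
			return len(r.OTCs), errors.New("OTC " + c.ID + " is not signed only by the IC")
		}
	}
	r.OTCs = append(r.OTCs, cards...)
	return len(r.OTCs), nil
}

// Credentials returns IC, LTC and one OTC; that OTC is exhausted and never returned again.
func (r *Recipient) Credentials() (ic, ltc, otc *Card, err error) {
	if r.IC == nil || r.LTC == nil || !SignedOnlyByIC(r.IC, r.LTC) {
		return nil, nil, nil, errors.New("recipient has no valid IC and LTC")
	}
	if len(r.OTCs) > 0 { // with no OTC left, IC and LTC are still returned
		otc, r.OTCs = r.OTCs[0], r.OTCs[1:]
	}
	return r.IC, r.LTC, otc, nil
}
```

The 100-OTC and 10-identity limits from the text are not enforced here; a real service would check them before calling UploadOTCs and Credentials.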