
But it's already fairly obvious how it works. They essentially MITM with the keyserver to receive the SSL nonce. Of course, it's pretty silly to expect cloudflare to have some special mathematical revolution to solve the stated problem. In fact I figure if you could terminate SSL without an online private key, the encryption scheme is simply broken.


But it's already fairly obvious how it works.

It is obvious, and they effectively implemented a custom approach for PKCS11/ssh-agent. Yet the narrative implies some brilliant period of insight and innovation, when really it kind of isn't.

Which is where the "silly" notion that they must have done something novel came from -- their narrative claims it.


Innovation means different things to different people. To you, it seems to mean a mathematical or algorithmic breakthrough. To me, it also means taking an existing idea or technology, deploying it in a new, real-world context, solving the UX / scalability / security / policy issues that arise in the new context, and making it commercially viable.

The fact that Cloudflare is the first global-level CDN to implement this kind of keyless SSL termination to me is innovation, even though it's based on pulling PKCS11 at the IP level. It's solving a real-world problem in their context, which nobody has solved before, and customers pay for it.


The approach is pretty obvious, and I instantly knew where they were going as soon as I read the phrase "session signing, the only part of the SSL handshake that requires the private key", but still, it's novel to take this existing concept and generalize it to solve the "I don't want to give CloudFlare my private keys" problem. It'll be especially cool if they establish an open standard for the keyserver protocol.
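A sketch of the split the thread describes, added here as an example and not Cloudflare's code: Go's crypto/tls accepts any crypto.Signer as a certificate's private key, so the edge can run the entire handshake and forward only the one signing operation to a key server that holds the key. The names (signReq, RemoteSigner, NewPair, SignAndVerify) and the in-process channel standing in for the authenticated network link are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"io"
)

// signReq is one "sign this handshake digest" request; a channel stands in for the authenticated link.
type signReq struct {
	digest []byte
	resp   chan []byte
}
// keyServer runs on the customer's side: it alone holds the private key and only returns signatures.
func keyServer(priv *ecdsa.PrivateKey, reqs <-chan signReq) {
	for r := range reqs {
		sig, _ := ecdsa.SignASN1(rand.Reader, priv, r.digest)
		r.resp <- sig
	}
}
// RemoteSigner runs at the edge and implements crypto.Signer, so it can serve as
// tls.Certificate.PrivateKey: crypto/tls calls Sign per handshake; the edge never holds the key.
type RemoteSigner struct {
	pub  *ecdsa.PublicKey
	reqs chan<- signReq
}
func (s *RemoteSigner) Public() crypto.PublicKey { return s.pub }
func (s *RemoteSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	resp := make(chan []byte)
	s.reqs <- signReq{digest: digest, resp: resp}
	return <-resp, nil
}
// NewPair generates a constructed P-256 key, starts the key server and returns the edge-side signer.
func NewPair() *RemoteSigner {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	reqs := make(chan signReq)
	go keyServer(priv, reqs)
	return &RemoteSigner{pub: &priv.PublicKey, reqs: reqs}
}
// SignAndVerify hashes a handshake transcript, signs it via the key server and verifies as a client would.
func SignAndVerify(s *RemoteSigner, transcript []byte) bool {
	digest := sha256.Sum256(transcript)
	sig, err := s.Sign(rand.Reader, digest[:], crypto.SHA256)
	return err == nil && ecdsa.VerifyASN1(s.pub, digest[:], sig)
}
```

The edge-side struct deliberately contains only the public key; the key server can enforce its own policy (rate limits, allowed edge identities, logging) on each request, which is where the trust boundary of such a deployment actually sits.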



