I'm not doing RFC even if I implement it.
Last time I went around RFC, somebody understood SVG instead of BOX MODEL, even though I was stating it was BOX MODEL. And I don't want my name on it, though. Money would be useful, but...
It's simple: on the server you first send the CLIENT and your SERVER PUBLIC KEY to the USER. Then the USER's CLIENT generates the USER's PUBLIC KEY and sends it, already encrypted by the server public key, to the SERVER.
I don't see where it can get broken if PRIVATE KEYS are secured. I really don't think in a standard or normalized way. I don't know how RFCs are written or where they are submitted; when I tried to submit an RFC, the furthest I got was their workgroup's GitHub, when it was misunderstood a little bit.
For RSA there is a library for encryption.
In PHP on the server side you can use middleware to encrypt this way, but you need to:
respond to an encrypted request with encrypted information
respond to an unencrypted request by sending the encryption client
You can also just use OB_Start and flush it to the encrypter... And if the request's POST data is encrypted and valid, send it back; if not, send an error.
The full URL is always going to be visible, so you can set up an encrypted channel on "$algorythm".crypt.domain.net and set the route data in an encrypted POST request with the client.
The problem could be AJAX requests: you need to encrypt every AJAX request. If you are using any kind of wrapper for AJAX, e.g. jQuery, you can modify the wrapper to encrypt/decrypt AJAX as it flows. If you are using vanilla JS and you don't have an AJAX wrapper written, you need to manually change every AJAX request.
Is this explained enough?
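
The exchange described in the post, sketched with Node's built-in crypto module; this is an added example, not the poster's code, and every function name in it is hypothetical. It makes two assumptions the post does not state: RSA only wraps a fresh AES-GCM key (a PEM public key does not fit in one RSA-OAEP block), and the client checks the received server key against a fingerprint pinned out of band, because the exchange alone does not show whose key arrived.

```javascript
// Added example, not the poster's code; all function names are hypothetical.
const crypto = require('crypto');

const newKeyPair = () => crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const fingerprint = (pem) => crypto.createHash('sha256').update(pem).digest('hex');

// Hybrid encryption (assumption): RSA-OAEP wraps a fresh AES-256-GCM key,
// and that key encrypts the payload.
function seal(publicPem, plaintext) {
  const key = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  const wrapped = crypto.publicEncrypt({ key: publicPem, oaepHash: 'sha256' }, key);
  return { wrapped, iv, body, tag: c.getAuthTag() };
}
function unseal(privatePem, m) {
  const key = crypto.privateDecrypt({ key: privatePem, oaepHash: 'sha256' }, m.wrapped);
  const d = crypto.createDecipheriv('aes-256-gcm', key, m.iv);
  d.setAuthTag(m.tag); // final() throws if the message was modified
  return Buffer.concat([d.update(m.body), d.final()]);
}

// Server middleware: unencrypted request -> send client and server public key;
// encrypted request -> read the user's public key and answer encrypted to it.
function serverHandle(server, request) {
  if (!request.sealed) return { client: '<client code>', serverKey: server.publicKey };
  try {
    const userKey = unseal(server.privateKey, request.sealed).toString();
    return { sealed: seal(userKey, 'hello ' + fingerprint(userKey).slice(0, 8)) };
  } catch (e) {
    return { error: 'invalid encrypted request' };
  }
}

// User's client: accept the server key only if it matches the pinned
// fingerprint (assumption), then send its own public key under the server key.
function clientExchange(server, pinnedFingerprint) {
  const first = serverHandle(server, {});
  if (fingerprint(first.serverKey) !== pinnedFingerprint) return { error: 'server key mismatch' };
  const user = newKeyPair();
  const reply = serverHandle(server, { sealed: seal(first.serverKey, user.publicKey) });
  return { text: unseal(user.privateKey, reply.sealed).toString(), userKey: user.publicKey };
}
```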