TODO: remove "Support intermediate & root pinning for PINNEDPUBLICKEY"

See also https://github.com/curl/curl/pull/7507
2025-01-30 14:22:33 +08:00 · 2023-08-03 17:27:44 +02:00 · 2023-08-03 17:27:44 +02:00 · 0f49b5bacb
commit 0f49b5bacb
parent 16d077330b
1 changed files with 0 additions and 12 deletions
--- a/docs/TODO
+++ b/docs/TODO
@ -121,7 +121,6 @@
 13.8 Support DANE
 13.9 TLS record padding
 13.10 Support Authority Information Access certificate extension (AIA)
- 13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
 13.12 Reduce CA certificate bundle reparsing
 13.13 Make sure we forbid TLS 1.3 post-handshake authentication
 13.14 Support the clienthello extension
@ -878,17 +877,6 @@

 See https://github.com/curl/curl/issues/2793

-13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
-
- CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root
- certificates when comparing the pinned keys. Therefore it is not compatible
- with "HTTP Public Key Pinning" as there also intermediate and root
- certificates can be pinned. This is useful as it prevents webadmins from
- "locking themselves out of their servers".
-
- Adding this feature would make curls pinning 100% compatible to HPKP and
- allow more flexible pinning.
-
 13.12 Reduce CA certificate bundle reparsing

 When using the OpenSSL backend, curl will load and reparse the CA bundle at