From: Daniel Stenberg Date: Thu, 3 Aug 2023 15:27:44 +0000 (+0200) Subject: TODO: remove "Support intermediate & root pinning for PINNEDPUBLICKEY" X-Git-Tag: curl-8_3_0~228 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f49b5bacbf6d39d163ca3ddd3f15eb50488b6d6;p=thirdparty%2Fcurl.git TODO: remove "Support intermediate & root pinning for PINNEDPUBLICKEY" See also https://github.com/curl/curl/pull/7507 --- diff --git a/docs/TODO b/docs/TODO index d6bf5980fa..a7ea191147 100644 --- a/docs/TODO +++ b/docs/TODO @@ -121,7 +121,6 @@ 13.8 Support DANE 13.9 TLS record padding 13.10 Support Authority Information Access certificate extension (AIA) - 13.11 Support intermediate & root pinning for PINNEDPUBLICKEY 13.12 Reduce CA certificate bundle reparsing 13.13 Make sure we forbid TLS 1.3 post-handshake authentication 13.14 Support the clienthello extension @@ -878,17 +877,6 @@ See https://github.com/curl/curl/issues/2793 -13.11 Support intermediate & root pinning for PINNEDPUBLICKEY - - CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root - certificates when comparing the pinned keys. Therefore it is not compatible - with "HTTP Public Key Pinning" as there also intermediate and root - certificates can be pinned. This is useful as it prevents webadmins from - "locking themselves out of their servers". - - Adding this feature would make curls pinning 100% compatible to HPKP and - allow more flexible pinning. - 13.12 Reduce CA certificate bundle reparsing When using the OpenSSL backend, curl will load and reparse the CA bundle at
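Review bot: In the first hunk (the index at `@@ -121,7 +121,6 @@`), dropping the `13.11` entry leaves the list jumping from `13.10 Support Authority Information Access certificate extension (AIA)` straight to `13.12 Reduce CA certificate bundle reparsing`. If anything refers to TODO items by number, the gap is harmless and keeps the later numbers stable, but it is worth saying in the commit message that the gap is intentional; otherwise renumber 13.12 onward in both the index and the body in the same change so the two stay in sync.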
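Review bot: In the second hunk (the body at `@@ -878,17 +877,6 @@`), the removed paragraph is the only place in this patch that states the behaviour "CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root certificates when comparing the pinned keys", and the commit message gives no reason for dropping it beyond "See also" a pull request link. Please say in the commit message whether the item is being removed because it was implemented or because it will not be done. If the leaf-only comparison remains the behaviour, that limitation should be stated in the option's own documentation, since someone pinning an intermediate or root key hash would otherwise have no visible indication that it will not match.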