From 0f49b5bacbf6d39d163ca3ddd3f15eb50488b6d6 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 3 Aug 2023 17:27:44 +0200 Subject: [PATCH] TODO: remove "Support intermediate & root pinning for PINNEDPUBLICKEY" See also https://github.com/curl/curl/pull/7507 --- docs/TODO | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/docs/TODO b/docs/TODO index d6bf5980fa..a7ea191147 100644 --- a/docs/TODO +++ b/docs/TODO @@ -121,7 +121,6 @@ 13.8 Support DANE 13.9 TLS record padding 13.10 Support Authority Information Access certificate extension (AIA) - 13.11 Support intermediate & root pinning for PINNEDPUBLICKEY 13.12 Reduce CA certificate bundle reparsing 13.13 Make sure we forbid TLS 1.3 post-handshake authentication 13.14 Support the clienthello extension @@ -878,17 +877,6 @@ See https://github.com/curl/curl/issues/2793 -13.11 Support intermediate & root pinning for PINNEDPUBLICKEY - - CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root - certificates when comparing the pinned keys. Therefore it is not compatible - with "HTTP Public Key Pinning" as there also intermediate and root - certificates can be pinned. This is useful as it prevents webadmins from - "locking themselves out of their servers". - - Adding this feature would make curls pinning 100% compatible to HPKP and - allow more flexible pinning. - 13.12 Reduce CA certificate bundle reparsing When using the OpenSSL backend, curl will load and reparse the CA bundle at -- 2.47.3
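Review bot: in the index hunk (@@ -121,7 +121,6 @@), removing the 13.11 entry leaves the list going from 13.10 straight to 13.12, with 13.12 through 13.14 kept under their old numbers. If docs/TODO is meant to be numbered contiguously, renumber the following entries in the index and in the matching body headings; if gaps are accepted in this file, no change is needed here.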
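Review bot: in the body hunk (@@ -878,17 +877,6 @@), the deleted 13.11 text describes a behaviour of CURLOPT_PINNEDPUBLICKEY (it "does not consider the hashes of intermediate & root certificates"), and the commit message gives no reason for dropping the item beyond a "See also" link. Suggest adding one sentence to the commit message saying why the entry goes away (implemented, declined, or obsolete) so the log is readable without following the link. If the behaviour is unchanged, it is also worth checking that this leaf-only comparison is still stated somewhere in the user-facing documentation, since people who pin keys depend on knowing it.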