From 04739054cdac5a0614fb94e3655e313c03399f35 Mon Sep 17 00:00:00 2001 From: "brian m. carlson" Date: Tue, 18 Jun 2024 10:29:43 +0200 Subject: [PATCH] TODO: TLS channel binding Closes #13483 --- docs/TODO | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/TODO b/docs/TODO index 1faedde4a2..4bf0508107 100644 --- a/docs/TODO +++ b/docs/TODO @@ -111,6 +111,7 @@ 13. TLS 13.1 TLS-PSK with OpenSSL + 13.2 TLS channel binding 13.3 Defeat TLS fingerprinting 13.5 Export session ids 13.6 Provide callback for cert verification @@ -784,6 +785,23 @@ https://github.com/curl/curl/issues/5081 +13.2 TLS channel binding + + TLS 1.2 and 1.3 provide the ability to extract some secret data from the TLS + connection and use it in the client request (usually in some sort of + authentication) to ensure that the data sent is bound to the specific TLS + connection and cannot be successfully intercepted by a proxy. This + functionality can be used in a standard authentication mechanism such as + GSS-API or SCRAM, or in custom approaches like custom HTTP Authentication + headers. + + For TLS 1.2, the binding type is usually tls-unique, and for TLS 1.3 it is + tls-exporter. + + https://datatracker.ietf.org/doc/html/rfc5929 + https://datatracker.ietf.org/doc/html/rfc9266 + https://github.com/curl/curl/issues/9226 + 13.3 Defeat TLS fingerprinting By changing the order of TLS extensions provided in the TLS handshake, it is -- 2.47.3
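Review bot: In the first hunk (the section index at `@@ -111,6 +111,7 @@`), the new `13.2 TLS channel binding` line is placed consistently between 13.1 and 13.3, but the index still jumps from 13.3 to 13.5. Since this patch already touches that index, it would be worth either adding the missing 13.4 entry or noting why it is absent, so the TOC and the section bodies stay in step.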
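Review bot: In the second hunk (the new 13.2 body at `@@ -784,6 +785,23 @@`), the sentence "cannot be successfully intercepted by a proxy" overstates what channel binding provides: a TLS-terminating proxy can still read the request, but the bound authentication data is tied to the client's own TLS connection, so the server can detect that it arrived over a different connection and reject it. Suggest rewording along the lines of "so that authentication data captured by a TLS-terminating proxy is rejected when replayed over a different TLS connection". The entry also describes the mechanism without saying what curl should actually do about it; a TODO item is easier to pick up if it names the concrete work, for example exposing the channel-binding value of the current connection to the application and feeding it into the existing GSS-API authentication path, and which TLS backends would need an exporter hook to support that.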