aboutsummaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorrugk <rugk@posteo.de>2016-09-19 16:23:38 +0200
committerDaniel Stenberg <daniel@haxx.se>2016-09-19 16:58:33 +0200
commit31dd3bf674ff7e627700bcb2c65e2e501ffe1037 (patch)
tree5c53915bf07679ea4bdbcbbd447f88aeb46f0e37 /docs
parenta2b360f8908139db9caad9011f43d47c442cc8c1 (diff)
TODO: Add PINNEDPUBLICKEY - HPKP compatibility, HSTS & HPKP
Closes #1025 Closes #1026 Closes #1027
Diffstat (limited to 'docs')
-rw-r--r--docs/TODO39
1 files changed, 39 insertions, 0 deletions
diff --git a/docs/TODO b/docs/TODO
index 6bffdd620..9af44cceb 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -109,6 +109,9 @@
13.8 Support DANE
13.9 Support TLS v1.3
13.10 Support SSLKEYLOGFILE
+ 13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
+ 13.12 Support HSTS
+ 13.13 Support HPKP
14. GnuTLS
14.1 SSL engine stuff
@@ -718,6 +721,42 @@ that doesn't exist on the server, just like --ftp-create-dirs.
used as inspiration and guidance
https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
+13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
+
+ CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root
+ certificates when comparing the pinned keys. Therefore it is not compatible
+ with "HTTP Public Key Pinning" as there also intermediate and root certificates
+ can be pinned. This is very useful as it prevents webadmins from "locking
+ themself out of their servers".
+
+ Adding this feature would make curls pinning 100% compatible to HPKP and allow
+ more flexible pinning.
+
+13.12 Support HSTS
+
+ "HTTP Strict Transport Security" is TOFU (trust on first use), time-based
+ features indicated by a HTTP header send by the webserver. It is widely used
+ in browsers and it's purpose is to prevent insecure HTTP connections after
+ a previous HTTPS connection. It protects against SSLStripping attacks.
+
+ Doc: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
+ RFC 6797: https://tools.ietf.org/html/rfc6797
+
+13.13 Support HPKP
+
+ "HTTP Public Key Pinning" is TOFU (trust on first use), time-based
+ features indicated by a HTTP header send by the webserver. It's purpose is
+ to prevent Man-in-the-middle attacks by trusted CAs by allowing webadmins
+ to specify which CAs/certificates/public keys to trust when connection to
+ their websites.
+
+ It can be build based on PINNEDPUBLICKEY.
+
+ Wikipedia: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
+ OWASP: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
+ Doc: https://developer.mozilla.org/de/docs/Web/Security/Public_Key_Pinning
+ RFC: https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21
+
14. GnuTLS
14.1 SSL engine stuff