TODO: add TLS channel binding

TLS channel binding is a security improvement that cryptographically ties authentication to a specific TLS connection, preventing TLS MITM proxies from successfully authenticating. This would be valuable for many security-sensitive users, so add it to the TODO list.
curl · Apr 25, 2024 · c5e0b63 · c5e0b63
1 parent 2d2c27e
commit c5e0b63
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/docs/TODO b/docs/TODO
@@ -126,6 +126,7 @@
  13.13 Make sure we forbid TLS 1.3 post-handshake authentication
  13.14 Support the clienthello extension
  13.15 Select signature algorithms
+ 13.16 TLS channel binding
 
  14. GnuTLS
  14.2 check connection
@@ -921,6 +922,23 @@
 
  https://github.com/curl/curl/issues/12982
 
+13.16 TLS channel binding
+
+ TLS 1.2 and 1.3 provide the ability to extract some secret data from the TLS
+ connection and use it in the client request (usually in some sort of
+ authentication) to ensure that the data sent is bound to the specific TLS
+ connection and cannot be successfully intercepted by a proxy.  This
+ functionality can be used in a standard authentication mechanism such as
+ GSS-API or SCRAM, or in custom approaches like custom HTTP Authentication
+ headers.
+
+ For TLS 1.2, the binding type is usually tls-unique, and for TLS 1.3 it is
+ tls-exporter.
+
+ https://datatracker.ietf.org/doc/html/rfc5929
+ https://datatracker.ietf.org/doc/html/rfc9266
+ https://github.com/curl/curl/issues/9226
+
 14. GnuTLS
 
 14.2 check connection