author Matthias Andree <matthias.andree@gmx.de> 2009-07-16 19:50:12 +0000
committer Matthias Andree <matthias.andree@gmx.de> 2009-07-16 19:50:12 +0000
commit cce6e3905c62ae2ffbddbea4d8ff4ed4fd253329
tree ff32b78d485f7f8f8ebe157b6a991c3ad7faffc7
parent 3026bfee3c04ba09f13e4345eec0d6fbe14cc146
TODO: sslfingerprint and thereabouts.
svn path=/branches/BRANCH_6-3/; revision=5388
-rw-r--r-- NEWS 2
-rw-r--r-- TODO.txt 4
2 files changed, 6 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index a1e2ae1c..edab25a3 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,8 @@ removed from a 6.4.0 or newer release.)
* POP2 is obsolete, support will be removed from a future fetchmail version.
* RPOP is obsolete, support will be removed from a future fetchmail release.
* --sslcertck will become a default setting in a future fetchmail version.
+* --sslfingerprint may be removed from a future fetchmail version, because it's
+ just too easily abused to create a false sense of security.
* The multidrop To/Cc guessing code along with the fragile duplicate suppressor
is deprecated and may be removed from a future release.
* The "envelope Received" option may be removed from a future release, because
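Review bot: The added --sslfingerprint entry in NEWS says the option is "too easily abused to create a false sense of security" but does not say what the abuse is or what to use instead, so a reader cannot tell whether their own configuration is affected. Suggest adding a clause that describes the misuse and, since the line just above announces --sslcertck becoming a default, stating whether --sslcertck is the intended replacement.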
diff --git a/TODO.txt b/TODO.txt
index a6186a1f..97305e01 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -90,6 +90,10 @@ questionable:
- CRYPTO: perhaps port to NSS? Check license and features and required procedure
changes. - Redhat Bugs #333741 (crypto consolidation), #346891 (port fetchmail to NSS)
- CRYPTO: make the SSL default v3 (rather than v23).
+- CRYPTO: remove sslfingerprint? too easily abused (see NEWS)
+- CRYPTO: force sslcertck
+- CRYPTO: by default forbid cleartext or other compromising password
+ schemes over insecure connections?
- put more hints to the FAQ (should we call it FGA?) as first support place
- make sure we print socket error messages such as connection reset by
peer to hint users the problem is not in fetchmail
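Review bot: The added "CRYPTO: force sslcertck" item does not say whether "force" means no opt-out, which may differ from the NEWS wording in this same commit that --sslcertck "will become a default setting"; spell out which is intended. Also, "(see NEWS)" on the sslfingerprint item points to an entry that gives no more detail than this line does, and the last added item would be easier to act on if it named what counts as "other compromising password schemes" and "insecure connections".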