<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">They all can trivially, the sites should perform OCSP stapling. Privacy was one of the original reasons for proposing it.<div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jun 14, 2017, at 5:41 PM, Jacob Hoffman-Andrews via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Forwarding on behalf of a colleague at EFF who is working on the Do Not Track standard:<div class=""><br class=""></div><div class="">-------- Forwarded Message --------<table class="gmail-moz-email-headers-table" border="0" cellspacing="0" cellpadding="0"><tbody class=""><tr class=""><th align="RIGHT" nowrap="" valign="BASELINE" class="">Subject: </th><td class="">OCSP Requests and Do Not Track</td></tr><tr class=""><th align="RIGHT" nowrap="" valign="BASELINE" class="">Date: </th><td class="">Mon, 15 May 2017 16:22:58 -0400</td></tr><tr class=""><th align="RIGHT" nowrap="" valign="BASELINE" class="">From: </th><td class="">Alan Toner <<a href="mailto:at@eff.org" class="">at@eff.org</a>></td></tr><tr class=""><th align="RIGHT" nowrap="" valign="BASELINE" class="">To: </th><td class="">Jacob Hoffman-Andrews <<a href="mailto:jsha@eff.org" class="">jsha@eff.org</a>>, Peter Eckersley <<a href="mailto:pde@eff.org" class="">pde@eff.org</a>></td></tr></tbody></table>
<br class=""><br class=""><pre class="">Hi,
At the Electronic Frontier Foundation we are currently working on an
implementation guide for site owners who have adopted our Do Not Track
(DNT) policy (1). As part of this effort we want to identify service
providers who can comply with the policy for users who send a DNT:1
header expressing their desire not to be tracked. Certification
Authorities are relevant to this due to the potential for OSCP queries
to track visits to a site even if the site otherwise complies with a
strong DNT.
We are interested to hear if there are Certification Authorities which
can satisfy our DNT standard in the context of OCSP requests from public
users. Compliance means any logs containing unique identifiers
should be deleted within ten days unless an exception applies - in the
case of a Certification Authority such exceptions would include
suspicions of fraud, security abuse, or the need to debug technical
problems.
Let's Encrypt has such a policy (2) but we would like to be able to
point to others. If you believe your CA to be compliant, please let us
know so that we can include your organization in our guide. We would
also like to hear from you if there is a section of your privacy policy
which addresses the use of information gathered in the course of OCSP
requests.
Best,
Alan Toner
(1) <a href="https://www.eff.org/dnt-policy" class="">https://www.eff.org/dnt-policy</a>
(2) <a href="https://letsencrypt.org/privacy/" class="">https://letsencrypt.org/privacy/</a>
</pre></div></div>
_______________________________________________<br class="">Public mailing list<br class=""><a href="mailto:Public@cabforum.org" class="">Public@cabforum.org</a><br class="">https://cabforum.org/mailman/listinfo/public<br class=""></div></blockquote></div><br class=""></div></body></html>