<div dir="ltr">Jacob,<div><br></div><div>A question in this context - is your colleague expecting that browser-configured DNT signals are propagated to (typically OS)-provided OCSP fetching?</div><div><br></div><div>I ask this because only one browser today has integrated its certificate verification logic in the browser component; all others, today, treat it as a disjoint 'black box' system service. The consequence of this design split is that aspects that are normally the remit of the user agent - which include logic such as CORS preflights (in the case of OCSP POST requests), DNT header propagation, or even user-agent strings and HTTP caching subsystems - are not shared.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 14, 2017 at 5:41 PM, Jacob Hoffman-Andrews via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Forwarding on behalf of a colleague at EFF who is working on the Do Not Track standard:<div><br></div><div>-------- Forwarded Message --------<table class="m_4051762748564683642gmail-moz-email-headers-table" border="0" cellspacing="0" cellpadding="0"><tbody><tr><th align="RIGHT" nowrap valign="BASELINE">Subject: </th><td>OCSP Requests and Do Not Track</td></tr><tr><th align="RIGHT" nowrap valign="BASELINE">Date: </th><td>Mon, 15 May 2017 16:22:58 -0400</td></tr><tr><th align="RIGHT" nowrap valign="BASELINE">From: </th><td>Alan Toner <<a href="mailto:at@eff.org" target="_blank">at@eff.org</a>></td></tr><tr><th align="RIGHT" nowrap valign="BASELINE">To: </th><td>Jacob Hoffman-Andrews <<a href="mailto:jsha@eff.org" target="_blank">jsha@eff.org</a>>, Peter Eckersley <<a href="mailto:pde@eff.org" target="_blank">pde@eff.org</a>></td></tr></tbody></table>
<br><br><pre>Hi,
At the Electronic Frontier Foundation we are currently working on an
implementation guide for site owners who have adopted our Do Not Track
(DNT) policy (1). As part of this effort we want to identify service
providers who can comply with the policy for users who send a DNT:1
header expressing their desire not to be tracked. Certification
Authorities are relevant to this due to the potential for OCSP queries
to track visits to a site even if the site otherwise complies with a
strong DNT.
We are interested to hear if there are Certification Authorities which
can satisfy our DNT standard in the context of OCSP requests from public
users. Compliance means any logs containing unique identifiers
should be deleted within ten days unless an exception applies - in the
case of a Certification Authority such exceptions would include
suspicions of fraud, security abuse, or the need to debug technical
problems.
Let's Encrypt has such a policy (2) but we would like to be able to
point to others. If you believe your CA to be compliant, please let us
know so that we can include your organization in our guide. We would
also like to hear from you if there is a section of your privacy policy
which addresses the use of information gathered in the course of OCSP
requests.
Best,
Alan Toner
(1) <a href="https://www.eff.org/dnt-policy" target="_blank">https://www.eff.org/dnt-policy</a>
(2) <a href="https://letsencrypt.org/privacy/" target="_blank">https://letsencrypt.org/privacy/</a>
</pre></div></div>
<br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div>
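The two points raised in the thread, that most OCSP requests arrive from OS-level fetchers that never forward the browser's DNT header, and that a compliant CA must delete unique identifiers from its logs within ten days unless a fraud, abuse or debugging exception applies, can be modelled on a responder's access log. The following is an added example, not code from EFF, Let's Encrypt or any CA; the log entries are constructed, and the `OcspLogEntry` fields, `ALLOWED_EXCEPTIONS` set and function names are assumptions.

```python
# Added example: measure DNT coverage on a constructed OCSP responder log and
# apply the ten-day identifier-deletion rule with the exceptions named above.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class OcspLogEntry:
    ts: datetime                  # request time
    client_ip: Optional[str]      # unique identifier, subject to deletion
    user_agent: Optional[str]     # near-unique identifier, subject to deletion
    dnt: Optional[str]            # value of the DNT header, if the client sent one
    serial: str                   # certificate serial queried; not a user identifier
    retain_reason: Optional[str] = None  # exception recorded by an operator, if any

# Constructed sample (hypothetical IPs and user agents): only the request from
# a browser-integrated verifier carries DNT; the OS fetchers send none.
NOW = datetime(2017, 6, 14, 17, 41)
SAMPLE_LOG = [
    OcspLogEntry(NOW - timedelta(days=1), "203.0.113.10", "Mozilla/5.0 (browser verifier)", "1", "0A1B"),
    OcspLogEntry(NOW - timedelta(days=12), "203.0.113.11", "ocspd/1.0 (OS fetcher)", None, "0A1B"),
    OcspLogEntry(NOW - timedelta(days=30), "203.0.113.12", "ocspd/1.0 (OS fetcher)", None, "0C2D", "fraud"),
    OcspLogEntry(NOW - timedelta(days=11), "203.0.113.13", "CryptoAPI/6.1 (OS fetcher)", None, "0C2D"),
]

RETENTION = timedelta(days=10)
ALLOWED_EXCEPTIONS = {"fraud", "abuse", "debug"}  # assumed labels for the thread's exceptions

def dnt_coverage(entries):
    """Fraction of requests that actually carried DNT:1 to the responder."""
    if not entries:
        return 0.0
    return sum(1 for e in entries if e.dnt == "1") / len(entries)

def apply_retention(entries, now=NOW):
    """Strip client IP and user agent from entries older than RETENTION,
    unless an allowed exception reason is recorded for that entry.
    The DNT header is deliberately not consulted: most clients never send it."""
    scrubbed = []
    for e in entries:
        expired = now - e.ts > RETENTION
        excepted = e.retain_reason in ALLOWED_EXCEPTIONS
        if expired and not excepted:
            e = replace(e, client_ip=None, user_agent=None)
        scrubbed.append(e)
    return scrubbed

def identifiers_remaining(entries):
    """Count entries that still hold a unique identifier after scrubbing."""
    return sum(1 for e in entries if e.client_ip or e.user_agent)
```

Because the scrubbing decision keys on age and recorded exception rather than on DNT, the policy covers the OS-originated requests that make up most of the log.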