[cabfpub] OCSP Requests and Do Not Track

Jacob Hoffman-Andrews jsha at letsencrypt.org
Wed Jun 14 14:41:47 MST 2017


Forwarding on behalf of a colleague at EFF who is working on the Do Not
Track standard:

-------- Forwarded Message --------
Subject: OCSP Requests and Do Not Track
Date: Mon, 15 May 2017 16:22:58 -0400
From: Alan Toner <at at eff.org>
To: Jacob Hoffman-Andrews <jsha at eff.org>, Peter Eckersley <pde at eff.org>

Hi,

At the Electronic Frontier Foundation we are currently working on an
implementation guide for site owners who have adopted our Do Not Track
(DNT) policy (1). As part of this effort we want to identify service
providers who can comply with the policy for users who send a DNT:1
header expressing their desire not to be tracked. Certification
Authorities are relevant to this due to the potential for OCSP queries
to track visits to a site even if the site otherwise complies with a
strong DNT.

We are interested to hear if there are Certification Authorities which
can satisfy our DNT standard in the context of OCSP requests from public
users. Compliance means any logs containing unique identifiers
should be deleted within ten days unless an exception applies - in the
case of a Certification Authority such exceptions would include
suspicions of fraud, security abuse, or the need to debug technical
problems.

Let's Encrypt has such a policy (2) but we would like to be able to
point to others. If you believe your CA to be compliant, please let us
know so that we can include your organization in our guide. We would
also like to hear from you if there is a section of your privacy policy
which addresses the use of information gathered in the course of OCSP
requests.

Best,

Alan Toner

(1) https://www.eff.org/dnt-policy

(2) https://letsencrypt.org/privacy/
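The tracking concern in the message comes from what an OCSP responder's access log records: the client address together with the serial of the certificate being checked, which identifies the site the visitor is loading. The following is an added example, not code from the post, from EFF or from any CA, showing what a retention pass shaped like the policy described above would look like on a responder's logs. The log format, the field names, the `holds` mechanism for the fraud/abuse/debugging exceptions and all sample entries are constructed assumptions; the ten-day window is the one the message states.

```python
"""Retention pass for OCSP responder access logs (added example, constructed format).

Policy modelled: entries carrying a unique identifier (here the client IP) are
purged once older than ten days, unless that identifier is under an explicit
hold for an exception (fraud, abuse, debugging). Non-identifying aggregate
counts per certificate serial are kept so operational statistics survive.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple

RETENTION = timedelta(days=10)  # "deleted within ten days" from the policy


class OcspLogEntry(NamedTuple):
    ts: datetime      # time the request arrived
    client_ip: str    # unique identifier: links one visitor to the lookup
    serial: str       # certificate serial checked: reveals which site was visited
    dnt: bool         # whether the request carried a DNT: 1 header


def parse_line(line: str) -> OcspLogEntry:
    """Parse one constructed log line: '<iso-ts> <ip> serial=<hex> dnt=<0|1>'."""
    ts_s, ip, serial_kv, dnt_kv = line.split()
    return OcspLogEntry(
        datetime.fromisoformat(ts_s),
        ip,
        serial_kv.split("=", 1)[1],
        dnt_kv.split("=", 1)[1] == "1",
    )


def is_expired(entry: OcspLogEntry, now: datetime) -> bool:
    """True once the entry is older than the retention window."""
    return now - entry.ts > RETENTION


def run_retention(log_text: str, now: datetime, holds: Dict[str, str]) -> dict:
    """Apply the retention policy to a whole log.

    holds maps a client IP to the documented reason it is exempt (abuse case,
    debugging ticket). Returns the entries still allowed to carry identifiers,
    the number purged, and per-serial counts that contain no identifier.
    """
    retained: List[OcspLogEntry] = []
    purged = 0
    per_serial: Counter = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        per_serial[entry.serial] += 1          # aggregate survives either way
        if is_expired(entry, now) and entry.client_ip not in holds:
            purged += 1                        # identifier-bearing record is dropped
        else:
            retained.append(entry)
    return {"retained": retained, "purged": purged, "per_serial": dict(per_serial)}


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2017-05-01T10:00:00+00:00 203.0.113.7 serial=03a1f2 dnt=1
2017-05-02T11:30:00+00:00 198.51.100.9 serial=03a1f2 dnt=0
2017-05-13T09:15:00+00:00 203.0.113.7 serial=1b2c3d dnt=1
2017-05-14T08:00:00+00:00 192.0.2.44 serial=03a1f2 dnt=1
"""
# "now" is the date of the forwarded message; the hold entry is constructed.
NOW = datetime(2017, 5, 15, 16, 22, 58, tzinfo=timezone.utc)
HOLDS = {"198.51.100.9": "abuse investigation (constructed example hold)"}

if __name__ == "__main__":
    result = run_retention(SAMPLE_LOG, NOW, HOLDS)
    print(f"retained={len(result['retained'])} purged={result['purged']}")
    print("per-serial counts:", result["per_serial"])
```

With the sample above, the 1 May request from 203.0.113.7 is outside the window and not under a hold, so it is purged; the 2 May request is equally old but its address is under a documented hold, so it stays; the two May 13 and May 14 entries are inside the window. A real deployment would run this against rotated log files on a schedule and would want the hold list itself to carry an expiry, since an open-ended exception defeats the point of the window.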