[cabfpub] OCSP Requests and Do Not Track

philliph at comodo.com philliph at comodo.com
Wed Jun 14 23:50:15 UTC 2017

They all can trivially, the sites should perform OCSP stapling. Privacy was one of the original reasons for proposing it.

> On Jun 14, 2017, at 5:41 PM, Jacob Hoffman-Andrews via Public <public at cabforum.org> wrote:
> Forwarding on behalf of a colleague at EFF who is working on the Do Not Track standard:
> -------- Forwarded Message --------
> Subject:	OCSP Requests and Do Not Track
> Date:	Mon, 15 May 2017 16:22:58 -0400
> From:	Alan Toner <at at eff.org <mailto:at at eff.org>>
> To:	Jacob Hoffman-Andrews <jsha at eff.org <mailto:jsha at eff.org>>, Peter Eckersley <pde at eff.org <mailto:pde at eff.org>>
> Hi,
> At the Electronic Frontier Foundation we are currently working on an
> implementation guide for site owners who have adopted our Do Not Track
> (DNT) policy (1). As part of this effort we want to identify service
> providers who can comply with the policy for users who send a DNT:1
> header expressing their desire not to be tracked. Certification
> Authorities are relevant to this due to the potential for OSCP queries
> to track visits to a site even if the site otherwise complies with a
> strong DNT.
> We are interested to hear if there are Certification Authorities which
> can satisfy our DNT standard in the context of OCSP requests from public
> users. Compliance means any logs containing unique identifiers
> should be deleted within ten days unless an exception applies - in the
> case of  a Certification Authority such exceptions would include
> suspicions of fraud, security abuse, or the need to debug technical
> problems.
> Let's Encrypt has such a policy (2) but we would like to be able to
> point to others. If you believe your CA to be compliant, please let us
> know so that we can include your organization in our guide. We would
> also like to hear from you if there is a section of your privacy policy
> which addresses the use of information gathered in the course of OCSP
> requests.
> Best,
> Alan Toner
> (1) https://www.eff.org/dnt-policy <https://www.eff.org/dnt-policy>
> (2) https://letsencrypt.org/privacy/ <https://letsencrypt.org/privacy/>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170614/fe619374/attachment-0003.html>

More information about the Public mailing list