[cabfpub] OCSP Requests and Do Not Track

Ryan Sleevi sleevi at google.com
Thu Jun 15 08:21:52 UTC 2017


Jacob,

A question in this context - is your colleague expecting that
browser-configured DNT signals are propagated to (typically OS)-provided
OCSP fetching?

I ask this because only one browser today has integrated its certificate
verification logic in the browser component; all others, today, treat it as
a disjoint 'black box' system service. The consequence of this design split
is that aspects that are normally the remit of the user agent - which
include logic such as CORS preflights (in the case of OCSP POST requests),
DNT header propagation, or even user-agent strings and HTTP caching
subsystems - are not shared.

On Wed, Jun 14, 2017 at 5:41 PM, Jacob Hoffman-Andrews via Public <
public at cabforum.org> wrote:

> Forwarding on behalf of a colleague at EFF who is working on the Do Not
> Track standard:
>
> -------- Forwarded Message --------
> Subject: OCSP Requests and Do Not Track
> Date: Mon, 15 May 2017 16:22:58 -0400
> From: Alan Toner <at at eff.org>
> To: Jacob Hoffman-Andrews <jsha at eff.org>, Peter Eckersley <pde at eff.org>
>
> Hi,
>
> At the Electronic Frontier Foundation we are currently working on an
> implementation guide for site owners who have adopted our Do Not Track
> (DNT) policy (1). As part of this effort we want to identify service
> providers who can comply with the policy for users who send a DNT:1
> header expressing their desire not to be tracked. Certification
> Authorities are relevant to this due to the potential for OCSP queries
> to track visits to a site even if the site otherwise complies with a
> strong DNT.
>
> We are interested to hear if there are Certification Authorities which
> can satisfy our DNT standard in the context of OCSP requests from public
> users. Compliance means any logs containing unique identifiers
> should be deleted within ten days unless an exception applies - in the
> case of a Certification Authority such exceptions would include
> suspicions of fraud, security abuse, or the need to debug technical
> problems.
>
> Let's Encrypt has such a policy (2) but we would like to be able to
> point to others. If you believe your CA to be compliant, please let us
> know so that we can include your organization in our guide. We would
> also like to hear from you if there is a section of your privacy policy
> which addresses the use of information gathered in the course of OCSP
> requests.
>
> Best,
>
> Alan Toner
>
> (1) https://www.eff.org/dnt-policy
>
> (2) https://letsencrypt.org/privacy/
>
>
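As an added illustration (not part of this thread or of any CA's code), the following Python builds the minimal RFC 6960 OCSPRequest a client sends for one certificate, encodes it in the GET form, and then reads the leaf serial back out of the URL; the issuer bytes, serial and responder hostname are constructed sample values. It makes the tracking concern concrete: the request identifies the exact certificate, hence the site visited, whichever component (browser or OS service) sends it, and a DNT header only accompanies it if that component adds one.

```python
import base64
import hashlib
import urllib.parse

SAMPLE_ISSUER_NAME_DER = b"\x30\x0f\x31\x0d\x30\x0b\x06\x03\x55\x04\x03\x0c\x04Test"  # constructed toy issuer Name
SAMPLE_ISSUER_KEY_BITS = b"\x00" * 32  # constructed stand-in for the issuer's subjectPublicKey bits
SAMPLE_SERIAL = 0x03A1B2C3D4E5F60718  # constructed leaf serial
SHA1_OID = b"\x06\x05\x2b\x0e\x03\x02\x1a"  # 1.3.14.3.2.26, the hash conventionally used in CertID

def _der(tag: int, body: bytes) -> bytes:
    """DER TLV with short or one-byte long length (bodies under 256 bytes, enough for a CertID request)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def _der_int(value: int) -> bytes:
    """DER INTEGER; the extra bit of room keeps a high-bit serial from reading as negative."""
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def ocsp_request_der(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """Minimal RFC 6960 OCSPRequest: one CertID, no extensions, no requestor name, unsigned."""
    cert_id = _der(0x30, b"".join([
        _der(0x30, SHA1_OID + b"\x05\x00"),                  # hashAlgorithm {sha1, NULL}
        _der(0x04, hashlib.sha1(issuer_name_der).digest()),  # issuerNameHash
        _der(0x04, hashlib.sha1(issuer_key_bits).digest()),  # issuerKeyHash
        _der_int(serial),                                    # serialNumber: pins the exact leaf cert
    ]))
    request_list = _der(0x30, _der(0x30, cert_id))           # SEQUENCE OF Request { reqCert CertID }
    return _der(0x30, _der(0x30, request_list))              # OCSPRequest { TBSRequest { requestList } }

def ocsp_get_url(responder_url: str, request_der: bytes) -> str:
    """RFC 6960 A.1 GET form: url-encoded base64 of the DER becomes part of the URL path."""
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(base64.b64encode(request_der).decode(), safe="")

def _tlv(buf: bytes, off: int):
    """Return (tag, body, offset of the next element) for the DER element at off."""
    tag, first = buf[off], buf[off + 1]
    hdr = 2 if first < 0x80 else 2 + (first & 0x7F)
    length = first if first < 0x80 else int.from_bytes(buf[off + 2:off + hdr], "big")
    return tag, buf[off + hdr:off + hdr + length], off + hdr + length

def serial_from_ocsp_url(url: str) -> int:
    """What the responder (or an on-path observer of plain-HTTP OCSP) learns from one GET."""
    node = base64.b64decode(urllib.parse.unquote(url.rsplit("/", 1)[1]))
    for _ in range(5):  # OCSPRequest -> TBSRequest -> requestList -> Request -> CertID contents
        _, node, _ = _tlv(node, 0)
    off = 0
    for _ in range(3):  # skip hashAlgorithm, issuerNameHash, issuerKeyHash
        _, _, off = _tlv(node, off)
    tag, serial_bytes, _ = _tlv(node, off)
    assert tag == 0x02, "CertID.serialNumber is not an INTEGER"
    return int.from_bytes(serial_bytes, "big")
```

The serial alone, combined with the issuer hashes, is enough for a responder's log to record which certificate (and so which site) a client was validating, which is the log-retention question the forwarded message raises.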