Forwarding on behalf of a colleague at EFF who is working on the Do Not Track standard:
-------- Forwarded Message --------
Subject: OCSP Requests and Do Not Track
Date: Mon, 15 May 2017 16:22:58 -0400
From: Alan Toner <[email protected]>
To: Jacob Hoffman-Andrews <[email protected]>, Peter Eckersley <[email protected]>

Hi,

At the Electronic Frontier Foundation we are currently working on an implementation guide for site owners who have adopted our Do Not Track (DNT) policy (1). As part of this effort we want to identify service providers who can comply with the policy for users who send a DNT:1 header expressing their desire not to be tracked. Certification Authorities are relevant to this due to the potential for OCSP queries to track visits to a site even if the site otherwise complies with a strong DNT.

We are interested to hear if there are Certification Authorities which can satisfy our DNT standard in the context of OCSP requests from public users. Compliance means any logs containing unique identifiers should be deleted within ten days unless an exception applies - in the case of a Certification Authority such exceptions would include suspicions of fraud, security abuse, or the need to debug technical problems. Let's Encrypt has such a policy (2), but we would like to be able to point to others.

If you believe your CA to be compliant, please let us know so that we can include your organization in our guide. We would also like to hear from you if there is a section of your privacy policy which addresses the use of information gathered in the course of OCSP requests.

Best,
Alan Toner

(1) https://www.eff.org/dnt-policy
(2) https://letsencrypt.org/privacy/
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
