Jacob,

A question in this context - is your colleague expecting that browser-configured DNT signals are propagated to (typically OS)-provided OCSP fetching?

I ask this because only one browser today has integrated its certificate verification logic in the browser component; all others, today, treat it as a disjoint 'black box' system service. The consequence of this design split is that aspects that are normally the remit of the user agent - which include logic such as CORS preflights (in the case of OCSP POST requests), DNT header propagation, or even user-agent strings and HTTP caching subsystems - are not shared.

On Wed, Jun 14, 2017 at 5:41 PM, Jacob Hoffman-Andrews via Public <[email protected]> wrote:
> Forwarding on behalf of a colleague at EFF who is working on the Do Not
> Track standard:
>
> -------- Forwarded Message --------
> Subject: OCSP Requests and Do Not Track
> Date: Mon, 15 May 2017 16:22:58 -0400
> From: Alan Toner <[email protected]>
> To: Jacob Hoffman-Andrews <[email protected]>, Peter Eckersley <[email protected]>
>
> Hi,
>
> At the Electronic Frontier Foundation we are currently working on an
> implementation guide for site owners who have adopted our Do Not Track
> (DNT) policy (1). As part of this effort we want to identify service
> providers who can comply with the policy for users who send a DNT:1
> header expressing their desire not to be tracked. Certification
> Authorities are relevant to this due to the potential for OCSP queries
> to track visits to a site even if the site otherwise complies with a
> strong DNT.
>
> We are interested to hear if there are Certification Authorities which
> can satisfy our DNT standard in the context of OCSP requests from public
> users. Compliance means any logs containing unique identifiers
> should be deleted within ten days unless an exception applies - in the
> case of a Certification Authority such exceptions would include
> suspicions of fraud, security abuse, or the need to debug technical
> problems.
>
> Let's Encrypt has such a policy (2) but we would like to be able to
> point to others. If you believe your CA to be compliant, please let us
> know so that we can include your organization in our guide. We would
> also like to hear from you if there is a section of your privacy policy
> which addresses the use of information gathered in the course of OCSP
> requests.
>
> Best,
>
> Alan Toner
>
> (1) https://www.eff.org/dnt-policy
>
> (2) https://letsencrypt.org/privacy/
>
> _______________________________________________
> Public mailing list
> [email protected]
> https://cabforum.org/mailman/listinfo/public
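Alan's request above asks CAs for a ten-day deletion window on OCSP logs that hold unique identifiers, with named exceptions for fraud, abuse and debugging. The following is an added example, not code from this thread, the EFF or any CA: a Python sketch of that retention rule applied to constructed responder log lines, treating the client IP as the unique identifier and using a hypothetical tag vocabulary for the exceptions.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=10)
# Hypothetical tag vocabulary for the exceptions the policy names
# (fraud, security abuse, technical debugging); a real responder would
# carry these as case or ticket references rather than bare words.
EXCEPTION_TAGS = {"fraud", "abuse", "debug"}

# Constructed sample lines: "<ISO8601 UTC> <client-ip> <method> <path> <tag>".
# The GET path carries the base64 OCSP request (truncated here), which names the
# certificate being checked; together with the client IP it identifies a visit.
SAMPLE_LOG = """\
2017-05-01T10:00:00Z 203.0.113.7 GET /MEowSDBG -
2017-05-03T11:30:00Z 198.51.100.9 POST / abuse
2017-05-12T09:15:00Z 192.0.2.44 GET /MEowSDBG -
2017-05-14T08:00:00Z 203.0.113.7 POST / debug
"""
# Constructed audit time for the sample above.
NOW = datetime(2017, 5, 20, tzinfo=timezone.utc)

def parse_line(line):
    ts, ip, method, path, tag = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip, "method": method, "path": path, "tag": tag}

def scrub(log_text, now):
    """Delete the unique identifier (client IP) from every record older than
    RETENTION unless the record carries an exception tag. Returns the records
    in order plus the number of identifiers removed."""
    records, removed = [], 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        expired = now - rec["ts"] > RETENTION
        if expired and rec["tag"] not in EXCEPTION_TAGS:
            rec["ip"] = None  # identifier gone; method/path stay for aggregate stats
            removed += 1
        records.append(rec)
    return records, removed

def overdue(records, now):
    """Records still holding an identifier past the window with no exception:
    these are the compliance failures an audit of the responder would flag."""
    return [r for r in records
            if r["ip"] is not None and now - r["ts"] > RETENTION
            and r["tag"] not in EXCEPTION_TAGS]

if __name__ == "__main__":
    recs, n = scrub(SAMPLE_LOG, NOW)
    print(n, "identifier(s) removed;", len(overdue(recs, NOW)), "overdue")
```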
