Hello,

OCSP requests reveal details of individuals' browsing history to the operator of the OCSP responder. These can be exposed accidentally (e.g., via data breach of logs) or intentionally (e.g., via subpoena). This is part of why Chrome doesn't do OCSP checks for Domain Validated (DV) or Organization Validated (OV) certificates by default, and starting in version 106, Chrome won't do them for Extended Validation (EV) certificates either, to better protect users' privacy.
Select revocation checking support will continue to be available through CRLSets <https://www.chromium.org/Home/chromium-security/crlsets/>, and OCSP stapling <https://en.wikipedia.org/wiki/OCSP_stapling> will still be supported. Chrome also supports an enterprise policy <https://chromeenterprise.google/policies/#EnableOnlineRevocationChecks> to enable online revocation checking, though this may be removed in the future.

For any other questions or concerns, please email us at [email protected].

Thanks,
Ryan
[Sent on behalf of the Chrome Root Program]
