Re: [pkix] OCSP reponses without nexUpdate

Peter Gutmann <> Mon, 24 February 2020 09:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 367963A0969 for <>; Mon, 24 Feb 2020 01:10:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JuHhrtNBhr7e for <>; Mon, 24 Feb 2020 01:10:51 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E8B133A0968 for <>; Mon, 24 Feb 2020 01:10:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1582535451; x=1614071451; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=jrojnSXO+HF7OPwwd3FzEYFvwIg0EV/KPzgPr9GRUbE=; b=UXI+mrzI4Wx3atZHLrueqWo3NaJ6lfEOjweYHUVznwMxO+9CtFA/hfp4 1Ut/ij9ZNMTIFU+2OcrCpnzWfV1AhWofvpEq2lqUYdSAVrrjT53MC3X3v jskkZhnvxOU0wXCQAC4U3R71nV+lSjDB0vQ9r0KX94PNddDvq71SoOnQ2 dym150kT4zWHXbftkOVTe0jll+SIcb4ZHC7c6Bh5l8LofO3Qh7YNirL5u r3TxUFqoKRHhwq1wuziAw2/4xa1Ms+RBrZiGc7Ytr7ASmyBJT2Yz3ZoGl fdrf5br+dkn3em+229hlEdIJzE5HeUc0r4Hc+GQcFieJM1TPxtYhp9HCX w==;
X-IronPort-AV: E=Sophos;i="5.70,479,1574074800"; d="scan'208";a="116982224"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 24 Feb 2020 22:10:48 +1300
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 24 Feb 2020 22:10:47 +1300
Received: from ([]) by ([]) with mapi id 15.00.1395.000; Mon, 24 Feb 2020 22:10:47 +1300
From: Peter Gutmann <>
To: Thomas Kopp <>, "" <>
Thread-Topic: OCSP reponses without nexUpdate
Thread-Index: AdXq547Yj5JHBOWqRKivA/b474BBgwACl3bg
Date: Mon, 24 Feb 2020 09:10:47 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [pkix] OCSP reponses without nexUpdate
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 24 Feb 2020 09:10:53 -0000

Thomas Kopp <> writes:

>Does it mean for subsequent requests that one of the fields  thisUpdate or
>producedAt must change even if certificate status has not changed?

Yes, no, and maybe.  If you're applying strict CRL compatibility, you set it
to the CRL nextUpdate time.  If you decide that since it's an online service
another update can become available at any time, you set it the current time.
If you're running CRLs at the same time, you set it to the next CRL production
time.  If you're doing batch signing to deal with OCSP's non-scalability, in
other words pre-producing responses, you set it to when the next batch of
responses get signed.  If you believe the Martians are coming, you set it to
just before they land so there's no expectations of OCSP responses after
they've killed us all.

If you don't believe any of the above then feel free to come up with another
interpretation and use that.  See long-ago threads on this list for more
suggestions on how this field can be interpreted (I can't remember all of the

Another interpretation is to do whatever makes sense to you and put it in your