IEC 62351-3:2023, clause 6.4.4.4.3, indicates "OCSP responses have an expiry time indicated by the nextUpdate value."
RFC 6960, clause 4.2.1, indicates 'nextUpdate' as OPTIONAL.
Proposal
Considering:
* RFC 6960, clause 2.4, defines 'thisUpdate' as: "The most recent time at which the status being indicated is known by the responder to have been correct."
* IEC 62351-3:2023, clause 6.4.4.4.3, indicates: "the caching of OCSP responses shall be supported with a maximum of 24 hours".
To cover the case where OCSP Responses are without 'nextUpdate', the following paragraph can be added:
"In case the OCSP Response does not contain 'nextUpdate', the implementation claiming conformance to this standard shall consider the response valid until 'thisUpdate' plus the maximum caching time of 24 hours".
Discussion (Created / Status)
Created: 19 Jun 25, Status: Drafting Implementation
The proposal is OK for me.
Created: 18 Jun 25, Status: Drafting Implementation
Incorporated comment as proposed.
Created: 16 Jun 25, Status: Discussion (red)
Given the original proposal and the latest addition, I would propose to enhance the paragraph in clause 6.4.4.4.3 as follows:
OCSP responses have an expiry time indicated by the nextUpdate value. This allows caching an OCSP response. If OCSP is applied, the caching of OCSP responses shall be supported with a maximum of 24 hours. NEW: In case the OCSP Response does not contain 'nextUpdate', the implementation claiming conformance to this standard shall consider the response valid until 'thisUpdate' plus the maximum caching time of 24 hours. As OCSP responses are intended to support an immediate (online) certificate revocation check, the nextUpdate value should not be larger than 6 hours, also considering the caching option.
Created: 07 Feb 25, Status: Discussion (red)
In an OCSP response, there can be several responses. What do we have to do if some of the responses contain a nextUpdate field and other responses do not contain this field?
Should we not have a sentence like the one in section 6.4.4.4.2: "The recommended period of refreshing a local CRL is 24 hours. The CRL itself also contains information when the CRL will be updated in the nextUpdate field. The refreshing of the CRL should be aligned with whatever time comes first."
The goal is to verify the certificate at least every 24 hours (at the latest). So we should honor the times in the nextUpdate fields or the thisUpdate fields + 24 h, whichever comes first.
Created: 04 Feb 25, Status: Discussion (red)
Proposal to go forward with the proposed solution.
Good catch and I think the proposal addresses the finding.
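As an added worked example (not part of this comment record, of IEC 62351-3, or of RFC 6960), the Python below models the caching rule the thread converges on: each SingleResponse expires at nextUpdate or thisUpdate + 24 h, whichever comes first; a missing nextUpdate falls back to thisUpdate + 24 h as the proposal for clause 6.4.4.4.3 states; and a response that carries several SingleResponses (the 07 Feb 25 question) expires at the earliest of them. The 6-hour recommendation from the 16 Jun 25 text is reported as a warning rather than a failure. The `SingleResponse` class, the function names, the sample values and the 5-minute clock-skew tolerance are my own constructions for illustration, not an API or parameter taken from either document.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Sequence

# IEC 62351-3:2023, 6.4.4.4.3: OCSP responses may be cached for at most 24 hours.
MAX_CACHE = timedelta(hours=24)
# Recommended upper bound for nextUpdate - thisUpdate from the 16 Jun 25 proposal text.
RECOMMENDED_MAX_VALIDITY = timedelta(hours=6)
# Assumption (not from the standard): clock skew tolerated before a thisUpdate
# that lies in the future is rejected.
CLOCK_SKEW = timedelta(minutes=5)


@dataclass(frozen=True)
class SingleResponse:
    """Hypothetical model of one SingleResponse in a BasicOCSPResponse (RFC 6960, 4.2.1).

    Not a parser: only the fields the caching rule needs. nextUpdate is OPTIONAL
    in the ASN.1, so it may be None here.
    """
    serial: int
    this_update: datetime
    next_update: Optional[datetime] = None


def _require_aware(ts: datetime, name: str) -> None:
    # Naive datetimes compare silently wrong across time zones; refuse them.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")


def single_expiry(sr: SingleResponse) -> datetime:
    """Expiry of one SingleResponse: nextUpdate or thisUpdate + 24 h, whichever comes first.

    A missing nextUpdate falls back to thisUpdate + 24 h (the proposed clause text).
    """
    _require_aware(sr.this_update, "thisUpdate")
    cap = sr.this_update + MAX_CACHE
    if sr.next_update is None:
        return cap
    _require_aware(sr.next_update, "nextUpdate")
    return min(sr.next_update, cap)


def response_expiry(single_responses: Sequence[SingleResponse]) -> datetime:
    """Expiry of the whole OCSP response: the earliest expiry among its SingleResponses."""
    if not single_responses:
        raise ValueError("an OCSP response must carry at least one SingleResponse")
    return min(single_expiry(sr) for sr in single_responses)


def is_cached_response_usable(single_responses: Sequence[SingleResponse], now: datetime) -> bool:
    """True if a cached response may still be used at `now` without refetching.

    Also rejects a response whose thisUpdate lies in the future beyond the skew
    tolerance; RFC 6960, 4.2.2.1 requires the client to check the time fields
    against the current time.
    """
    _require_aware(now, "now")
    for sr in single_responses:
        if sr.this_update > now + CLOCK_SKEW:
            return False
    return now < response_expiry(single_responses)


def validity_warnings(single_responses: Sequence[SingleResponse]) -> List[str]:
    """Non-fatal observations a validator should log about the response's time fields."""
    warnings: List[str] = []
    for sr in single_responses:
        if sr.next_update is None:
            warnings.append(f"serial {sr.serial:#x}: no nextUpdate; applying thisUpdate + 24 h cap")
            continue
        if sr.next_update < sr.this_update:
            warnings.append(f"serial {sr.serial:#x}: nextUpdate precedes thisUpdate (malformed)")
        elif sr.next_update - sr.this_update > RECOMMENDED_MAX_VALIDITY:
            warnings.append(f"serial {sr.serial:#x}: nextUpdate - thisUpdate exceeds the recommended 6 h")
    return warnings


# Constructed sample data (not a captured response): three SingleResponses
# produced at the same thisUpdate, with 4 h, absent, and 48 h nextUpdate values.
T0 = datetime(2025, 6, 16, 8, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = [
    SingleResponse(serial=0x1001, this_update=T0, next_update=T0 + timedelta(hours=4)),
    SingleResponse(serial=0x1002, this_update=T0),
    SingleResponse(serial=0x1003, this_update=T0, next_update=T0 + timedelta(hours=48)),
]

if __name__ == "__main__":
    print("response expires at", response_expiry(SAMPLE_RESPONSE).isoformat())
    for w in validity_warnings(SAMPLE_RESPONSE):
        print("warning:", w)
    for probe in (T0 + timedelta(hours=3), T0 + timedelta(hours=5)):
        print(probe.time(), "usable:", is_cached_response_usable(SAMPLE_RESPONSE, probe))
```

With the sample data the whole response expires at T0 + 4 h: the 48-hour nextUpdate is capped to 24 h, the SingleResponse without nextUpdate gets the 24 h fallback, and the earliest of the three governs, which is the "whichever comes first" reading the 07 Feb 25 entry asks for.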