Hi all
According to RFC 6960, the following date fields in an OCSP response are defined as:
| Field | Definition |
|---|---|
| thisUpdate | The most recent time at which the status being indicated is known by the responder to have been correct. |
| producedAt | The time at which the OCSP responder signed this response. |
When validating a signer against an OCSP response, Acrobat seems to consider the thisUpdate field as the date the OCSP response was signed. For example:
An OCSP with the following fields:
thisUpdate: Fri Apr 29 07:29:58 EDT 2016
nextUpdate: Fri Apr 29 10:40:38 EDT 2016
producedAt: Fri Apr 29 10:35:38 EDT 2016
will yield the following result in Acrobat:
The OCSP Response was signed by "OCSP Authority" on 2016/04/29 07:29:58 -04'00' (<--- thisUpdate) and is valid until 2016/04/29 10:40:38 -04'00'.
Aside from showing erroneous information, this becomes a real problem when the OCSP Responder is using validation information which is older than the responder certificate (thisUpdate < responder certificate notBefore). In that scenario, validation fails with a "not yet valid" exception, since thisUpdate is used as the signature date, which is before the certificate existed.
Any info on this? Am I wrong with my assumptions?
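The following is an added example (not code from the post or from Acrobat) that reproduces the two interpretations described above with the timestamps quoted in the post: the responder certificate validity period and the check time are constructed, chosen so that the responder certificate was issued between thisUpdate and producedAt.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4))  # the -04'00' offset shown in the post

@dataclass(frozen=True)
class OcspTimes:
    this_update: datetime  # RFC 6960: status known to be correct as of this time
    next_update: datetime  # RFC 6960: newer status information expected after this time
    produced_at: datetime  # RFC 6960: time the responder signed the response

@dataclass(frozen=True)
class CertValidity:
    not_before: datetime
    not_after: datetime

def validate(times, responder_cert, now, signing_field="produced_at"):
    """Check an OCSP response against the responder certificate's validity period.
    signing_field selects which field is treated as the signing time: 'produced_at'
    (RFC 6960) or 'this_update' (the interpretation described above). Returns (ok, reason)."""
    signing_time = getattr(times, signing_field)
    if signing_time < responder_cert.not_before:
        return False, f"{signing_field} predates responder certificate notBefore (not yet valid)"
    if signing_time > responder_cert.not_after:
        return False, f"{signing_field} is after responder certificate notAfter (expired)"
    # Freshness of the status itself is judged by thisUpdate/nextUpdate, independent of signing time.
    if not (times.this_update <= now < times.next_update):
        return False, "status is outside the thisUpdate/nextUpdate window"
    return True, "ok"

# Timestamps quoted in the post.
SAMPLE_TIMES = OcspTimes(
    this_update=datetime(2016, 4, 29, 7, 29, 58, tzinfo=EDT),
    next_update=datetime(2016, 4, 29, 10, 40, 38, tzinfo=EDT),
    produced_at=datetime(2016, 4, 29, 10, 35, 38, tzinfo=EDT),
)
# Constructed: a responder certificate issued after thisUpdate but before producedAt,
# i.e. the situation the post describes (thisUpdate < responder certificate notBefore).
RESPONDER_CERT = CertValidity(
    not_before=datetime(2016, 4, 29, 9, 0, 0, tzinfo=EDT),
    not_after=datetime(2017, 4, 29, 9, 0, 0, tzinfo=EDT),
)
NOW = datetime(2016, 4, 29, 10, 36, 0, tzinfo=EDT)  # constructed check time

if __name__ == "__main__":
    for field in ("produced_at", "this_update"):
        print(field, validate(SAMPLE_TIMES, RESPONDER_CERT, NOW, field))
```

With producedAt as the signing time the response validates; with thisUpdate it is rejected as not yet valid, which is the behaviour the post reports.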