OCSP concept question
Hi,
Hopefully somebody can help me with the following questions and remarks:
I send a signed message to person A, person A checks the status of my certificate at time T by an OCSP request, and the status of my certificate is 'good' according to the OCSP response. At time T+1 my certificate is revoked. Person A checks my message again at time T+2.
Question: what does the OCSP responder give back as status at T+2 ?
* If the OCSP responder gives back 'revoked' at time T+2, then that is correct at that moment in time, but it is wrong when you look at the time (T) when the message was signed, because the message was signed when the certificate status was still good.
* If the OCSP responder gives back 'good': this indicates that OCSP has a 'history' function. As far as I can read this is not the case in the OCSP RFC.
If person A checks the message against a CRL it would indicate at time T+2 that the certificate was good at the moment of signing; this is because a CRL contains the time and date when a certificate was revoked, but an OCSP response does not contain that information.
According to this 'analysis' I get different answers concerning the status of a certificate when I consult a CRL or OCSP?
Why doesn't an OCSP response contain date and time when a certificate was revoked?
And why doesn't an OCSP response contain a signed time? How can I check that the time the OCSP responder gives back is correct?
Best regards,
Haaino
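The scenario above (signature at T, revocation at T+1, re-check at T+2), worked through as a small model. This is an example added by the editor, not code from the original post, and it does not talk to a real responder or parse real CRLs or OCSP messages. It compares three sources of revocation information: a CRL whose entries carry a revocationDate, a bare status snapshot that says only 'good' or 'revoked' as of the time it was produced, and a snapshot that also carries the revocation time (the form RFC 2560's RevokedInfo gives a 'revoked' answer, via its revocationTime field). The freshness check models the usual comparison of the response's signed production time (producedAt in RFC 2560) against the local clock; its tolerances, and all times, serials and records, are constructed for illustration.

```python
"""Point-in-time revocation status for a signed message (constructed model)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc
T = datetime(2024, 1, 10, 12, 0, tzinfo=UTC)   # signing time (constructed)
T1 = T + timedelta(days=1)                      # revocation time (constructed)
T2 = T + timedelta(days=2)                      # time of the second check
SERIAL = 0x1234                                 # hypothetical serial number


@dataclass
class CrlEntry:
    serial: int
    revocation_date: datetime                   # CRL entries carry this


@dataclass
class Crl:
    this_update: datetime                       # instant the CRL speaks for
    entries: List[CrlEntry] = field(default_factory=list)


@dataclass
class StatusSnapshot:
    produced_at: datetime                       # signed time of the answer
    status: str                                 # "good"/"revoked" as of produced_at
    revocation_time: Optional[datetime] = None  # present only in the dated variant


def status_from_crl(crl: Crl, serial: int, at: datetime) -> str:
    """Status of `serial` at instant `at`, as far as the CRL can tell.

    A CRL issued at this_update cannot speak for later instants ("unknown").
    Otherwise the certificate is "revoked" at `at` only if its revocationDate
    is not later than `at`.  Reinstatement after certificateHold is ignored.
    """
    if at > crl.this_update:
        return "unknown"
    for entry in crl.entries:
        if entry.serial == serial:
            return "revoked" if entry.revocation_date <= at else "good"
    return "good"


def status_from_snapshot(snap: StatusSnapshot, at: datetime) -> str:
    """Status at instant `at` derived from a status snapshot.

    "good" as of produced_at implies good at every earlier instant (again
    ignoring reinstatement).  A "revoked" answer can be mapped back to an
    earlier `at` only when the snapshot carries a revocation time; without it
    the status at `at` is "undetermined".
    """
    if at > snap.produced_at:
        return "unknown"
    if snap.status == "good" or at == snap.produced_at:
        return snap.status
    if snap.revocation_time is None:
        return "undetermined"
    return "revoked" if snap.revocation_time <= at else "good"


def snapshot_is_fresh(snap: StatusSnapshot, now: datetime,
                      max_age: timedelta = timedelta(days=1),
                      max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Compare the responder's signed production time with the local clock:
    reject answers produced too long ago (replayed old "good") or in the
    future (clock trouble).  Both tolerances are assumed values."""
    return (now - max_age) <= snap.produced_at <= (now + max_skew)


def run_scenario() -> dict:
    """Evaluate the signature made at T from the viewpoint of time T2."""
    crl_at_t2 = Crl(this_update=T2, entries=[CrlEntry(SERIAL, T1)])
    bare_snapshot = StatusSnapshot(produced_at=T2, status="revoked")
    dated_snapshot = StatusSnapshot(produced_at=T2, status="revoked",
                                    revocation_time=T1)
    return {
        "crl_now": status_from_crl(crl_at_t2, SERIAL, T2),
        "crl_at_signing": status_from_crl(crl_at_t2, SERIAL, T),
        "snapshot_now": status_from_snapshot(bare_snapshot, T2),
        "snapshot_at_signing": status_from_snapshot(bare_snapshot, T),
        "dated_snapshot_at_signing": status_from_snapshot(dated_snapshot, T),
        # freshness: a response signed 1h ago passes, one signed 2 days ago fails
        "fresh_1h_later": snapshot_is_fresh(
            StatusSnapshot(produced_at=T2, status="good"), T2 + timedelta(hours=1)),
        "fresh_2d_later": snapshot_is_fresh(
            StatusSnapshot(produced_at=T, status="good"), T2),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:28s} {value}")
```

The two results to compare are `crl_at_signing` and `snapshot_at_signing`: the CRL's revocationDate lets the relying party conclude the certificate was good at T, while a bare 'revoked' answer produced at T+2 cannot be mapped back to T at all, which is the discrepancy the post describes. Only the dated snapshot closes the gap. The freshness check answers the last question in a limited way: it does not prove the responder's clock is right, it only bounds how far the signed time may differ from the relying party's own clock.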