From 7f35431eb735a0fff5fac6c28d46e59b6cdad030 Mon Sep 17 00:00:00 2001
From: famfo <famfo@famfo.xyz>
Date: Wed, 6 Aug 2025 21:59:31 +0200
Subject: [PATCH 1/2] s2s/keys: clarify minimum_valid_until_ts query

Signed-off-by: famfo <famfo@famfo.xyz>
---
 data/api/server-server/keys_query.yaml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/data/api/server-server/keys_query.yaml b/data/api/server-server/keys_query.yaml
index 791deb0a..bc5df207 100644
--- a/data/api/server-server/keys_query.yaml
+++ b/data/api/server-server/keys_query.yaml
@@ -34,10 +34,10 @@ paths:
         - in: query
           name: minimum_valid_until_ts
           description: |-
-            A millisecond POSIX timestamp in milliseconds indicating when the returned
-            certificates will need to be valid until to be useful to the requesting server.
+            A millisecond POSIX timestamp. The returned keys SHOULD be valid
+            until at least this timestamp.
 
-            If not supplied, the current time as determined by the notary server is used.
+            If not supplied, the notary server SHOULD use the current time.
           required: false
           example: 1234567890
           schema:
@@ -98,12 +98,11 @@ paths:
                           type: integer
                           format: int64
                           description: |-
-                            A millisecond POSIX timestamp in milliseconds indicating when
-                            the returned certificates will need to be valid until to be
-                            useful to the requesting server.
+                            A millisecond POSIX timestamp. The returned keys
+                            SHOULD be valid until at least this timestamp.
 
-                            If not supplied, the current time as determined by the notary
-                            server is used.
+                            If not supplied, the notary server SHOULD use the
+                            current time.
                           example: 1234567890
               required:
                 - server_keys

From 0a764821189b72c16f4d22b505407352363e5843 Mon Sep 17 00:00:00 2001
From: famfo <famfo@famfo.xyz>
Date: Wed, 6 Aug 2025 22:10:18 +0200
Subject: [PATCH 2/2] changelogs/s2s: add minimum_valid_until_ts clarification

---
 changelogs/server_server/newsfragments/2191.clarification | 1 +
 data/api/server-server/keys_query.yaml                    | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/server_server/newsfragments/2191.clarification

diff --git a/changelogs/server_server/newsfragments/2191.clarification b/changelogs/server_server/newsfragments/2191.clarification
new file mode 100644
index 00000000..3247bbf5
--- /dev/null
+++ b/changelogs/server_server/newsfragments/2191.clarification
@@ -0,0 +1 @@
+Clarify what the `minimum_valid_until_ts` field means when it is set in key queries.
diff --git a/data/api/server-server/keys_query.yaml b/data/api/server-server/keys_query.yaml
index bc5df207..02d31568 100644
--- a/data/api/server-server/keys_query.yaml
+++ b/data/api/server-server/keys_query.yaml
@@ -37,7 +37,7 @@ paths:
             A millisecond POSIX timestamp. The returned keys SHOULD be valid
             until at least this timestamp.
 
-            If not supplied, the notary server SHOULD use the current time.
+            If not supplied, the notary server MUST use the current time.
           required: false
           example: 1234567890
           schema:
@@ -101,7 +101,7 @@ paths:
                             A millisecond POSIX timestamp. The returned keys
                             SHOULD be valid until at least this timestamp.
 
-                            If not supplied, the notary server SHOULD use the
+                            If not supplied, the notary server MUST use the
                             current time.
                           example: 1234567890
               required: