RFC2560 vs RFC5019
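I have read some documentation about RFC2560 and RFC5019. I realize that both of them are for OCSP to check the validity of certificates, but I can't find any difference between them.
RFC6960 (which replaces RFC2560) is a general standard for OCSP protocol implementation. RFC5019 was developed by Microsoft to help large environments that need to reduce network overload, while keeping it still reliable, by adding restrictions/constraints. RFC5019 is still based on RFC2560/6960, just with restrictions. Quote from RFC5019: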
As the use of PKI continues to grow and move into diverse
environments, so does the need for a scalable and cost-effective
certificate status mechanism. Although OCSP as currently defined and
deployed meets the need of small to medium-sized PKIs that operate on
powerful systems on wired networks, there is a limit as to how these
OCSP deployments scale from both an efficiency and cost perspective.
Mobile environments, where network bandwidth may be at a premium and
client-side devices are constrained from a processing point of view,
require the careful use of OCSP to minimize bandwidth usage and
client-side processing complexity.
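That is: RFC6960 is better suited to "high-cost, low-volume" environments, while RFC5019 (and the Microsoft implementation) supports only "low-cost, high-volume" environments.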