I read some documents about RFC2560 and RFC5019. I realized that both of them are for OCSP to check validity of a certificate, but I could not find any differences between them.
I don't understand your question. Can you provide more information? – فربد ضروري Nov 25 '17 at 10:35
1 Answer
RFC6960 (which replaces RFC2560) is a general standard for OCSP protocol implementation. RFC5019 is developed by Microsoft to facilitate large environment needs to reduce network overload by adding restrictions/constraints while keeping it still reliable. RFC5019 is still based on RFC2560/6960, just with restrictions. A quote from RFC5019:
As the use of PKI continues to grow and move into diverse environments, so does the need for a scalable and cost-effective certificate status mechanism. Although OCSP as currently defined and deployed meets the need of small to medium-sized PKIs that operate on powerful systems on wired networks, there is a limit as to how these OCSP deployments scale from both an efficiency and cost perspective. Mobile environments, where network bandwidth may be at a premium and client-side devices are constrained from a processing point of view, require the careful use of OCSP to minimize bandwidth usage and client-side processing complexity.
That is: RFC6960 is more appropriate for "high cost, low volume" environments and RFC5019 (and Microsoft implementation) supports only "low cost, high volume" environments.
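To make the "restrictions" concrete, here is an added example (not part of the answer above) that DER-encodes an OCSPRequest in the RFC5019 lightweight shape (one CertID, SHA-1 issuer hashes, no extensions) beside the general RFC6960 shape with a nonce extension, and applies the RFC5019 rules for the cache-friendly HTTP GET form. The issuer hashes, serial number and responder URL are constructed sample values.

```python
"""Build an OCSP request two ways: RFC 5019 lightweight profile (one CertID,
SHA-1 hashes, no extensions) versus RFC 6960 general form with a nonce.
Pure-Python DER encoding; no third-party packages needed."""
import base64
import hashlib
import os
import urllib.parse

SHA1_ALGID = bytes.fromhex("300906052b0e03021a0500")        # AlgorithmIdentifier {sha1, NULL}
OID_OCSP_NONCE = bytes.fromhex("06092b0601050507300102")    # id-pkix-ocsp-nonce 1.3.6.1.5.5.7.48.1.2


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value: int) -> bytes:
    """Minimal two's-complement INTEGER for a non-negative serial number."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def cert_id(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }."""
    return der(0x30, SHA1_ALGID + der(0x04, issuer_name_hash) + der(0x04, issuer_key_hash) + der_int(serial))


def build_ocsp_request(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int, nonce: bytes = None) -> bytes:
    """nonce=None gives the RFC 5019 profile; a nonce adds the RFC 6960 requestExtensions."""
    request = der(0x30, cert_id(issuer_name_hash, issuer_key_hash, serial))  # Request { reqCert CertID }
    tbs = der(0x30, request)                                                 # requestList: exactly one Request
    if nonce is not None:
        ext = der(0x30, OID_OCSP_NONCE + der(0x04, der(0x04, nonce)))          # Extension, critical FALSE (omitted)
        tbs += der(0xA2, der(0x30, ext))                                       # requestExtensions [2] EXPLICIT
    return der(0x30, der(0x30, tbs))                                         # OCSPRequest { tbsRequest } (unsigned)


def ocsp_get_url(responder_url: str, request_der: bytes) -> str:
    """RFC 6960 A.1 / RFC 5019 s5 GET form: {url}/{url-encoded base64 of the DER request}."""
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(base64.b64encode(request_der).decode(), safe="")


def http_method(request_der: bytes) -> str:
    """RFC 5019 s5: GET (cacheable by proxies/CDNs) when the base64 request is at most 255 bytes."""
    return "GET" if len(base64.b64encode(request_der)) <= 255 else "POST"


if __name__ == "__main__":
    # Constructed sample hashes; a real client hashes the issuer's DER Name and public key bits.
    name_hash = hashlib.sha1(b"constructed issuer Name DER").digest()
    key_hash = hashlib.sha1(b"constructed issuer SubjectPublicKey").digest()
    lite = build_ocsp_request(name_hash, key_hash, 0x0102030405)
    full = build_ocsp_request(name_hash, key_hash, 0x0102030405, nonce=os.urandom(16))
    print(len(lite), http_method(lite), ocsp_get_url("http://ocsp.example/", lite))
    print(len(full), http_method(full))
```

The lightweight request is deterministic for a given certificate, which is what lets RFC5019 responders pre-compute responses and HTTP caches serve them; the nonce version is unique per request and defeats that caching.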