On 1/12/23 04:47, Hans Leidekker (@hans) wrote:
> I'd rather figure out why the response isn't read from wininet cache first. Optimizing corner cases like outdated links or servers specifying no-cache may be a good reason to do this, if there's evidence that Windows does it.
I looked into the case which inspired this a bit more, and wininet caches are actually working when the http request is successful. Yet I think there are things to mention:
1. The cache max age (as returned by the globalsign.com Web server) is 3600 sec, while the OCSP (and CRL) validity period reported inside the response is a few days.
2. The whole OCSP check process, even with caches used, takes a good 100-150 ms.
Do you know any specific reasons to prefer Web response caching and avoid revocation-specific caching? Those things look functionally unrelated to me in the first place: http response validity time can be wrong both ways, so isn't it just correct to rely on the protocol-specific validity indication, and also use the already existing revocation check caching to avoid all that entirely: extra requests each hour instead of once every few days, shorten that 100 ms when the response is cached, cover the corner cases like a wrong OCSP url?
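To make the "wrong both ways" point concrete, here is a small added example of my own (not Wine or wininet code, and not what crypt32 does today). It computes the HTTP freshness lifetime from Cache-Control/Expires the way RFC 7234 describes, the OCSP validity window from thisUpdate/nextUpdate the way RFC 6960 describes, and compares the two. The header values, timestamps and the 4-day window are constructed to mirror the globalsign-like case above (max-age=3600 against a nextUpdate days out); they are not captured responses.

```python
"""Compare HTTP cache lifetime with OCSP protocol validity for one response.

Added example, not wininet/crypt32 code.  All sample values below are
constructed for illustration, not taken from real traffic.
"""
import math
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


def parse_cache_control(value: str) -> dict:
    """Split a Cache-Control header into {directive: argument or None}."""
    out = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return out


def http_cache_until(headers: dict, now: datetime) -> Optional[datetime]:
    """Freshness per RFC 7234 4.2.1: no-store/no-cache -> not cacheable,
    else max-age, else Expires - Date.  Case-sensitive header names are
    assumed for simplicity."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return None
    if cc.get("max-age") is not None:
        try:
            return now + timedelta(seconds=int(cc["max-age"]))
        except ValueError:
            return None
    if "Expires" in headers:
        try:
            expires = parsedate_to_datetime(headers["Expires"])
            date = parsedate_to_datetime(headers["Date"]) if "Date" in headers else now
        except (TypeError, ValueError):
            return None
        return now + (expires - date)
    return None


def ocsp_cache_until(this_update: datetime, next_update: Optional[datetime],
                     now: datetime, skew: timedelta = timedelta(minutes=5)) -> Optional[datetime]:
    """Validity per RFC 6960 4.2.2.1: thisUpdate must not lie in the future
    (beyond clock skew); a missing nextUpdate means newer revocation data may
    appear at any time, so nothing is cached; past nextUpdate it is stale."""
    if this_update > now + skew:
        return None
    if next_update is None or next_update <= now:
        return None
    return next_update


def compare(headers: dict, this_update: datetime, next_update: Optional[datetime],
            now: datetime) -> str:
    """Classify how the HTTP lifetime relates to the OCSP validity window."""
    ocsp_until = ocsp_cache_until(this_update, next_update, now)
    http_until = http_cache_until(headers, now)
    if ocsp_until is None:
        return "do-not-cache"        # protocol says stale/unbounded; HTTP lifetime is irrelevant
    if http_until is None:
        return "http-uncacheable"    # HTTP refetches every time although the response is still valid
    if http_until < ocsp_until:
        return "http-too-short"      # hourly refetch of a response good for days
    if http_until > ocsp_until:
        return "http-too-long"       # HTTP would serve a stale OCSP response
    return "agree"


def requests_over(window: timedelta, cache_until: Optional[datetime], now: datetime) -> Optional[int]:
    """Number of network fetches over `window` when each response is reused
    until cache_until; None means every check goes to the network."""
    if cache_until is None or cache_until <= now:
        return None
    return math.ceil(window / (cache_until - now))


# Constructed sample: responder sends max-age=3600, OCSP validity of ~4 days.
NOW = datetime(2023, 1, 12, 12, 0, tzinfo=timezone.utc)
HEADERS = {"Date": "Thu, 12 Jan 2023 12:00:00 GMT", "Cache-Control": "max-age=3600"}
THIS_UPDATE = NOW - timedelta(hours=1)
NEXT_UPDATE = NOW + timedelta(days=4)

if __name__ == "__main__":
    window = timedelta(days=4)
    print("verdict:", compare(HEADERS, THIS_UPDATE, NEXT_UPDATE, NOW))
    print("fetches with HTTP caching:", requests_over(window, http_cache_until(HEADERS, NOW), NOW))
    print("fetches with OCSP caching:", requests_over(window, ocsp_cache_until(THIS_UPDATE, NEXT_UPDATE, NOW), NOW))
```

For the sample above the HTTP policy costs 96 fetches over the 4-day validity window against 1 for the protocol-based policy; swapping in `Cache-Control: no-cache` or a max-age longer than nextUpdate shows the other two failure modes the post mentions (no caching at all, or serving a response past its nextUpdate).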