So last week we moved our revocation repositories behind a CDN. This has a number of great benefits, but it does have some downsides, for example:
- Cache misses result in a slower response – about 110ms in my tests.
- OCSP clients that send POSTs get a slower response – this is because the CDN treats every POST like a cache miss.
Our CDN provider mitigates much of the first issue by having a pre-loader that ensures its cache is pre-populated based on request history.
Addressing the second issue requires the CDN provider to be aware of OCSP protocol semantics, specifically the fact that one can compute what the equivalent GET request would look like by simply Base64 encoding the binary body of the POST variant.
A CDN with knowledge of this can optimize away the POST-derived cache miss. Our CDN has done this; the change has not yet propagated to all of their datacenters, but where it has, POST performs the same as GET.
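To make the POST-to-GET mapping concrete, here is an added example (mine, not our CDN's code or anything the provider has published) of the normalization an edge cache could apply before looking up its cache. It follows the GET form from RFC 6960 Appendix A (the URL-safe percent-encoding of the Base64 encoding of the DER OCSPRequest), folds GET paths that clients percent-encode differently onto the same key, and refuses to cache any request carrying the id-pkix-ocsp-nonce extension. The responder is assumed to live at the root of the host, and the request bytes used below are constructed placeholders, not a real OCSPRequest:

```python
import base64
import urllib.parse

# DER encoding of the OID id-pkix-ocsp-nonce (1.3.6.1.5.5.7.48.1.2), RFC 6960 4.4.1.
# A request that carries this extension expects a fresh, nonce-bound response,
# so it must never be satisfied from a cache.
OCSP_NONCE_OID_DER = bytes.fromhex("06092b06010505073001" + "02")


def ocsp_get_path(der_request: bytes) -> str:
    """Return the GET path equivalent to POSTing der_request (RFC 6960 App. A).

    Assumes the responder is mounted at '/'. Every non-URL-safe Base64
    character ('/', '+', '=') is percent-encoded so the result is canonical.
    """
    b64 = base64.b64encode(der_request).decode("ascii")
    return "/" + urllib.parse.quote(b64, safe="")


def has_nonce(der_request: bytes) -> bool:
    """Cheap nonce detector: look for the nonce OID's DER bytes in the request.

    A byte-level substring match is deliberately conservative: a false positive
    (the same bytes appearing inside, say, a serial number) only costs a cache
    bypass, never a stale nonced response.
    """
    return OCSP_NONCE_OID_DER in der_request


def cache_key(method: str, path: str, body: bytes):
    """Map an incoming OCSP request to a cache key, or None to bypass the cache.

    GET paths are decoded and re-encoded so that '/MAMC/AQU=' and
    '/MAMC%2FAQU%3D' (different client encodings of one request) share a key.
    POST bodies without a nonce are rewritten to the GET form so they hit the
    same cache entry a GET for that request would.
    """
    if method == "GET":
        raw = urllib.parse.unquote(path).lstrip("/")
        return "/" + urllib.parse.quote(raw, safe="")
    if method == "POST":
        if has_nonce(body):
            return None  # forward to origin; response is bound to the nonce
        return ocsp_get_path(body)
    return None  # other methods are not OCSP and should not be cached


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER OCSPRequest.
    sample = b"\x30\x03\x02\x01\x05"
    print(cache_key("POST", "/", sample))             # /MAMCAQU%3D
    print(cache_key("GET", "/MAMCAQU=", b""))         # /MAMCAQU%3D
    print(cache_key("POST", "/", sample + OCSP_NONCE_OID_DER))  # None
```

With this in place a POST and a GET for the same certificate status resolve to one cache entry, which is exactly why the POST-based clients see GET-equivalent response times once the logic is deployed at an edge node. Nonced requests still go to the origin on every call, as they must.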
Hopefully this optimization will have propagated to all their datacenters by next week. Once this logic is fully deployed, the clients that generate POST-based OCSP requests (without a nonce) will also see ~100ms response times.
I should probably add that in our case almost all of the POST-based OCSP requests we receive come from Firefox and do not contain a nonce; hopefully Firefox will soon move to using GET for requests without a nonce, like other clients do.