When distributing a CRL over HTTP, what is the optimal cache and max age settings (etc) for this distribution mechanism?
Related information on a different answer
Consider using HTTP instead of LDAP- Although AD DS enables publication of CRLs to all domain controllers in the forest, implement HTTP instead of LDAP for revocation information publication. Only HTTP enables the use of the ETag and Cache-Control: Max-age headers providing better support for proxies and more timely revocation information. In addition, HTTP provides better heterogeneous support as HTTP is supported by most Linux, UNIX, and network device clients.
Another reason to not use LDAP is because the revocation window to be smaller. When using AD LDAP to replicate CA information, the revocation window couldn't be less than the time for all sites in AD to get the CA update. Oftentimes this replication could take up to 8 hours... that is 8 hours until a smartcard user's access is revoked. 'Todo: the new recommended CRL refresh time is: ?????`
...
OCSP Cache duration
All OCSP actions occur over the HTTP protocol and therefore are subject to typical HTTP proxy cache rules.
Specifically the Max-age header defines the maximum time that a proxy server or client will cache a CRL or OCSP response before using a conditional GET to determine whether the object has changed. Use this information to configure the web server to set the appropriate headers. Look elsewhere on this page for AD-IIS specific commands for this.