QuicConnection: Validate certificates asynchronously.

[rzikm]

microsoft/msquic#3318 introduced new API for validating peer certificates asynchronously:

• Value of QUIC_STATUS_PENDING is returned when handling PEER_CERTIFICATE_RECEIVED event
• Later, use ConnectionCertificateValidationComplete to set the result.

We would have to dispatch a Task to threadpool to do the actual validation, so this may slow down the handshake a bit (affecting time to first byte in HTTP/3), but might improve overall effectiveness as we don't block MsQuic threads while we download CRL or intermediate certificates for the actual chain building.

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

microsoft/msquic#3318 introduced new API for validating peer certificates asynchronously:

• Value of QUIC_STATUS_PENDING is returned when handling PEER_CERTIFICATE_RECEIVED event
• Later, use ConnectionCertificateValidationComplete to set the result.

We would have to dispatch a Task to threadpool to do the actual validation, so this may slow down the handshake a bit (affecting time to first byte in HTTP/3), but might improve overall effectiveness as we don't block MsQuic threads while we download CRL or intermediate certificates for the actual chain building.

Author:	rzikm
Assignees:	-
Labels:	area-System.Net.Quic
Milestone:	-

[wfurt]

related to #79441. It may be beneficial if validation needs to do any IO.

[rzikm]

This issue is only about an internal implementation detail, it does not touch public API and seems orthogonal to the issue you mentioned.

However, one thing that would be interesting to add is X509Chain.BuildAsync (here we actually do the sync-over-async of downloading the certs). But I am not sure if the API proposal would pass since AFAIK we can do it truly async only on Linux.