Some X509 certificate authorities (see T3907), mostly CAcert, provide their CRLs so slowly that to the user it looks like GpgOL is broken.
E.g. a first verification of an S/MIME mail can take up to 30 minutes by default. During the verification GpgOL does not show the contents of the mail. So it can take up to 30 minutes for a user until she can read a signed S/MIME mail. This amounts to a denial of service.
An idea could be to blacklist CAs that are so slow with their CRLs. My idea would be to skip the verification if it takes more than 5 seconds. Keep it running in the background but do just another verify in offline mode. The second verify would only be used as an integrity check. So for that second verify do not treat the result as a valid signature (no green bar, no trusted sender address) and show in the details "is not valid because the CRL was not known". The next time the mail is viewed it will hopefully have the CRL cached and then it will be quick.
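
A sketch of the fallback proposed above, as an added example (not GpgOL code): `SlowCA`, `Verdict` and `verify_for_display` are hypothetical names, and the slow CRL download is simulated with a sleep. The point it shows is that the timed-out path still reports integrity but never grants trust, while the online check keeps running to fill the cache.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError
from dataclasses import dataclass


@dataclass
class Verdict:
    integrity_ok: bool  # signature matches the mail content
    trusted: bool       # green bar / trusted sender address
    detail: str         # text shown in the signature details


class SlowCA:
    """Constructed stand-in for a CA with a slow CRL download (hypothetical)."""

    def __init__(self, fetch_seconds):
        self.fetch_seconds = fetch_seconds
        self.crl_cached = False

    def verify_online(self, mail):
        if not self.crl_cached:
            time.sleep(self.fetch_seconds)  # simulated CRL download
            self.crl_cached = True
        return Verdict(mail["sig_ok"], mail["sig_ok"], "CRL checked")

    def verify_offline(self, mail):
        # Integrity check only: revocation status is unknown, so the
        # result is never treated as a valid signature.
        return Verdict(mail["sig_ok"], False,
                       "is not valid because the CRL was not known")


_pool = ThreadPoolExecutor(max_workers=4)


def verify_for_display(ca, mail, timeout=5.0):
    """Run the online verify with a deadline; fall back to offline mode."""
    future = _pool.submit(ca.verify_online, mail)
    try:
        return future.result(timeout=timeout)
    except TimeoutError:
        # The future is not cancelled: the CRL fetch keeps running in the
        # background, so the next view of the mail finds it cached.
        return ca.verify_offline(mail)
```
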