I understand the slight delay can be frustrating, but this provides a robust industry-standard way to verify the authenticity of jars downloaded over the internet. the soft-fail mechanism is the default we use specifically because most launch cases are on networks without internet access. The "strict" mode would actually require a connection to one of the revocation endpoints (ocsp.digicert.com or cacerts.digicert.com) which is why its not the default (but can be turned on in the launchers' config JSON)
You could get with IT to allow comms to the OCSP server if its a blocker, but typically this type of thing wouldn't be a "blocker" but an annoyance and the trade-off for security here is a much higher need than the delay in launching, especially considering its a fixable problem with modern IT solutions.