Yeah, even if a time-limited OCSP validation cert is stapled to the app download (which seems like it would be easy to do on the Mac App Store at least), that doesn't seem to meet Apple's apparent desire for fast revocation based on online validation. (Or perhaps for user and app "analytics", but let's assume they are motivated by security and care about privacy.)
As a user I think I might be fine with something like cert stapling for App Store apps, and a cert blacklist for everything else.
On a possibly unrelated note, it is astonishing how long it takes Xcode to validate/install/start up the first time. I thought it was simply hung but it finished in a few hours.