That's too bad. Fast certificate revocation seems to be hard though. I don't know of a great solution for it.

I really do hate how apps hang waiting to phone home to Apple though. It compromises the user experience. (Though I'm not sure how much of that time is actually waiting for slow network services and how much of it is waiting for slow local processing.)

Given that revocation is rare, I think I might be willing to forgo online validation and just use something like a local list of revoked code signing certs that is updated at a configurable interval.
OCSP has a fundamental weakness that it can’t be allowed to fail open, because the same attacker that can MITM a certificate can simulate a network outage for the OCSP check.

Browsers have given up — reliability and performance won — and they fail open on OCSP check failures.
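An added illustration of the two points raised in this thread (not code from either commenter): a simulated OCSP check whose fail-open and fail-closed policies are made explicit, beside the locally cached revocation list refreshed at a configurable interval. The serial numbers, the responder and the "network outage" flag are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class Decision(Enum):
    TRUST = "trust"
    REJECT = "reject"


class OcspUnavailable(Exception):
    """Responder could not be reached: a real outage or a blocked path."""


# Constructed sample data: serials of code-signing certs known to be revoked.
REVOKED_SERIALS = {"0x1a2b", "0x9f00"}


def ocsp_query(serial: str, network_up: bool) -> bool:
    """Simulated OCSP responder: True if revoked, raises if unreachable."""
    if not network_up:
        raise OcspUnavailable("responder unreachable")
    return serial in REVOKED_SERIALS


def online_check(serial: str, network_up: bool, fail_open: bool) -> Decision:
    """Online check with the fail-open / fail-closed policy spelled out."""
    try:
        revoked = ocsp_query(serial, network_up)
    except OcspUnavailable:
        # Fail-open trusts anything when the responder is silent; fail-closed
        # rejects, at the cost of breaking when the network is merely flaky.
        return Decision.TRUST if fail_open else Decision.REJECT
    return Decision.REJECT if revoked else Decision.TRUST


@dataclass
class LocalRevocationList:
    """Local copy of the revocation list, refreshed at a configurable interval."""
    max_age_s: float
    serials: Set[str] = field(default_factory=set)
    fetched_at: Optional[float] = None

    def refresh(self, now: float, network_up: bool) -> bool:
        """Pull a fresh copy; returns False (keeping the old copy) if offline."""
        if not network_up:
            return False
        self.serials = set(REVOKED_SERIALS)
        self.fetched_at = now
        return True

    def check(self, serial: str, now: float) -> Decision:
        """Answer from the local copy; a never-fetched or stale list fails closed."""
        if self.fetched_at is None or now - self.fetched_at > self.max_age_s:
            return Decision.REJECT
        return Decision.REJECT if serial in self.serials else Decision.TRUST
```

The local list answers without any network round trip at check time, so a blocked responder cannot turn a revoked cert into a trusted one; the price is that a revocation is only seen after the next successful refresh.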