I don't agree with the article's statement that this is necessary.
I'm sure it serves a purpose. But it should be more transparent to the user what's going on, and it should be possible to switch it off if the user decides they don't want this.
And really, the article also mentions Apple used to do this with a local cache but stopped doing this in Catalina. The question should be asked why. A local cache arguably offers better protection as it will work even without a network connection whereas the OCSP has no alternative other than failing open or stopping the system from working.
> And really, the article also mentions Apple used to do this with a local cache but stopped doing this in Catalina
This exactly. Local cache works fine, certificate revocation is rare, and a marginal to nonexistent improvement in security is not worth the slowdown, denial of service, and privacy invasion.
Chrome uses a certificate revocation list for basically the entire internet; certainly macOS can (and indeed should) go back to using such a list for developer certificates, as they did in Mojave.
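As an added illustration of the fail-open versus fail-closed point raised above (this is example code written for this thread, not anything from the article or from Apple), the following toy policy engine compares a network-only OCSP check with a locally cached revocation list. The `OcspResponder` stub, the `NetworkUnavailable` exception, the serial numbers and the one-week cache age are all constructed for the example.

```python
"""Revocation-check policy comparison: online-only OCSP vs a local cached list.

Added example for illustration; the responder stub and all data are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


class NetworkUnavailable(Exception):
    """Constructed stand-in for 'the responder or CRL server cannot be reached'."""


@dataclass
class OcspResponder:
    """Stub OCSP responder; reachable=False simulates an outage or an offline host."""
    revoked: Set[str] = field(default_factory=set)
    reachable: bool = True

    def is_revoked(self, serial: str) -> bool:
        if not self.reachable:
            raise NetworkUnavailable("OCSP responder unreachable")
        return serial in self.revoked


@dataclass
class LocalRevocationCache:
    """Locally stored revocation list that a background job refreshes."""
    revoked: Set[str] = field(default_factory=set)
    fetched_at: float = 0.0
    max_age: float = 7 * 24 * 3600  # seconds; assumed one-week refresh window

    def is_fresh(self, now: float) -> bool:
        return now - self.fetched_at <= self.max_age


def refresh_cache(cache: LocalRevocationCache,
                  fetch_list: Callable[[], Set[str]], now: float) -> bool:
    """Try to pull a new list; on network failure keep the old one (stale beats nothing).

    Returns True when the cache was actually updated."""
    try:
        fresh = set(fetch_list())
    except NetworkUnavailable:
        return False
    cache.revoked = fresh
    cache.fetched_at = now
    return True


def check_online_only(serial: str, responder: OcspResponder,
                      fail_closed: bool) -> Decision:
    """Network-only check.

    When the responder is down there is no local knowledge to fall back on, so the
    only choices are fail open (ALLOW everything) or fail closed (DENY everything)."""
    try:
        return Decision.DENY if responder.is_revoked(serial) else Decision.ALLOW
    except NetworkUnavailable:
        return Decision.DENY if fail_closed else Decision.ALLOW


def check_with_cache(serial: str, cache: LocalRevocationCache,
                     now: float) -> Tuple[Decision, bool]:
    """Cache-based check: answers from the stored list even with no network.

    The second element flags a stale list so the caller can log or alert
    instead of silently trusting old data."""
    stale = not cache.is_fresh(now)
    decision = Decision.DENY if serial in cache.revoked else Decision.ALLOW
    return decision, stale


def scenario(now: float = 1_000_000.0) -> Dict[str, object]:
    """Run both strategies through an outage and return the observed decisions."""
    responder = OcspResponder(revoked={"SERIAL-REVOKED"}, reachable=True)
    cache = LocalRevocationCache()
    # Background refresh while the network is up: the cache learns the revocation.
    refreshed = refresh_cache(cache, lambda: responder.revoked, now)
    # Now the responder goes away (outage, offline laptop, blocked endpoint).
    responder.reachable = False
    results = {
        "cache_refreshed": refreshed,
        "online_fail_open": check_online_only("SERIAL-REVOKED", responder, False),
        "online_fail_closed": check_online_only("SERIAL-GOOD", responder, True),
        "cache_revoked": check_with_cache("SERIAL-REVOKED", cache, now)[0],
        "cache_good": check_with_cache("SERIAL-GOOD", cache, now)[0],
        # A failed refresh must not wipe the list we already have.
        "refresh_during_outage": refresh_cache(
            cache, lambda: responder.is_revoked("x") and set(), now + 60),
        "still_knows_revocation": "SERIAL-REVOKED" in cache.revoked,
    }
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The online-only path shows the dilemma the thread describes: during the outage a revoked certificate is allowed under fail-open and a perfectly good one is denied under fail-closed. The cached path keeps giving the correct answer for both serials, and `refresh_cache` preserves the existing list when the refresh itself cannot reach the network; the `stale` flag from `check_with_cache` is where an operator would hook logging or alerting.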