Re: Check This Out...
Exactly. And the sad part is that it would be very simple to cut out the privacy problems and internet requirement in one update. In fact, if Apple's listening, here's a fix on me:
1. Run up a new service which offers a database of revoked certificates. Put it at the end of an HTTPS API.
2. Write a little tool which downloads this every day.
3. On running any program, check your offline database.
That's not hard, is it? If you want to go for the ultra-sophisticated model, we can add the following extra steps:
1A. Sign the database with a private key you store.
2A. Make sure your tool has the public key corresponding to that, so you can verify your database hasn't been messed with. I mean, you're already using HTTPS for it, so it's not as hideously easy as it would be under your earlier HTTP solution, but still...
1B. Make an extra facility of the API to download incremental database updates.
2B. Update the database every hour now, using the incremental update to keep data consumption low.
I hope this solution works for you, Apple. The next time you need me to suggest something obvious, I'll charge more.
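The scheme sketched in the post above (a signed revocation database fetched over HTTPS, verified against a pinned public key, checked offline at launch, and kept current with version-chained incremental updates) worked through as an added example. This is not code from the post, from Apple, or from any real revocation service; the data format (JSON with a monotonically increasing version number), the Ed25519 signing from Go's standard library, the rule that a delta must chain exactly onto the locally held version, and the fingerprint values are all assumptions made here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// RevocationDB is the full offline snapshot the client keeps on disk.
// Version is a monotonically increasing sequence number so deltas can be chained.
// Revoked holds hex SHA-256 fingerprints of revoked signing certificates, kept sorted.
type RevocationDB struct {
	Version int      `json:"version"`
	Revoked []string `json:"revoked"`
}

// Delta is an incremental update that only applies on top of version From
// and yields version To (assumed format, not any real service's).
type Delta struct {
	From   int      `json:"from"`
	To     int      `json:"to"`
	Add    []string `json:"add"`
	Remove []string `json:"remove"`
}

// Signed wraps the exact bytes served with a detached Ed25519 signature.
type Signed struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// GenerateKeys stands in for the server's one-time key setup (step 1A).
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the server side: it holds the private key and signs everything it publishes.
func Sign(priv ed25519.PrivateKey, v interface{}) (Signed, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: b, Signature: ed25519.Sign(priv, b)}, nil
}

// verify is the client side (step 2A): refuse anything whose signature does not
// check out under the pinned public key, before even parsing it.
func verify(pub ed25519.PublicKey, s Signed, out interface{}) error {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return errors.New("signature verification failed: database may have been tampered with")
	}
	return json.Unmarshal(s.Payload, out)
}

// LoadSnapshot replaces the local database with a verified full download (step 2).
func LoadSnapshot(pub ed25519.PublicKey, s Signed) (*RevocationDB, error) {
	var db RevocationDB
	if err := verify(pub, s, &db); err != nil {
		return nil, err
	}
	sort.Strings(db.Revoked)
	return &db, nil
}

// ApplyDelta verifies an incremental update (steps 1B/2B) and applies it only if it
// chains onto the version currently held; a stale, replayed or out-of-order delta
// is refused rather than silently merged.
func ApplyDelta(pub ed25519.PublicKey, db *RevocationDB, s Signed) error {
	var d Delta
	if err := verify(pub, s, &d); err != nil {
		return err
	}
	if d.From != db.Version || d.To <= d.From {
		return fmt.Errorf("delta %d->%d does not apply to local version %d", d.From, d.To, db.Version)
	}
	set := make(map[string]bool, len(db.Revoked)+len(d.Add))
	for _, f := range db.Revoked {
		set[f] = true
	}
	for _, f := range d.Add {
		set[f] = true
	}
	for _, f := range d.Remove {
		delete(set, f)
	}
	db.Revoked = db.Revoked[:0]
	for f := range set {
		db.Revoked = append(db.Revoked, f)
	}
	sort.Strings(db.Revoked)
	db.Version = d.To
	return nil
}

// IsRevoked is the offline check made when a program launches (step 3): no network needed.
func (db *RevocationDB) IsRevoked(fingerprint string) bool {
	i := sort.SearchStrings(db.Revoked, fingerprint)
	return i < len(db.Revoked) && db.Revoked[i] == fingerprint
}

func main() {
	pub, priv, _ := GenerateKeys()
	// Constructed placeholder fingerprints; not real certificate hashes.
	snap, _ := Sign(priv, RevocationDB{Version: 1, Revoked: []string{"fp-revoked-1", "fp-revoked-2"}})
	db, _ := LoadSnapshot(pub, snap)
	delta, _ := Sign(priv, Delta{From: 1, To: 2, Add: []string{"fp-revoked-3"}, Remove: []string{"fp-revoked-2"}})
	fmt.Println("delta applied:", ApplyDelta(pub, db, delta) == nil, "version:", db.Version)
	fmt.Println("fp-revoked-3 revoked:", db.IsRevoked("fp-revoked-3"), "fp-revoked-2 revoked:", db.IsRevoked("fp-revoked-2"))
}
```

Two details matter in practice: the signature is checked over the raw bytes before any parsing, so a tampered download never reaches the JSON decoder; and the delta's `From` must equal the local version, which is what turns "download deltas every hour" into a tamper-evident chain rather than an unordered pile of patches that an attacker could replay or reorder.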