macOS unable to open any non-Apple application

Sincerely and without any intention to troll or be sarcastic: I'm puzzled that people are willing buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down. Maybe I'm just getting this wrong, because I can honestly not quite wrap my head around this. This is such a big no-go, from a systems design point of view.

Even beyond unintentional glitches at Apple, just imagine what this could mean when traffic to this infra is disrupted intentionally (e.g. to any "unfavorable" country). That sounds like a really serious cyber attack vector to me. Equally dangerous if infra inside the USA gets compromised, if that is going to make Apple computers effectively inoperable. Not sure how Apple will shield itself from legal liability in such an event, if things are intentionally designed this way. I seriously doubt that a cleverly crafted TOS/EULA will do it, for the damage might easily go way beyond to just users in this case.

Again, maybe (and in fact: hopefully) I'm just getting this all wrong. If not, I might know a country or two where this could even warrant a full ban on the sale of Apple computers, if there is no local/national instance of this (apparently crucial) infrastructure operating in that country itself, merely on the argument of national security (and in this case a very valid one, for a change).

All in all, this appears to be a design fuck-up of monumental proportions. One that might very well deserve to have serious legal ramifications for Apple.

Welcome to 2020.

Because we can't have nice things, Apple has to check that apps are signed with a current certificate for safety and security reasons. OCSP tells the client if the certificate has been revoked or not.

Try opening a non-https web page; you'll get a bunch of ominous warnings from all major browsers.

Browser certificates need to be OSCP signed for the browser to trust them. You can't even get a new cert if the issuer’s OCSP server goes down, which does happen on occasion.

There are so many dependencies to ensure we're not running malware infected apps that sometimes things break.

Let’s not get carried away; every major tech company has had some version of this happen at one time or another.

FWIW, I haven't experienced any issues with my iMac running Big Sur running Apple or 3rd party apps all day.

This used to be true, but neither Chrome nor Firefox actually check CRLs or OCSP that much. They'll accept OCSP-stapling, but that's about it.

This is a very serious concern for Enterprise PKI systems: revoking certificates is now virtually impossible. CRLs and OCSP do practically nothing.

Google especially has unilaterally decided that Enterprise PKI systems don't matter. They have established a new "standard" called Certificate Transparency, which they use to make CRLSets that they publish as Chrome updates.

Which is fine I suppose for public CAs, but utterly useless on internal-use private CAs on local networks, especially those with lots of BYOD or guest/partner systems. Think universities or hospitals.

Google has become a juggernaut with more control over computing in general (not even just the Internet!) than all of the world governments put together.

They're getting truly terrifying.