Comment by antihero

Sure but how does that work? If a cert-revoked app is allowed to run, the damage is already done.

I think perhaps a better tradeoff would be if a revocation list could be synced hourly or so and the app could be checked sync locally and then asyncronously on open. And of course, always give the power user an option to ignore things.