Being able to identify the developer of any app I run on my own machine is already too far. You have to assume all these requests are logged and available for state actors on legal demand.

I wonder how big a local revocation list would be. I would support a on-by-default local check.