
Mac users can already add any certificate to the Apple keychain and authorize them for code signing. The outage today, which is what was being written about in the article, was caused by the OCSP.APPLE.COM service not responding. The OCSP service was likely being used to validate whether an Apple Developer certificate was still valid.

Operating a "trusted" Certificate Authority generally requires operating under some rules. For example, the "Certification Authority Browser Forum" requires operating CRLs (now considered bad) or a live OCSP endpoint.

Let's Encrypt does this, as does every other certificate issuer.

As is being discussed, separate OCSP is bad from a privacy standpoint - if a check of OCSP is being made, it gives telemetry on whether you are trying to validate a certificate. If you can see the traffic, it does reveal the certificate being checked.

FWIW, there is an OCSP Stapling method of attaching "recent" OCSP responses inside of TLS requests so that a TLS client doesn't have to make a separate request to an OCSP service.



Actually, Firefox is going to start sending a CRL 4x daily in lieu of OCSP.

Chrome hasn't supported OCSP since 2012, and publishes CRLSets instead.

OCSP is considered bad by at least Chrome and Firefox due to leaking side channel information in exactly the way the article describes.

https://blog.mozilla.org/security/2020/01/21/crlite-part-3-s...

https://www.imperialviolet.org/2012/02/05/crlsets.html
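Added example, not part of the thread and not Mozilla's code: a toy Bloom filter cascade in the spirit of CRLite, showing how a client can answer "is this serial revoked?" from a locally downloaded structure without any per-certificate network request (the privacy property the comment refers to). The hashing scheme, sizing and sample serials are my own constructions, not the CRLite wire format.

```python
import hashlib

def _positions(item, salt, m, k):
    """k bit positions for item; the salt differs per level so one level's
    false positives are independent of the next (constructed hashing scheme)."""
    out = []
    for i in range(k):
        h = hashlib.sha256(f"{salt}|{i}|{item}".encode()).digest()
        out.append(int.from_bytes(h[:8], "big") % m)
    return out

class Bloom:
    def __init__(self, m, k, salt):
        self.m, self.k, self.salt = m, k, salt
        self.bits = bytearray(m)

    def add(self, item):
        for p in _positions(item, self.salt, self.m, self.k):
            self.bits[p] = 1

    def __contains__(self, item):
        return all(self.bits[p] for p in _positions(item, self.salt, self.m, self.k))

def build_cascade(revoked, valid, bits_per_item=10, k=4):
    """Level 0 holds every revoked serial. Each further level holds the
    members of the *other* set that the previous level falsely matched,
    so the cascade is exact for every serial in revoked | valid."""
    levels = []
    include, exclude = set(revoked), set(valid)
    while include:
        f = Bloom(max(8, bits_per_item * len(include)), k, f"level{len(levels)}")
        for x in include:
            f.add(x)
        levels.append(f)
        # this level's false positives become the next level's content
        include, exclude = {x for x in exclude if x in f}, include
    return levels

def is_revoked(levels, serial):
    """Purely local lookup: nothing on the network learns which certificate
    is being checked. Only meaningful for serials in the build sets (CRLite
    gets the full issued set from Certificate Transparency for that reason)."""
    for depth, f in enumerate(levels):
        if serial not in f:
            return depth % 2 == 1   # even levels encode revoked, odd encode valid
    return len(levels) % 2 == 1

# Constructed sample data: a few revoked serials and many valid ones.
REVOKED = {"0a1b", "2c3d", "4e5f"}
VALID = {f"ok-{i:03d}" for i in range(200)}
CASCADE = build_cascade(REVOKED, VALID)
```

The real CRLite structure is orders of magnitude larger but is built and shipped to the browser in exactly this push-only fashion, so revocation checks never leak browsing behaviour.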


And for websites, there's a better way to do OCSP. The web server using the certificate can get an OCSP response for itself (usually once every few minutes) and attach it to all TLS handshakes for that same domain ("OCSP stapling"). That way, clients get an up-to-date OCSP response, but without having to reveal their browsing behavior to the OCSP server.

Unfortunately, there is no obvious way to carry over this behavior to application binaries, since we're not dealing with a client-server architecture here.



