There will be more than meets the eye to all this. I now suspect that on 12th Nov there will be a pair of updates which revoke Apple's certificates by accident and quickly un revoke them.
Whilst the problems in this article mention an OSCP server meltdown ...
https://tidbits.com/2020/11/13/apple-network-failure-destroys-an-afternoon-of-worldwide-mac-productivity/
... Nobody appears to be asking why all those Macs were making OCSP requests in the first place. Really Apple just said, 'Yeah we do that', people said 'What about privacy', Apple said 'We'll use encryption more' and everyone said 'OK then'.
The article does have this in it though ...
"What prevented ocsp.apple.com from responding? I doubt Apple will ever share detail"
I think at least for an app launch these OSCP requests are only supposed to happen as a fallback incase the local database has an invalid revocation in it. High Sierra doesn't do this fallback (but using an app like WhatsYourSign effectively makes that happen) but I think later versions of the OS do this automatically. I don't think it's normal for every app launch (or even a launch and then cache of the result for a bit) in a scenario where certs are thought to be good locally to even make an OCSP request at all. So why were all those Macs making so many OSP requests. It would be interesting to get ISP data to see if there was a traffic spike.
So if Apple had sent a bad update revoking their own certs by mistake then that could cause a lot of Macs to DDOS their OSCPs servers as lots of Mac users launch Apps. So the root cause of the incident in the article would be the extra traffic rather than the servers being bad or under provisioned for expected load or even additional load due to lots of new OS installs of Big Sur.
If that proves to be the case, then you might ask why could they not just make those updates into do nothing updates retrospectively. This would be due to hashing to check updates follow on correctly so changing what is supposed to be immutable data that has already been processed by some systems might cause more issues.
Perhaps people running High Sierra on Nov 12th didn't have slow app launches but did see the problem new installs see (the problem in this thread) for a few hours. An issue like that would be lost in the noise of apps not running or running slow.
I'm going to work back from v145 looking for the issuer hash for WWDRCa to see if the serial for 'Mac OS Application Signing' is in there. This is partly out of stubbornness as if the 2 incidents are related then I'll look like less of an idiot on the other forum.
So to update my theory. Rather than saying that an update was mis-interpreted and caused the Apple certs to be revoked locally by mistake when going up from v42 -> vX -> vY -> v146 all in one go due to being a fresh install, I'm saying that a vX did actually ask to revoke them but perhaps a vY asking to undo that is getting ignored. Obviously if I can't find vX and vY that match my presumptions then I'm just guessing.
Note: If you're interested at 17:45 in this video here https://developer.apple.com/videos/play/wwdc2017/701/ the update mechanism that is involved with this issue is explained at a very high level. Then have a think about what is in the CT Logs and ponder on whether Apple might have been overly trusting them allowing another CA other than themselves to revoke Apple certificates.
Note that I do appreciate that many users are not interested in a root cause analysis and just want their Macs to work.
My strategy here is that if I do actually find anything definitive, then perhaps it can start a dialogue with Apple engineering to see if a patch will be issued or not. Even if the there is no response, which is most likely, it will still be possible to get the information to the right people.
Given that some Macs can't run Mojave and people reinstall their OS for many reasons, locking the users of such macs out of the App Store won't be an experience Apple will want to be in place even if these users are using very old Macs.