Add info whether the native cert is builtin or user/admin installed #14

@est31

It would be helpful to know if a certificate has been shipped by the OS, or was installed by the user or the administrator. This unlocks two use cases:

  • ignore the certificates from the first category and use a different root store as the basis, like the ones from the webpki-roots crate.
  • impose special requirements on the OS builtin certificates. Chrome does this for example, e.g. by limiting how long a certificate can be valid. Another requirement might be a check for an SCT.

In Chromium, this check is implemented via an is_known_root field on the verification result. The value is populated from the respective OS backends.
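
A sketch of how a caller could act on such origin information, covering both use cases above. This is an added example, not part of the original issue and not an existing crate API: `RootOrigin`, `VerifiedChain`, `check_policy`, `build_store` and the limit values are all hypothetical.

```rust
// Added illustration; every name and constant here is hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
enum RootOrigin { OsBuiltin, UserInstalled, AdminInstalled }

// Facts about an already verified chain that a policy layer would need.
struct VerifiedChain {
    root_origin: RootOrigin,
    leaf_validity_days: u32, // notAfter minus notBefore of the leaf
    sct_count: usize,        // SCTs that validated for the leaf
}

#[derive(Debug, PartialEq)]
enum PolicyError { ValidityTooLong, MissingSct }

// Assumed policy values, chosen for this example only.
const MAX_VALIDITY_DAYS: u32 = 398;
const MIN_SCTS: usize = 1;

/// Plays the role the issue describes for Chromium's is_known_root.
fn is_known_root(chain: &VerifiedChain) -> bool {
    chain.root_origin == RootOrigin::OsBuiltin
}

/// Use case 2: stricter rules only for chains ending in an OS-shipped root.
/// Chains ending in user/admin-installed roots are left alone.
fn check_policy(chain: &VerifiedChain) -> Result<(), PolicyError> {
    if !is_known_root(chain) { return Ok(()); }
    if chain.leaf_validity_days > MAX_VALIDITY_DAYS { return Err(PolicyError::ValidityTooLong); }
    if chain.sct_count < MIN_SCTS { return Err(PolicyError::MissingSct); }
    Ok(())
}

/// Use case 1: drop OS-shipped roots, keep locally installed ones, and
/// append a different base set (for example the webpki-roots list).
fn build_store<'a>(native: &[(&'a str, RootOrigin)], base: &[&'a str]) -> Vec<&'a str> {
    let mut store: Vec<&str> = native.iter()
        .filter(|(_, origin)| *origin != RootOrigin::OsBuiltin)
        .map(|(name, _)| *name)
        .collect();
    store.extend_from_slice(base);
    store
}

fn main() {
    // Constructed sample data.
    let native = [("OS Root", RootOrigin::OsBuiltin), ("Corp CA", RootOrigin::AdminInstalled)];
    println!("{:?}", build_store(&native, &["Bundled Root"]));
    let chain = VerifiedChain { root_origin: RootOrigin::OsBuiltin, leaf_validity_days: 825, sct_count: 2 };
    println!("{:?}", check_policy(&chain));
}
```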
