by throwaway613834 3017 days ago
I'm confused, isn't this the normal criterion for a certificate being valid? If your certificate chain doesn't end in a locally-installed trusted CA then how is that any different from a random cert signed by a nobody off the street?

As tscs37 explained, there's a difference between the CAs that came with your OS/browser by default, and ones you have installed. Pins are usually ignored if the chain ends at the latter, because that's exactly the sort of scenario that would be used for corporate TLS MITM.
There is a difference between a local CA and a CA that is part of the root store and/or part of the system's CA bundle.
So terminating in a root CA imposes more restrictions than terminating in a non-root CA here? Something about that seems off...
Not root CA. Root store.

A root CA that has been installed by the computer administrator is assumed to be more trustworthy than the ones installed by your OS.