by kodablah 2657 days ago
I think the next logical step is to give those of us who care on the desktop more info about what certs/chains are being used. While FF has extension support for viewing cert info, Chrome does not yet[0]. Once there, it would be reasonable to be able to easily pull up my root CA list and see which ones are queried by my browser and how often (I'd love to trim up my list if mostly unused). Of course this does nothing for a process using its own HTTP client, hence the MITM checking.

0 - https://bugs.chromium.org/p/chromium/issues/detail?id=628819

1 comment

I'd like to associate my own protections with a given root. I'm happy for my company's root certificate to identify as *.company.com; I don't want it identifying as www.mybank.com. Have it as an option under "edit trust". Same goes for root certs -- if I choose to disallow "China Financial Certification Authority" as a normal root cert, and I go to "chinabank.com" or wherever, I should have a message pop up saying "this site isn't allowed", and allow me to tag an exception for that specific certificate to China Financial Certification Authority (although not if it's MITMed).

These settings should persist through browser upgrades too.
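
The per-root trust scoping described in the comment above, sketched as an added example that is not part of the thread and not any browser's code. The `TrustStore` class, the policy format, the subdomain semantics of `*.` and the root name "Company Internal Root" are assumptions made for illustration; certificate bytes are stand-ins.

```python
import hashlib
import json

# Constructed policy: root CA name -> DNS names it may vouch for.
# "*.example" means any subdomain (assumed semantics); [] means nothing.
# Roots not listed here stay unrestricted.
POLICY = {
    "Company Internal Root": ["company.com", "*.company.com"],
    "China Financial Certification Authority": [],
}

def name_permitted(host, pattern):
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # ".company.com" suffix, dot included
    return host == pattern

class TrustStore:
    def __init__(self, policy, exceptions=None):
        self.policy = policy
        self.exceptions = exceptions or {}  # "root|host" -> leaf SHA-256

    def tag_exception(self, root, host, leaf_der):
        # Pin the exact leaf certificate seen when the user approved the site.
        self.exceptions[f"{root}|{host.lower()}"] = hashlib.sha256(leaf_der).hexdigest()

    def evaluate(self, root, host, leaf_der):
        allowed = self.policy.get(root)
        if allowed is None or any(name_permitted(host, p) for p in allowed):
            return "allow"
        pinned = self.exceptions.get(f"{root}|{host.lower()}")
        if pinned == hashlib.sha256(leaf_der).hexdigest():
            return "allow-exception"
        return "block"  # out of scope for this root, or a different leaf (e.g. MITM)

    def dumps(self):
        # Plain JSON so the settings can outlive a browser upgrade.
        return json.dumps({"policy": self.policy, "exceptions": self.exceptions})

    @classmethod
    def loads(cls, text):
        data = json.loads(text)
        return cls(data["policy"], data["exceptions"])
```

Because the exception is keyed to the leaf certificate's hash, a different certificate for the same site under the same distrusted root is blocked again rather than silently accepted.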