author: agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-04-07 15:06:46 +0000
committer: agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-04-07 15:06:46 +0000
commit: 81502db60102ce82450113c755cba4987bd311ab (patch)
tree: d30fde473581469ea239230b1f821c6b2d9e4c78 /net/data/ssl
parent: fbb1bffa8523f50389815d80038949ce7af6c0c6 (diff)
net: add ability to distinguish user-added root CAs.

We have several places where a need to distinguish `real' root CAs from user-added root CAs will be useful:

1) Monoscope wants to inspect correctly signed, but unknown certificates, but doesn't want to deal with proxy MITM certificates.

2) HSTS is likely to add a method for pinning to a certificate, but we don't want to break every proxy MITM with it.

This change adds several lists of known, `real' roots. These lists present an ongoing maintenance issue. However, in the event that the lists are incomplete in the future, we fail open. This is because roots not in these lists are treated as user-added and user-added roots have more authority than `real' roots. In some sense, this is a problem because it might be a security issue that new roots are given too much authority. On the other hand, we're not breaking things when we're behind on updating the lists so the maintenance issue isn't too pressing.

BUG=none
TEST=none

Review URL: http://codereview.chromium.org/6793041

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@80778 0039d316-1c4b-4281-b951-d872f2087c98

Diffstat (limited to 'net/data/ssl')
-rw-r--r-- net/data/ssl/certificates/nist_intermediate.der bin 0 -> 1520 bytes
1 files changed, 0 insertions, 0 deletions
diff --git a/net/data/ssl/certificates/nist_intermediate.der b/net/data/ssl/certificates/nist_intermediate.der
new file mode 100644
index 0000000..55923a0
--- /dev/null
+++ b/net/data/ssl/certificates/nist_intermediate.der
Binary files differ
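
Review bot: nist_intermediate.der arrives as an opaque 1520-byte binary, and nothing in this part of the change records where the certificate came from, what it chains to, or which test loads it, while the commit message lists TEST=none. Suggest adding a short note alongside the file describing its origin and purpose, and naming (or adding) the test that consumes it, so the fixture can be verified now and regenerated or replaced later.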