[Dev] What root certificates to ship with Chandler?

Mitchell Kapor mitch at osafoundation.org
Tue Nov 9 14:25:32 PST 2004


From a design perspective, one option, probably the default, is to
verify the authenticity of the certificate by following the chain.
Another option we will probably want to support, as do other clients,
is to trust the server itself. This works for cases where the
certificate is self-signed. In a more just world, the fees and
conditions to get a signed certificate would be more just and
equitable, and there would be less incentive to self-sign, as OSAF has.
For the nonce, our design should support certificates signed by a CA
and those which are not.


