This debatably could have waited until the next update would have taken
place, but it's easier to see what changes if we get it out of the way
now.
MFC after: 3 days
Interested users can blacklist any/all of these with certctl(8), examples:
- mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \
certctl rehash
- certctl blacklist /usr/share/certs/trusted/*; \
certctl rehash
Certs can be easily examined after installation with `certctl list`, and
certctl blacklist will accept the hashed filename as output by list or as
seen in /etc/ssl/certs
No objection from: secteam
Relnotes: Definite maybe
