> So roots are dynamically fetched and this is the list of previously fetched roots?
Precisely. Windows comes with a small number of roots pre-installed. I can't remember which they are, I assume it's probably just Microsoft's own, one of which is presumably used to check roots fetched later. When you browse the web with a browser that uses Windows's certificate store, it'll fetch other roots as needed.
Interestingly, this might be a security benefit. If you'd never visited a site using a revoked root, you never had the root in the first place.
Precisely. Windows comes with a small number of roots pre-installed. I can't remember which they are, I assume it's probably just Microsoft's own, one of which is presumably used to check roots fetched later. When you browse the web with a browser that uses Windows's certificate store, it'll fetch other roots as needed.
Interestingly, this might be a security benefit. If you'd never visited a site using a revoked root, you never had the root in the first place.