I wish CA management was easier to bulk-edit. Show me a table of root CAs with their data, their country of origin, etc., and allow me to filter and enable/disable all based on filters.
Full disable would shut down trust entirely, and get the warnings similar to a self-issued cert.
Reduced trust would have a "not Secure" label or something, like a plain http connection.
"Country of origin" is a really interesting one for precisely the Symantec scenario.
Symantec is a US company, right? But the main _problem_ happened at a company called CrossCert, full name Korea Electronic Certification Authority. They're Korean.
So if you decided you don't trust Koreans, Symantec's root looks fine; nothing Korean about that. Except, somewhere Symantec signed a contract with CrossCert saying "OK, we'll issue any certificate you want, so long as you pay us and promise to do all these things". Oh, and then they didn't actually check that CrossCert did any of the other things (I think we can assume they checked they got paid...). You don't get to see that contract. It wasn't even prohibited by the rules Symantec had agreed to. If Symantec hadn't been caught issuing bogus certificates as a result, you wouldn't even be reading about it.
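To make the two comments above concrete, here is an added example (not code from the thread, from any browser, or from Symantec) that builds a small constructed chain with Go's crypto/x509: a root with C=US cross-signs a sub-CA with C=KR, which issues a server certificate. The names "Example US Root", "Example KR Partner CA" and "www.example.test", and the blocked-country map, are all assumptions for the demonstration. `VerifyRootsOnly` is the "disable every root matching the filter" operation the first comment proposes, applied to the root table; `VerifyWholeChain` goes one step further and applies the same filter to every issuer on the chain that was actually built.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed chain: a US-registered root cross-signs a KR-registered
// sub-CA, which issues a server certificate. All names and countries are made up.
type Scenario struct {
	Roots []*x509.Certificate
	Inter *x509.Certificate
	Leaf  *x509.Certificate
}

var nextSerial int64 = 1

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert issues a certificate for (cn, country) signed by parent; parent == nil means self-signed.
func mkCert(cn, country string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn, Country: []string{country}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	nextSerial++
	if !isCA { // end-entity: no CertSign, and a SAN so hostname verification works
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildScenario mints the three certificates. Only the US root ever appears in the root table.
func BuildScenario() Scenario {
	root, rootKey := mkCert("Example US Root", "US", true, nil, nil)
	inter, interKey := mkCert("Example KR Partner CA", "KR", true, root, rootKey)
	leaf, _ := mkCert("www.example.test", "KR", false, inter, interKey)
	return Scenario{Roots: []*x509.Certificate{root}, Inter: inter, Leaf: leaf}
}

// Country returns the first C= attribute of the subject, or "" when absent.
func Country(c *x509.Certificate) string {
	if len(c.Subject.Country) == 0 {
		return ""
	}
	return c.Subject.Country[0]
}

// filteredRoots is "disable all roots matching the filter" applied to the root table.
func filteredRoots(roots []*x509.Certificate, blocked map[string]bool) *x509.CertPool {
	pool := x509.NewCertPool() // empty pool, so system roots are never consulted
	for _, r := range roots {
		if !blocked[Country(r)] {
			pool.AddCert(r)
		}
	}
	return pool
}

func chains(s Scenario, blocked map[string]bool) ([][]*x509.Certificate, error) {
	inters := x509.NewCertPool()
	inters.AddCert(s.Inter)
	return s.Leaf.Verify(x509.VerifyOptions{
		DNSName: "www.example.test", Roots: filteredRoots(s.Roots, blocked), Intermediates: inters,
	})
}

// VerifyRootsOnly applies the country filter to the root table only.
func VerifyRootsOnly(s Scenario, blocked map[string]bool) error {
	_, err := chains(s, blocked)
	return err
}

// VerifyWholeChain also rejects any issuer on the built chain that matches the filter.
func VerifyWholeChain(s Scenario, blocked map[string]bool) error {
	found, err := chains(s, blocked)
	if err != nil {
		return err
	}
	for _, c := range found[0] {
		if blocked[Country(c)] {
			return fmt.Errorf("chain passes through blocked issuer %q (C=%s)", c.Subject.CommonName, Country(c))
		}
	}
	return nil
}

func main() {
	s := BuildScenario()
	noKR := map[string]bool{"KR": true}
	fmt.Println("roots-only filter, KR blocked:", VerifyRootsOnly(s, noKR))   // nil: accepted
	fmt.Println("whole-chain filter, KR blocked:", VerifyWholeChain(s, noKR)) // error: KR sub-CA
	fmt.Println("roots-only filter, US blocked:", VerifyRootsOnly(s, map[string]bool{"US": true}))
}
```

With "KR" blocked, the roots-only filter accepts the chain because the only thing in the root table is the US root; the whole-chain filter rejects it because the cross-signed sub-CA carries C=KR. Note the caveat the second comment is really making: in the arrangement it describes, the partner does not get its own sub-CA at all, the certificates come straight off Symantec's own CA, so nothing on the chain carries the partner's country and even the whole-chain check would pass. A country filter in the UI can only act on what the certificates say about themselves, not on who the CA has contracted with.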