Correction: In the talk I mentioned Chrome has its own root ca store, which is only partly true. On macOS and Windows Chrome uses a blacklist with the underlying OS providing the root CA store. On Linux it uses NSS, which is sometimes the “system” one, but sometimes not.

Root Certificate Policy Chromium

Links in talk:

ChaDev Lunch Talk Recording


Obligatory XKCD