Possibly revisit who is part of our trusted certificate authorities

[Denis-de-Bernardy]

Related to heartbleed, and the following Mozilla and Debian tickets:

​https://bugzilla.mozilla.org/show_bug.cgi?id=994033

​https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744027

In essence, we should monitor who is in our trusted CA file, and update it prior to releasing.

[dd32]

We've previously aligned to using the certificate bundle from the latest Mozilla release, and as such, we recently removed a bunch of 1024bit SSL roots accordingly - see #27017

We can and perhaps should switch to using Mozilla NSS directly, which has, since the last stable Mozilla release added a few roots and removed 1.

We should ensure that we sync prior to release, so at beta is ideal, but I think we should defer to NSS for what certificates to trust.

The certificate bundle can be rebuilt as such using the cURL bundle creator:

wget https://raw2.github.com/bagder/curl/master/lib/mk-ca-bundle.pl
chmod +x mk-ca-bundle.pl
# For NSS direct:
./mk-ca-bundle.pl -d nss src/wp-includes/certificates/ca-bundle.crt
# For Mozilla latest release (default)
./mk-ca-bundle.pl src/wp-includes/certificates/ca-bundle.crt

for PHP 5.2 compatibility, r25569 must be manually applied to move the EE cert to the start of the file.

[dd32]

Marking as invalid; as we handle updating to the latest Mozilla Release certs (From their NSS project) regularly, which is the de-facto standard of trust amongst browsers.