The initial idea was that applications know which certificates to
trust, or which CAs to trust. For example, I might trust VeriSign for
web browsing but only my local CA for SMTP.

I still believe in the above, but for several applications it seems
it may not make sense. Currently I like the part of Ludwig's patch
that introduces gnutls_certificate_set_x509_system_trust(), but it
doesn't set any defaults (because they don't exist on all systems).
For that I'd like more input from the library users here. Are there
standard practices in Linux distributions and other POSIX systems that
would allow us to deduce that there is a common trusted certificate bundle?
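
The trade-off raised in the message above, as an added example that is not part of the original post or of the GnuTLS patch: an application-specific CA file is used alone, the system bundle is consulted only when none is configured, and no trust is assumed when nothing usable is found. The helper name `pick_trust_file` and the candidate paths are assumptions of this example; the chosen path would then be handed to `gnutls_certificate_set_x509_trust_file()`.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Candidate bundle locations: assumptions of this example (common
 * distribution conventions), not defaults taken from GnuTLS. */
static const char *const system_bundles[] = {
    "/etc/ssl/certs/ca-certificates.crt", /* Debian, Ubuntu */
    "/etc/pki/tls/certs/ca-bundle.crt",   /* Fedora, RHEL */
    "/etc/ssl/ca-bundle.pem",             /* openSUSE */
    "/etc/ssl/cert.pem",                  /* OpenBSD, Alpine */
    NULL
};

/* Return 1 if path is a regular file holding at least one PEM certificate. */
static int looks_like_pem_bundle(const char *path)
{
    struct stat st;
    char line[256];
    int found = 0;
    FILE *fp;

    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if ((fp = fopen(path, "r")) == NULL)
        return 0;
    while (!found && fgets(line, sizeof line, fp) != NULL)
        found = strncmp(line, "-----BEGIN CERTIFICATE-----", 27) == 0;
    fclose(fp);
    return found;
}

/* Hypothetical helper: choose the CA file for one application.
 * An explicit per-application CA (e.g. a local CA for SMTP) is never widened
 * to the system bundle. NULL means no trust anchors: the caller fails closed. */
const char *pick_trust_file(const char *app_cafile, const char *const *candidates)
{
    if (app_cafile != NULL)
        return looks_like_pem_bundle(app_cafile) ? app_cafile : NULL;
    for (; candidates != NULL && *candidates != NULL; candidates++)
        if (looks_like_pem_bundle(*candidates))
            return *candidates;
    return NULL;
}

int main(void)
{
    const char *ca = pick_trust_file(NULL, system_bundles);
    printf("system trust file: %s\n", ca ? ca : "(none found)");
    return ca ? 0 : 1;
}
```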