WebPKI Observatory — Trust Surface
The four major root stores collectively trust 335 roots from 90 CA owners, but only 38 owners appear in all four stores and just 90 roots achieve universal trust. Microsoft maintains 142 roots not present in Chrome, Mozilla, or Apple stores, representing legacy trust decisions that create operational asymmetry. Store disagreement means a certificate chain validated by Microsoft browsers may fail in Chrome or Safari, forcing CAs to maintain multiple hierarchies and complicating incident response when trust decisions diverge.