I'd like to associate my own protections into a given root. I'm happy for my company's root certificate to identify as *.company.com, I don't want it identifying as www.mybank.com, have it as an option under "edit trust". Same goes for root certs -- if I choose to disallow "China Financial Certification Authority" as a normal root cert, and I go to "chinabank.com" or wherever, I should have a message pop up saying "this site isn't allowed", and allow me to tag an exception for that specific certificate to China Financial Certification Authority (although not if it's MITMed)
These settings should persist through browser upgrades too.
These settings should persist through browser upgrades too.