re-evaluate our certificate authorities and pinning at Mozilla / Google Chrome

In two years from now, look at which certificate authorities and how that affects the pins we have in Mozilla Firefox and Google Chrome, see #41154 (closed) for background and the previous instance of this.