Ship “static cache” of intermediate CAs
TBB produces certificate validation errors on incomplete certificate chains, which may “somewhat work” on other browsers due to intermediary CAs being present in caches.
This is problematic, as this leads users to expect certificate errors on certain sites and simply click-through, effectively teaching them terrible security practices.
We could ship, with TBB, a builtin list of “cached” intermediate CAs that are prevalent among misconfigured servers. This data can be obtained from TLS Observatory's data, according to ulfr.