The other option is that we ship a trust store with trust settings. Someone is making it more useful upstream at https://github.com/openssl/openssl/pull/27965
That would be an OpenSSL-only solution. We could ship them in a separate directory, and have OpenSSL default to that. Shipping it in a separate directory per type would require that all software using S/MIME sets the path correctly. Shipping the trust settings with the certificate requires the software to say for what purpose they are using it, which most probably don't. Maybe we should try to do both.

Kurt