For de-vs mode it will be useful to distinguish between different Root CA. An additional flag along with a certchain compliance check can support this.
Revisions and Commits
A use case for this is to allow the use of S/MIME for de-vs mode and for standard mode while clearly indicating compliant certificates. As of now all certificates matching compliant algorithms are indicated as compliant. The new flag could be used to distinguish between them.