What Trusted Root Certification Authorities should I trust?
If I had a MITM rogue cert on my machine, how would I even know?
You often wouldn't. In fact, this is often how sysadmins snoop the HTTPS sessions of employees: they quietly push out a trusted cert to all desktops, and that trusted cert allows an intermediate proxy to MITM-scan content without alerting the end users. (Look up "push out CA for https proxy group policy" - ran out of links with my low reputation!)
Does a list of "accepted" certs exist?
There are a few, generally the default list of certs on stock operating system installations. However, there are ALSO hardcoded lists of CAs in certain browsers (e.g., http://mxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp) to support Extended Validation ("green bars"), but EV lists also vary (e.g., http://www.digicert.com/ssl-support/code-to-enable-green-bar.htm).
Am I safe in removing the expired CAs?
Generally, yes... if all you're doing is surfing web sites. However, you may run into other issues running certain signing applications.
Can I know if/when I have ever used a CA for HTTPS?
Hmmmm...sounds like an app that needs a-writing. ;)
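The three checks above (is there a root I don't recognise, is it really a self-signed root, has it expired) can be scripted against the OS trust store with only the Python standard library. This is an added example, not code from the answer above; the store entries below are constructed test data with fake DER bytes, and the real-store helper assumes that `get_ca_certs()` returns the dict and DER forms in the same order, which is how CPython iterates the underlying X509 store.

```python
"""Audit a trusted-root store: flag expired roots, entries that are not
self-signed (an intermediate dropped into the Root store), and roots whose
SHA-256 fingerprint is not on a reference allowlist.

Added example, not part of the original answer.  Sample data is constructed.
"""
import hashlib
import ssl
import time


def fingerprint(der):
    """SHA-256 of the DER encoding, hex, as used in most published CA lists."""
    return hashlib.sha256(der).hexdigest()


def subject_cn(name):
    """Pull commonName out of the RDN tuple-of-tuples that ssl returns."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_roots(entries, allowlist=None, now=None):
    """entries: iterable of (info_dict, der_bytes_or_None).

    info_dict has the shape of ssl.SSLContext.get_ca_certs() output.
    Returns [(common_name, [reason, ...]), ...] for entries worth a look.
    """
    now = time.time() if now is None else now
    findings = []
    for info, der in entries:
        cn = subject_cn(info["subject"]) or str(info["subject"])
        reasons = []
        # Expired roots: harmless for web browsing, noise in the store.
        if ssl.cert_time_to_seconds(info["notAfter"]) < now:
            reasons.append("expired")
        # A root store should hold self-signed certs only.
        if info["subject"] != info["issuer"]:
            reasons.append("not self-signed")
        # Anything not on the reference list is a candidate MITM/proxy CA.
        if allowlist is not None and der is not None \
                and fingerprint(der) not in allowlist:
            reasons.append("not in allowlist")
        if reasons:
            findings.append((cn, reasons))
    return findings


def audit_system_store(allowlist=None):
    """Run the audit over the roots Python loads from this machine's OS store.

    Assumption: the dict and DER lists come back in the same order.
    """
    ctx = ssl.create_default_context()          # loads the OS trust store
    infos = ctx.get_ca_certs()
    ders = ctx.get_ca_certs(binary_form=True)
    return audit_roots(zip(infos, ders), allowlist)


def _entry(cn, issuer_cn, not_before, not_after, der):
    """Build one constructed store entry in get_ca_certs() dict shape."""
    return ({"subject": ((("commonName", cn),),),
             "issuer": ((("commonName", issuer_cn),),),
             "notBefore": not_before,
             "notAfter": not_after}, der)


# Constructed sample store: DER bytes are placeholders, not real certs.
SAMPLE_STORE = [
    _entry("Example Root CA", "Example Root CA",
           "Jan  1 00:00:00 2010 GMT", "Jan  1 00:00:00 2015 GMT", b"root-1"),
    _entry("Another Root CA", "Another Root CA",
           "Jan  1 00:00:00 2015 GMT", "Jan  1 00:00:00 2035 GMT", b"root-2"),
    _entry("Corp MITM Proxy CA", "Corp MITM Proxy CA",
           "Jan  1 00:00:00 2019 GMT", "Jan  1 00:00:00 2029 GMT", b"proxy"),
    _entry("Misplaced Intermediate CA", "Another Root CA",
           "Jan  1 00:00:00 2018 GMT", "Jan  1 00:00:00 2028 GMT", b"inter"),
]
# Reference allowlist: only the two "public" roots are accepted.
SAMPLE_ALLOWLIST = {fingerprint(b"root-1"), fingerprint(b"root-2")}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2020 GMT")


def demo():
    """Audit the constructed store as of June 2020."""
    return audit_roots(SAMPLE_STORE, SAMPLE_ALLOWLIST, now=SAMPLE_NOW)


if __name__ == "__main__":
    for cn, reasons in demo():
        print(f"{cn}: {', '.join(reasons)}")
```

Feed `audit_system_store()` a set of fingerprints taken from whichever list you have decided to accept (the OS vendor's or Mozilla's) and anything a proxy appliance or Group Policy has added shows up as "not in allowlist"; the expired entries are the ones the answer says are generally safe to remove if all you do is browse.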