Keystore,, ca-certificates, browser.xul.error_pages.expert_bad_cert and more basic questions

[kwadronaut]

Hi,

I've got some some questions and couldn't easily find answers. Some are
probably asked more often and could end up in a 'FAQ' section on the
mozilla.debian.net page?

* How does this Iceweasel build differ from the one in Debian proper?
* It seems like it's not relying on ca-certificates but instead using
it's own root keystore. Is that assumption correct? If not, how can I
find out?
* Sometimes I don't get the 'I understand the risks' option when
visiting an https page (sec_error_unknown_issuer) but, when visiting a
different site, also using a cert from CaCert, I *do* get that option. I
can set browser.xul.error_pages.expert_bad_cert to true and have the
option everywhere, but that doesn't help me understanding *why.* I
tested with https://labs.riseup.net and https://wiki.cacert.org
* Icedove in Debian stable is still on 17 branch and I don't see
anything more recent. So; if/when to expect that? I presume that
packages like enigmail, iceowl-extension, calendar-timezones would
remain on a version which would remain on a version which is
incompatible with the then-updated Icedove?

Thanks and have a nice day,

kwadronaut