Rename and better document the UnknownIssuer error #221

Open
briansmith opened this issue Apr 21, 2021 · 2 comments
Comments

@briansmith
Owner

UnknownIssuer is a name that comes from my historical involvement in other certificate validation libraries. It isn't a good name. We should change it to something that better says "we couldn't build a chain." And we should document the various likely reasons why we couldn't build a chain. We might even be able to encode (some of) the possibilities of chain building in code, e.g. in an enum of errors that all eventually get mapped to this error.

@briansmith
Owner Author

As I mentioned on Twitter, the most common reasons I'm aware of are:

  • The application didn't add the required trust anchor to the Rustls root store they are using.
  • The root (or an intermediate) is using RSA 1024 and/or SHA-1 in one of the signatures in the chain.
  • The server didn't send the right intermediate certificates to allow us to build a chain.

See also #206.
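
The enum idea from the first comment, combined with the failure causes listed above, as an added example that is not part of this thread or of webpki's code: a toy path builder whose hypothetical `ChainFailure` reasons all collapse into `UnknownIssuer`. `Cert`, `ChainFailure`, `build_chain` and the 2048-bit RSA threshold are assumptions of this sketch, and the certificate data is constructed.

```rust
// Added illustration: toy types, not webpki's API; no X.509 parsing or signature checks.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum SigAlg { RsaSha256, RsaSha1 }
#[derive(Clone, Copy, Debug)]
pub struct Cert {
    pub subject: &'static str, pub issuer: &'static str,
    pub sig_alg: SigAlg,      // algorithm of the signature on this certificate
    pub issuer_key_bits: u32, // size of the RSA key that made that signature
}

/// Hypothetical internal reasons for failing to build a chain.
#[derive(Debug, PartialEq)]
pub enum ChainFailure {
    /// Issuer is neither a supplied intermediate nor an anchor (either may be the one missing).
    IssuerNotFound { issuer: &'static str },
    /// The path ended at a self-issued certificate that is not in the root store.
    RootNotTrusted { subject: &'static str },
    /// A signature on the path uses SHA-1 or an RSA key below 2048 bits.
    WeakSignature { subject: &'static str },
    PathTooLong, // issuer loop among the intermediates
}

#[derive(Debug, PartialEq)]
pub enum Error { UnknownIssuer }
impl From<ChainFailure> for Error {
    fn from(_: ChainFailure) -> Self { Error::UnknownIssuer } // the detail is dropped here
}

pub fn build_chain(ee: &Cert, inters: &[Cert], anchors: &[&'static str]) -> Result<Vec<&'static str>, ChainFailure> {
    let (mut cur, mut path) = (*ee, vec![ee.subject]);
    for _ in 0..=inters.len() {
        let weak = cur.sig_alg == SigAlg::RsaSha1 || cur.issuer_key_bits < 2048;
        if weak { return Err(ChainFailure::WeakSignature { subject: cur.subject }); }
        if anchors.contains(&cur.issuer) {
            path.push(cur.issuer);
            return Ok(path);
        }
        if cur.issuer == cur.subject { return Err(ChainFailure::RootNotTrusted { subject: cur.subject }); }
        match inters.iter().find(|c| c.subject == cur.issuer) {
            Some(next) => { path.push(next.subject); cur = *next; }
            None => return Err(ChainFailure::IssuerNotFound { issuer: cur.issuer }),
        }
    }
    Err(ChainFailure::PathTooLong)
}

fn main() { // constructed input: the server sent no intermediate
    let ee = Cert { subject: "example.test", issuer: "Int CA", sig_alg: SigAlg::RsaSha256, issuer_key_bits: 2048 };
    println!("{:?}", build_chain(&ee, &[], &["Root CA"]).map_err(Error::from));
}
```

In this model a missing intermediate and a missing trust anchor both surface as `IssuerNotFound`; the two are only told apart when the server also sends the untrusted self-issued root.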

@tialaramex

Would it be valuable to help brainstorm a better name to replace UnknownIssuer? Or is it more valuable to experiment with tweaks to webpki that don't make it more complicated but do give us different errors we can then try to name?

I would like to help here, and I have a few ideas about how to help people who've received the hypothetical future improved error (or errors) and need more help, from outside the webpki crate - but of course to get them there they need to know they need that help. And maybe we can just make this so awesome it's unnecessary to do more.
