The root certificates are for BIP70 payment requests which can be signed with an X.509 certificate. Those certificates are SSL certificates, and they are signed by the root certificates. Specifically, I think the root certificates are just the ones that come with your OS.
Yet another security concern. Didn't know that. Thanks.
Any idea what is this 'Non-canonical signature' about and why 'S value is unnecessarily high'?