Need better way of reflecting the reason when a chain is rejected as untrusted. These are changes we can make when we move the api into javax-land.