It doesn't make sense for Debian to remove certificates that are still
distributed by Mozilla and required in practice. Including intermediate
CAs won't be necessary once this is fixed. (That is, assuming you fix
upgraded systems somehow. In the meantime, everyone who upgrades
ca-certificates to the broken version will be permanently broken due to
the aforementioned Debian-specific update-ca-certificates bug.)
