Reasons for disabling a root certificate may include, but are not limited to:
* Expired or Expiring CA
* Small modulus key length ; [http://csrc.nist.gov/groups/ST/key_mgmt/documents/Transitioning_CryptoAlgos_070209.pdf NIST recommend that recommendations about phasing out 1024 bit roots be phased out by the end of 2010] * Outdated signing key algorithm ; e.g. MD2/MD5
* Transition/Rollover to new root completed
* Legacy, no longer in use