Thanks John for the detailed analysis. Windows Update reports my system is up to date. As I understand it:
1. My certificate store is valid.
2. Savannah's HTTPS responses are valid.
3. Emacs 27.2 per se's behavior is valid.
4. GnuTLS 3.6.12 has a bug that produces incorrect results even in presence of 1-2.
5. Emacs 27.2 Windows binaries from
ftp.gnu.org include GnuTLS 3.6.12, which has this bug.
The Emacs 28 pretest Windows binaries from earlier in the year include GnuTLS 3.6.15. I hope this means everything will work as expected on the final Emacs 28.1 Windows binaries.