How to get rid of DigiNotar digital certificates from OS X (Updated) | TUAW – The Unofficial Apple Weblog:

The flaw is in the way OSX handles Extended Validation certs – that is, it appears that if an EV cert is anywhere in the certificate chain, OSX will only check to see whether there are valid signatures – it will not check the inherited trust. This means that any EV cert that chains to any root certificate on which you’ve modified the trust settings will not reflect your intended trust settings.