Posts: 3,617 | Thanked: 2,412 times | Joined on Nov 2009 @ Cambridge, UK
#26
Originally Posted by peterleinchen
Just one more (maybe dumb) question
those hacked CAs were 'cleaned' via an update of browsers (FF, IE, ...), right? Which we never got/will ever get.
Or what do you mean with 'revoked'?
There are a number of major Certificate Authorities (CAs) which issue certificates. Their CA certificates will be installed on the N900 (or with FF, IE, etc.), and if you run into any not pre-loaded, they can be manually added. The browser developers will work on vetting any new ones and add them to the set sent out with new browser versions - this is where we're likely to miss out with the N900, as Nokia are very unlikely to be sending out any new lists. There aren't many new ones added though, so it just means the user has to decide whether or not to trust them before adding the certificate.

The CA certificates are then used by the CAs to sign certificates for web sites, user authentication, applications, etc. When you visit a web site, it sends you the signed certificate and the browser will verify that the signature matches one of the loaded CAs (if not, you get the security error).

A CA can later decide to revoke a site's certificate, in which case it gets added to a list of revoked certificates. The browser is supposed to then verify that any certificates it receives don't appear on this list, but this behaviour is sadly not very robust (some just don't check and many will, if they fail to get a response, just assume it's okay).

So previously hacked CAs have just revoked all the certificates. Removal of the CA from the trusted list is a major step, and means that no sites using their certificates will show as trusted any more. For the really major CAs (Comodo, Verisign, Thawte, etc.), this is just not a reasonable option. Fortunately, DigiNotar is a very small scale outfit, and blocking them will affect very few sites.
 

The Following User Says Thank You to Rob1n For This Useful Post:
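
The three outcomes described in the post above (issuer not in the trusted set, certificate revoked, revocation lookup unanswered), as an added example that is not part of the original post. The CA names, site name and serial number are constructed, and signature verification is reduced to an issuer-name match.

```python
# Added illustration (not from the original post): a model of the browser-side
# decision the post describes. All names and sample values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str      # name of the CA that signed this certificate
    serial: int

class ResponderUnreachable(Exception):
    """The revocation lookup got no answer (timeout, blocked, offline)."""

def make_responder(revoked, reachable=True):
    """Return a lookup function standing in for a CRL/OCSP query."""
    def is_revoked(cert):
        if not reachable:
            raise ResponderUnreachable(cert.issuer)
        return (cert.issuer, cert.serial) in revoked
    return is_revoked

def validate(cert, trust_store, is_revoked, hard_fail):
    """Return (accepted, reason) for one site certificate."""
    # Step 1: the issuer must be a CA in the local trusted set.
    # (Signature checking is abstracted to an issuer-name match here.)
    if cert.issuer not in trust_store:
        return False, "untrusted issuer"
    # Step 2: ask whether the CA has revoked this certificate.
    try:
        if is_revoked(cert):
            return False, "revoked"
    except ResponderUnreachable:
        # Soft-fail treats "no answer" as "not revoked"; hard-fail rejects.
        if hard_fail:
            return False, "revocation status unknown"
        return True, "accepted without revocation check"
    return True, "accepted"

# Constructed sample data.
TRUST = {"Big CA", "Small CA"}
SITE = Cert("shop.example", "Small CA", 1001)
REVOKED = {("Small CA", 1001)}
```

Dropping "Small CA" from `TRUST` rejects every certificate it issued whether or not the lookup answers, which is why removal is only practical for a small CA.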