The URL in bold above shouldn't have the "http://" prefix, I think?
A CA can later decide to revoke a site's certificate, in which case it gets added to a list of revoked certificates. The browser is supposed to then verify that any certificates it receives don't appear on this list, but this behaviour is sadly not very robust (some just don't check and many will, if they fail to get a response, just assume it's okay). So previously hacked CAs have just revoked all the certificates. Removal of the CA from the trusted list is a major step, and means that no sites using their certificates will show as trusted any more. For the really major CAs (Comodo, Verisign, Thawte, etc.), this is just not a reasonable option. Fortunately, DigiNotar is a very small-scale outfit, and blocking them will affect very few sites.