When a user marks a certificate as untrusted in Keychain and the cert is EV-SSL, Keychain ignores the user setting and honors the certificate.

The recent compromise of a major Dutch certificate authority has exposed a bug in the Mac OS X Keychain software.

The problem emerged Monday when it was revealed that DigiNotar had issued a fraudulant SSL wildcard certificate for *.google.com. It later was revealed that this was a result of a hack of their systems and that there were over 200 such certificates issued.

Because DigiNotar is one of a large number of CAs that are trusted by browsers and operating systems, many vendors of these announced fixes to remove trust support for the root certificate that had been compromised. Mozilla issued updates to do this yesterday. Most users are covered by now.

But you can configure your software to remove trust for particular certificates yourself. This is what user Seth Bromberger tried to do by removing trust of all DigiNotar certificates on his Mac using the Keychain software. Afterwards he tested by surfing to DigiNotar's site and should have received warnings, but he didn't.

The problem turns out to be that if a site uses an EV-SSL (Extended Validation SSL) certificate, Keychain will ignore the fact that the user has marked it as untrusted.

We have no comment from Apple nor can we find any reports of this on Apple's support discussions. But it seems pretty clearly to be an error. One could argue that EV certificates are more inherently trustworthy than conventional certificates, but a user setting not to trust it clearly should take precendence.

Hat tip to Robert McMillan at Computerworld.