Here is the Slashdot thread about this from two weeks ago.
http://it.slashdot.org/article.pl?sid=08/05/13/1533212
One thing I’m curious about. If all the keys were generated from a fairly small subset, surely a certificate authority must have received requests from multiple entities to register the same key. I would have thought that would set off some alarm bells.