That's a bit more information, but the headline here at HN is still overblown; we're down to one unidentified root certificate that was probably issued by RSA, but for which no records can be found. Most probably attributable to incompetence and poor recordkeeping rather than a malicious compromise of the whole PKI.
And wasn't there some discussion in the last week or two about how easily you could impersonate anybody's valid SSL cert if you could get hold of a real root cert? (something about browsers not notifying users that a previously seen cert is now authenticating via a different root?)
I am not a crypto expert so correct me if I'm wrong, but as I understand it, anyone with a root key necessarily can subvert the entire system in a straightforward way.