As far as I can tell that "day" has already started, the only question is whether it started
back in 2006 or on may 13, but this is unbelievably bad.
Given that the compromised keys are known the ssh client should be updated with the blacklist
as well, so it can:
1) Change its own key and use the old key as a fallback.
2) Remove the compromised keys from the authorized_keys file on the remote systems as soon as
a user logs in.
With the compromised keys in use in tons of authorized_keys files, many of them on systems
that might not get much attention because they weren't subject to the initial problem, it's
only a matter of time before someone generates the keys needed and owns a substantial part of
the machines running ssh in the world.
I've been a great fan of Ubuntu lately, but I'm going to start looking into a more security
conscious distribution (read: something not based on Debian), maybe even FreeBSD which I hear
is getting to be quite acceptable.