David Heath
Saturday, 03 January 2009 15:51
Let me add, “Yet.” Let me also add that this topic will need some serious further investigation as it has major ramifications for the anti-virus, anti-spam and related industries.
Next, Lawrence D'Oliveiro suggests: “The only solution is to dump these CAs' root certificates from the popular browsers. I would expect this sort of thing to happen in upcoming updates. In the meantime, you can reconfigure your browser installations yourself, and remove the suspect certificates from your trusted list.”
I added some clarification to the question submitted to de Weger: “Is this likely? It seems entirely reasonable that browsers could be 'updated' to reject anything to do with the six remaining CAs that cling to MD5. But would this also require rejecting everything defined both upstream and downstream of those CAs? If so, the dependency tree could get very interesting.”
De Weger’s response makes it very clear that this problem won’t go away anytime soon. “Yes, and that is exactly why it's unlikely that existing MD5 certificates will be revoked.”
Huh? How’s that again?
De Weger is telling us that even if the six remaining CAs abandon use of MD5 today, the problem won’t go away as an endless supply of existing certificates can’t easily be revoked without major upheavals on the web.
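Since existing MD5-signed certificates will keep circulating, the practical defender-side check is to audit the certificates you trust or serve and flag any whose signature algorithm is based on MD5. The following is an added example, not code from the article or from the researchers it quotes. It walks only the outer DER structure of an X.509 certificate (tbsCertificate, signatureAlgorithm, signatureValue) and reads the OID in the signatureAlgorithm field, so it needs no third-party library; the `build_sample_cert` helper and the certificates it produces are constructed stand-ins, not real certificates, and the OID-to-name table is limited to a handful of common signature OIDs.

```python
"""Audit an X.509 certificate for an MD5-based signature algorithm (added example)."""
import base64

# OID -> (name, signed over an MD5 digest). Anything not listed is reported as unknown.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(body):
    """OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # final base-128 chunk of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    """Strip PEM armour lines and base64-decode the certificate body."""
    body = [ln.strip() for ln in pem_text.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def signature_algorithm_oid(cert_der):
    """Dotted OID from the outer signatureAlgorithm field of a DER Certificate."""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(cert_der, start)          # tbsCertificate: skipped
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)    # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(cert_der[oid_start:oid_end])


def audit(cert_der):
    """Classify a certificate by the hash used in its signature algorithm."""
    oid = signature_algorithm_oid(cert_der)
    name, md5 = SIGNATURE_OIDS.get(oid, ("unknown", False))
    return {"oid": oid, "name": name, "md5_signed": md5}


# --- constructed sample input (not a real certificate) --------------------

def _der(tag, body):
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    """Dotted OID -> OBJECT IDENTIFIER content bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunks))
    return bytes(out)


def build_sample_cert(sig_oid):
    """Certificate-shaped DER: placeholder tbs, real AlgorithmIdentifier, dummy signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                             # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    sig = _der(0x03, b"\x00" + bytes(16))                             # BIT STRING, dummy value
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(audit(build_sample_cert(oid)))
```

Feed `audit(pem_to_der(open("cert.pem").read()))` a real certificate and it returns the same dictionary; the equivalent one-liner with OpenSSL is `openssl x509 -in cert.pem -noout -text | grep 'Signature Algorithm'`. Note that an audit of a single leaf is not enough: as the article points out, the weak link may be an intermediate or root higher in the chain, so every certificate in the chain should be checked.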
The “now what” hangs heavy in the air.