And there's currently no publicly announced plan/date for revoking the affected certs. There's a tool coming out in November that you can use to generate new certs for your own ID card but as it's not compulsory, don't expect 100% of affected people to update in a matter of days, weeks or months.
Aren't these cards in Estonia used for a LOT of things, like banking access? EG: at 50k it's probably not profitable to do this per-user but at 5k it is probably VERY profitable if you could get enough public keys.
Even a single ID card can be valuable - factor a big company CEO's private key, log in to his company's bank, start making transfers to places where the money does not come back from.
And there's currently no publicly announced plan/date for revoking the affected certs. There's a tool coming out in November that you can use to generate new certs for your own ID card but as it's not compulsory, don't expect 100% of affected people to update in a matter of days, weeks or months.