by pfg
3746 days ago
If someone has fraudulently issued a certificate for a domain you own using this (or any other) vulnerability, you're not actually a client of theirs and I don't see how they could force you to pay for revocation. Issuing such a certificate would obviously be a violation of CA/B Baseline Requirements. Then again, I'm not exactly sure how one would go about reporting such a thing. Browser vendors have done most of the blacklisting for cases like this in the past (either by blacklisting individual certificates, or removing the root certificate completely for massive breaches). I guess I'd try my luck on one of their mailing lists or bug trackers. If you have a regular certificate from StartSSL, there are no security implications for you because of this. (As in: for you specifically. For the CA system as a whole, this is a "Set-Your-Hair-On-Fire-And-Run-Around-Screaming-Loudly" scenario.)