It took quite a bit of searching before I could identify the specific root certificate involved. It turns out that root was already marked as "untrusted", which means I would not have been affected by this problem.
Also, the subscriber certificate involved is apparently marked as revoked in OCSP (Online Certificate Status Protocol) messages. Those who set their browsers to always confirm the validity of subscriber certificates via an OCSP server and who also set their browsers to assume a subscriber certificate is invalid if an OCSP response cannot be obtained are well protected from this problem.
Of course, for these solutions to be implemented, users must have browsers that allow root certificates to be marked "untrusted", that have an option to check certificates against OCSP servers, and that have an option to assume that a certificate is invalid if an OCSP response cannot be obtained. Mozilla-based browsers -- Firefox and SeaMonkey -- have all of those capabilities.
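
The three protections described in the comment above, modelled as a small decision function. This is an added example, not part of the original comment and not any browser's code; `Policy`, `evaluate`, `run_scenarios` and the root name are hypothetical. It shows what happens to a revoked certificate when the OCSP response never arrives.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"


@dataclass(frozen=True)
class Policy:
    distrusted_roots: frozenset  # roots the user has marked "untrusted"
    check_ocsp: bool             # query an OCSP responder at all
    hard_fail: bool              # treat a missing OCSP response as invalid


def evaluate(root: str, ocsp: Optional[OcspStatus], policy: Policy) -> tuple:
    """Return (accepted, reason). ocsp=None means no response was obtained."""
    if root in policy.distrusted_roots:
        return (False, "root marked untrusted")
    if not policy.check_ocsp:
        return (True, "revocation not checked")
    if ocsp is None:
        # This branch is the difference between soft-fail and hard-fail.
        if policy.hard_fail:
            return (False, "no OCSP response, hard-fail")
        return (True, "no OCSP response, soft-fail")
    if ocsp is OcspStatus.REVOKED:
        return (False, "certificate revoked")
    return (True, "OCSP good")


def run_scenarios() -> dict:
    root = "Example Root CA (constructed)"  # constructed sample value
    soft = Policy(frozenset(), check_ocsp=True, hard_fail=False)
    hard = Policy(frozenset(), check_ocsp=True, hard_fail=True)
    distrust = Policy(frozenset({root}), check_ocsp=False, hard_fail=False)
    return {
        "soft, response received": evaluate(root, OcspStatus.REVOKED, soft),
        "soft, response missing": evaluate(root, None, soft),
        "hard, response missing": evaluate(root, None, hard),
        "root untrusted, no OCSP": evaluate(root, None, distrust),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:26} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Only the soft-fail policy with a missing response accepts the revoked certificate; either hard-fail or distrusting the root closes that gap.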