If you read my post TLS: A Broken Trust Model, you really should read Bruce Schneier’s post Man-in-the-Middle Attacks Against SSL.
Certificates being issued to the wrong party is not only a possibility, but a reality and even a commercial service. The service is aimed at government organizations, but is probably easily accessible to others as well.
Matt Blaze’s final comment in his blog post sums it up quite nicely:
Whether this kind of surveillance is currently widespread or not, Soghoian and Stamm's paper underscores the deeply flawed mess that the web certificate model has become. It's time to design something better.