by jl6 4450 days ago
Solution 3: cease trusting StartSSL certs issued before 2014-04-07?

This is implied by the request itself but is it possible to implement?

3 comments

This is actually not enough as you cannot be sure that certificates generated after that have never been used on a server with a vulnerable OpenSSL implementation.
You can't ever guarantee that for any certificate signed by any CA.
And what about those with StartSSL certs deployed to servers that never were vulnerable to Heartbleed? No reason to be needlessly inconvenienced by the poor judgement of others.
Easily: they could get their upstream CA to revoke their own CA cert, and then get another one. All certs signed by the previous StartCom CA-cert would then be considered revoked.