by Karunamon 4450 days ago
And worse, the Debian developers would be at fault.

This is a sticky situation, really. On one hand, StartCom's pricing structure is fairly upfront. On the other hand, extracting $25 from every customer because of a bug they have no control over is dick behavior of the highest order.

Ideally they'd put out a notice saying that they will offer a one-time rekey for free. Without getting into ethics, it's an entirely automated process and costs Startcom absolutely nothing.


I don't think it is dick behavior at all. That has always been their policy. They have no control of the software originating the problem. It is up to them to waive or not, but not choosing to doesn't make them anything but a business.
So it's a business. So it's policy. Those are not defenses.

A CA profiting from a vulnerability is a fairly perverse incentive, too.

What else do CAs profit from if it isn't security vulnerabilities?

Their whole purpose is to help with the authentication side of security. They didn't force anyone to use buggy code written by a third party and it is not their fault that many of their customers have gone and done so.

I use a StartCom certificate, but it has never been used with OpenSSL, so I'm fine.

It costs money to maintain a CRL.

Maybe they could revoke their intermediate certificate and reissue certificates to everyone. That would take time to coordinate, and every month that goes by 1/12 of the bad certs expire anyway.

It might, but certainly not $25 per instance. That feels a lot like gouging.