[mstrem]

Disclaimer: I have a number of free StartCom certificates.

However, even though I own some certs with StartCom, I personally think this comment has literally no basis.

Looking at the CA market - if anything - we should be happy that a CA like StartCom exists. It is a very small team lead by Eddy Nigg (he is very helpful by the way) and given that they are the ONLY ones (as far as I am aware) offering free certs - we should applaud them. Besides, the fee for revoking is very small.

I also was very much aware that revoking a cert had a charge before I signed up for one - I think it is pretty clear - so not a problem for me at all. Of course if I had to revoke a cert because of StartCom's mistake that would be a different story.

Bare in mind these are only domain validated certificates - perfect for small website owners who wish to offer their site over httpS without paying any extra fee.

[yeukhon]

If I remember correctly, http://gandi.net/ offers 1 year free SSL cert if you buy a domain. To be honest the difference between an excellent cert and good-enough cert is what you want to protect. If you think your data is so sensitive and you accept that we must rely on CA at the moment, you wouldn't be using StartCom free cert.

[hansjorg]

Self signed certificates (i.e. free) are much better than a CA which won't revoke a certificate that's reported to be compromised.

Your customer relation to StartCom is irrelevant, this is about everybody else implicitly trusting them.