[taspeotis]

    Their stance is entirely correct

Well it sounds like their stance is wrong if they've agreed to the Mozilla CA Certificate Maintenance Policy:

    CAs must revoke Certificates that they have issued
    upon the occurrence of any of the following events:
    
    ...
    
      the CA obtains reasonable evidence that the
      subscriber’s private key (corresponding to the
      public key in the certificate) has been compromised

[techsupporter]

True, but all that violating that policy does is get them kicked out of Mozilla-operated software (at least directly; indirectly I suspect it causes a lot more hassle for them). Their internal rules say that a certificate revocation requires payment so, by their own rules, they are correct. If Mozilla comes down on them for their rules, StartCom may choose to modify those rules at their option.

[andreasvc]

It doesn't say it needs to be free. It's perfectly reasonable to charge a nominal handling fee, as other CAs do for their services. What's special is that StartSSL offers their basic certificates for free, but this shouldn't make people feel entitled. Especially when someone exposes their private key on purpose they don't deserve special treatment in my book.

[daveasdf]

> CAs must revoke [...]

I understand the word "must" to mean that they cannot add additional strings, such as payment, to their obligation to revoke the certificate. Is there another way of interpreting it that I am missing? I guess you could interpret it as "must provide a mechanism", but I can't see that that was the intent of the original document.

Mozilla's use of the word "must" here I think is important, because the barriers to correctly dealing with a security breach should be minimized. For better or worse, root CA's are entrusted with maintaining the security of large chunks of the internet. Charging users who suspect that their certificates _may_ have been compromised (due to the Heartbleed bug, in this case) will cause users to err on the side of inaction, which is going to weaken internet security in the long run.

[tonylampada]

I wouldn't have put it better myself. I just added a new update on the website.

Saturday, April 12, 09:50 (GMT-3)

OK, so here's my reply to Nikolai:

"Let me address this question.

> Anything about free revocations there?

It doesn't, but that's not relevant. It's pretty damn clear: You see the evidence, that alone should be enough for you to take action.

If you take Mozilla's policy by the letter, one doesn't even have to own a certificate to be able to request its revocation. All that should be needed is the evidence of compromise.

If I disclosed the private keys for a certificat I don't own, would you just ignore that information? Or would you come after the certificate owner demanding payment first?

You're a CA, A CA!!! You should be worried about the security of the internet above all things.

You should also be worried that you have a bunch of green padlocks around that don't mean what they once did. You're not worried about that. So in my opinion you don't deserve the trust of the internet anymore.

Cheers Tony"

[guan]

Paying Class 2 customers, like myself, are also charged the fee.

Their basic free Class 1 certificates are advertised on their website as “No Charge, Unlimited + 100 % Free” and “No Kidding 100% FREE”.

It wasn’t hard for me to find the provision that revocations cost $24.90 in question 72 of the FAQ, but it’s not exactly highlighted either. It’s probably not something that most people think about; they probably assume that StartCom provides free certificates (and have the automated infrastructure to do so) for publicity and/or to up-sell paid services. And I did actually go to a paid StartSSL service, which I probably won’t renew.

This isn’t to say that I have a “right” to a free revocation, and I should read the fine print, but I think I’m justified in lowering my opinion of their business practices a few notches.