by claudius 4448 days ago
No, they are evil because they are lying to me.

When Mozilla put them in my browser, they promised “we will make sure that only people who own the domains get certs for them”. Now there are a bunch of people with leaked private keys and StartSSL is apparently doing nothing about them.

Note that I don’t care what StartSSL wants their “customers” to do, nor do I care what these “customers” want StartSSL to do, but I do care about private keys with associated valid StartSSL certificates floating around the internet, and it is not the responsibility of the owners of these keys to revoke the certs ASAP but StartSSL’s. Given that they don’t seem willing to do so, I’ll have to remove their CA from my browser.

One easy way out for “free certs” would be a clause like “If we have reasonable evidence that your certificate is compromised, we will revoke it immediately and you agree to pay a handling fee of 25 € for that.” in their Terms and Conditions. If such a clause were illegal, I guess free certificates are just not feasible.