[Tomte]

It isn't compromised. You yourself handed out your private key to others who may act on your behalf. Not by mistake, not by Heartbleed, not by some hacking event, but out of your clear will and as part of your policy how to handle the key.

In terms of your business transaction with StartSSL, the private key is still only known to "you".

[mpyne]

> It isn't compromised.

The private key being not private is the very definition of "compromised" when applied to the CA security architecture. Whether StartSSL has a different definition is completely immaterial to the Mozilla policy.

Now you're right that it's not StartSSL's fault that OpenSSL suffered Heartbleed, but nor is it the various end customers' fault (unless they introduced the bug themselves?). So pinning down the response to this as a simple exercise of assigning blame and responsibility completely misses the point and does nothing toward resolving what is admittedly a very difficult question.

[Tomte]

So in your opinion the one who actually buys and gets the certificate from the StartSSL web site must not share it with the system administrator? Or some second-in-command?

IMO, as long as the key is only known to people who the rightful owner explicitly wanted it to possess, it is not compromised.

This is just an extreme case of a troll wanting the whole world to have the key.

It has nothing to do with Heartbleed! Posting your private key in a gist on the web is not the same as being victim to some hacking because of a OpenSSL bug.

[mpyne]

> So in your opinion the one who actually buys and gets the certificate from the StartSSL web site must not share it with the system administrator? Or some second-in-command?

This key is now public and must be revoked. Bottom line. StartSSL can even conceivably invoice him for the work, but they have to revoke it if they want to be a CA in a secure public-key infrastructure.