by digitalchaos 4398 days ago
If you read StartSSL's justification on the free cert, you'll see that they charge in relation to the time they need to spend. A low-level 1-year cert involves no human time. They don't have fully automated systems for revokes/reissues, so it's pretty lame for people to complain about them charging for it.

That's perfectly fair and reasonable from a commercial perspective.

From a security perspective, however, I think you need to meet some minimum standards to remain credible as a CA, and I think at least being willing to revoke certificates that may have been compromised for free and very quickly is one of those standards.

I find it difficult to support retaining StartSSL certificates as trusted-by-default in browsers given their response to Heartbleed and the consequent relatively high probability that any certificate ultimately depending on them has been compromised.

That's understandable and probably a good reason for StartSSL to build an automated revoke tool, for the sake of keeping their name healthy. However, I would be way more concerned about a company unwilling to pay a trivial amount of money to revoke a cert that was compromised due to their own choice in how they used it. The best CA in the world won't fix bad security incident handling of another company.

Sure, most of the complaining was due to the entitlement, but I'd be interested in a list of all the companies that complained about this and/or failed to pay for a revoke.

I'm surprised it's not a requirement of being a CA. Further speaks to the apparently weak standards the browsers have.