by asutherland
4396 days ago
Wow! This surprised me since https://www.startssl.com/?app=1 makes no mention of this, but indeed section 3.1.2.1 of the StartCom CA policy at https://www.startssl.com/policy.pdf does state: "Class 1 certificates are limited to client and server certificates, whereas the later is restricted in its usage for non-commercial purpose only. Subscribers MUST upgrade to Class 2 or higher level for any domain and site of commercial nature, when using high-profile brands and names or if involved in obtaining or relaying sensitive information such as health records, financial details, personal information etc."

Looking further, it appears that while these classifications are not formally encoded (that I can find after a cursory investigation; please let me know if I am wrong), it does appear to be the case that the concept/nomenclature exists amongst multiple CAs. Wikipedia context: http://en.wikipedia.org/wiki/Public_key_certificate#Classifi..., Indian Government CA policy: http://cca.gov.in/cca/?q=node/45

Thanks for pointing this out, as I have been erroneously indicating that the StartCom free certificates might be viable options in all cases, where it seems like the reality is somewhat different. (Although I still believe the barrier to usage of valid/non-self-signed certificates to be quite low and for it to be strongly advisable for server operators to use them.)

(edit note: inserted the missing word "been" shortly after submitting.)