StartSSL also requires you to send a copy of your passport out of country (to Israel). Fine; they need to verify identity.
They retain the records for seven years though. Why preserve the documents at all after validation is complete for non-EV certs? Seems like it creates an unreasonable liability given that data breaches happen. They will also not say how the records are secured. When I inquired, they simply said "We obviously can't provide any technical details about our security measures, but the documents are secure." While I can understand the need to maintain operational security, disclosing whether documents are stored encrypted or not should not violate this security.
The lack of openness, combined with the charge for cert re-issuance, made me look elsewhere. When the Heartbleed vulnerability hit and I had to regenerate certs, I was very happy to have chosen a different CA.
That's not a good reason to skip over them. Unless you expect multiple Heartbleed-severity bugs to be exposed in two years you are still way ahead. Just don't lose your private key.
You actually only need a single one to make it cheaper to go elsewhere. They charged $25/revocation, which brings the price up to $85, which no longer makes them the most cost-effective.
Heck, for $99 you can buy a Comodo "EssentialSSL" wildcard, which grants you unlimited re-issue (plus you don't have to deal with StartSSL's terrible UI):