by tomkinstinch
4289 days ago
StartSSL also requires you to send a copy of your passport out of country (to Israel). Fine; they need to verify identity. They retain the records for seven years though. Why preserve the documents at all after validation is complete for non-EV certs? Seems like it creates an unreasonable liability given that data breaches happen. They will also not say how the records are secured. When I inquired, they simply said "We obviously can't provide any technical details about our security measures, but the documents are secure." While I can understand the need to maintain operational security, disclosing whether documents are stored encrypted or not should not violate this security. The lack of openness, combined with the charge for cert re-issuance, made me look elsewhere. When the Heartbleed vulnerability hit and I had to regenerate certs, I was very happy to have chosen a different CA.