
I'm a StartCom user that's affected by Heartbleed. Right now, I am using the free certificates, so this FAQ entry applies (https://www.startssl.com/?app=25#72):

"Revocations carry a handling fee of currently US$ 24.90. Class 1 subscribers may use a different sub domain in order to create additional certificates without the need to revoke a previously created certificate. Alternatively it's possible to upgrade to Class 2 level which allows to create the same set of certificates once again (besides all the other benefits), because different levels are issued by different issuers, making revocation unnecessary."

I understand where Mozilla's coming from here, but I also see it from StartCom's side. StartCom requires manual verification for certain sensitive CA operations, so they've set up their (quite reasonable) fee schedule accordingly. Likewise, I'm sure that the terms and conditions of other CAs state that in the case of a key compromise, sure, they'll revoke the certificate for free, but the user must buy a new certificate to replace the compromised one - which is basically the same thing as StartCom charging for revocation.


