
Classic Big Lebowski moment: You're not wrong, you're just an asshole. Their stance is entirely correct. The customer used a file that StartCom provided in software that turns out to have had a security flaw. That's neither StartCom's problem nor liability. They didn't say "use this certificate with anything other than OpenSSL; you'll be sorry if you use OpenSSL," nor could they have foreseen it.

On the other hand, showing a cold unwillingness to help when doing so is by far the above-and-beyond response doesn't engender good customer loyalty. It's also how StartCom operates. This is the same cert authority that insisted that I send them a full, unredacted copy of a mobile telephone bill with every "family plan" member's full call, SMS, and data history in order to call me. Otherwise, they could only "verify" me by sending a snail mail letter from Israel to South America (where I lived at the time). Independently-linked, outside verification databases operated by local government entities weren't sufficient.

At least they're consistent with their "rules are rules" processes.




    Their stance is entirely correct
Well, it sounds like their stance is wrong if they've agreed to the Mozilla CA Certificate Maintenance Policy:

    CAs must revoke Certificates that they have issued
    upon the occurrence of any of the following events:
    
    ...
    
      the CA obtains reasonable evidence that the
      subscriber’s private key (corresponding to the
      public key in the certificate) has been compromised


True, but all that violating that policy does is get them kicked out of Mozilla-operated software (at least directly; indirectly I suspect it causes a lot more hassle for them). Their internal rules say that a certificate revocation requires payment so, by their own rules, they are correct. If Mozilla comes down on them for their rules, StartCom may choose to modify those rules at their option.


It doesn't say it needs to be free. It's perfectly reasonable to charge a nominal handling fee, as other CAs do for their services. What's special is that StartSSL offers their basic certificates for free, but this shouldn't make people feel entitled. Especially when someone exposes their private key on purpose, they don't deserve special treatment in my book.


> CAs must revoke [...]

I understand the word "must" to mean that they cannot add additional strings, such as payment, to their obligation to revoke the certificate. Is there another way of interpreting it that I am missing? I guess you could interpret it as "must provide a mechanism", but I can't see that that was the intent of the original document.

Mozilla's use of the word "must" here I think is important, because the barriers to correctly dealing with a security breach should be minimized. For better or worse, root CAs are entrusted with maintaining the security of large chunks of the internet. Charging users who suspect that their certificates _may_ have been compromised (due to the Heartbleed bug, in this case) will cause users to err on the side of inaction, which is going to weaken internet security in the long run.


I wouldn't have put it better myself. I just added a new update on the website.

Saturday, April 12, 09:50 (GMT-3)

OK, so here's my reply to Nikolai:

"Let me address this question.

> Anything about free revocations there?

It doesn't, but that's not relevant. It's pretty damn clear: You see the evidence, that alone should be enough for you to take action.

If you take Mozilla's policy by the letter, one doesn't even have to own a certificate to be able to request its revocation. All that should be needed is the evidence of compromise.

If I disclosed the private keys for a certificate I don't own, would you just ignore that information? Or would you come after the certificate owner demanding payment first?

You're a CA, A CA!!! You should be worried about the security of the internet above all things.

You should also be worried that you have a bunch of green padlocks around that don't mean what they once did. You're not worried about that. So in my opinion you don't deserve the trust of the internet anymore.

Cheers Tony"


Paying Class 2 customers, like myself, are also charged the fee.

Their basic free Class 1 certificates are advertised on their website as “No Charge, Unlimited + 100 % Free” and “No Kidding 100% FREE”.

It wasn’t hard for me to find the provision that revocations cost $24.90 in question 72 of the FAQ, but it’s not exactly highlighted either. It’s probably not something that most people think about; they probably assume that StartCom provides free certificates (and have the automated infrastructure to do so) for publicity and/or to up-sell paid services. And I did actually go to a paid StartSSL service, which I probably won’t renew.

This isn’t to say that I have a “right” to a free revocation, and I should read the fine print, but I think I’m justified in lowering my opinion of their business practices a few notches.


They should collect enough up front to make the revocation pre-paid. Refusing to revoke certs results in an unsafe internet and ruins the value of the entire service they are supposed to be providing.


They don't refuse, they charge money for this specific service. Protecting your keys is your obligation, not theirs.


Ensuring that valid certificates issued by them are only used by legitimate owners of the corresponding domains is their obligation.

Unfortunately, it seems as if Mozilla doesn’t care about the security of their users, otherwise this sorry excuse for a CA would have been dropped from their trust store already.



