Hacker News

It doesn't say it needs to be free. It's perfectly reasonable to charge a nominal handling fee, as other CAs do for their services. What's special is that StartSSL offers their basic certificates for free, but this shouldn't make people feel entitled. Especially when someone exposes their private key on purpose, they don't deserve special treatment in my book.



> CAs must revoke [...]

I understand the word "must" to mean that they cannot add additional strings, such as payment, to their obligation to revoke the certificate. Is there another way of interpreting it that I am missing? I guess you could interpret it as "must provide a mechanism", but I can't see that that was the intent of the original document.

Mozilla's use of the word "must" here I think is important, because the barriers to correctly dealing with a security breach should be minimized. For better or worse, root CAs are entrusted with maintaining the security of large chunks of the internet. Charging users who suspect that their certificates _may_ have been compromised (due to the Heartbleed bug, in this case) will cause users to err on the side of inaction, which is going to weaken internet security in the long run.


I wouldn't have put it better myself. I just added a new update on the website.

Saturday, April 12, 09:50 (GMT-3)

OK, so here's my reply to Nikolai:

"Let me address this question.

> Anything about free revocations there?

It doesn't, but that's not relevant. It's pretty damn clear: You see the evidence, that alone should be enough for you to take action.

If you take Mozilla's policy by the letter, one doesn't even have to own a certificate to be able to request its revocation. All that should be needed is the evidence of compromise.

If I disclosed the private keys for a certificate I don't own, would you just ignore that information? Or would you come after the certificate owner demanding payment first?

You're a CA, A CA!!! You should be worried about the security of the internet above all things.

You should also be worried that you have a bunch of green padlocks around that don't mean what they once did. You're not worried about that. So in my opinion you don't deserve the trust of the internet anymore.

Cheers Tony"


Paying Class 2 customers, like myself, are also charged the fee.

Their basic free Class 1 certificates are advertised on their website as “No Charge, Unlimited + 100 % Free” and “No Kidding 100% FREE”.

It wasn’t hard for me to find the provision that revocations cost $24.90 in question 72 of the FAQ, but it’s not exactly highlighted either. It’s probably not something that most people think about; they probably assume that StartCom provides free certificates (and have the automated infrastructure to do so) for publicity and/or to up-sell paid services. And I did actually go to a paid StartSSL service, which I probably won’t renew.

This isn’t to say that I have a “right” to a free revocation, and I should read the fine print, but I think I’m justified in lowering my opinion of their business practices a few notches.



