If it was a StartSSL security leak, then I would expect them to give away revocations for free. But if YOU, the customer, leaked your own private key by running some bad software? That's simply not their fault, nor their problem.


StartSSL is actually causing a problem, though.

With a regular CA, you pay upfront, and you can revoke and reissue with no problems. If you trust a CA that does this, you can count on the fact that anybody buying a cert from that CA has the ability to grab a brand new certificate whenever they want until the expiration period.

But with a CA like StartSSL, they give out certificates without guaranteeing that websites using those certificates have the ability to regenerate their certificate. If a website gets compromised, since they haven't paid upfront, you don't know if they will pay to reissue. They might just keep quiet and pretend there was no security breach, instead of doing the proper thing and renewing the certificate. If you know they paid upfront, you can be more sure that they will take advantage of the free renew upon a security breach.

I find this issue to be vaguely similar to the difference between socialist healthcare systems and privatized healthcare systems. If everyone is guaranteed to have healthcare because it must be paid through their taxes, then people are generally healthier since they are encouraged to go to the doctor. But if you must pay a bill whenever you receive healthcare, people might be encouraged to forego treatment or checkups that could catch deadly diseases in an early phase before they become life-threatening. I don't really think this is a good analogy though because the other pros and cons of both healthcare systems don't map well to this problem.
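The revoke-and-reissue step the comment above leans on is worth seeing concretely, because reissuing a certificate and revoking the old one are separate acts and only the latter is visible to a relying party. The script below is an added example, not code from the thread or from StartSSL: it stands up a throwaway CA with the `openssl` CLI, issues a leaf certificate (the one whose key Heartbleed would have exposed), issues a replacement with a fresh key, and shows that the old certificate still validates until it is actually placed on the CRL. All file names, the `example.test` name and the CA configuration are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: a throwaway CA that issues, reissues and revokes a leaf
# certificate, then checks each one the way a relying party would
# (chain validation plus a CRL check). Names and paths are demo assumptions.
set -eu

PKI_DIR=$(mktemp -d)

# Minimal `openssl ca` configuration (constructed for this demo).
setup_ca() {
  cd "$PKI_DIR"
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
unique_subject   = no
policy           = any_pol
[ any_pol ]
commonName       = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
  touch index.txt
  echo 01 > serial
  echo 01 > crlnumber
  openssl req -x509 -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout ca.key -out ca.crt -subj "/CN=Demo CA" -days 30 >/dev/null 2>&1
  publish_crl
}

# Write the current CRL and bundle it with the CA cert for `openssl verify`.
publish_crl() {
  cd "$PKI_DIR"
  openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -gencrl -out ca.crl >/dev/null 2>&1
  cat ca.crt ca.crl > trust_bundle.pem
}

# Generate a fresh key for file prefix $1 and have the CA sign it as CN=example.test.
issue_cert() {
  cd "$PKI_DIR"
  openssl req -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=example.test" >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -cert ca.crt -keyfile ca.key \
    -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}

# Mark $1's certificate as revoked for key compromise and republish the CRL.
revoke_cert() {
  cd "$PKI_DIR"
  openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
    -revoke "$1.crt" -crl_reason keyCompromise >/dev/null 2>&1
  publish_crl
}

# Relying-party check: chains to the CA and is not listed on the CRL.
# Exit status 0 means the certificate is acceptable.
is_valid() {
  cd "$PKI_DIR"
  openssl verify -crl_check -CAfile trust_bundle.pem "$1.crt" >/dev/null 2>&1
}

setup_ca
issue_cert old   # the certificate whose private key leaked
issue_cert new   # the reissued certificate with a fresh key
is_valid old && echo "old cert still valid: reissuing alone changed nothing for clients"
revoke_cert old
is_valid old || echo "old cert now rejected by the CRL check"
is_valid new && echo "new cert valid"
```

The point the check makes: a client running `is_valid old` keeps accepting the leaked certificate until the CA publishes a CRL (or OCSP response) listing it, no matter how many replacements the site owner has obtained. That is why a paywall in front of revocation, rather than in front of reissuance, is what affects everyone else who talks to the site.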


StartSSL's denying free cert revocation does not make them untrustworthy from a technical perspective. The onus remains on the site owner to implement their site security properly and pay any fees necessary to do that. So the only issue here is a moral one and whether you believe they have a responsibility to revoke these certificates for free.

I think that given the extenuating circumstances, they probably should revoke the certificates if requested, but I have no right to demand that they do so.


>They might just keep quiet and pretend there was no security breach, instead of doing the proper thing and renewing the certificate. If you know they paid upfront, you can be more sure that they will take advantage of the free renew upon a security breach.

This is the point that I'm not so sure about. I know there are plenty of people running SSL certs (from any company) that have no idea what Heartbleed is, let alone what 'certificate revocation' means or why they'd ever do it.


Why should revocations cost money?


Why shouldn't they?

