I use StartCom, and I revoked and re-keyed yesterday. In the revocation reason, I linked to the CVE. They waived the fee, citing "exceptional circumstances." It could be that they're waiving fees only for paying users. My certs with them are all class 2 wildcards; definitely not free. Or it could just be inconsistency during a very hectic time for them.
I've used several CAs and StartCom is the one I dislike the least. I wish Amazon would become a registrar and CA. Then AWS would really be one-stop shopping.
I have free Class 1 certs, and had to pay for all revocations. They did ask me first and pointed out that upgrading to Class 2 would be cheaper, and suggested that reissueing at Class 2 would be sufficient. However, they admitted it would create more latency. I bit the bullet and went ahead with the revocations.
My wallet is unhappy, and I do feel like charging for revocations is a bit odd, since revocations usually happen for security reasons and this deincentivizes good security. OTOH, they do run a business and I've created work for them at no charge previously, so I'm not mad.
It's not unreasonable to charge a little bit for a revocation. They require more work than a cert itself (updating and hosting the revokes list etc.) and a fee prevents unneccesary revokations from taking place.
Yeah, I'm not really mad. Every time I have interacted with StartCom personnel they've been fast, courteous and competent, and their style is enjoyably direct and goal-focused (plain email, no boiler plate, no patronizing). I like the idea of competent people getting paid well, so that soothes my hurting wallet a bit.
AIUI, it's $60 for an identity validation, which is valid for 350 years. Within those 350 days you can create unlimited certificates at no additional charge, which are valid for 2-3 years (depending on type). That means you basically need to pay $60 for a revalidation every 2-3 years so you can reissue certificates to replace expiring ones.
Furthermore, you aren't bounded to any domain. So Startcom gives unlimited SSL/SMIME/Code signing certificates for almost a year after paying $60. Non-wildcard certificates are free (altough your name isn't on the cert).
I find it's the most reasonably priced CA of them all.
I just redid my personal ID after a year, but paperwork stalled refreshing my company ID. Now Heartbleed has struck, and I'm in the position of not having a current validation for the company (currently waiting on their return call). If I revoke, I can't reissue...