Why wouldn't it? It's irresponsible on the part of the provider. CAs are in a trusted position, and if you cannot trust a CA to act in the best interest of the wider community, then what place is there for them in the trusted CA list?
Not to mention that in the wake of the Debian Weak Keys issue (http://www.debian.org/security/2008/dsa-1571) they stated that they were revoking certificates of their own accord (i.e. without the customer's interaction) after a few weeks.
StartSSL FAQ #74 wrote:
74.) What is a weak key and why do I have to create a new certificate?
All private keys and the resulting certificates which were created on a Debian based operating system - including Ubuntu, are compromised due to a bug since September 2006. Web sites which rely on a private key created by the affected systems are highly vulnerable and should be replaced immediately.
If you received an email from StartCom warning you about being affected, please request revocation from within the StartSSL Control Panel -> "Tool Box" -> "Revocation Request" and create a new certificate. Certificates which were signed by our old CA root should be revoked from here.
Don't use a Debian system without having it updated - which includes those of hosting providers using cPanel and Plesk. You can create your private key by the StartSSL Certificates Wizard (more information).
StartCom will eventually revoke all affected certificates after a short week period after sending the warning mail.
Emphasis is mine - source: http://www.startssl.com/?app=25#74
I don't see how this is any different - well, aside from being a hell of a lot worse and more widespread - it's purely an attempt at making a quick buck due to the large scale of this issue, as far as I'm concerned.
As it so happens, I suspect it's also somewhat contrary to the Mozilla requirements listed here in section 2: https://www.mozilla.org/en-US/about/gov ... intenance/
Mozilla Certificate Policy wrote:
2 CAs must revoke Certificates that they have issued upon the occurrence of any of the following events:
- the CA obtains reasonable evidence that the subscriber’s private key (corresponding to the public key in the certificate) has been compromised or is suspected of compromise (e.g. Debian weak keys), or that the certificate has otherwise been misused;
I would be surprised if other folks like Debian did not have a clause like this. (Edit: As it happens, Debian just uses Mozilla's anyway.)
Every other CA I've had to deal with this week has either not charged (e.g. if they said they could in the terms of service) or been free anyway as part of the service.
Revoke for free, fee for reissue seems more sane to me. Personally, I moved my paid for services to another provider.