As a free SSL provider I think this is entirely valid for them to charge for revocations. Plus, it's entirely possible that not all people using certificates from StartSSL are using OpenSSL.
It's the cert owner's prerogative to ensure their certificate is properly secured. There's no reason for debian/mozilla to remove StartSSL from their CA lists. If you have StartSSL and you used OpenSSL 1.01f or another vulnerable version, pay the $25 and move on -- it's cheaper than if you used godaddy.
It is totally valid for you to be a jerk, and then it is totally valid for other people to call you out on being a jerk.
Yes, maintaining a revocation list costs them time and money. But this is a Big Deal. Extenuating circumstances. They have a social responsibility here, and they're failing at it.
It is totally valid for people to call them out for not going above and beyond, but that doesn't mean Mozilla/Debian/etc should be popping them out of CAs.
The mob is welcome to mob, but Mozilla and Debian shouldn't be making decisions based on the whims of the mob.
If you can't trust the certificates they produce, then they should be removed. And there will be a lot of valid-but-dangerous certs in the wild from them.
You can trust the certificates they produce. It's only users who were running exploitable OpenSSL whose certs are at risk, through no fault of StartSSL. There will be many perfectly safe certificates from other customers affected if the root trust is revoked.
You can trust some of the certificates they produce, but you don't know which ones. A responsible person would trust none of them, because you can't know who you can and cannot trust.
Their certificates are perfectly trustable. The ones you shouldn't trust are the irresponsible domain owners who refuse to pay 20 fracking dollars for their users' security. It's not like StartSSL are actively refusing to revoke the certificates.
Sure. How many of those are there? My understanding is that most CAs let you revoke and re-issue your certs for free for the year you've paid them for.
This is roughly equivalent to expecting a locksmith to re-key your lock because you left your keys sitting in public for a couple years. Why would a locksmith have a responsibility to do that? His lock and key were fine, you (or people/processes you trust) were the issue.
Your analogy does not allow for the distinction between revocation and renewal. You might not expect the locksmith to renew your lock for free - but you should be able to remove it without paying him.
It's also three times the annual price of a certificate from PositiveSSL, plus StartSSL's "free" certificates have various annoying restrictions intended to encourage you to move to the premium product (fixed expiry period of one year, can't renew until a fortnight before it expires, various limitations on what you can issue, ...)