StartCom Will Stop Issuing Certificates, Revoking Them All in 2020

thegarbz writes: Startcom, a certificate authority which as we covered previously has been distrusted by Mozilla, by Google, and recently also by Microsoft, has announced that it will cease trading as a Certificate Authority. While their website currently shows no indication that their certificates have any problems, a news posting has announced their intentions to stop providing certificates as of January 2018, and to revoke all remaining certificates in 2020.
The original submission also says StartCom sent an email to all their former customers -- including customers of their free StartSSL certificates -- announcing their intentions. As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.

The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in Startcoms website.

StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years. StartCom would like to thank you for your support during this difficult time.

Re: I thought most browser companies wanted "freed

https://arstechnica.com/information-technology/2017/07/google-drops-the-boom-on-wosign-startcom-certs-for-good/

This doesn't seem like an agenda. Its more like if i write a bunch of bad checks, people will stop accepting my checks because i have broken the trust in my credit worthiness.
Back dating security certs and failing to follow the rules the cert companies have to follow to maintain trust seems like a good reason to stop trusting them.

Selling Customer Details ???

The article does not quote all of the message sent to customers:

Dear customer,

As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.

The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in Startcoms website.

StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years.

StartCom would like to thank you for your support during this difficult time.

StartCom is contacting some other CAs to provide you with the certificates needed. In case you dont want us to provide you an alternative, please, contact us at certmaster@startcomca.com

Please let us know if you need any further assistance with the transition process. We deeply apologize for any inconveniences that this may cause.

Best regards,

StartCom Certification Authority

I don't think their existing customers expect their details to be passed on to the CA's so they can offer their services. Sounds like another way for a dying business to monetise their remaining assets.

Startcom was the Best until WoSign bought them

[rriven]

StartCom was the best option for multiple certificates. Their price model was vastly better and I wonder if they are having a hard time getting re-certified because the other CAs didn’t like their model.

You paid for validation not per cert.
Tier 1 was free and the certs were good for a year. Domain/Email control is all that was validated.
Tier 2 was your name, and it was $50 a year, but your certs were valid for 2 years. This allowed you to have your name in your email cert and basic checks were performed for domain certs. You were also allowed one Code Cert.
Tier 3 was more for Organizations or EV certs. Another $50 and the certs were good for 3 years. You could also have code cert with your organization name in it.

$100 every 3 years could get you UNLIMITED Domain, Email, and two Code certs. One in your name and one in your organization name. The best deal if you ask me. I had 5 email certs and 10 domain certs for $25/year as I only needed to verify once two years.

The problem started when they were bought by Wosign

https://www.wosign.com/english...

Then the shady things that got them revoked started happening and now they are closing shop. My same needs will cost close to a thousand dollars a year.

Re: I thought most browser companies wanted "free

[guruevi]

There are issues with Symantec and particular CA were revoked, a lot of them regional and not very newsworthy.

The mailing lists of the individual browsers capture some of the drama but most CA actually try to fix the issues, StartCom just made things worse as they went along.

They sold themselves to another CA and started signing and backdating certificates, then when people made a complaint of that all they did was spin off the company to a shell company simply to disassociate them from the name but the same company and people were still in charge.

Then they got hacked and when heartbleed came along it was proven that they had someoneâ(TM)s certificates stolen, they refused to retract the certificate until their customer paid them to retract it.

StartComs business model was to profit of customers that found themselves in a bind. It backfired on them.