Comment 13 for bug 310999

Sam Johnston (samj) wrote:

As the private key has already been demonstrated at https://192.116.242.23/ it would be prudent to promptly and securely destroy it. Certainly if StartCom are incapable of keeping a private key secure then we have more to worry about, but there is a significant difference between an offline root and a live cert for an important domain sitting on an Internet-facing Apache 2.2.3 server.

Also, even when made in jest, threats like this[1] are deeply disconcerting (especially when made by an official at a currently trusted CA). I don't propose that it be actioned but would encourage people to treat this apparently systemic issue with the severity it deserves.

1. http://groups.google.com/group/mozilla.dev.tech.crypto/msg/55d437cb570978d4