Startcom is great (I use it for a bunch of domains), but there are some caveats:

* They are only free for personal, non-commercial use. You can't (contractually) use them for your startup.

* They are free to acquire, but they charge to revoke them. So don't lose your key (even accidentally, via something like heartbleed).

* Their roots are not in the Windows XP base install. They are included in an optional update, but my experience with a web site that had old machines in its demographics showed that practically no one had it installed. Given that XP is no longer supported by Microsoft, this point is getting less and less relevant as the days go by.

I think even WinXP had auto root update by default, and even Win7 don't have the StartCom root installed by default.

Sorry, but no. Their response to Heartbleed - refusing to revoke certs without charge even in an emergency - means I can never recommend Startcom again.

Failing to revoke keys on any notification they've been compromised is a CA/B forum guideline reason to revoke their trust as a CA, actually. They still have valid unrevoked signs on thousands of Heartbleeded keys now, because they issued them free but won't withdraw them without charge.

Fortunately, Let's Encrypt will replace them.

This is the second thing I've seen you say that surprised me, given your background (the first being that you actually use DANE). TLS certificate revocation is, of course, theater --- and will be until widespread deployment of some kind of "must-staple" extension --- and Start's refusal to issue revocations had virtually no operational impact on the Internet or on privacy.

For now, but it did made me think about short lived certificates.