
https://www.startssl.com

2 Years wildcard for $59.90




StartSSL has some detractors but I've used them for certain projects for quite a while, including for S/MIME email certificates (with full knowledge of the security implications compared to PGP, of course).

I'll give them some credit though for successfully using client certificates for login purposes. Sure it has some obvious drawbacks (if they only issue you one login keypair, losing it locks you out of your account) and some real benefits. It's interesting to say the least, and impressive to see working too.

I'd like to see that sort of login method offered at least as an option on more websites, even consumer stuff like Gmail and Facebook, but especially other SSL providers; it seems like a natural fit.

As a login method it works automatically without any user interruption, every browser seems to support it (even my iPhone), and the enrollment process for securely generating a new key on the user's machine and installing their certificate in the browser for them can clearly be 100% automated by the website itself (that's what StartSSL does), so that removes almost all the pain points for even non-technical users.

Oh and it makes automatic website login via smartcards possible too, should you choose to develop an obsession with them like I have :)

/tangent
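The client-certificate login described in the comment above, as an added example that is not from the original thread and not StartSSL's code: a Go TLS server that demands a certificate chained to its own root and takes the login identity from the verified certificate, while a connection presenting no certificate (or one from an unrelated CA) is refused at the handshake. The root, the server certificate and the user certificate are constructed on the fly here; the names "Demo Login CA" and "alice@example.test" are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a throwaway certificate for cn signed by parent (a self-signed root when parent is nil); constructed demo PKI.
func issue(cn string, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // in the browser flow this keypair is generated on, and never leaves, the user's machine
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{"localhost"},
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if parent == nil { // self-signed root that signs the server and user certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// clientCertLogin runs a TLS server demanding a client certificate chained to root, connects once presenting user (nil = no certificate) and returns the CommonName the server accepted, or "" when rejected.
func clientCertLogin(root, srv tls.Certificate, user []tls.Certificate) string {
	pool := x509.NewCertPool()
	pool.AddCert(root.Leaf)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}) // the entire login check
	defer ln.Close()
	who := make(chan string, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil { who <- ""; return }
		defer conn.Close()
		if conn.(*tls.Conn).Handshake() != nil { who <- ""; return } // missing or unverifiable certificate is refused here
		who <- conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName // identity taken from the verified leaf only
	}()
	if c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: user}); err == nil { c.Close() }
	return <-who
}

func main() {
	root := issue("Demo Login CA", x509.ExtKeyUsageAny, nil)
	srv, alice := issue("localhost", x509.ExtKeyUsageServerAuth, &root), issue("alice@example.test", x509.ExtKeyUsageClientAuth, &root)
	println(clientCertLogin(root, srv, []tls.Certificate{alice}), clientCertLogin(root, srv, nil)) // alice@example.test, then "" (no certificate)
}
```

The server never reads a username from the client; the identity is whatever the verified certificate's subject says, which is why losing the one issued keypair locks you out as the comment notes.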


They charge for reissuing certs though. https://news.ycombinator.com/item?id=7557764


StartSSL also requires you to send a copy of your passport out of country (to Israel). Fine; they need to verify identity.

They retain the records for seven years though. Why preserve the documents at all after validation is complete for non-EV certs? Seems like it creates an unreasonable liability given that data breaches happen. They will also not say how the records are secured. When I inquired, they simply said "We obviously can't provide any technical details about our security measures, but the documents are secure." While I can understand the need to maintain operational security, disclosing whether documents are stored encrypted or not should not violate this security.

The lack of openness, combined with the charge for cert re-issuance, made me look elsewhere. When the Heartbleed vulnerability hit and I had to regenerate certs, I was very happy to have chosen a different CA.


That's not a good reason to skip over them. Unless you expect multiple Heartbleed-severity bugs to be exposed in two years you are still way ahead. Just don't lose your private key.


You actually only need a single one to make it cheaper to go elsewhere: they charged $25/revocation, which brings the price up to $85, which no longer makes them the most cost-effective.

Heck for $99 you can buy a Comodo "EssentialSSL" wildcard, which grants you unlimited re-issue (plus you don't have to deal with StartSSL's terrible UI):

https://comodosslstore.com/essentialssl-wildcard.aspx


StartSSL's UI is awful.

If you need a cheap wildcard cert you can get a two year wildcard AlphaSSL cert from garrisonhost for $79 without the pain of dealing with StartSSL.

http://www.garrisonhost.com/ssl-certificates/alphassl.html



