They use browser certificates (I'm not sure if this is the right name), which is actually pretty cool. When you create an account, a certificate is generated in your browser, and then you can log in with it.
The big problem is that since it's almost never used, browsers implement it but haven't done any work on making it user friendly (for example, you can see the certificates currently stored in your browser in Firefox by going to Preferences > Advanced > Certificates > View Certificates > "Your certificates" tab, which is not exactly user friendly). Also (if I remember correctly) StartSSL's implementation is not the nicest either, as you have to keep your tab open while they validate your account.
It's non-repudiation: it's so they can be sure that the person who received the email is also the person who requested the email.
Proof of data integrity is typically the easiest of these requirements to accomplish.
A cryptographic hash such as SHA-2 is usually sufficient to make an undetected
change to the data extremely unlikely, provided the recipient has a trustworthy
copy of the hash. A hash sent alongside the data gives no protection against an
active attacker: a man-in-the-middle who can replace the data can recompute and
replace the unkeyed hash as well, and a phishing site can simply serve its own
data with a matching hash. For this reason data integrity is best asserted when
the recipient already possesses the verification information through a separate
trusted channel, or when the hash is bound to a secret the attacker lacks, as
with an HMAC or a digital signature.
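The following is an added example, not code from the original page, illustrating the point above with the Python standard library. It runs three constructed scenarios on the same message: a SHA-256 digest sent in-band with the data (an attacker on the channel rewrites both and the check passes), a digest the recipient already holds from a trusted source (tampering is caught), and an HMAC with a shared key the attacker does not have (tampering is caught). The message bytes and the shared key are made-up sample values.

```python
import hashlib
import hmac

# Constructed sample data for the demonstration; not taken from any real exchange.
ORIGINAL = b"amount=100&dest=ACCT-1234"
TAMPERED = b"amount=100&dest=ACCT-9999"
SHARED_KEY = b"example-shared-key-assumed-to-be-secret"  # assumed secret, hypothetical value


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256 digest (one member of the SHA-2 family), hex encoded."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, digest: str) -> bool:
    """Recipient check against a digest, whether it arrived with the data or not."""
    return hmac.compare_digest(sha256_hex(data), digest)


def mitm_rewrite(data: bytes, digest: str, replacement: bytes):
    """An active attacker on the channel swaps the payload and, because the
    digest is unkeyed, recomputes it so an in-band check still passes."""
    return replacement, sha256_hex(replacement)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed digest: recomputing it requires the shared secret."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def mitm_rewrite_keyed(data: bytes, tag: str, replacement: bytes):
    """Without the key the attacker can only forward the old tag (or guess);
    either way the keyed check fails."""
    return replacement, tag


def run_scenarios() -> dict:
    results = {}

    # 1. Digest sent in-band: attacker rewrites both, tampering goes undetected.
    data, digest = mitm_rewrite(ORIGINAL, sha256_hex(ORIGINAL), TAMPERED)
    results["in_band_hash_detects_tampering"] = not verify_hash(data, digest)

    # 2. Recipient already holds the expected digest (obtained out of band),
    #    so the attacker's recomputed digest is never consulted.
    expected = sha256_hex(ORIGINAL)
    data, _ = mitm_rewrite(ORIGINAL, expected, TAMPERED)
    results["out_of_band_hash_detects_tampering"] = not verify_hash(data, expected)

    # 3. HMAC with a shared key over the same channel: attacker cannot re-tag.
    tag = hmac_tag(SHARED_KEY, ORIGINAL)
    data, tag = mitm_rewrite_keyed(ORIGINAL, tag, TAMPERED)
    results["hmac_detects_tampering"] = not verify_hmac(SHARED_KEY, data, tag)

    # Sanity checks: the honest, untampered cases still verify.
    results["honest_hash_ok"] = verify_hash(ORIGINAL, sha256_hex(ORIGINAL))
    results["honest_hmac_ok"] = verify_hmac(
        SHARED_KEY, ORIGINAL, hmac_tag(SHARED_KEY, ORIGINAL)
    )
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

Only the first scenario reports False: the in-band digest is worthless against an attacker who controls the channel. Scenario 2 is the "recipient already possesses the verification information" case; scenario 3 is the usual substitute when no out-of-band channel exists. `hmac.compare_digest` is used for every comparison so the check does not leak timing information about how many leading characters matched.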
Yeah, I got that far, but I had reinstalled and not backed this up, and there was less than zero information about what to import. I tried installing and/or converting every chunk of certificate-type data I could find. No joy, no help, no nothing.