DigiCert to Acquire Symantec’s Website Security and Related PKI Solutions(investor.symantec.com) |
Which, if that's the case, will mean Google and Mozilla more or less killed the web's largest CA.
No, no it did not. Symantec deserve zero benefit for any "customer base" transfer and digicert should be ashamed for rewarding Symantec's behaviour.
What Symantec did should result in punishment so severe no CA would dare do the same ever again. Their business should be null and void and considered to be worth absolutely nothing.
They did kill the business, but Symantec was able to salvage part of it.
"Earlier this year, the browsers proposed a plan to limit trust in Symantec certificates after discovering issues with how they were validating and issuing digital certificates. Importantly, we feel confident that this agreement will satisfy the needs of the browser community.
DigiCert is communicating this deal and its intentions to the browser community and will continue to work closely with them during the period leading up to our closing the transaction. DigiCert appreciates and shares the browsers’ commitment to engendering trust in digital certificates and protecting all users. "
Symantec basically killed their golden goose and are now selling it off to another company at a huge discount. If they didn't do this there's a good chance their whole business would fall apart.
I'd consider losing potentially billions of dollars over the next few years to be a pretty solid message.
However, I don't think that anyone is actually going to make Symantec as contaminated as you or I want. If the people at DigiCert who were competent yesterday are operating Symantec's infrastructure today, that infrastructure is now trustworthy. And in buying and salvaging it, DigiCert did the community a service: instead of leaving us in this ambiguous position where a too-big-to-fail CA was calling up Google executives to potentially overrule engineering decisions, that CA is now no longer a threat.
... snip ...
Also, some of you may be wondering about any implications our announced acquisition will have on the ongoing debate between Symantec and the browser community about trust in their certificates. Earlier this year, the browsers proposed a plan to limit trust in Symantec certificates after discovering issues with how they were validating and issuing digital certificates. Importantly, we feel confident that this agreement will satisfy the needs of the browser community. DigiCert is communicating this deal and its intentions to the browser community and will continue to work closely with them during the period leading up to our closing the transaction. DigiCert appreciates and shares the browsers’ commitment to engendering trust in digital certificates and protecting all users.
... snip ...

And I think it makes sense for DigiCert to buy it: Symantec's customers are people who are clearly willing to pay too much for even a low-quality certificate because they let Symantec consultants set up their trust infrastructure years ago and have no idea how to modernize their infrastructure. If you want a target market of people who will pay lots of money for CA services despite the presence of free services like Let's Encrypt, Symantec's existing customer base is a perfect fit.
Some checkboxes are ceremony, some have real purpose. One size does not fit all.
Buying up their customers like this is huge for Digicert. They're getting a huge influx of paying customers at a steep discount. I'd expect Digicert to make billions off of this deal over the next decade.
If so, the new owner can relatively easily shut down issuance under the current pipelines of questionable quality; issue new intermediates from the root, to be used in the new owner's pipelines and to make it possible to revoke/detrust the old intermediates if more serious trust issues are uncovered in the previous practices. Then the new owner gets to enjoy the benefits of the previous customer base, and installed base of the roots and pins.
In short, as long as they do a good job of making a clean separation of issuing practices, it's not a toxic asset.
But have you seen the blog post where Symantec was like "We talked to our customers and they said that Google's being mean"? https://www.symantec.com/connect/blogs/symantec-ca-proposal
> Many large organizations have complex, and potentially undocumented and little-known dependencies on their certificate infrastructure. Examples of complex dependencies on Symantec public roots that our customers have shared or we have identified include:
> Embedded devices that are pinned to certificates issued by a Symantec public root to communicate to resources over the Internet or Intranet. Replacing these certificates would result in immediate failures and the need to recode and reimage the firmware for these devices.
> Mobile applications that have pinned certificates. Replacing server certificates would require these applications to be recoded, recompiled and redistributed.
> Critical infrastructure organizations that use certificates issued off of Symantec roots to validate internal and external resources. In many cases, the applications being used are pinned to Symantec certificates.
> Some large organizations use certificates chained to Symantec public roots for nearly all internal applications and communications. Many of these organizations are under regulatory requirements to encrypt even internal communications.
You have lots of customers that have made the stupid decision to hard-code the Symantec public key as indefinitely trustworthy. (Some of them may well have got Symantec to do the consulting for their internal infrastructure.) No matter how stupid the decision is, it's been made, and those customers will pay good money for a cert that's either issued directly from or chains to the Symantec root.
Even if the only thing that DigiCert does with the Symantec private key is to sign their own CA and then destroy it, and they kill the Symantec brand and every piece of Symantec infrastructure, that still brings them tons of customers who literally cannot move to a competitor not in possession of the Symantec private key. I'm not surprised that's worth $1B.
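The two mechanics argued about above, a buyer issuing fresh intermediates off the inherited root while leaving the old issuing pipeline behind, and customers who pinned to the root versus those who pinned to an intermediate, can be shown with a toy hierarchy. This is an added example, not code from the thread or from DigiCert or Symantec; the CA names, hostname and file names are invented, and it assumes only that the buyer holds the root's private key. The script builds a root, an "old pipeline" intermediate, a "new owner" intermediate, one leaf under each, and then plays a pinning client against the chains.

```shell
#!/bin/sh
# Added example: toy PKI for the "new intermediate off the same root" move.
# All names (Example Legacy Root, legacy.example.com, file names) are invented.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal OpenSSL config: one CA extension profile, one server-leaf profile.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:legacy.example.com
EOF

# issue <name> <extension profile> <issuing CA name> <subject>
# Generates a key + CSR for <name> and signs it with <issuing CA name>.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
        -subj "$4" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -days 365 -sha256 -extfile ca.cnf -extensions "$2" -out "$1.pem" 2>/dev/null
}

# The long-lived root: this key pair is what pinned devices and apps trust.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
    -extensions ca_ext -subj "/CN=Example Legacy Root" \
    -keyout root.key -out root.pem 2>/dev/null

# Old issuing pipeline (to be retired) and the buyer's new one, both off the root.
issue old_int  ca_ext   root    "/CN=Example Legacy Issuing CA (old pipeline)"
issue new_int  ca_ext   root    "/CN=Example Issuing CA (new owner pipeline)"
issue leaf_old leaf_ext old_int "/CN=legacy.example.com"
issue leaf_new leaf_ext new_int "/CN=legacy.example.com"

# HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo)) of a certificate.
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# A pinning client: <leaf> <intermediate presented by the server> <pinned SPKI>.
# Accepts only if the chain validates to root.pem AND some cert in the
# validated chain carries the pinned public key.
client_accepts() {
    leaf=$1; inter=$2; pin=$3
    openssl verify -CAfile root.pem -untrusted "$inter" "$leaf" >/dev/null 2>&1 || return 1
    for c in "$leaf" "$inter" root.pem; do
        [ "$(spki_pin "$c")" = "$pin" ] && return 0
    done
    return 1
}

ROOT_PIN=$(spki_pin root.pem)
OLD_INT_PIN=$(spki_pin old_int.pem)

# Root-pinned customers survive the pipeline swap; intermediate-pinned ones do not.
outcome() { if client_accepts "$@"; then echo accepted; else echo rejected; fi; }
echo "root pin,   leaf from new pipeline: $(outcome leaf_new.pem new_int.pem "$ROOT_PIN")"
echo "root pin,   leaf from old pipeline: $(outcome leaf_old.pem old_int.pem "$ROOT_PIN")"
echo "old-int pin, leaf from old pipeline: $(outcome leaf_old.pem old_int.pem "$OLD_INT_PIN")"
echo "old-int pin, leaf from new pipeline: $(outcome leaf_new.pem new_int.pem "$OLD_INT_PIN")"
```

The root-pinned cases are why the root is the asset: anything the buyer issues under a new intermediate still satisfies those clients, and nothing a competitor issues ever will. The last line is the failure mode Symantec's blog post describes for apps and devices pinned to a specific intermediate or leaf. Actually cutting off the old pipeline, rather than merely not using it, is a revocation and browser-distrust matter (CRL/OCSP for the old intermediate, and entries in the browsers' own blocklists), which this script does not attempt.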
But I'm sure it'll go right back to printing money once it's no longer directly associated with a vendor of TLS interception middle boxes popular among despots. And the browser relations fiasco will blow over eventually.
Might cost them a bunch of rebates and refunds to keep clients, but I see why this could be a viable customer acquisition move for DigiCert.
I think you're mostly arguing with claims I didn't make.
Using the rankings of CAs largest to smallest [2], the first public CA is GoDaddy (W2Techs 2016 Survey), which has a range of services. They show GoDaddy to be 11.8% of the market, with Symantec at 26%. So Symantec is 220% larger. I'm too lazy to estimate GoDaddy's CA business from their financials; I didn't see anything obvious in their financials to make it easier.
GoDaddy's public valuation at this time is 7.27B [3], and if we scale GoDaddy's market cap up to Symantec's size, and only account 20% [4] to the CA business: 7.27B * (26/11.8) * .2 = ~3.2B (Symantec CA Business)
If we use DigiCert, and try to scale GoDaddy's market cap down to DigiCert's market share (3.0%) [2], then you end up with 7.27B * (3.0/11.8) * .2 = ~370M (DigiCert Current Valuation)
However, DigiCert becomes number two CA provider overnight, to 29%, which rockets their value up (maybe?), by our same math, they are now 245% the size of GoDaddy from a cert perspective, 7.27B * ((26 + 3)/11.8) * .2 = ~3.57B (DigiCert + Symantec Business) [5].
So Symantec ends up with 950m cash and 1.07B DigiCert holdings (3.57B * .3 = 1.07B), or ~1.957B of value.
That'd mean Symantec is taking 2/3rds (~1b hit) - that feels like a pretty solid deterrent?
1. Armchair economist
2. https://en.wikipedia.org/wiki/Certificate_authority
3. https://www.google.com/finance?q=NYSE%3AGDDY&ei=qU-CWciuPMqg... (8/2/2017 EOD MarketCap)
4. This could be wildly high.
5. Normally a combined entity would have duplicative operations and arguably be worth more than their whole, but since these are kind of iffy assets, they probably would be worth less.
I think this deal should put digicert on a "one strike and you're out" zone as well.
I don't understand what's going on. Digicert will give Symantec 800M+ cash and a 30% equity?
And Symantec will generously allow the current digicert CEO to continue as the CEO of digicert? Doesn't look like Symantec is selling anything. Looks like Symantec is buying digicert from the owners of digicert.
You clearly have other objectives you would like Google and Mozilla to accomplish for you, and I probably agree with many of them, but let's try to stay focused here.
What digicert is doing, in allowing Symantec to continue operating in their name, is wrong and really lessens what it means to completely fuck up the core mission of what a CA does, and it makes a mockery of any sort of censure any browser/TLS developer/user could do. They should have to limp along while browsers distrust their certs and their customers leave for other providers competing on an open market. Then once they've been bled dry they should die alone. I want this to be difficult for their customers. Part of choosing a CA is doing due diligence, and you can bet that once people have been burnt they'll be a lot more cautious about their next choice. This makes the CA/PKI system stronger as a result -- a bit of pain now is a good thing.
This is the interest Google should have in ensuring that the rats go down with the sinking ship.
You have a perfectly valid reason, which is that your auditors want you to buy an expensive certificate to make them happy, but you're still paying more than market ($0ish) for SSL, which means you're a good customer for DigiCert to have acquired.
BTW, if you want to save some money, try sending your auditors the WebTrust audits that Let's Encrypt has passed just as well as Symantec (if not better; see mozilla.dev.security.policy): https://letsencrypt.org/repository/
Whether it's ceremony or not, I have to check the box or face harsh regulatory penalties.
I'm a little amused (not at you, but at the absurdity of the whole process) that we're talking about CA selection for products that almost definitely can't even properly quote and unquote a FIX field separator from user input.
Badness happened, but no more. There are paths forward for everyone involved. No more harm, just move forward.