It's Symantec's past operation of the CA that's untrusted by Google, and in fact one of the proposals was that Symantec make a new CA and cross-sign it with their old one, which would maintain compatibility for previous customers that pinned the Symantec root as well as customers using up-to-date browsers. So if the setup here is that DigiCert signs their own CA with Symantec's, then everyone's happy: DigiCert gets the customers, the community believes DigiCert is competent, and old Symantec customers get business continuity. It possibly makes more business sense for Symantec to sell their root to a trusted CA than to continue to operate it.
And I think it makes sense for DigiCert to buy it: Symantec's customers are people who are clearly willing to pay too much for even a low-quality certificate because they let Symantec consultants set up their trust infrastructure years ago and have no idea how to modernize their infrastructure. If you want a target market of people who will pay lots of money for CA services despite the presence of free services like Let's Encrypt, Symantec's existing customer base is a perfect fit.
I work in the financial infrastructure space, and while I'm no fan of Symantec, using Let's Encrypt would get me laughed out of the room by compliance and our auditors.
Some checkboxes are ceremony, some have real purpose. One size does not fit all.
Happy to do this over beer, but I'm not sure I understand which of the SCI rules would determine which CA you use.
I'm a little amused (not at you, but at the absurdity of the whole process) that we're talking about CA selection for products that almost definitely can't even properly quote and unquote a FIX field separator from user input.
I suspect your auditors have no real reason to object to Let's Encrypt (do they understand that Let's Encrypt is equally capable of issuing a false certificate under your name? does your security rely on the browser PKI? how did every single company in the browser PKI get okayed by your auditors?).
You have a perfectly valid reason, which is that your auditors want you to buy an expensive certificate to make them happy, but you're still paying more than market ($0ish) for SSL, which means you're a good customer for DigiCert to have acquired.
BTW, if you want to save some money, try sending your auditors the WebTrust audits that Let's Encrypt has passed just as well as Symantec (if not more well, see mozilla.dev.security.policy): https://letsencrypt.org/repository/
As I mentioned above, when Symantec bought Verisign it was making over $440 million a year in profit (not revenue, profit).
Buying up their customers like this is huge for Digicert. They're getting a huge influx of paying customers at a steep discount. I'd expect Digicert to make billions off of this deal over the next decade.
"Under the terms of the agreement, Symantec will receive approximately $950 million in upfront cash proceeds and approximately a 30 percent stake in the common stock equity of the DigiCert business at the closing of the transaction."
I'm a reseller for Digicert - they just sent an announcement email about this, here's the most interesting bit:
"Earlier this year, the browsers proposed a plan to limit trust in Symantec certificates after discovering issues with how they were validating and issuing digital certificates. Importantly, we feel confident that this agreement will satisfy the needs of the browser community.
DigiCert is communicating this deal and its intentions to the browser community and will continue to work closely with them during the period leading up to our closing the transaction. DigiCert appreciates and shares the browsers’ commitment to engendering trust in digital certificates and protecting all users. "
You may want to come up with an escape plan then. If digicert can buy Symantec so that Symantec can escape censure what message does that send? At this point Symantec should be considered so radioactive that nobody would go near it for fear of contamination. Symantec betrayed all of us and digicert, in buying it and rewarding the behaviour is doing the same.
The message is that Symantec doesn't get to run a CA business anymore. Presumably the fact that a sale was somewhat necessary was priced into the purchase price.
The point is the purchase price should have been zero. I want every Symantec shareholder to feel the pain and never invest in any company that is that shit again.
I think this deal should put digicert on a "one strike and you're out" zone as well.
I don't understand what's going on. Digicert will give Symantec 800M+ cash and a 30% equity?
And Symantec will generously allow the current digicert CEO to continue as the CEO of digicert? Doesn't look like Symantec is selling anything. Looks like Symantec is buying digicert from the owners of digicert.
It would be a "classic reverse buyout" if DigiCert was going to continue to operate the Symantec CA infrastructure. If it is not, then Google and Mozilla will have accomplished their most important objective, which is the elimination of insecure certificate issuers in current operation.
You clearly have other objectives you would like Google and Mozilla to accomplish for you, and I probably agree with many of them, but let's try to stay focused here.
And now the same people who made that shitty infrastructure will control a large chunk of the business that created what was once (probably) a perfectly good one -- and likely make the same shit decisions that made their old one shit as well making digicerts' infrastructure worse, and eventually probably shit as well.
Lay out the scenario, in as much detail as you can, where employees of Symantec brought over to DigiCert somehow corrupt the certificate issuance process. If it's specific enough, I'll take your money over it (I assume proceeds to charity; mine's Partners In Health).
When Symantec bought Verisign it was making over $400million in net profits off of over $1.1 billion in revenue.
Symantec basically killed their golden goose are are now selling it off to another company at a huge discount. If they didn't do this there's a good chance their whole business would fall apart.
I'd consider losing potentially billions of dollars over the next few years to be a pretty solid message.
I think your outrage is properly directed, and I agree with you that this is way too nice an ending for Symantec.
However, I don't think that anyone is actually going to make Symantec as contaminated as you or I want. If the people at DigiCert who were competent yesterday are operating Symantec's infrastructure today, that infrastructure is now trustworthy. And in buying and salvaging it, DigiCert did the community a service: instead of leaving us in this ambiguous position where a too-big-to-fail CA was calling up Google executives to potentially overrule engineering decisions, that CA is now no longer a threat.
I don't recall the exact details of their poor historical practices, but I think they at least had audited issuance, and reasonable control of their roots, although their intermediates issued questionable certificates?
If so, the new owner can relatively easily shut down issuance under the current pipelines of questionable quality; issue new intermediates from the root, to be used in the new owner's pipelines and to make it possible to revoke/detrust the old intermediates if more serious trust issues are uncovered in the previous practices. Then the new owner gets to enjoy the benefits of the previous customer base, and installed base of the roots and pins.
In short, as long as they do a good job of making a clean separation of issuing practices, it's not a toxic asset.
Well this business unit might be a toxic asset now.
But I'm sure it'll go right back to printing money once it's no longer directly associated with a vendor of TLS interception middle boxes popular among despots. And the browser relations fiasco will blow over eventually.
Might cost them a bunch of rebates and refunds to keep clients, but I see why this could be a viable customer acquisition move for DigiCert.
> Many large organizations have complex, and potentially undocumented and little-known dependencies on their certificate infrastructure. Examples of complex dependencies on Symantec public roots that our customers have shared or we have identified include:
> Embedded devices that are pinned to certificates issued by a Symantec public root to communicate to resources over the Internet or Intranet. Replacing these certificates would result in immediate failures and the need to recode and reimage the firmware for these devices.
> Mobile applications that have pinned certificates. Replacing server certificates would require these applications to be recoded, recompiled and redistributed.
> Critical infrastructure organizations that use certificates issued off of Symantec roots to validate internal and external resources. In many cases, the applications being used are pinned to Symantec certificates.
> Some large organizations use certificates chained to Symantec public roots for nearly all internal applications and communications. Many of these organizations are under regulatory requirements to encrypt even internal communications.
You have lots of customers that have made the stupid decision to hard-code the Symantec public key as indefinitely trustworthy. (Some of them may well have got Symantec to do the consulting for their internal infrastructure.) No matter how stupid the decision is, it's been made, and those customers will pay good money for a cert that's either issued directly from or chains to the Symantec root.
Even if the only thing that DigiCert does with the Symantec private key is to sign their own CA and then destroy it, and they kill the Symantec brand and every piece of Symantec infrastructure, that still brings them tons of customers who literally cannot move to a competitor not in possession of the Symantec private key. I'm not surprised that's worth $1B.
Also, some of you may be wondering about any implications our announced acquisition will have on the ongoing debate between Symantec and the browser community about trust in their certificates.
Earlier this year, the browsers proposed a plan to limit trust in Symantec certificates after discovering issues with how they were validating and issuing digital certificates. Importantly, we feel confident that this agreement will satisfy the needs of the browser community.
DigiCert is communicating this deal and its intentions to the browser community and will continue to work closely with them during the period leading up to our closing the transaction. DigiCert appreciates and shares the browsers’ commitment to engendering trust in digital certificates and protecting all users.
Presumably the idea here is that DigiCert is buying Symantec's customer database, and instead of Symantec painstakingly transferring its users to a new, trustworthy certificate issuance system, everyone will just use DigiCert's.
Which, if that's the case, will mean Google and Mozilla more or less killed the web's largest CA.
> Which, if that's the case, will mean Google and Mozilla more or less killed the web's largest CA.
No, no it did not. Symantec deserve zero benefit for any "customer base" transfer and digicert should be ashamed for rewarding Symantec's behaviour.
What Symantec did should result in punishment so severe no CA would dare do the same ever again. Their business should be null and void and considered to be worth absolutely nothing.
They should have been utterly destroyed; not parted out to the highest bidder. I want every Symantec shareholder to feel the pain of a zero share price for what they enabled.
What exactly does Google accomplish by somehow trying to prevent Symantec from having a beneficial interest in its customer base? The alternative to this deal is that Symantec continues limping forward with a broken CA customer base that browsers have to accommodate for years to come. The economics of this deal are what enabled it to happen at all.
> What exactly does Google accomplish by somehow trying to prevent Symantec from having a beneficial interest in its customer base?
What digicert is doing, in allowing Symantec to continue operating in their name, is wrong and really lessens what it means to completely fuck up the core mission of what a CA does and it makes a mockery of any sort of censure any browser/TLS developer/user could do. They should have to limp along while browsers distrust their certs and their customers leave to other providers competing on an open market. Then once they've been bled dry they should die alone. I want this to be difficult for their customers. Part of choosing a CA is doing due diligence and you can bet that once people have been burnt they'll be a lot more cautious about their next choice. This makes the CA/PKI system stronger as result -- a bit of pain now is a good thing.
This is the interest Google should have in ensuring that the rats go down with the sinking ship.
I'm really having trouble following you. You keep writing as if the alternative to Digicert's fire-sale acquisition was that Symantec's CA would simply vanish off the face of the Earth. No. False premise.
Please explain. If their certs become useless and no-one will touch them because, in turn, their certs will be useless... then how wouldn't Symantec's CA vanish off the face of the earth? Their customers can't exactly live without the PKI -- they would just have to go to another vendor, as they should in any case. If those customers have made poor engineering decisions in their own products, well, that's their problem isn't it?
I think you've oversimplified the pre-existing Google/Mozilla distrust plan, and your misapprehension about what was happening has harmed your understanding of the economics of this acquisition.
You're right. I probably do need to go back and re-examine the details. Generally when disagreements happen, one or both parties is missing something. At the same time, I still feel this is far too nice an ending for Symantec given the shit they pulled.
I think the discussion you and tptacek are having relates, in a way, to how different people approach the criminal justice system. People generally want it to either punish the guilty (Watchmen's Rorschach) or protect the innocent (Sweden), and I think Symantec's dissolution looks like a carefully thought out plan to protect the innocent.
Badness happened, but no more. There are paths forward for everyone involved. No more harm, just move forward.
Using the rankings of CA's largest to smallest [2], the first public CA is GoDaddy (W2Techs 2016 Survey), which has a range of services. They show GoDaddy to be 11.8% of the market, with Symantec at 26%. So Symantec is 220% larger. I'm too lazy to estimate GoDaddy's CA business from their financials, I didn't see anything obvious in their financials to make it easier.
GoDaddy's public valuation at this time is 7.27B [3], and if we scale up GoDaddy Market Cap to Symantec's size, and only account 20% [4] to the CA business: 7.27B * (26/11.8) * .2 = ~3.2B (Symantic CA Business)
If we use DigiCert, and try to GoDaddy's market cap down to DigiCerts market share (3.0%) [2]. Then you end up with 7.27B * (3.0/11.8) * .2 = ~370M (DigiCert Current Valuation)
However, DigiCert becomes number two CA provider overnight, to 29%, which rockets their value up (maybe?), by our same math, they are now 245% the size of GoDaddy from a cert perspective, 7.27B * ((26 + 3)/11.8) * .2 = ~3.57B (DigiCert + Symantec Business) [5].
So Symantec ends up with 950m cash and 1.07B DigiCert holdings (3.57B * .3 = 1.07B), or ~1.957B of value.
That'd mean Symantec is taking 2/3rds (~1b hit) - that feels like a pretty solid deterrent?
58 comments
[ 4.4 ms ] story [ 117 ms ] threadAnd I think it makes sense for DigiCert to buy it: Symantec's customers are people who are clearly willing to pay too much for even a low-quality certificate because they let Symantec consultants set up their trust infrastructure years ago and have no idea how to modernize their infrastructure. If you want a target market of people who will pay lots of money for CA services despite the presence of free services like Let's Encrypt, Symantec's existing customer base is a perfect fit.
Some checkboxes are ceremony, some have real purpose. One size does not fit all.
Whether it's ceremony or not, I have to check the box or face harsh regulatory penalties.
I'm a little amused (not at you, but at the absurdity of the whole process) that we're talking about CA selection for products that almost definitely can't even properly quote and unquote a FIX field separator from user input.
You have a perfectly valid reason, which is that your auditors want you to buy an expensive certificate to make them happy, but you're still paying more than market ($0ish) for SSL, which means you're a good customer for DigiCert to have acquired.
BTW, if you want to save some money, try sending your auditors the WebTrust audits that Let's Encrypt has passed just as well as Symantec (if not more well, see mozilla.dev.security.policy): https://letsencrypt.org/repository/
Buying up their customers like this is huge for Digicert. They're getting a huge influx of paying customers at a steep discount. I'd expect Digicert to make billions off of this deal over the next decade.
"Earlier this year, the browsers proposed a plan to limit trust in Symantec certificates after discovering issues with how they were validating and issuing digital certificates. Importantly, we feel confident that this agreement will satisfy the needs of the browser community.
DigiCert is communicating this deal and its intentions to the browser community and will continue to work closely with them during the period leading up to our closing the transaction. DigiCert appreciates and shares the browsers’ commitment to engendering trust in digital certificates and protecting all users. "
I think this deal should put digicert on a "one strike and you're out" zone as well.
I don't understand what's going on. Digicert will give Symantec 800M+ cash and a 30% equity?
And Symantec will generously allow the current digicert CEO to continue as the CEO of digicert? Doesn't look like Symantec is selling anything. Looks like Symantec is buying digicert from the owners of digicert.
You clearly have other objectives you would like Google and Mozilla to accomplish for you, and I probably agree with many of them, but let's try to stay focused here.
Symantec basically killed their golden goose are are now selling it off to another company at a huge discount. If they didn't do this there's a good chance their whole business would fall apart.
I'd consider losing potentially billions of dollars over the next few years to be a pretty solid message.
However, I don't think that anyone is actually going to make Symantec as contaminated as you or I want. If the people at DigiCert who were competent yesterday are operating Symantec's infrastructure today, that infrastructure is now trustworthy. And in buying and salvaging it, DigiCert did the community a service: instead of leaving us in this ambiguous position where a too-big-to-fail CA was calling up Google executives to potentially overrule engineering decisions, that CA is now no longer a threat.
If so, the new owner can relatively easily shut down issuance under the current pipelines of questionable quality; issue new intermediates from the root, to be used in the new owner's pipelines and to make it possible to revoke/detrust the old intermediates if more serious trust issues are uncovered in the previous practices. Then the new owner gets to enjoy the benefits of the previous customer base, and installed base of the roots and pins.
In short, as long as they do a good job of making a clean separation of issuing practices, it's not a toxic asset.
But I'm sure it'll go right back to printing money once it's no longer directly associated with a vendor of TLS interception middle boxes popular among despots. And the browser relations fiasco will blow over eventually.
Might cost them a bunch of rebates and refunds to keep clients, but I see why this could be a viable customer acquisition move for DigiCert.
But have you seen the blog post where Symantec was like "We talked to our customers and they said that Google's being mean"? https://www.symantec.com/connect/blogs/symantec-ca-proposal
> Many large organizations have complex, and potentially undocumented and little-known dependencies on their certificate infrastructure. Examples of complex dependencies on Symantec public roots that our customers have shared or we have identified include:
> Embedded devices that are pinned to certificates issued by a Symantec public root to communicate to resources over the Internet or Intranet. Replacing these certificates would result in immediate failures and the need to recode and reimage the firmware for these devices.
> Mobile applications that have pinned certificates. Replacing server certificates would require these applications to be recoded, recompiled and redistributed.
> Critical infrastructure organizations that use certificates issued off of Symantec roots to validate internal and external resources. In many cases, the applications being used are pinned to Symantec certificates.
> Some large organizations use certificates chained to Symantec public roots for nearly all internal applications and communications. Many of these organizations are under regulatory requirements to encrypt even internal communications.
You have lots of customers that have made the stupid decision to hard-code the Symantec public key as indefinitely trustworthy. (Some of them may well have got Symantec to do the consulting for their internal infrastructure.) No matter how stupid the decision is, it's been made, and those customers will pay good money for a cert that's either issued directly from or chains to the Symantec root.
Even if the only thing that DigiCert does with the Symantec private key is to sign their own CA and then destroy it, and they kill the Symantec brand and every piece of Symantec infrastructure, that still brings them tons of customers who literally cannot move to a competitor not in possession of the Symantec private key. I'm not surprised that's worth $1B.
Earlier this year, the browsers proposed a plan to limit trust in Symantec certificates after discovering issues with how they were validating and issuing digital certificates. Importantly, we feel confident that this agreement will satisfy the needs of the browser community. DigiCert is communicating this deal and its intentions to the browser community and will continue to work closely with them during the period leading up to our closing the transaction. DigiCert appreciates and shares the browsers’ commitment to engendering trust in digital certificates and protecting all users.
Which, if that's the case, will mean Google and Mozilla more or less killed the web's largest CA.
No, no it did not. Symantec deserve zero benefit for any "customer base" transfer and digicert should be ashamed for rewarding Symantec's behaviour.
What Symantec did should result in punishment so severe no CA would dare do the same ever again. Their business should be null and void and considered to be worth absolutely nothing.
They did kill the business, but Symantec was able to salvage part of it.
I think you're mostly arguing with claims I didn't make.
What digicert is doing, in allowing Symantec to continue operating in their name, is wrong and really lessens what it means to completely fuck up the core mission of what a CA does and it makes a mockery of any sort of censure any browser/TLS developer/user could do. They should have to limp along while browsers distrust their certs and their customers leave to other providers competing on an open market. Then once they've been bled dry they should die alone. I want this to be difficult for their customers. Part of choosing a CA is doing due diligence and you can bet that once people have been burnt they'll be a lot more cautious about their next choice. This makes the CA/PKI system stronger as result -- a bit of pain now is a good thing.
This is the interest Google should have in ensuring that the rats go down with the sinking ship.
Badness happened, but no more. There are paths forward for everyone involved. No more harm, just move forward.
Using the rankings of CA's largest to smallest [2], the first public CA is GoDaddy (W2Techs 2016 Survey), which has a range of services. They show GoDaddy to be 11.8% of the market, with Symantec at 26%. So Symantec is 220% larger. I'm too lazy to estimate GoDaddy's CA business from their financials, I didn't see anything obvious in their financials to make it easier.
GoDaddy's public valuation at this time is 7.27B [3], and if we scale up GoDaddy Market Cap to Symantec's size, and only account 20% [4] to the CA business: 7.27B * (26/11.8) * .2 = ~3.2B (Symantic CA Business)
If we use DigiCert, and try to GoDaddy's market cap down to DigiCerts market share (3.0%) [2]. Then you end up with 7.27B * (3.0/11.8) * .2 = ~370M (DigiCert Current Valuation)
However, DigiCert becomes number two CA provider overnight, to 29%, which rockets their value up (maybe?), by our same math, they are now 245% the size of GoDaddy from a cert perspective, 7.27B * ((26 + 3)/11.8) * .2 = ~3.57B (DigiCert + Symantec Business) [5].
So Symantec ends up with 950m cash and 1.07B DigiCert holdings (3.57B * .3 = 1.07B), or ~1.957B of value.
That'd mean Symantec is taking 2/3rds (~1b hit) - that feels like a pretty solid deterrent?
1. Armchair economist 2. https://en.wikipedia.org/wiki/Certificate_authority 3. https://www.google.com/finance?q=NYSE%3AGDDY&ei=qU-CWciuPMqg... (8/2/2017 EOD MarketCap) 4. This could be wildly high.. 5. Normally a combined entity would have duplicative operations and arguably be worth more than their whole, but since these are kind of iffy assets, they probably would be worth less.