
DigiCert to Acquire Symantec’s Website Security and Related PKI Solutions - andygambles
http://investor.symantec.com/About/Investors/press-releases/press-release-details/2017/DigiCert-to-Acquire-Symantecs-Website-Security-and-Related-PKI-Solutions/default.aspx
======
tptacek
Presumably the idea here is that DigiCert is buying Symantec's customer
database, and instead of Symantec painstakingly transferring its users to a
new, trustworthy certificate issuance system, everyone will just use
DigiCert's.

Which, if that's the case, will mean Google and Mozilla more or less killed
the web's largest CA.

~~~
justinjlynn
> Which, if that's the case, will mean Google and Mozilla more or less killed
> the web's largest CA.

No, no it did not. Symantec deserve zero benefit for any "customer base"
transfer and digicert should be ashamed for rewarding Symantec's behaviour.

What Symantec did should result in punishment so severe no CA would dare do
the same ever again. Their business should be null and void and considered to
be worth absolutely nothing.

~~~
CaveTech
You seem to be conflating expectations and reality.

They did kill the business, but Symantec was able to salvage part of it.

~~~
justinjlynn
They should have been utterly destroyed; not parted out to the highest bidder.
I want every Symantec shareholder to feel the pain of a zero share price for
what they enabled.

~~~
justinjlynn
The point I'm trying to make is that they're not dead if they own 30% of
digicert as a result of this instead of being left with nothing.

~~~
tptacek
What exactly does Google accomplish by somehow trying to prevent Symantec from
having a beneficial interest in its customer base? The alternative to this
deal is that Symantec continues limping forward with a broken CA customer base
that browsers have to accommodate for years to come. The economics of this
deal are what enabled it to happen at all.

~~~
justinjlynn
> What exactly does Google accomplish by somehow trying to prevent Symantec
> from having a beneficial interest in its customer base?

What digicert is doing, in allowing Symantec to continue operating in their
name, is wrong and really lessens what it means to completely fuck up the core
mission of what a CA does and it makes a mockery of any sort of censure any
browser/TLS developer/user could do. They should have to limp along while
browsers distrust their certs and their customers leave to other providers
competing on an open market. Then once they've been bled dry they should die
alone. I _want_ this to be difficult for their customers. Part of choosing a
CA is doing due diligence and you can bet that once people have been burnt
they'll be a lot more cautious about their next choice. This makes the CA/PKI
system stronger as result -- a bit of pain now is a good thing.

This is the interest Google should have in ensuring that the rats go down with
the sinking ship.

~~~
tptacek
I'm really having trouble following you. You keep writing as if the
alternative to Digicert's fire-sale acquisition was that Symantec's CA would
simply vanish off the face of the Earth. No. False premise.

~~~
justinjlynn
Please explain. If their certs become useless and no-one will touch them
because, in turn, their certs will be useless... then how _wouldn't_
Symantec's CA vanish off the face of the earth? Their customers can't exactly
live without the PKI -- they would just have to go to another vendor, as they
should in any case. If those customers have made poor engineering decisions in
their own products, well, that's their problem isn't it?

~~~
tptacek
I think you've oversimplified the pre-existing Google/Mozilla distrust plan,
and your misapprehension about what was happening has harmed your
understanding of the economics of this acquisition.

~~~
justinjlynn
You're right. I probably do need to go back and re-examine the details.
Generally when disagreements happen, one or both parties is missing something.
At the same time, I still feel this is far too nice an ending for Symantec
given the shit they pulled.

------
michaelbuckbee
I'm a reseller for Digicert - they just sent an announcement email about this,
here's the most interesting bit:

"Earlier this year, the browsers proposed a plan to limit trust in Symantec
certificates after discovering issues with how they were validating and
issuing digital certificates. Importantly, we feel confident that this
agreement will satisfy the needs of the browser community.

DigiCert is communicating this deal and its intentions to the browser
community and will continue to work closely with them during the period
leading up to our closing the transaction. DigiCert appreciates and shares the
browsers’ commitment to engendering trust in digital certificates and
protecting all users. "

~~~
justinjlynn
You may want to come up with an escape plan then. If digicert can buy Symantec
so that Symantec can escape censure what message does that send? At this point
Symantec should be considered so radioactive that nobody would go near it for
fear of contamination. Symantec betrayed all of us and digicert, in buying it
and rewarding the behaviour is doing the same.

~~~
cjbprime
The message is that Symantec doesn't get to run a CA business anymore.
Presumably the fact that a sale was somewhat necessary was priced into the
purchase price.

~~~
thanksgiving
They will own 30% of digicert.

I think this deal should put digicert on a "one strike and you're out" zone as
well.

I don't understand what's going on. Digicert will give Symantec 800M+ cash and
a 30% equity?

And Symantec will generously allow the current digicert CEO to continue as the
CEO of digicert? Doesn't look like Symantec is selling anything. Looks like
Symantec is buying digicert from the owners of digicert.

~~~
justinjlynn
Indeed. Classic reverse buyout to escape a bad name. It's complete bullshit
and the browser vendors should see right through it.

~~~
tptacek
It would be a "classic reverse buyout" if DigiCert was going to continue to
operate the Symantec CA infrastructure. If it is not, then Google and Mozilla
will have accomplished their most important objective, which is the
elimination of insecure certificate issuers in current operation.

You clearly have other objectives you would like Google and Mozilla to
accomplish for you, and I probably agree with many of them, but let's try to
stay focused here.

~~~
justinjlynn
And now the same people who made that shitty infrastructure will control a
large chunk of the business that created what was once (probably) a perfectly
good one -- and likely make the same shit decisions that made their old one
shit as well making digicert's infrastructure worse, and eventually probably
shit as well.

~~~
tptacek
I'm pretty sure the Symantec CA people aren't coming along or taking over
Digicert.

~~~
justinjlynn
With 30% control, you can _bet_ there are Symantec CA business people coming
into Digicert.

~~~
tptacek
Would you like to make that bet more explicit? I would be game.

~~~
justinjlynn
Sure. How would we judge it though?

~~~
tptacek
Lay out the scenario, in as much detail as you can, where employees of
Symantec brought over to DigiCert somehow corrupt the certificate issuance
process. If it's specific enough, I'll take your money over it (I assume
proceeds to charity; mine's Partners In Health).

------
huhtenberg
_From the email announcement:_

    ... snip ...

Also, some of you may be wondering about any implications our announced
acquisition will have on the ongoing debate between Symantec and the browser
community about trust in their certificates.

Earlier this year, the browsers proposed a plan to limit trust in Symantec
certificates after discovering issues with how they were validating and
issuing digital certificates. Importantly, we feel confident that this
agreement will satisfy the needs of the browser community. DigiCert is
communicating this deal and its intentions to the browser community and will
continue to work closely with them during the period leading up to our closing
the transaction. DigiCert appreciates and shares the browsers’ commitment to
engendering trust in digital certificates and protecting all users.

    ... snip ...

------
rietta
How is Symantec's cert business not a toxic asset given their historical
practices?

~~~
toast0
I don't recall the exact details of their poor historical practices, but I
think they at least had audited issuance, and reasonable control of their
roots, although their intermediates issued questionable certificates?

If so, the new owner can relatively easily shut down issuance under the
current pipelines of questionable quality; issue new intermediates from the
root, to be used in the new owner's pipelines and to make it possible to
revoke/detrust the old intermediates if more serious trust issues are
uncovered in the previous practices. Then the new owner gets to enjoy the
benefits of the previous customer base, and installed base of the roots and
pins.

In short, as long as they do a good job of making a clean separation of
issuing practices, it's not a toxic asset.

------
mw6621
"Under the terms of the agreement, Symantec will receive approximately $950
million in upfront cash proceeds and approximately a 30 percent stake in the
common stock equity of the DigiCert business at the closing of the
transaction."

------
yuhong
In any case, I wonder if Google "senior executives" are really involved.

------
packetized
Make no mistake, this is going to be an even greater period of uncertainty for
current SYMC CA customers over the next six to twelve months.

------
pastyboy
Eh? About to be untrusted by google... interesting time to sell it.

~~~
geofft
It's Symantec's past operation of the CA that's untrusted by Google, and in
fact one of the proposals was that Symantec make a new CA and cross-sign it
with their old one, which would maintain compatibility for previous customers
that pinned the Symantec root as well as customers using up-to-date browsers.
So if the setup here is that DigiCert signs their own CA with Symantec's, then
everyone's happy: DigiCert gets the customers, the community believes DigiCert
is competent, and old Symantec customers get business continuity. It possibly
makes _more_ business sense for Symantec to sell their root to a trusted CA
than to continue to operate it.

And I think it makes sense for DigiCert to buy it: Symantec's customers are
people who are clearly willing to pay too much for even a low-quality
certificate because they let Symantec consultants set up their trust
infrastructure years ago and have no idea how to modernize their
infrastructure. If you want a target market of people who will pay lots of
money for CA services despite the presence of free services like Let's
Encrypt, Symantec's existing customer base is a perfect fit.

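The two mechanisms described in the comments above (toast0's "issue new intermediates from the root you already control", and geofft's "make a new CA and cross-sign it with the old one so previous customers keep working") can be tried end to end with nothing but openssl. The script below is an added example written for this page, not code from any commenter, DigiCert or Symantec. Every name in it is constructed: "Demo Old Root" stands in for a legacy, widely pinned root, "Demo New Root" for the replacement CA run with fresh keys, and `example.test` for a customer's server. It assumes `openssl` 1.1.1 or newer is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a toy cross-signing setup with openssl.
# Names (Demo Old Root, Demo New Root, example.test) are constructed for this demo.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Extension profiles for a CA certificate and for an end-entity (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca_ext.cnf
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:example.test\n' > leaf_ext.cnf

# Helper: self-signed CA from a fresh key. $1 = file prefix, $2 = subject CN.
make_self_signed_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -sha256 \
    -extfile ca_ext.cnf -out "$1.pem" >/dev/null 2>&1
}

# 1. The legacy root that existing clients trust or have pinned.
make_self_signed_ca old_root "Demo Old Root"
# 2. The replacement CA, run by the new operator with its own key and pipelines.
make_self_signed_ca new_root "Demo New Root"

# 3. Cross-certificate: the old root signs the NEW root's key and subject.
#    Same key and same subject as new_root.pem, but issued by the old root.
openssl req -new -key new_root.key -subj "/CN=Demo New Root" -out cross.csr >/dev/null 2>&1
openssl x509 -req -in cross.csr -CA old_root.pem -CAkey old_root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca_ext.cnf -out new_root_cross.pem >/dev/null 2>&1

# 4. A server certificate issued only by the new CA; the old pipeline is never used.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA new_root.pem -CAkey new_root.key -CAcreateserial \
  -days 365 -sha256 -extfile leaf_ext.cnf -out leaf.pem >/dev/null 2>&1

# Each function models one client population and prints ok or fail.
# Legacy client: trusts only the old root; the server sends the cross cert in its chain.
verify_legacy_client() {
  openssl verify -CAfile old_root.pem -untrusted new_root_cross.pem leaf.pem \
    >/dev/null 2>&1 && echo ok || echo fail
}
# Updated client: trusts the new root directly; the cross cert is not needed.
verify_updated_client() {
  openssl verify -CAfile new_root.pem leaf.pem >/dev/null 2>&1 && echo ok || echo fail
}
# Legacy client whose server did not send the cross cert: no chain can be built.
verify_legacy_client_without_cross() {
  openssl verify -CAfile old_root.pem leaf.pem >/dev/null 2>&1 && echo ok || echo fail
}

echo "legacy client, cross cert sent:    $(verify_legacy_client)"
echo "updated client:                    $(verify_updated_client)"
echo "legacy client, cross cert missing: $(verify_legacy_client_without_cross)"
```

The third case is the operational caveat: the cross-certificate only helps if servers actually include it in the chain they send, since a client that trusts only the old root has no other way to reach "Demo New Root". The same structure is what lets a browser later distrust the old root outright: once clients carry the new root, the cross-certificate becomes dead weight and can be dropped, and any intermediates the old operator issued under the old root can be revoked or distrusted without touching certificates issued by the new pipeline.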
~~~
toomuchtodo
I work in the financial infrastructure space, and while I'm no fan of
Symantec, using Let's Encrypt would get me laughed out of the room by
compliance and our auditors.

Some checkboxes are ceremony, some have real purpose. One size does not fit
all.

~~~
colinbartlett
What about Let's Encrypt certificates makes them non-compliant to your
auditors?

~~~
blibble
they didn't pay several million dollars to get added to the checklist

