
Francisco Partners Acquires Comodo's Certificate Authority Business - pfg
http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business
======
gluejar
Should we worry that a Deep-Packet-Inspection vendor has the same owner as an
SSL certificate vendor?

~~~
a012
I worry about it too. My company uses Fortinet with DPI enabled, which strips
the target server's SSL cert and replaces it with its own self-signed cert. So
maybe, with Comodo's CA, SonicWall DPI would be transparent to end users. Yes,
they assure us in the press release, but who knows.

~~~
pfg
This would be a violation of root policies and would certainly cause the CA to
be distrusted nowadays. It would also be detected with a high likelihood due
to HPKP (and CT in the future). The economics of buying a CA for this purpose
don't make sense.

~~~
user5994461
You might have missed yesterday's news from Chrome announcing that the HPKP
feature is being considered for removal.

~~~
pfg
The deprecation timeline is being synced with the rollout of CT and CT
enforcement headers (Expect-CT). This provides roughly the same detection (if
not prevention) capabilities.
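
The detection pfg describes, as an added example that is not from the thread: an HPKP-style pin check in the style of RFC 7469, where a chain substituted by a middlebox fails because none of its SPKI hashes matches a pinned value. The SPKI byte strings and the header are constructed placeholders, not real key material.

```python
"""HPKP-style pin check (RFC 7469 semantics). Added example, not from the thread.
SPKI values below are constructed placeholder bytes, not real DER key material."""
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pkp_header(header: str) -> dict:
    """Parse a Public-Key-Pins header into pins, max-age and includeSubDomains."""
    pins, max_age, include_sub = set(), None, False
    for directive in header.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', directive, re.I)
        if m:
            pins.add(m.group(1))
        elif directive.lower().startswith("max-age="):
            max_age = int(directive.split("=", 1)[1])
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}

def chain_matches_pins(chain_spkis: list, pins: set) -> bool:
    """RFC 7469: the chain passes if any SPKI in it hashes to a known pin."""
    return any(spki_pin(s) in pins for s in chain_spkis)

# Constructed stand-ins for the SPKI DER bytes of the site's genuine chain.
REAL_LEAF = b"constructed-spki:real-leaf-key"
REAL_INTERMEDIATE = b"constructed-spki:real-intermediate-key"
BACKUP_KEY = b"constructed-spki:offline-backup-key"
# Constructed stand-ins for a chain minted by a different CA, such as one a
# DPI appliance presents in place of the origin's certificate.
SUBSTITUTED_LEAF = b"constructed-spki:dpi-appliance-key"
SUBSTITUTED_CA = b"constructed-spki:other-ca-key"

PKP_HEADER = (
    f'pin-sha256="{spki_pin(REAL_INTERMEDIATE)}"; '
    f'pin-sha256="{spki_pin(BACKUP_KEY)}"; max-age=5184000; includeSubDomains'
)

def evaluate(header: str, chain_spkis: list) -> str:
    policy = parse_pkp_header(header)
    if len(policy["pins"]) < 2:
        return "invalid-policy"  # RFC 7469 requires at least one backup pin
    return "ok" if chain_matches_pins(chain_spkis, policy["pins"]) else "pin-failure"
```

A real client would extract each certificate's SubjectPublicKeyInfo from the DER it received; the rest of the logic is unchanged.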

------
joecool1029
Serious question: Was Francisco Partners unaware that the paid CA business
model is going down the crapper thanks to LetsEncrypt?

Props to Comodo though for having the foresight to exit while there was still
value.

~~~
g09980
Is it really [going down the drain] though? I'd imagine there will be infinite
ways to create costly enterprise-y offerings, be that via additional important-
looking seals, SLAs, EV, or something else. Otherwise Postgres+friends would've
destroyed Oracle ages ago.

~~~
gtsteve
Furthermore, I don't believe there is a LetsEncrypt equivalent for code
signing.

~~~
jacobush
Also harder to implement. With letsencrypt you prove you control the domain
and the DNS. How do you prove you control software?

~~~
nailer
It's the same process as EV: verify that the public key is controlled by a
real-world legal entity. The validation process depends on the entity type, but
it is usually a combination of government and private business registrars and
verification phone calls. Sometimes ID inspection for sole traders (since in
their case the legal entity is a person).

~~~
jacobush
Yes, but this does not lend itself to automation, and hence to being free as
letsencrypt is.

~~~
nailer
Not entirely, but reducing EV verification times is my job at
[https://certsimple.com](https://certsimple.com). There's a lot that can be
done, and most CAs' tech for handling the problem is at least a decade old.

Also: ACME for EV is coming.

~~~
jacobush
Cool. I’ll send you an email.

