Presumably the idea here is that DigiCert is buying Symantec's customer database, and instead of Symantec painstakingly transferring its users to a new, trustworthy certificate issuance system, everyone will just use DigiCert's.
Which, if that's the case, will mean Google and Mozilla more or less killed the web's largest CA.
> Which, if that's the case, will mean Google and Mozilla more or less killed the web's largest CA.
No, no it did not. Symantec deserves zero benefit for any "customer base" transfer and digicert should be ashamed for rewarding Symantec's behaviour.
What Symantec did should result in punishment so severe no CA would dare do the same ever again. Their business should be null and void and considered to be worth absolutely nothing.
They should have been utterly destroyed; not parted out to the highest bidder. I want every Symantec shareholder to feel the pain of a zero share price for what they enabled.
Using the rankings of CAs largest to smallest [2], the first public CA is GoDaddy (W3Techs 2016 Survey), which has a range of services. They show GoDaddy to be 11.8% of the market, with Symantec at 26%. So Symantec is 220% larger. I'm too lazy to estimate GoDaddy's CA business from their financials; I didn't see anything obvious in them to make it easier.
GoDaddy's public valuation at this time is 7.27B [3], and if we scale up GoDaddy's market cap to Symantec's size, and only account 20% [4] to the CA business: 7.27B * (26/11.8) * .2 = ~3.2B (Symantec CA Business)
If we use DigiCert, and try to scale GoDaddy's market cap down to DigiCert's market share (3.0%) [2], then you end up with 7.27B * (3.0/11.8) * .2 = ~370M (DigiCert Current Valuation)
However, DigiCert becomes the number two CA provider overnight, at 29%, which rockets their value up (maybe?). By our same math, they are now 245% the size of GoDaddy from a cert perspective: 7.27B * ((26 + 3)/11.8) * .2 = ~3.57B (DigiCert + Symantec Business) [5].
So Symantec ends up with 950m cash and 1.07B DigiCert holdings (3.57B * .3 = 1.07B), or ~1.957B of value.
That'd mean Symantec is taking 2/3rds (~1b hit) - that feels like a pretty solid deterrent?
What exactly does Google accomplish by somehow trying to prevent Symantec from having a beneficial interest in its customer base? The alternative to this deal is that Symantec continues limping forward with a broken CA customer base that browsers have to accommodate for years to come. The economics of this deal are what enabled it to happen at all.
I'm a reseller for Digicert - they just sent an announcement email about this, here's the most interesting bit:
"Earlier this year, the browsers proposed a plan to limit trust in Symantec certificates after discovering issues with how they were validating and issuing digital certificates. Importantly, we feel confident that this agreement will satisfy the needs of the browser community.
DigiCert is communicating this deal and its intentions to the browser community and will continue to work closely with them during the period leading up to our closing the transaction. DigiCert appreciates and shares the browsers' commitment to engendering trust in digital certificates and protecting all users."
You may want to come up with an escape plan then. If digicert can buy Symantec so that Symantec can escape censure, what message does that send? At this point Symantec should be considered so radioactive that nobody would go near it for fear of contamination. Symantec betrayed all of us, and digicert, in buying it and rewarding the behaviour, is doing the same.
When Symantec bought Verisign it was making over $400 million in net profits off of over $1.1 billion in revenue.
Symantec basically killed their golden goose and are now selling it off to another company at a huge discount. If they didn't do this there's a good chance their whole business would fall apart.
I'd consider losing potentially billions of dollars over the next few years to be a pretty solid message.
I think your outrage is properly directed, and I agree with you that this is way too nice an ending for Symantec.
However, I don't think that anyone is actually going to make Symantec as contaminated as you or I want. If the people at DigiCert who were competent yesterday are operating Symantec's infrastructure today, that infrastructure is now trustworthy. And in buying and salvaging it, DigiCert did the community a service: instead of leaving us in this ambiguous position where a too-big-to-fail CA was calling up Google executives to potentially overrule engineering decisions, that CA is now no longer a threat.
The message is that Symantec doesn't get to run a CA business anymore. Presumably the fact that a sale was somewhat necessary was priced into the purchase price.
I think this deal should put digicert on a "one strike and you're out" zone as well.
I don't understand what's going on. Digicert will give Symantec 800M+ cash and a 30% equity?
And Symantec will generously allow the current digicert CEO to continue as the CEO of digicert? Doesn't look like Symantec is selling anything. Looks like Symantec is buying digicert from the owners of digicert.
It would be a "classic reverse buyout" if DigiCert was going to continue to operate the Symantec CA infrastructure. If it is not, then Google and Mozilla will have accomplished their most important objective, which is the elimination of insecure certificate issuers in current operation.
You clearly have other objectives you would like Google and Mozilla to accomplish for you, and I probably agree with many of them, but let's try to stay focused here.
The point is the purchase price should have been zero. I want every Symantec shareholder to feel the pain and never invest in any company that is that shit again.
Also, some of you may be wondering about any implications our announced acquisition will have on the ongoing debate between Symantec and the browser community about trust in their certificates.
Earlier this year, the browsers proposed a plan to limit trust in Symantec certificates after discovering issues with how they were validating and issuing digital certificates. Importantly, we feel confident that this agreement will satisfy the needs of the browser community.
DigiCert is communicating this deal and its intentions to the browser community and will continue to work closely with them during the period leading up to our closing the transaction. DigiCert appreciates and shares the browsers’ commitment to engendering trust in digital certificates and protecting all users.
I don't recall the exact details of their poor historical practices, but I think they at least had audited issuance, and reasonable control of their roots, although their intermediates issued questionable certificates?
If so, the new owner can relatively easily shut down issuance under the current pipelines of questionable quality; issue new intermediates from the root, to be used in the new owner's pipelines and to make it possible to revoke/detrust the old intermediates if more serious trust issues are uncovered in the previous practices. Then the new owner gets to enjoy the benefits of the previous customer base, and installed base of the roots and pins.
In short, as long as they do a good job of making a clean separation of issuing practices, it's not a toxic asset.
> Many large organizations have complex, and potentially undocumented and little-known dependencies on their certificate infrastructure. Examples of complex dependencies on Symantec public roots that our customers have shared or we have identified include:
> Embedded devices that are pinned to certificates issued by a Symantec public root to communicate to resources over the Internet or Intranet. Replacing these certificates would result in immediate failures and the need to recode and reimage the firmware for these devices.
> Mobile applications that have pinned certificates. Replacing server certificates would require these applications to be recoded, recompiled and redistributed.
> Critical infrastructure organizations that use certificates issued off of Symantec roots to validate internal and external resources. In many cases, the applications being used are pinned to Symantec certificates.
> Some large organizations use certificates chained to Symantec public roots for nearly all internal applications and communications. Many of these organizations are under regulatory requirements to encrypt even internal communications.
You have lots of customers that have made the stupid decision to hard-code the Symantec public key as indefinitely trustworthy. (Some of them may well have got Symantec to do the consulting for their internal infrastructure.) No matter how stupid the decision is, it's been made, and those customers will pay good money for a cert that's either issued directly from or chains to the Symantec root.
Even if the only thing that DigiCert does with the Symantec private key is to sign their own CA and then destroy it, and they kill the Symantec brand and every piece of Symantec infrastructure, that still brings them tons of customers who literally cannot move to a competitor not in possession of the Symantec private key. I'm not surprised that's worth $1B.
Well this business unit might be a toxic asset now.
But I'm sure it'll go right back to printing money once it's no longer directly associated with a vendor of TLS interception middle boxes popular among despots. And the browser relations fiasco will blow over eventually.
Might cost them a bunch of rebates and refunds to keep clients, but I see why this could be a viable customer acquisition move for DigiCert.
"Under the terms of the agreement, Symantec will receive approximately $950 million in upfront cash proceeds and approximately a 30 percent stake in the common stock equity of the DigiCert business at the closing of the transaction."
It's Symantec's past operation of the CA that's untrusted by Google, and in fact one of the proposals was that Symantec make a new CA and cross-sign it with their old one, which would maintain compatibility for previous customers that pinned the Symantec root as well as customers using up-to-date browsers. So if the setup here is that DigiCert signs their own CA with Symantec's, then everyone's happy: DigiCert gets the customers, the community believes DigiCert is competent, and old Symantec customers get business continuity. It possibly makes more business sense for Symantec to sell their root to a trusted CA than to continue to operate it.
And I think it makes sense for DigiCert to buy it: Symantec's customers are people who are clearly willing to pay too much for even a low-quality certificate because they let Symantec consultants set up their trust infrastructure years ago and have no idea how to modernize their infrastructure. If you want a target market of people who will pay lots of money for CA services despite the presence of free services like Let's Encrypt, Symantec's existing customer base is a perfect fit.
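The two mechanics described in this thread, a new owner issuing fresh intermediates from the inherited root while detrusting the old ones, and a new CA being cross-signed by the inherited root so that clients pinned to that root keep working, are both exercises in X.509 path building. The following is an added illustration, not code from any poster, DigiCert or Symantec: a toy path builder with no real signatures, where certificates carry only the identifiers that drive chain construction (subject, issuer, SubjectKeyIdentifier, AuthorityKeyIdentifier). All names, key ids and trust policies are constructed for the example. It shows that a leaf under the cross-signed intermediate validates for a device pinned only to the legacy root, validates for a browser that has removed that root entirely, and that distrusting the old intermediate's key cuts off the legacy pipeline without touching the new one.

```python
"""Toy X.509 path building with a cross-signed intermediate (added example).

No cryptography is performed: a link is accepted when the candidate issuer
certifies the key that signed the child, which is the structural check real
path builders do before verifying the signature itself.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str     # key certified by this cert (SubjectKeyIdentifier)
    signed_by: str  # key that produced the signature (AuthorityKeyIdentifier)

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.signed_by


def build_paths(leaf: Cert, pool: Sequence[Cert], trusted_roots: FrozenSet[str],
                distrusted_keys: FrozenSet[str] = frozenset()) -> List[List[str]]:
    """Return every chain from leaf to a trusted self-signed root, as subject
    lists. Chains containing a certificate whose key is distrusted are dropped,
    which is how 'detrust the old intermediates' is modelled here."""
    results: List[List[str]] = []

    def walk(cert: Cert, chain: List[Cert]) -> None:
        if cert.key_id in distrusted_keys:
            return
        chain = chain + [cert]
        if cert.is_self_signed:
            if cert.key_id in trusted_roots:
                results.append([c.subject for c in chain])
            return
        for cand in pool:
            # Candidate issuer must carry the name and key the child points at.
            if (cand.subject == cert.issuer and cand.key_id == cert.signed_by
                    and cand not in chain):
                walk(cand, chain)

    walk(leaf, [])
    return results


# Constructed hierarchy: the legacy root and its old intermediate, the new
# owner's own root, and the new intermediate issued twice for the same key,
# once by the new root and once (cross-signed) by the legacy root.
SYM_ROOT = Cert("Legacy Root", "Legacy Root", "legacy-root-key", "legacy-root-key")
SYM_INT = Cert("Legacy Intermediate", "Legacy Root", "legacy-int-key", "legacy-root-key")
LEGACY_LEAF = Cert("legacy.example", "Legacy Intermediate", "legacy-leaf-key", "legacy-int-key")
DC_ROOT = Cert("New Root", "New Root", "new-root-key", "new-root-key")
DC_INT = Cert("New Intermediate", "New Root", "new-int-key", "new-root-key")
DC_INT_CROSS = Cert("New Intermediate", "Legacy Root", "new-int-key", "legacy-root-key")
NEW_LEAF = Cert("www.example", "New Intermediate", "new-leaf-key", "new-int-key")
POOL = [SYM_ROOT, SYM_INT, DC_ROOT, DC_INT, DC_INT_CROSS]

# Constructed trust policies.
PINNED_DEVICE = dict(trusted_roots=frozenset({"legacy-root-key"}))
BROWSER_DISTRUST_OLD = dict(trusted_roots=frozenset({"legacy-root-key", "new-root-key"}),
                            distrusted_keys=frozenset({"legacy-int-key"}))
BROWSER_NO_LEGACY = dict(trusted_roots=frozenset({"new-root-key"}))


if __name__ == "__main__":
    for name, policy in [("pinned device", PINNED_DEVICE),
                         ("browser, old intermediate distrusted", BROWSER_DISTRUST_OLD),
                         ("browser, legacy root removed", BROWSER_NO_LEGACY)]:
        for leaf in (LEGACY_LEAF, NEW_LEAF):
            paths = build_paths(leaf, POOL, **policy)
            print(f"{name:38} {leaf.subject:16} {paths or 'NO VALID PATH'}")
```

The cross-signed certificate is what keeps `www.example` reachable from the pinned device: the builder finds two issuer candidates for `New Intermediate` because both certificates certify `new-int-key`, and only the cross-signed one leads to the root the device trusts. Distrusting `legacy-int-key` removes every path through the old pipeline while the new pipeline is unaffected, which is the separation of issuing practices the thread describes.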
I work in the financial infrastructure space, and while I'm no fan of Symantec, using Let's Encrypt would get me laughed out of the room by compliance and our auditors.
Some checkboxes are ceremony, some have real purpose. One size does not fit all.
I suspect your auditors have no real reason to object to Let's Encrypt (do they understand that Let's Encrypt is equally capable of issuing a false certificate under your name? does your security rely on the browser PKI? how did every single company in the browser PKI get okayed by your auditors?).
You have a perfectly valid reason, which is that your auditors want you to buy an expensive certificate to make them happy, but you're still paying more than market ($0ish) for SSL, which means you're a good customer for DigiCert to have acquired.
BTW, if you want to save some money, try sending your auditors the WebTrust audits that Let's Encrypt has passed just as well as Symantec (if not better, see mozilla.dev.security.policy): https://letsencrypt.org/repository/
Happy to do this over beer, but I'm not sure I understand which of the SCI rules would determine which CA you use.
I'm a little amused (not at you, but at the absurdity of the whole process) that we're talking about CA selection for products that almost definitely can't even properly quote and unquote a FIX field separator from user input.
As I mentioned above, when Symantec bought Verisign it was making over $440 million a year in profit (not revenue, profit).
Buying up their customers like this is huge for Digicert. They're getting a huge influx of paying customers at a steep discount. I'd expect Digicert to make billions off of this deal over the next decade.