[geofft]

It's Symantec's past operation of the CA that's untrusted by Google, and in fact one of the proposals was that Symantec make a new CA and cross-sign it with their old one, which would maintain compatibility for previous customers that pinned the Symantec root as well as customers using up-to-date browsers. So if the setup here is that DigiCert signs their own CA with Symantec's, then everyone's happy: DigiCert gets the customers, the community believes DigiCert is competent, and old Symantec customers get business continuity. It possibly makes more business sense for Symantec to sell their root to a trusted CA than to continue to operate it.

And I think it makes sense for DigiCert to buy it: Symantec's customers are people who are clearly willing to pay too much for even a low-quality certificate because they let Symantec consultants set up their trust infrastructure years ago and have no idea how to modernize their infrastructure. If you want a target market of people who will pay lots of money for CA services despite the presence of free services like Let's Encrypt, Symantec's existing customer base is a perfect fit.

[toomuchtodo]

I work in the financial infrastructure space, and while I'm no fan of Symantec, using Let's Encrypt would get me laughed out of the room by compliance and our auditors.

Some checkboxes are ceremony, some have real purpose. One size does not fit all.

[geofft]

I suspect your auditors have no real reason to object to Let's Encrypt (do they understand that Let's Encrypt is equally capable of issuing a false certificate under your name? does your security rely on the browser PKI? how did every single company in the browser PKI get okayed by your auditors?).

You have a perfectly valid reason, which is that your auditors want you to buy an expensive certificate to make them happy, but you're still paying more than market ($0ish) for SSL, which means you're a good customer for DigiCert to have acquired.

BTW, if you want to save some money, try sending your auditors the WebTrust audits that Let's Encrypt has passed just as well as Symantec (if not more well, see mozilla.dev.security.policy): https://letsencrypt.org/repository/

[toomuchtodo]

As you can probably imagine, money isn't an issue. Our budget for our PKI team is larger than a small startup's entire annual payroll cost.

[tptacek]

The checkboxes you're implicating here are the ceremonial kind. (I do security in the financial infrastructure space, for whatever that's worth).

[toomuchtodo]

I suppose we'll agree to disagree (RegSCI in this case). Happy to grab a beer if you want to lecture me on how I'm wrong, I try to be open minded.

Whether it's ceremony or not, I have to check the box or face harsh regulatory penalties.

[tptacek]

Happy to do this over beer, but I'm not sure I understand which of the SCI rules would determine which CA you use.

I'm a little amused (not at you, but at the absurdity of the whole process) that we're talking about CA selection for products that almost definitely can't even properly quote and unquote a FIX field separator from user input.

[colinbartlett]

What about Let's Encrypt certificates make them non compliant to your auditors?

[blibble]

they didn't pay several million dollars to get added to the checklist

[rocqua]

Maybe they pin to the CA certificate? In that case, it matters how much you trust the specific CA.