I don't recall the exact details of their poor historical practices, but I think they at least had audited issuance, and reasonable control of their roots, although their intermediates issued questionable certificates?
If so, the new owner can relatively easily shut down issuance under the current pipelines of questionable quality; issue new intermediates from the root, to be used in the new owner's pipelines and to make it possible to revoke/detrust the old intermediates if more serious trust issues are uncovered in the previous practices. Then the new owner gets to enjoy the benefits of the previous customer base, and installed base of the roots and pins.
In short, as long as they do a good job of making a clean separation of issuing practices, it's not a toxic asset.
> Many large organizations have complex, and potentially undocumented and little-known dependencies on their certificate infrastructure. Examples of complex dependencies on Symantec public roots that our customers have shared or we have identified include:
> Embedded devices that are pinned to certificates issued by a Symantec public root to communicate to resources over the Internet or Intranet. Replacing these certificates would result in immediate failures and the need to recode and reimage the firmware for these devices.
> Mobile applications that have pinned certificates. Replacing server certificates would require these applications to be recoded, recompiled and redistributed.
> Critical infrastructure organizations that use certificates issued off of Symantec roots to validate internal and external resources. In many cases, the applications being used are pinned to Symantec certificates.
> Some large organizations use certificates chained to Symantec public roots for nearly all internal applications and communications. Many of these organizations are under regulatory requirements to encrypt even internal communications.
You have lots of customers that have made the stupid decision to hard-code the Symantec public key as indefinitely trustworthy. (Some of them may well have got Symantec to do the consulting for their internal infrastructure.) No matter how stupid the decision is, it's been made, and those customers will pay good money for a cert that's either issued directly from or chains to the Symantec root.
Even if the only thing that DigiCert does with the Symantec private key is to sign their own CA and then destroy it, and they kill the Symantec brand and every piece of Symantec infrastructure, that still brings them tons of customers who literally cannot move to a competitor not in possession of the Symantec private key. I'm not surprised that's worth $1B.
Well this business unit might be a toxic asset now.
But I'm sure it'll go right back to printing money once it's no longer directly associated with a vendor of TLS interception middle boxes popular among despots. And the browser relations fiasco will blow over eventually.
Might cost them a bunch of rebates and refunds to keep clients, but I see why this could be a viable customer acquisition move for DigiCert.