by tptacek 3247 days ago
Presumably the idea here is that DigiCert is buying Symantec's customer database, and instead of Symantec painstakingly transferring its users to a new, trustworthy certificate issuance system, everyone will just use DigiCert's.

Which, if that's the case, will mean Google and Mozilla more or less killed the web's largest CA.


Symantec killed their own CA with their misdeeds. Google and Mozilla just carried the bullet a while.
> Which, if that's the case, will mean Google and Mozilla more or less killed the web's largest CA.

No, no it did not. Symantec deserve zero benefit for any "customer base" transfer, and DigiCert should be ashamed for rewarding Symantec's behaviour.

What Symantec did should result in punishment so severe no CA would dare do the same ever again. Their business should be null and void and considered to be worth absolutely nothing.

You seem to be conflating expectations and reality.

They did kill the business, but Symantec was able to salvage part of it.

They should have been utterly destroyed; not parted out to the highest bidder. I want every Symantec shareholder to feel the pain of a zero share price for what they enabled.
Where once there was a Symantec CA system, now there is none. It is dead. It wasn't dead before. The thing that made it be dead? Google.

I think you're mostly arguing with claims I didn't make.

The point I'm trying to make is that they're not dead if they own 30% of digicert as a result of this instead of being left with nothing.
It's hard to put a value on the deal [1]. But -

Using the rankings of CAs from largest to smallest [2], the first public CA is GoDaddy (W3Techs 2016 survey), which has a range of services. They show GoDaddy to be 11.8% of the market, with Symantec at 26%. So Symantec is 220% larger. I'm too lazy to estimate GoDaddy's CA business from their financials; I didn't see anything obvious in their financials to make it easier.

GoDaddy's public valuation at this time is 7.27B [3], and if we scale up GoDaddy's market cap to Symantec's size, and only account 20% [4] to the CA business: 7.27B * (26/11.8) * .2 = ~3.2B (Symantec CA business)

If we use DigiCert, and try to scale GoDaddy's market cap down to DigiCert's market share (3.0%) [2], then you end up with 7.27B * (3.0/11.8) * .2 = ~370M (DigiCert current valuation)

However, DigiCert becomes the number two CA provider overnight, at 29%, which rockets their value up (maybe?). By our same math, they are now 245% the size of GoDaddy from a cert perspective: 7.27B * ((26 + 3)/11.8) * .2 = ~3.57B (DigiCert + Symantec business) [5].

So Symantec ends up with 950M cash and 1.07B in DigiCert holdings (3.57B * .3 = 1.07B), or ~1.957B of value.

That'd mean Symantec is taking a 2/3rds (~1B) hit - that feels like a pretty solid deterrent?

1. Armchair economist
2. https://en.wikipedia.org/wiki/Certificate_authority
3. https://www.google.com/finance?q=NYSE%3AGDDY&ei=qU-CWciuPMqg... (8/2/2017 EOD market cap)
4. This could be wildly high.
5. Normally a combined entity would have duplicative operations and arguably be worth more than their whole, but since these are kind of iffy assets, they probably would be worth less.

What exactly does Google accomplish by somehow trying to prevent Symantec from having a beneficial interest in its customer base? The alternative to this deal is that Symantec continues limping forward with a broken CA customer base that browsers have to accommodate for years to come. The economics of this deal are what enabled it to happen at all.
> What exactly does Google accomplish by somehow trying to prevent Symantec from having a beneficial interest in its customer base?

What DigiCert is doing, in allowing Symantec to continue operating in their name, is wrong and really lessens what it means to completely fuck up the core mission of what a CA does, and it makes a mockery of any sort of censure any browser/TLS developer/user could do. They should have to limp along while browsers distrust their certs and their customers leave for other providers competing on an open market. Then once they've been bled dry they should die alone. I want this to be difficult for their customers. Part of choosing a CA is doing due diligence, and you can bet that once people have been burnt they'll be a lot more cautious about their next choice. This makes the CA/PKI system stronger as a result -- a bit of pain now is a good thing.

This is the interest Google should have in ensuring that the rats go down with the sinking ship.