by geofft 3247 days ago
Oh, it's almost certainly a toxic asset.

But have you seen the blog post where Symantec was like "We talked to our customers and they said that Google's being mean"? https://www.symantec.com/connect/blogs/symantec-ca-proposal

> Many large organizations have complex, and potentially undocumented and little-known dependencies on their certificate infrastructure. Examples of complex dependencies on Symantec public roots that our customers have shared or we have identified include:

> Embedded devices that are pinned to certificates issued by a Symantec public root to communicate to resources over the Internet or Intranet. Replacing these certificates would result in immediate failures and the need to recode and reimage the firmware for these devices.

> Mobile applications that have pinned certificates. Replacing server certificates would require these applications to be recoded, recompiled and redistributed.

> Critical infrastructure organizations that use certificates issued off of Symantec roots to validate internal and external resources. In many cases, the applications being used are pinned to Symantec certificates.

> Some large organizations use certificates chained to Symantec public roots for nearly all internal applications and communications. Many of these organizations are under regulatory requirements to encrypt even internal communications.

You have lots of customers that have made the stupid decision to hard-code the Symantec public key as indefinitely trustworthy. (Some of them may well have got Symantec to do the consulting for their internal infrastructure.) No matter how stupid the decision is, it's been made, and those customers will pay good money for a cert that's either issued directly from or chains to the Symantec root.

Even if the only thing that DigiCert does with the Symantec private key is to sign their own CA and then destroy it, and they kill the Symantec brand and every piece of Symantec infrastructure, that still brings them tons of customers who literally cannot move to a competitor not in possession of the Symantec private key. I'm not surprised that's worth $1B.
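The lock-in described in this comment comes from pinning a CA's SubjectPublicKeyInfo rather than a key you control. The following is an added illustration, not part of geofft's comment or Symantec's post: it computes HPKP-style SPKI pins over constructed placeholder SPKI bytes (not real keys or real Symantec/DigiCert certificates) and shows why a root-only pin set cannot survive a CA migration while a leaf pin or a backup pin can.

```python
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate. SPKI pinning (HPKP,
    TrustKit, Android network-security-config) hashes only the DER
    SubjectPublicKeyInfo, so that is all this model carries."""
    subject: str
    spki_der: bytes


def spki_pin(cert: Cert) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki_der).digest()).decode()


def chain_matches_pins(chain: Iterable[Cert], pins: Set[str]) -> bool:
    """A pin set is satisfied when ANY certificate in the already-validated
    chain (leaf, intermediate or root) has an SPKI hash in the set."""
    return any(spki_pin(c) in pins for c in chain)


def migration_safe(pins: Set[str], current: list, future: list) -> bool:
    """Before switching CAs, the deployed pin set must accept both the chain
    clients see today and the chain they will see after the switch."""
    return chain_matches_pins(current, pins) and chain_matches_pins(future, pins)


# Constructed sample material: placeholder SPKI bytes, not real keys.
OLD_ROOT = Cert("Old Public Root CA", b"spki:old-root")
OLD_INT = Cert("Old Intermediate CA", b"spki:old-int")
NEW_ROOT = Cert("New Public Root CA", b"spki:new-root")
NEW_INT = Cert("New Intermediate CA", b"spki:new-int")
# Same server key re-issued under the new CA: the operator controls this key.
LEAF_OLD = Cert("api.example.com", b"spki:leaf-key-v1")
LEAF_NEW = Cert("api.example.com", b"spki:leaf-key-v1")

CHAIN_OLD = [LEAF_OLD, OLD_INT, OLD_ROOT]
CHAIN_NEW = [LEAF_NEW, NEW_INT, NEW_ROOT]

ROOT_ONLY_PINS = {spki_pin(OLD_ROOT)}                      # the lock-in pattern
PINS_WITH_BACKUP = {spki_pin(OLD_ROOT), spki_pin(NEW_ROOT)}  # backup pin shipped first
LEAF_PINS = {spki_pin(LEAF_OLD)}                           # pin the key you own
```

Run `migration_safe(ROOT_ONLY_PINS, CHAIN_OLD, CHAIN_NEW)` to see the root-only pin set reject the new chain; the backup-pin and leaf-pin sets accept both chains.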