SecurityWeek

DigiCert Addresses Mozilla’s Concerns on Symantec CA Acquisition

DigiCert has addressed the concerns raised by Mozilla and others regarding the company’s acquisition of Symantec’s certificate business after some web browser vendors announced that certificates issued by the security firm would no longer be trusted.

DigiCert has acquired Symantec’s website security and related public key infrastructure (PKI) solutions for $950 million in cash and a stake of roughly 30 percent in common stock equity. The acquisition was completed this week.

Mozilla and Google have decided to take action against Symantec after the company and its partners were involved in several incidents involving misissued TLS certificates. The web browser vendors want all existing certificates to be replaced within a year using a third party’s infrastructure.

Symantec’s decision to sell its certificate business has left many wondering if this is part of a strategy to mitigate the penalties imposed by Google and Mozilla. Mozilla is concerned that despite the new certificates being issued under DigiCert’s name, Symantec management, personnel and infrastructure may still be involved to a great extent in the process of issuing certificates.

Jeremy Rowley, Executive VP of Product at DigiCert, on Tuesday responded to each of Mozilla’s concerns and provided some details about the company’s plans going forward.

Rowley said DigiCert will start validating and issuing all certificates requested through Symantec on December 1. While the company will still use Symantec’s front-end systems and hardware, TLS certificate validation and issuing will not be done through the old infrastructure.

DigiCert also plans on training Symantec validation and operation personnel, and while some managers from the security firm will remain on board, Rowley said DigiCert’s existing management team will oversee the transition.

Mozilla says it’s also concerned that Symantec’s processes might displace DigiCert’s processes.

“What we really hope to do is learn from both DigiCert’s and Symantec’s process to create something new during the transition that is better than either one alone. The integration between the two companies is a perfect time to look at how both companies can improve and implement something more secure and customer friendly,” Rowley said. “We have some good ideas on what to do, and I can’t wait to see them implemented in practice. From workflows to tools, I think the combination of DigiCert’s culture and Symantec’s manpower will let us move into some interesting and exciting areas.”

DigiCert competitor Comodo, whose CA business has been sold to private equity firm Francisco Partners, warned Symantec customers that DigiCert’s smaller infrastructure would not stand up to the task. However, Rowley pointed out that DigiCert has been working on scaling its infrastructure for the past two years – long before it decided to acquire Symantec’s CA – as it had been preparing for the increasing demand for certificates introduced by the Internet of Things (IoT).

On the other hand, some have raised concerns over Comodo CA’s acquisition by Francisco Partners, a company whose portfolio includes several surveillance-focused firms, considering that digital certificates are highly valuable assets for online surveillance purposes.

Related: Google to Completely Ban WoSign, StartCom Certificates in Chrome 61

Related: Google Launches Its Own Root Certificate Authority

Related: Mandatory Certificate Authority Authorization Checks Will Boost Domain Security

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
