DigiCert Addresses Mozilla's Concerns on Symantec CA Acquisition

DigiCert has addressed the concerns raised by Mozilla and others regarding the company’s acquisition of Symantec’s certificate business after some web browser vendors announced that certificates issued by the security firm would no longer be trusted.

DigiCert has acquired Symantec’s website security and related public key infrastructure (PKI) solutions for $950 million in cash and a stake of roughly 30 percent in common stock equity. The acquisition was completed this week.

Mozilla and Google have decided to take action against Symantec after the company and its partners were involved in several incidents involving misissued TLS certificates. The web browser vendors want all existing certificates to be replaced within a year using a third party’s infrastructure.

Symantec’s decision to sell its certificate business has left many wondering if this is part of a strategy to mitigate the penalties imposed by Google and Mozilla. Mozilla is concerned that despite the new certificates being issued under DigiCert’s name, Symantec management, personnel and infrastructure may still be involved to a great extent in the process of issuing certificates.

Jeremy Rowley, Executive VP of Product at DigiCert, on Tuesday responded to each of Mozilla’s concerns and provided some details about the company’s plans going forward.

Rowley said DigiCert will start validating and issuing all certificates requested through Symantec on December 1. While the company will still use Symantec’s front-end systems and hardware, TLS certificate validation and issuing will not be done through the old infrastructure.

DigiCert also plans on training Symantec validation and operation personnel, and while some managers from the security firm will remain on board, Rowley said DigiCert’s existing management team will oversee the transition.

Mozilla says it’s also concerned that Symantec’s processes might displace DigiCert’s processes.

“What we really hope to do is learn from both DigiCert’s and Symantec’s process to create something new during the transition that is better than either one alone. The integration between the two companies is a perfect time to look at how both companies can improve and implement something more secure and customer friendly,” Rowley said. “We have some good ideas on what to do, and I can’t wait to see them implemented in practice. From workflows to tools, I think the combination of DigiCert’s culture and Symantec’s manpower will let us move into some interesting and exciting areas.”

DigiCert competitor Comodo, whose CA business has been sold to private equity firm Francisco Partners, warned Symantec customers that DigiCert’s smaller infrastructure would not stand up to the task. However, Rowley pointed out that DigiCert has been working on scaling its infrastructure for the past two years – long before it decided to acquire Symantec’s CA – as it had been preparing for the increasing demand for certificates introduced by the Internet of Things (IoT).

On the other hand, some have raised concerns over Comodo CA’s acquisition by Francisco Partners, a company whose portfolio includes several surveillance-focused firms, considering that digital certificates are highly valuable assets for online surveillance purposes.

Related: Google to Completely Ban WoSign, StartCom Certificates in Chrome 61

Related: Google Launches Its Own Root Certificate Authority

Related: Mandatory Certificate Authority Authorization Checks Will Boost Domain Security

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.