Security Experts:

Mozilla Raises Concerns Over DigiCert Acquiring Symantec CA

Mozilla has raised some concerns regarding DigiCert acquiring Symantec’s website security and related public key infrastructure (PKI) solutions after major web browser vendors announced that certificates issued by the security firm would no longer be trusted.

Due to a series of incidents involving mississued TLS certificates, Mozilla and Google want Symantec and its partners to replace all existing certificates within a year. Furthermore, new certificates will need to be issued through the infrastructure of a subordinate certificate authority (CA).

Microsoft and Apple have yet to make any public comments on the matter, but they will likely follow in the footsteps of Mozilla and Google.

Instead of finding a subordinate CA to help it issue new certificates, Symantec has decided to sell its certificate business to DigiCert for $950 million in cash and a stake of roughly 30 percent in common stock equity of the DigiCert business. The companies announced on Tuesday that the acquisition has been completed.

DigiCert has reached out to Mozilla to see if the organization has any concerns over the acquisition. Mozilla is primarily concerned that while the new certificates will be issued under DigiCert’s name, Symantec will be involved in the process and it will introduce the problematic practices that led to the current situation.

“It would not be appropriate for a CA to escape root program sanctions by restructuring, or by purchasing another CA through M&A and continuing operations under that CA’s name, essentially unchanged,” explained Gervase Markham, a software engineer at the Mozilla Foundation. “And examination of historical corporate merger and acquisition activity, including deals involving Symantec, show that it’s possible for an M&A billed as the ‘purchase of B by A’ to end up with name A and yet be mostly managed by the executives of B.”

Mozilla informed DigiCert that it has four primary concerns. The organization does not want the day-to-day issuance of certificates to rely too much on Symantec’s old infrastructure.

Mozilla also cautioned about Symantec’s validation and operations personnel continuing their work without first receiving training from DigiCert. Furthermore, the web browser vendor is concerned that Symantec’s processes may actually displace DigiCert’s existing processes.

Finally, Mozilla has advised DigiCert not to allow Symantec to control the CA organization, particularly when it comes to providing technical and policy direction and oversight of the PKI.

“We hope that this provides useful guidance about our concerns, and note that our final opinion of the trustworthiness of the resulting entity will depend on the facts and behavior of the resulting organization. Mozilla reserves the right to include or exclude organizations or root certificates from our root store at our sole discretion,” Markham said.

Symantec and DigiCert promised customers an easy transition, but competitors have taken the opportunity to point out that the process could pose problems.

Comodo CA, which tech-focused private equity firm Francisco Partners acquired this week for an undisclosed amount, warned that “DigiCert does not have the same infrastructure as Symantec, as a much smaller Certificate authority it never had the need to. Therefore, the eventual platform migration poses a huge execution and technology risk for all Symantec Enterprise customers and channel partners.”

Related: Google to Completely Ban WoSign, StartCom Certificates in Chrome 61

Related: Google Launches Its Own Root Certificate Authority

Related: Mandatory Certificate Authority Authorization Checks Will Boost Domain Security

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.