> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec....@lists.mozilla.org] On Behalf Of
> Devon O'Brien via dev-security-policy
> Sent: Wednesday, August 09, 2017 12:24 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: [EXT] Re: Symantec Update on SubCA Proposal
> Hello m.d.s.p.,
> I'd just like to give the community a heads up that Chrome’s plan remains to
> put up a blog post echoing our recent announcement on blink-dev [1], but
> in the meantime, we are reviewing the facts related to Symantec’s sale of
> their PKI business to DigiCert [2].
> Recently, it has come to our attention that Symantec may have selected
> DigiCert from the RFP process to become a Managed CA Partner. As defined
> in Google’s first Managed CA proposal [3], then supported by Symantec’s
> commitment to “[cover] all aspects of the SubCA proposal” [4], and finally
> reiterated in Google’s final proposal [1], the requirement has always been
> that the Managed Partner Infrastructure be operated by an independent
> and non-affiliated CA while Symantec worked to rebuild the web
> community's confidence.
> Based on this information, we have a series of questions that we’d like
> Symantec to address for public discussion:
> 1. Just to confirm, Did Symantec select DigiCert to be Managed CA Partner
> under the RFP process? If so, in light of DigiCert’s acquisition of Symantec’s
> PKI business and Symantec’s substantial equity investment in DigiCert, can
> you explain how you believe selecting DigiCert as the Managed CA Partner
> meets the stated requirement of being an independent and non-affiliated
> organization?

Before we initiated our SubCA RFP process in May, Google provided Symantec with 
a list of Certificate Authorities, including DigiCert, which met the 
eligibility requirements of a Managed CA under the SubCA proposal.   Symantec 
conducted a thorough SubCA RFP process and believes DigiCert can credibly meet 
browser requirements and timelines.

Symantec decided it was in the best interests of all of its stakeholders to 
sell its Website Security and related PKI solutions to DigiCert. To ensure 
business continuity for customers, Symantec entered into a SubCA arrangement 
with DigiCert simultaneous with entry into the definitive acquisition agreement 
to account for the possibility that the acquisition may not close by December 
1, 2017.

Regardless of whether the acquisition closes before December 1, 2017 or not, 
there is never a circumstance under which DigiCert will be an 'affiliate' of 
Symantec with respect to acting as Symantec's Managed CA under the SubCA 
proposal.  Symantec currently has no ownership interest in or ability 
(contractual or otherwise) to control the operations of DigiCert, nor does 
either party otherwise constitute an 'affiliate' of the other, as such term is 
defined in the CA-Browser Forum Baseline Requirements (v 1.4.9).

At the closing of the acquisition, Symantec is being paid in both cash and 
stock, with the latter comprising a 30% ownership interest in the common equity 
of DigiCert, which allows for Symantec stockholders to benefit from the 
potential value created by the DigiCert business after the closing. This 
minority ownership position, which shall not be received by Symantec until the 
closing of the acquisition, represents a financial investment in DigiCert.  
This financial investment does not give Symantec control over DigiCert's CA 
technology, operations or business, and therefore we believe that it satisfies 
the spirit of the non-affiliate status that the browser community was seeking 
to achieve through the SubCA proposal.

It is Symantec's understanding that all certificates issued by DigiCert on or 
after December 1, 2017 and the closing of the acquisition will chain to 
DigiCert's existing public roots. If the acquisition closes before December 1, 
2017, then no certificates will ever be issued by DigiCert as a Managed CA of 
Symantec because DigiCert will not be issuing certificates under a new ICA that 
chains to a new Symantec PKI.  Rather, in this instance, certificates will 
either (i) be issued off of Symantec’s existing PKI, which is permitted under 
the SubCA proposal until November 30, 2017, or (ii) be issued off of DigiCert’s 
existing PKI.  The actual timing of the acquisition closing relative to the 
parties’ operational integration planning schedule will determine whether 
certificates are issued under both scenarios or just the latter.

If the acquisition does not close before December 1, 2017, then DigiCert has 
agreed to serve as Symantec's Managed CA partner as of December 1, 2017, but 
will not be an 'affiliate' during this pre-closing period for the reasons 
explained above.

> 2. Were any additional CAs selected to be a Managed CA Partner from the
> list of trusted CAs that Symantec “felt best met the browser requirements”?

There were no additional CAs selected to be a Managed CA partner.  Symantec 
conducted a thorough SubCA RFP process and believes DigiCert can credibly meet 
browser requirements and timelines.

Although we believe the DigiCert transaction achieves the goals of Google and 
Mozilla and the extended browser community (transition away from Symantec's 
existing PKI and issuance platform to one that is accepted by browsers) as well 
as our own goals (minimize customer disruption), there are important 
differences between this sale transaction and the SubCA proposal.  Under the 
SubCA proposal, Symantec SSL/TLS certificates would be issued through one or 
more independently operated third-party CAs – under an ICA that chains to a new 
private PKI issued by Symantec and which is cross-signed by Symantec's existing 
PKI – until Symantec developed and deployed a modernized PKI platform that is 
accepted into trust stores. After the closing of the DigiCert acquisition, our 
customers will be issued SSL/TLS certificates from DigiCert’s existing PKI and 
platform, which is currently available and publicly trusted by all browsers.

Symantec decided it was in the best interests of all of its stakeholders to 
sell its Website Security and related PKI solutions to DigiCert because this 
transaction accelerates the transition for our customers to an existing PKI 
platform at DigiCert that meets all industry standards and browser 
requirements, ensuring continuity for our customers and providing a foundation 
for continued innovation.

dev-security-policy mailing list

Reply via email to