When life gives you lemons... sell those lemons to someone else for almost $1 billion. That appears to be Symantec's thinking, anyway, because it announced that DigiCert has agreed to acquire its "Website Security and related PKI solutions" for $950 billion in cash. (Symantec will also receive a 30% stake in DigiCert's common stock when the deal closes.) Among those solutions: Symantec's problematic Certificate Authority (CA) division.
It might sound weird to call what is apparently a $1 billion business a "lemon," but the problems with Symantec's CA work run deep. Since late 2015, the company has been sparring with Google over whether or not Symantec-issued certificates should be trusted by Chrome, Android, et al. Now, it seems that instead of trying to solve the issue, Symantec's going to hand off the business to DigiCert and make a cool billion in the process.
The problems started when Google discovered in October 2015 that Symantec issued a rogue certificate for the "google.com" domain. Symantec and Google looked into the problem, and after some back and forth, the companies found more than a hundred certificates issued for domains without their controlling organizations' knowledge. They also learned that 2,458 certificates were issued for domains that were never registered.
These are serious mistakes. CAs and the certificates they distribute underpin the protections that make sure your connections to websites are secure. That system only works if the certificates can be trusted, and the rogue certificates issued by Symantec undermined that trust. Yet the problems didn't stop there: In December 2015, Google removed a Symantec root certificate from Chrome and Android because Symantec decided not to support the CA/Browser Forum’s Baseline Requirements with its root certificates. That was a deal-breaker for Google, so away the trust went.
Things escalated further when Google announced in March that it will gradually distrust certificates issued by Symantec. This time it was because Symantec improperly issued 30,000 certificates over the last few years. Google also immediately stopped recognizing Symantec's Extended Validation certificates and said it wouldn't re-trust (if that's a word) them for at least a year. Things were looking glum for Symantec's CA business.
Symantec responded in April by coming up with an 11-point transparency plan meant to show Google how important its certificates are to many website operators. The move was likely supposed to convince Google to reconsider its stance because of the effect it could have on popular sites. Google didn't show any signs of budging, however, which probably led to Symantec's decision to sell off the problematic business to DigiCert.
In its announcement, Symantec said its board of directors unanimously approved the deal with DigiCert. The deal is expected to close in Q3 2018.
