{"id":2264,"date":"2017-10-31T04:47:25","date_gmt":"2017-10-31T11:47:25","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2264"},"modified":"2017-10-31T04:50:06","modified_gmt":"2017-10-31T11:50:06","slug":"statement-digicerts-proposed-purchase-symantec","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2017\/10\/31\/statement-digicerts-proposed-purchase-symantec\/","title":{"rendered":"Statement on DigiCert\u2019s Proposed Purchase of Symantec’s CA"},"content":{"rendered":"

Mozilla\u2019s Root Store Program has taken the position that trust is not automatically transferable between organizations. This is specifically stated in section 8 of our Root Store Policy v2.5<\/a>, which details how Mozilla handles transfers of root certificates between organizations. Mozilla has taken an interest in such transfers, and there is the potential for trust adjustments based on the particular circumstances.<\/p>\n

The CA DigiCert has announced that it is in negotiations to acquire the CA business of Symantec<\/a>. This announcement was made following the decision of Mozilla and other root store programs to phase out trust in Symantec\u2019s root certificates<\/a>, based on a detailed investigation<\/a> of their old and large CA hierarchies and their behaviour and practices over the past few years. There are no plans to change this phase-out of trust in the roots owned by Symantec.<\/p>\n

While Mozilla does not intend to micro-manage any CA, the final arrangements for management and processes and infrastructure to be used by the combined company is of interest and potential concern to us. It would not be appropriate for a CA to escape root program sanction by restructuring, or by purchasing another CA through M&A and continuing operations under that CA\u2019s name, essentially unchanged. And examination of historical corporate merger and acquisition activity, including deals involving Symantec, show that it\u2019s possible for an M&A billed as the \u201cpurchase of B by A\u201d to end up with name A and yet be mostly managed by the executives of B.<\/p>\n

Representatives of DigiCert have sought guidance from us on the type of arrangements which would and would not cause us concern. In a good faith effort to answer that enquiry, we can make the following, non-exhaustive statements of what would cause Mozilla concern.<\/p>\n