Kurhan - Fotolia

Symantec certificate authority business reportedly for sale

As Google and Mozilla prepare plans to reduce trust for Symantec's certificate authority, the antivirus vendor is reported to be seeking a buyer for its web certificate business.

Symantec is reportedly looking to sell its web certificate business following months of pressure from the web browser community to reform its certificate authority practices.

According to a Reuters report, Symantec has been reaching out to "a small number" of potential buyers to stir up demand for its troubled PKI unit. Unloading the Symantec certificate authority business could simplify matters for the security giant as it struggles to retain its spot as a trusted certificate authority for Google and Mozilla root browser stores.

Symantec did not respond to requests for comments on the move.

Symantec has been feuding with the browser community since 2015 when Google discovered that Symantec had improperly issued test certificates for a number of domains that it did not own, including some owned by Google. Since then, researchers have uncovered numerous problems with Symantec certificate authority operations, including thousands of improperly issued certificates.

As a result of the improprieties, browser developers at both Mozilla and Google have offered Symantec a consensus remediation plan that requires Symantec to partner with one or more third-party certificate authorities capable of standing up a completely new certificate authority for Symantec's public key infrastructure as a way to regain trust. Symantec accepted most of the plan but has continued to delay implementation in recent weeks, primarily over concerns that proposed deadlines didn't give the vendor enough time.

According to Reuters, which spoke with three people familiar with the matter, the Symantec certificate authority business generates revenue of roughly $400 million. Symantec acquired most of its certificate authority business in 2010, when it purchased Verisign for $1.28 billion.

Reuters said that while Symantec is discussing the possibility of a sale with several parties, no deals have yet been made.

Updating the browser community?

The Reuters report comes more than a week after Gervase Markham, software engineer at Mozilla, reported that Symantec certificate authority staff met privately with Mozilla on June 30 to discuss the company's progress on the trust remediation plan proposed by Google.

"Symantec asked for the meeting to update us on their progress in finding a CA partner or partners to work with them in implementing the consensus remediation plan, which as you will know involves them passing off issuance to a third party while they stand up a new PKI on new, best-practice infrastructure," Markham wrote on the Mozilla developer security policy forum on July 3.

When asked on the forum what was discussed at the meeting, Markham noted that details would be forthcoming by the end of the first week in July or early the following week, but he acknowledged that Symantec shared information about its progress in implementing the browser community's consensus remediation plan.

At that time, Symantec shared information on their progress with Mozilla, but Markham wrote "it seems unnecessary to document all that here, as the meat of what they told me should end up in their implementation proposal." At that time, it seemed, a sale was apparently not discussed.

"In this case, the only information Symantec gave me which we agreed not to reveal was the names of the particular companies they were considering as CA partners," Markham said via email. "No doubt their implementation plan will show who they eventually choose."

"Mozilla runs our root store program in an open and transparent way," a Mozilla spokesperson told SearchSecurity. "We'll continue to update our public mailing lists with relevant information as it comes up."

Symantec and Google have not responded to requests for comment.

The report that the Symantec certificate authority business could be up for sale came just days after Google announced its schedule for dropping trust in certificates issued by WoSign, the Chinese certificate authority that got in trouble for attempting to bypass the ban on SHA-1 by selling backdated certificates, and for clandestinely purchasing StartCom, the Israeli certificate authority, which is included in the loss of trust.

Next Steps

Has Symantec been dragging its heels on responding to certificate authority allegations?

Learn about certificate authority risks, and how to manage them

Find out how TLS 1.3 may solve some certificate authority problems

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing