Interview: John Merrill, CEO, DigiCert

Browser security made a fair few headlines over the past 12 months, with stories of unfixed bugs and malicious extensions exceedingly common, and the end of support for Adobe Flash looming in 2020.

Add to that the issues around certificates, including Google, Apple and GoDaddy recalling over a million certificates, researchers spoofing PKI certificates and the case where Trustico director Zane Lucas claimed he was “suffering significantly” after 23,000 certificates were revoked.

In that original story, the certificates were revoked last March after DigiCert said that private keys and certificates had been compromised. The news came after DigiCert acquired Symantec’s website security business in a $950m deal. 

After all of this, DigiCert CEO John Merrill spoke with Infosecurity and said that he is seeing more of a push to privacy, especially around the deployment of SSL, and that the company was trying to navigate “quantum leaps” in computer power around SSL and post-quantum cryptography around IoT. That's because, although there are currently no quantum computers, “if you look at the devices we use now, the processes and products you design now will probably be around when the quantum computer becomes viable,” Merrill explained.

He said that this is the reason for creating algorithms to protect that, “and if you’re not already thinking about it, you’re too late.” He said that most financial services and banking CISOs are thinking about that now, and that will lead to some hybrid certificates being issued later this year, with a post-quantum resistant key in it so people can start testing.

Looking back at the acquisition from Symantec, Merrill said that after Symantec had stopped investing in the Verisign platform, it was no longer meeting industry standards, and this led to the dispute with other certificate authorities.

“We jointly established the rules and protocols, as we authenticate the companies and the browsers look for the certificates and display them as trusted or not trusted,” he said. “So it is a collaboration between us and it got to the point where the browsers didn’t trust Symantec.” 

He explained that Google gave Symantec a deadline, and this led to the acquisition and integration in November 2017. “We had to take over that certificate vetting for all of Symantec’s certificates, and replace them in a year, so it was a year of transition,” he said. 

As part of that transition, the last year was spent building new data centers to scale up. Merrill acknowledged that the certificate authority sector “is a little old” as the likes of RSA have been around since the 1970s. There has been a lack of innovation, he said, and one way to innovate is with post-quantum cryptography.

“Our obligation is to do things right for the internet, so we’re investing in infrastructure and our products and there is an element of public trust that we have to fulfill,” he pointed out.

Focusing on the issues of trust, Merrill said that the company “has always tried to do the right thing” and is working with the browsers, and has invested in industry standards as well as participating in industry forums. In the case of distrusted Symantec certificates, he explained that they had to be replaced in a “hellacious job, to be candid” as this was over five million certificates.

“That whole event made us realize that we had to get our act together,” he admitted. “It is not just the internet, it is also IoT devices as a lot of them use PKI for their security. We have to create encryption algorithms that will be safe in 15-20 years, otherwise we could have another distrust type event.”

Concluding, Merrill said that DigiCert is past the updating and transition phase, and is now at “the scale to really do it right” as it has the ability to look at post-quantum cryptography, and revamp infrastructure and products.

“The internet is global, but business is still local so we acquired Swiss company QuoVadis as the EU has its own standards for certificates called ‘qualified certificates’ and in an SSL transaction there is the encryption piece, and the authentication piece, so we will be a European CA,” he said. “Part of it is technology innovation, but we also want to be geographically supportive.”
