Despite the recent turmoil in the SSL certificate market, Comodo CA's new leadership believes the space presents a wealth of opportunities.
Private equity firm Francisco Partners last fall acquired Comodo CA, the certificate authority arm of Comodo. Francisco Partners appointed Bill Conner, president and CEO of SonicWall, as chairman of Comodo CA, and named Bill Holtz, former COO of certificate authority Entrust and former CIO of Expedia, as the company's new chief executive, replacing former CEO and founder Melih Abdulhayoglu. Now the two are tasked with expanding Comodo's business in areas like the internet of things.
In part one of the conversation with SearchSecurity, Conner and Holtz discussed the struggles of Symantec's certificate authority, the harsh actions taken by Google and Mozilla to correct those issues, and the effect they had on the overall market. In part two, they discuss the competition landscape in the certificate space and the opportunities presented by IoT certificates. Here is part two of the discussion with Conner and Holtz:
How competitive is the certificate industry today as opposed to maybe 10 years ago, when there were more players?
Bill Conner: It was a much more fractured industry in the past, and there have been a lot of changes; you start to create new certificates, going from domain validation [DV] to organization validation [OV] and now extended validation [EV], over the last few years and have code signing and digital signatures, and then you go from RSA [cryptography] to elliptical. The industry was consolidated with a lot of mergers and acquisitions under Symantec. At that point, there were very few people that had the root keys in the browsers. In one sense, there was less competition back then because there wasn't enough space in the market to have it. Increasingly, as you could have more certificates, a lot of people started entering the space. And there was fallout from that because some companies couldn't handle the lifecycle and others got cannibalized. Some of those brands survived under other companies like Symantec. If you look at the market today, there are a lot more people playing like Let's Encrypt and others around the world at the low end. At the high end, it's a smaller group: GlobalSign, DigiCert and Comodo. So there's less players, but more competition. And in light of the latest episode with Symantec, if you have to move to new certificates, you're probably going to look at other [CA] options. So there may be more competitive activities today than there used to be.
I'll also say that with net-new IoT certificates for connected devices and code signing and other areas, we're going to have more and more certificates, but they're going to get bent to do new things. It won't just be for authentication. It might be for non-repudiation or digital signatures. I think that is going to morph as networks, cloud services, mobile devices and applications reshape themselves in the next five to 10 years.
Bill Holtz: There's definitely competition out there, but I think some people are pigeonholing themselves. Look at Let's Encrypt, for example, in the DV space. A lot of people that did not have certificates before are using them, but there are limitations. They're 90-day certificates, they don't cover all of the legacy servers that you may have in your enterprise, and they don't come with support. But for the market segment they're in, they're serving a purpose. And it is getting the web encrypted; if you look at the number of HTTPS pages on the web, it's increased dramatically. And that plays to the industry's advantage because it raises awareness. But Let's Encrypt doesn't do OV or EV. So there is some competition, but I think our path is pretty well laid out for us.
You said trust in the certificate authority business today has taken a big hit. What's the appeal of getting into this business today, and where do you want to take Comodo CA as a certificate authority?
Holtz: The appeal is it's a healthy business that generates a lot of cash, and it provides an important service to the internet. The internet can't run without certificates. There's been a discussion now for over a decade about how SSL and PKI are going to go away, but all I see are SSL and PKI continuing to thrive. Certificates are going to continue to grow. In fact, with IoT devices, now you have certificates going everywhere. It's a great business to be in, and it has a lot of growth potential in different areas. What you have to start looking at is complete certificate lifecycle management. It's not just about issuing the certificate. I think customers are looking for help for this complete lifecycle management, whether it's finding out what certificates you have, how you maintain them and how you renew them. And when you apply that even further to IoT devices, it's a really exciting space to be in.
Conner: If you look at the technology landscape, apps are talking to apps and devices are talking to apps. You also have the cloud, so instead of the old way of endpoints talking to endpoints, you have endpoints talking to cloud services. There's not a place for people in those areas. Those are going to morph. Those won't be classic 509 certificates as you used to think of them. And at the core of everything is the basis of trust and how to validate it and create handshakes for it. You can do public trusted and you can also do non-publicly trusted. I think the new world will have a hybrid of those approaches as these new applications and networks are formed. And by the way, the traditional business is still pretty attractive for someone like Comodo to pick up some market share and some financial opportunities while helping to drive some of those new capabilities and new markets.
Given all the struggles we've seen with different certificate authorities in recent years, do you feel the certificate business is a challenging one?
Conner: It is for the layperson because it's not well understood. Certificates are pretty basic, but when you get into what you have to do with root certificates and managing them, then you've got to have expertise. That's your secret sauce as a certificate authority. And ultimately that's [the] exciting thing that Melih [Abdulhayoglu] and I saw, and Bill [Holtz] ultimately saw as well. The expertise that [Abdulhayoglu] had and what [Holtz] and I brought make a very interesting combination of talent that I don't think existed in this space today.
Holtz: I'd say it is a hard business from the standpoint that you have to have the right level of intellectual capability in the executive team running the business. We saw Symantec leaning more and more on their partners and letting other people do things, and we saw what happened there. You have to pay attention to what you're doing. You can't be issuing rogue certificates. There are a lot of things you have to be doing, and doing them well, every day in this business. There's little room for error. So yes, it's a hard business, but as Bill [Conner] said, we're starting with a great base here at Comodo, and we're attracting some of the best talent that we know in this market so we can take the business to the next level.