Corporate leadership at the board room level is often resistant to the idea that oversight is their job, even though it is literally their only job. (Insert "You Had One Job" meme image). In many cases these people are paid (especially on a per-hour basis) more than anybody else in the entire organisation; they ought to be working _very hard_ to deserve this money, and at most corporates they do little or nothing.
Did Symantec's shareholders get the board responsible for this... replaced? Did they at least get a big cut in their wages given that they're apparently no good at their jobs? Nope.
The Web PKI in my not at all humble opinion is doing a better job of handling this problem today than, for example, many actual bona fide regulators. When Symantec kept trying to offer up little bits and pieces (e.g. let's wind up this lucrative Korean partnership programme we've secretly been running for years that had no effective oversight...) they were told it wasn't enough.
In the end this distrust that you're seeing now was mandatory, but it was not intended as a "death sentence" for the Symantec CA function per se. Symantec were told to go find somebody whose leadership we could trust, and let the trustworthy outfit physically run the CA (with Symantec's brands) while Symantec got their shit together and tried again in a year or two. In the process of negotiating such a deal with DigiCert, Symantec instead sold their entire CA business to them, which everybody seems to have (in some cases grudgingly) accepted is a good enough outcome.
DigiCert did a better than might be expected job of this from a technical point of view, and I hope that it works for them commercially as a result.
[Edited for clarity]