
Under New Ownership, DigiCert Expands into Verified Mark Certificates

Three years after Thoma Bravo acquired a majority holding in DigiCert, the Utah-based digital certificate firm has announced its acquisition by Clearlake Capital Group and TA Associates. TA already had a minority holding in the firm and has been investing in DigiCert for seven years.

When the plan was first announced in July 2019, Thoma Bravo said, "As a part of the transaction, Clearlake and TA will become equal partners in DigiCert. The company will continue to be led by CEO John Merrill and the current management team, who are investing alongside Clearlake and TA in the transaction."

The financial terms of the deal have not been released, but Jason Werlin, a managing director at TA Associates, commented, "We look forward to continuing to work closely with the management team to invest in and support DigiCert's innovation and growth efforts," adding, "DigiCert has a unique opportunity to capitalize on new growth initiatives that we believe will help them better serve their customers and their industry."

Two separate and current growth opportunities for DigiCert come with the burgeoning IoT market, and companies' increasing desire to prevent their brands being abused in email phishing scams. 

For IoT, DigiCert offers a PKI platform solution that verifies individual devices and encrypts their communication. "The company operates PKI for enterprise authentication and many IoT device industry consortia and manufacturers, and has issued billions of device certificates to date," says the firm.

The email opportunity comes with the development of its own Verified Mark Certificate (VMC) for domains that send email at scale, and its upcoming pilots of the BIMI (Brand Indicators for Message Identification) standard that require validated logos. The purpose of BIMI is to allow sending companies to have their logo appear with messages in email inboxes, but without the danger of them being spoofed. The VMC is the certificate that verifies the authenticity of the logo. BIMI is intended to work alongside DMARC.

In September 2019, Entrust Datacard issued the first VMC, developed in collaboration with the Authindicators Working Group (which is developing the BIMI standard), as a vendor-neutral solution to allow enterprises the ability to communicate a trademarked brand logo to compatible email clients for display. "Email is the dominant form of customer communication, yet customer phishing and spoofing attempts are at an all-time high," said Armen Najarian, CMO of email security company Agari, an Authindicators Working Group member. "Pairing Domain-based Message Authentication, Reporting and Conformance (DMARC) and VMCs is a winning combination for organizations to deliver improved customer interactions through the inbox."

Yahoo is currently running a BIMI pilot, and Google is expected to implement a pilot in 2020. Other email providers are also expected to begin their own BIMI implementations next year.

The issuing certificate authority for a VMC verifies an organization's registered trademarks and confirms their registration and ownership. The VMC is signed cryptographically with a trusted root, so that mail applications can rely on the information inside the certificate. Once this process is complete, the CA sends the VMC to the organization for its use. 

DigiCert issued the world's first specific VMC on October 10, 2019, to CNN.com. "DigiCert is excited to work with CNN and members of the AuthIndicators Working Group to take this first step in demonstrating the feasibility and benefit of VMCs for global brands under the BIMI pilot program," said DigiCert chief of product Jeremy Rowley. "We know that there is a demand for issuing VMCs at scale and we are fully committed to providing that capability."

The intention is that VMC-verified logos will be displayed only if the associated email is authenticated via at least SPF (RFC 7208) or DKIM (RFC 6376) and passes the DMARC (RFC 7489) policy check. The email itself is consequently as well-proofed against phishing spoofs as currently possible. Adding a VMC to the logo display means that the email provider can confidently display the sender's branded logo without fear of it being separately spoofed.

Combining VMC and DMARC will allow organizations to add the marketing effect of their branded logo to phishing-proofed emails.
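The display rule described above can be checked against the receiving server's own Authentication-Results header (RFC 8601). This is an added example, not code from DigiCert or the Authindicators Working Group; the host names, the sample headers and the `vmc_valid` flag (standing in for certificate validation) are constructed assumptions.

```python
import re

COMMENT = re.compile(r"\([^()]*\)")
RESULT = re.compile(r"^\s*([a-z0-9-]+)\s*=\s*([a-z]+)", re.I)

def parse_auth_results(header):
    """Return (authserv_id, {method: [results]}) for one header value."""
    # Strip RFC 5322 comments, innermost first, so nested ones go too.
    prev = None
    while prev != header:
        prev, header = header, COMMENT.sub(" ", header)
    parts = [p.strip() for p in header.split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = {}
    for part in parts[1:]:
        m = RESULT.match(part)
        if m:  # "method=result"; trailing property=value pairs are ignored
            results.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return authserv_id, results

def may_display_logo(headers, trusted_authserv_id, vmc_valid):
    """Apply the rule: (SPF or DKIM pass) and DMARC pass and a valid VMC."""
    for header in headers:
        authserv_id, results = parse_auth_results(header)
        # Only trust results stamped by our own receiving server; a header
        # carrying any other authserv-id may have arrived with the message.
        if authserv_id != trusted_authserv_id.lower():
            continue
        authenticated = ("pass" in results.get("spf", [])
                         or "pass" in results.get("dkim", []))
        dmarc = results.get("dmarc", [])
        if authenticated and dmarc and all(r == "pass" for r in dmarc):
            return bool(vmc_valid)
    return False

# Constructed sample headers (not taken from real mail).
GOOD = ("mx.receiver.example; spf=pass smtp.mailfrom=news.brand.example; "
        "dkim=pass (2048-bit key) header.d=brand.example; "
        "dmarc=pass header.from=brand.example")
DMARC_FAIL = ("mx.receiver.example; spf=pass smtp.mailfrom=bulk.example; "
              "dkim=none; dmarc=fail header.from=brand.example")
FOREIGN = "mx.other.example; spf=pass; dkim=pass; dmarc=pass"

if __name__ == "__main__":
    for name, hdr in [("good", GOOD), ("dmarc fail", DMARC_FAIL), ("foreign", FOREIGN)]:
        print(name, may_display_logo([hdr], "mx.receiver.example", vmc_valid=True))
```

The `FOREIGN` case shows why the authserv-id comparison matters: its results all read `pass`, but they were not produced by the receiving server, so they are ignored.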

"DigiCert has an exciting business and a compelling vision for internet security based on the company's legacy of innovation and roadmap for building trust in identity and digital interactions," commented Behdad Eghbali, cofounder and managing partner, and Prashant Mehrotra, partner, of Clearlake, following the acquisition. "We are ready to leverage Clearlake's O.P.S. [operations, people and strategy] framework to help the company to continue to build upon its product offerings for customers and fuel new growth through organic investments and acquisitions."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.