CVE-2022-23491, or Why PO boxes can’t be root certificate authorities anymore

Fri 14Jul2023

Joel Reardon, University of Calgary

From 14:00 until 15:00

At CAB H 52 (Seminar), ETH Zurich

CAB H 52 (Seminar), ETH Zurich


Mozilla curates a set of root certificate authorities to validate hostnames for TLS in the Firefox browser. Many other software projects, such as Tor Browser and ca-certificates simply follow Mozilla's list; other entities, such as Apple and Microsoft, make their own decisions for inclusion with considerations for Mozilla's decisions and the associated public discussion.

In March 2023, Mozilla introduced a set of new considerations when deciding on inclusions and removals to their authorities list. Among these are being closely tied through ownership or operation to a spyware operation, having as its address a P.O. box or being a shell corporation, being audited by an auditor that does not audit any other certificate authorities, and not being transparent on matters such as legal domicile and control.

In this talk, we'll discuss our research into a root certificate authority and the associated disclosure that lead to Mozilla distrusting it and Github assigning CVE-2022-23491. This was despite no evidence of any mis-issued certificates or wrongdoing tied to its certificate authority operations. This removal was soon after followed by Mozilla producing their new set of root inclusion considerations, some of which are directly relevant to our disclosure.

Join us in CAB H 52 (Seminar).

Download Event to Calendar