CA/Incident Dashboard
Open CA Bugs in Bugzilla
There are three separate lists of open compliance bugs below:
- Compliance bugs (not including audit delays or leaf revocation delays)
- Audit Delays
- Leaf Revocation Delays
Open CA Compliance Bugs
A CA compliance bug concerns a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, where the issue has been determined not to be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=CA+Program&component=CA+Certificate+Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
Actalis: CRL distribution point with ldap scheme | 1906690 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-11-07T16:39:00Z | 2024-07-08T15:44:42Z |
Actalis: Use of CRLReason Code in Certificate Revocation | 1914419 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-11-07T16:34:59Z | 2024-08-22T15:13:31Z |
certSIGN: Missing certificate from the list of bad order subject attributtes | 1924497 | ASSIGNED | Gabriel PETCU | [ca-compliance] [disclosure-failure] | 2024-10-23T06:01:22Z | 2024-10-14T11:33:46Z |
CFCA: Failure to respond to a CPR in a complete and/or timely manner | 1888881 | ASSIGNED | Gao Fei | [ca-compliance] [policy-failure] | 2024-09-12T18:01:32Z | 2024-04-01T07:17:16Z |
Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired | 1904038 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [policy-failure] | 2024-09-23T11:22:43Z | 2024-06-21T12:48:21Z |
Chunghwa Telecom: TLS Certificates Contains two LocalityName Values in SubjectDN by GTLSCA | 1916392 | ASSIGNED | Leo Fang | [ca-compliance] [ov-misissuance] | 2024-11-05T09:22:53Z | 2024-09-03T10:00:29Z |
DigiCert: Domain used for CRLs and OCSP has expired | 1930759 | ASSIGNED | Tim Hollebeek | [ca-compliance] [external] [crl-failure] [ocsp-failure] | 2024-11-26T22:12:59Z | 2024-11-12T20:41:59Z |
DigiCert: Incorrect CP listed in CCADB | 1925106 | ASSIGNED | Tim Hollebeek | [ca-compliance] [disclosure-failure] | 2024-11-23T00:36:46Z | 2024-10-16T19:56:28Z |
DigiCert: Incorrect OrgID in S/MIME certificates for one customer | 1927506 | ASSIGNED | Tim Hollebeek | [ca-compliance] [smime-misissuance] | 2024-11-25T23:20:26Z | 2024-10-28T16:12:09Z |
DigiCert: Random value in CNAME without underscore prefix | 1910322 | ASSIGNED | Jeremy Rowley | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] Next update 2024-11-01 | 2024-11-25T23:11:49Z | 2024-07-29T02:17:59Z |
DigiCert: Some CRLs were not updated for a few days | 1932994 | ASSIGNED | Tim Hollebeek | [ca-compliance] [crl-failure] | 2024-11-25T17:40:55Z | 2024-11-23T00:30:32Z |
DigiCert: Typo in TLS Org Name | 1910258 | ASSIGNED | Martin Sullivan | [ca-compliance] [ov-misissuance] Next update 2024-11-15 | 2024-11-23T00:38:45Z | 2024-07-27T20:48:42Z |
DigiCert: Unclear Disclosure of CAA Issuer Domain Names | 1914911 | ASSIGNED | Tim Hollebeek | [ca-compliance] [policy-failure] [external] | 2024-11-25T23:17:57Z | 2024-08-26T13:21:22Z |
eMudhra emSign PKI Services : Key Blocking Mechanism Fails to Validate Historical Public Key Reuse. | 1931683 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [dv-misissuance] [ov-misissuance] | 2024-11-18T18:04:08Z | 2024-11-16T08:39:56Z |
eMudhra emSign PKI Services : OCSP Responder Time Inconsistency | 1917459 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [ocsp-failure] | 2024-11-13T15:28:09Z | 2024-09-08T09:06:01Z |
eMudhra emSign PKI Services: Failure To Update CA Owner Information In CCADB | 1924492 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [disclosure-failure] | 2024-11-13T15:24:31Z | 2024-10-14T11:19:40Z |
Entrust: Action Items from June 2024 Report | 1901270 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] Next update 2024-11-30 | 2024-11-26T14:56:54Z | 2024-06-07T16:50:41Z |
Entrust: CRL missing revocation reasonCode | 1931886 | ASSIGNED | Bruce Morton | [ca-compliance] [crl-failure] | 2024-11-18T16:25:40Z | 2024-11-18T15:12:21Z |
Entrust: Improperly Verified Business Category | 1921387 | ASSIGNED | Bruce Morton | [ca-compliance] [uncategorized] Next update 2024-11-30 | 2024-11-26T21:27:16Z | 2024-09-27T02:27:48Z |
Entrust: Not updating CPR Problem Reporting Mechanism fields in CCADB | 1894111 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] Next update 2025-01-15 | 2024-10-31T14:42:21Z | 2024-04-29T21:37:24Z |
Entrust: S/MIME certificates lacking OU verification | 1914065 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-11-30 | 2024-11-26T21:54:18Z | 2024-08-20T21:35:45Z |
Entrust: S/MIME mailbox address case mismatch between subject and subjectAltName | 1906470 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-11-30 | 2024-11-26T16:04:11Z | 2024-07-05T18:24:44Z |
Entrust: S/MIME OrgID Country not matching C field | 1914999 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-11-30 | 2024-11-26T21:39:10Z | 2024-08-26T17:57:09Z |
Firmaprofesional: Incorrect publication of information for "Test Website - Revoked" URL in the CCADB. | 1925293 | ASSIGNED | ext-antoni.camon | [ca-compliance] [policy-failure] | 2024-10-31T08:24:49Z | 2024-10-17T14:51:05Z |
FNMT: LDAP URI in CRL Distribution Points Extension | 1922906 | ASSIGNED | Amaya Espinosa | [ca-compliance] [ov-misissuance] Next update 2024-12-20 | 2024-11-21T20:58:01Z | 2024-10-05T17:53:15Z |
GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints | 1888060 | ASSIGNED | capoc | [ca-compliance] [ov-misissuance] | 2024-11-11T07:30:33Z | 2024-03-27T06:15:29Z |
GoDaddy: Does not provide a method for domain owners to revoke their certificates | 1924992 | ASSIGNED | Steven Deitte | [ca-compliance] [policy-failure] [external] | 2024-11-13T16:00:19Z | 2024-10-16T12:06:02Z |
Google Trust Services: New hire onboarding deviation from written procedure | 1931413 | ASSIGNED | Google Trust Services | [ca-compliance] [policy-failure] | 2024-11-22T18:46:42Z | 2024-11-14T19:31:28Z |
IdenTrust: Approval of TLS certificate renewal without domain validation | 1930029 | ASSIGNED | IdenTrust | [ca-compliance] [ov-misissuance] | 2024-11-15T23:24:30Z | 2024-11-08T01:22:37Z |
IdenTrust: Incorrect response for OCSP validation | 1933353 | ASSIGNED | IdenTrust | [ca-compliance] [ocsp-failure] | 2024-11-26T08:56:29Z | 2024-11-25T23:32:51Z |
iTrusChina: CPR was not responded to within 24 hours | 1927675 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [policy-failure] | 2024-11-25T16:28:55Z | 2024-10-29T06:55:46Z |
iTrusChina: Issuance of certificates using keys previously reported as compromised | 1927384 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [ov-misissuance] | 2024-11-25T09:44:02Z | 2024-10-28T02:26:15Z |
iTrusChina: lacking 2018 KGC and GAP period audit report | 1923279 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] | 2024-11-25T16:31:12Z | 2024-10-08T08:22:18Z |
Izenpe: Duplicate attribute in Subject | 1921254 | ASSIGNED | David | [ca-compliance] [ev-misissuance] | 2024-11-15T14:25:06Z | 2024-09-26T14:54:33Z |
Izenpe: Failure to Submit Annual CCADB Self-Assessment | 1883493 | ASSIGNED | David | [ca-compliance] [disclosure-failure] [external] | 2024-09-30T12:32:31Z | 2024-03-04T20:36:07Z |
Izenpe: Not allowed Qualifier ID OID on Certificate Policies extension of Precertificates | 1922844 | ASSIGNED | David | [ca-compliance] | 2024-10-22T04:57:23Z | 2024-10-04T18:51:05Z |
KIR: Delayed revocation within seven (7) days for bug 1921598 | 1922572 | ASSIGNED | Piotr Grabowski | [ca-compliance] [ca-revocation-delay] Next update 2025-01-03 | 2024-11-20T18:00:03Z | 2024-10-03T16:12:24Z |
KIR: Failure to disclose intermediate certificate within 7 days in ccadb | 1921596 | ASSIGNED | Piotr Grabowski | [ca-compliance] [disclosure-failure] | 2024-10-07T11:55:07Z | 2024-09-28T09:18:06Z |
KIR: Intermediate CA - SZAFIR Trusted CA3 - Certificate Policies extension - non-compliance | 1921598 | ASSIGNED | Piotr Grabowski | [ca-compliance] [ca-misissuance] | 2024-10-17T17:22:28Z | 2024-09-28T09:36:58Z |
KIR: Intermediate CA - SZAFIR Trusted CA4 - Certificate Policies extension - non-compliance | 1921597 | ASSIGNED | Piotr Grabowski | [ca-compliance] [ca-misissuance] | 2024-10-17T17:22:54Z | 2024-09-28T09:28:40Z |
Microsec: Expired Certificates on test Pages for Revocation | 1925239 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [policy-failure] | 2024-11-22T17:27:38Z | 2024-10-17T10:05:59Z |
NETLOCK: CPR was not responded to in 24 hours | 1905509 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] | 2024-09-05T17:30:54Z | 2024-06-29T19:45:26Z |
NETLOCK: Findings in 2024 Audit | 1917046 | ASSIGNED | Nikolett | [ca-compliance] [audit-finding] | 2024-10-18T15:56:04Z | 2024-09-05T17:25:24Z |
NETLOCK: Intermediate CA Certificate not disclosed to CCADB | 1904041 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [disclosure-failure] | 2024-08-30T16:07:55Z | 2024-06-21T13:01:09Z |
SECOM: Issuance of TLS server certificates using keys previously compromised | 1931515 | ASSIGNED | ONO Fumiaki | [ca-compliance] [ov-misissuance] | 2024-11-27T09:36:23Z | 2024-11-15T11:21:37Z |
SHECA: CRLReason code usage error | 1914365 | ASSIGNED | Alvin.Wang | [ca-compliance] [crl-failure] | 2024-11-22T16:29:58Z | 2024-08-22T11:43:31Z |
SSL.com: CAA Empty set handling results in Wildcard issuance | 1932973 | ASSIGNED | Thomas Zermeno | [ca-compliance] [ov-misissuance] | 2024-11-25T17:43:20Z | 2024-11-22T21:37:15Z |
SSL.com: Delay in publishing OCSP responses | 1931636 | ASSIGNED | Rebecca Kelley | [ca-compliance] [ocsp-failure] | 2024-11-25T09:59:08Z | 2024-11-15T22:42:53Z |
SSL.com: Entrust API and CAA checking | 1931615 | ASSIGNED | Rebecca Kelley | [ca-compliance] [ov-misissuance] | 2024-11-22T21:38:06Z | 2024-11-15T20:24:25Z |
SSL.com: Issuance of certificates using keys previously reported as compromised | 1927532 | ASSIGNED | Rebecca Kelley | [ca-compliance] [dv-misissuance] | 2024-11-22T21:09:42Z | 2024-10-28T18:17:59Z |
SwissSign: S/MIME certificates deviate from CPR | 1929189 | ASSIGNED | Mike Guenther | [ca-compliance] [smime-misissuance] Next update 2024-12-20 | 2024-11-26T15:41:58Z | 2024-11-05T08:25:05Z |
SwissSign: S/MIME LCP not-permitted key usage | 1914023 | ASSIGNED | Sandy Balzer | [ca-compliance] [smime-misissuance] Next update 2024-11-15 | 2024-11-15T13:25:25Z | 2024-08-20T18:42:01Z |
Telekom Security: CRL-Entries with wrong CRL Reason Codes | 1914383 | ASSIGNED | Arnold Essing | [ca-compliance] [crl-failure] | 2024-11-25T08:43:27Z | 2024-08-22T12:56:33Z |
Telia: S/MIME Certificate issued to expired domain | 1920659 | ASSIGNED | Antti Backman | [ca-compliance] [smime-misissuance] | 2024-11-27T05:46:45Z | 2024-09-24T09:05:29Z |
54 Total; 54 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, using the following whiteboard tags:
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
Chunghwa Telecom:Delayed Annual Audit Report 2024 | 1917224 | ASSIGNED | Li-Chun CHEN | [ca-compliance] [audit-delay] | 2024-11-21T21:29:21Z | 2024-09-06T12:29:32Z |
PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | 1911335 | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2024-10-01T13:56:00Z | 2024-08-02T15:40:40Z |
2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
[meta] Delayed Revocation | 1911183 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2024-11-20T16:01:15Z | 2024-08-01T20:05:04Z |
Buypass: Delayed revocation of TLS certificates | 1872738 | ASSIGNED | Mads Henriksveen | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:49:51Z | 2024-01-02T19:18:17Z |
CFCA: Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) | 1888882 | ASSIGNED | Gao Fei | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-25T09:58:51Z | 2024-04-01T07:19:09Z |
Chunghwa Telecom: Delayed Revocation Due to GTLSCA EKU Misissuance | 1892419 | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:57:07Z | 2024-04-19T10:55:40Z |
Chunghwa Telecom: Delayed Revocation with Controversial Extension (2.5.29.9, SubjectDirectoryAttributes) | 1903066 | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:58:55Z | 2024-06-17T14:31:08Z |
D-Trust: Missed Revocation of TLS certificates affected by Bugzilla 1884714 | 1924385 | ASSIGNED | Enrico Entschew | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-22T19:05:08Z | 2024-10-13T17:26:55Z |
Digicert: Delayed Revocation for bug 1894560 | 1896053 | ASSIGNED | Tim Hollebeek | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:57:34Z | 2024-05-10T05:00:07Z |
DigiCert: Delayed revocation of 1910322 | 1910805 | ASSIGNED | Tim Hollebeek | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-25T23:59:36Z | 2024-07-31T00:45:12Z |
eMudhra emSign PKI Services: Delayed Revocation of SSL/TLS Certificates | 1916478 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T16:01:38Z | 2024-09-03T15:24:26Z |
Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates | 1898848 | ASSIGNED | ngook.kong | [ca-compliance] [leaf-revocation-delay] Next update 2025-03-31 | 2024-11-20T15:58:29Z | 2024-05-25T03:48:12Z |
Entrust: Delayed revocation of EV TLS certificates with missing cPSuri | 1886532 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] Next update 2025-03-31 | 2024-11-20T15:53:00Z | 2024-03-20T17:22:26Z |
Entrust: Failure to revoke EV TLS certificates issued before CPS update | 1890685 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] [leaf-revocation-delay] Next update 2025-03-31 | 2024-11-20T15:56:05Z | 2024-04-09T23:40:57Z |
GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints | 1889062 | ASSIGNED | capoc | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:55:43Z | 2024-04-02T09:18:52Z |
Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical | 1887888 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:54:44Z | 2024-03-26T14:39:37Z |
Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem | 1886665 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:53:35Z | 2024-03-21T04:30:30Z |
Microsec: Delayed revocation of the misissued certificates | 1887110 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:54:08Z | 2024-03-22T18:00:56Z |
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation | 1891331 | ASSIGNED | Nikolett | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:56:38Z | 2024-04-13T22:07:56Z |
Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical | 1877388 | ASSIGNED | Arnold Essing | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:50:35Z | 2024-01-30T07:52:58Z |
Telia: Delayed revocation of seven (7) certificates related to incident 1896108 | 1896553 | ASSIGNED | Antti Backman | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:58:07Z | 2024-05-14T04:48:55Z |
TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order | 1884568 | ASSIGNED | Hao-Chun Li | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:51:05Z | 2024-03-10T12:44:57Z |
TWCA: Revocation delay for TLS certificates with non-critical basicConstraints | 1886110 | ASSIGNED | chtsai | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:52:35Z | 2024-03-19T07:42:18Z |
VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | 1885568 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:51:59Z | 2024-03-15T16:20:17Z |
22 Total; 22 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: