CA/Incident Dashboard

From MozillaWiki
< CA
Jump to: navigation, search

Open CA Bugs in Bugzilla

There are three separate lists of open compliance bugs below:

  • Compliance bugs (not including audit delays or leaf revocation delays)
  • Audit Delays
  • Leaf Revocation Delays

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
Actalis: CRL distribution point with ldap scheme 1906690 ASSIGNED Marco Menonna [ca-compliance] [crl-failure] 2024-11-07T16:39:00Z 2024-07-08T15:44:42Z
Actalis: Use of CRLReason Code in Certificate Revocation 1914419 ASSIGNED Marco Menonna [ca-compliance] [crl-failure] 2024-11-07T16:34:59Z 2024-08-22T15:13:31Z
certSIGN: Missing certificate from the list of bad order subject attributtes 1924497 ASSIGNED Gabriel PETCU [ca-compliance] [disclosure-failure] 2024-10-23T06:01:22Z 2024-10-14T11:33:46Z
CFCA: Failure to respond to a CPR in a complete and/or timely manner 1888881 ASSIGNED Gao Fei [ca-compliance] [policy-failure] 2024-09-12T18:01:32Z 2024-04-01T07:17:16Z
Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired 1904038 ASSIGNED Tsung-Min Kuo [ca-compliance] [policy-failure] 2024-09-23T11:22:43Z 2024-06-21T12:48:21Z
Chunghwa Telecom: TLS Certificates Contains two LocalityName Values in SubjectDN by GTLSCA 1916392 ASSIGNED Leo Fang [ca-compliance] [ov-misissuance] 2024-11-05T09:22:53Z 2024-09-03T10:00:29Z
DigiCert: Domain used for CRLs and OCSP has expired 1930759 ASSIGNED Tim Hollebeek [ca-compliance] [external] [crl-failure] [ocsp-failure] 2024-11-26T22:12:59Z 2024-11-12T20:41:59Z
DigiCert: Incorrect CP listed in CCADB 1925106 ASSIGNED Tim Hollebeek [ca-compliance] [disclosure-failure] 2024-11-23T00:36:46Z 2024-10-16T19:56:28Z
DigiCert: Incorrect OrgID in S/MIME certificates for one customer 1927506 ASSIGNED Tim Hollebeek [ca-compliance] [smime-misissuance] 2024-11-25T23:20:26Z 2024-10-28T16:12:09Z
DigiCert: Random value in CNAME without underscore prefix 1910322 ASSIGNED Jeremy Rowley [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] Next update 2024-11-01 2024-11-25T23:11:49Z 2024-07-29T02:17:59Z
DigiCert: Some CRLs were not updated for a few days 1932994 ASSIGNED Tim Hollebeek [ca-compliance] [crl-failure] 2024-11-25T17:40:55Z 2024-11-23T00:30:32Z
DigiCert: Typo in TLS Org Name 1910258 ASSIGNED Martin Sullivan [ca-compliance] [ov-misissuance] Next update 2024-11-15 2024-11-23T00:38:45Z 2024-07-27T20:48:42Z
DigiCert: Unclear Disclosure of CAA Issuer Domain Names 1914911 ASSIGNED Tim Hollebeek [ca-compliance] [policy-failure] [external] 2024-11-25T23:17:57Z 2024-08-26T13:21:22Z
eMudhra emSign PKI Services : Key Blocking Mechanism Fails to Validate Historical Public Key Reuse. 1931683 ASSIGNED Naveen Kumar ML [ca-compliance] [dv-misissuance] [ov-misissuance] 2024-11-18T18:04:08Z 2024-11-16T08:39:56Z
eMudhra emSign PKI Services : OCSP Responder Time Inconsistency 1917459 ASSIGNED Naveen Kumar ML [ca-compliance] [ocsp-failure] 2024-11-13T15:28:09Z 2024-09-08T09:06:01Z
eMudhra emSign PKI Services: Failure To Update CA Owner Information In CCADB 1924492 ASSIGNED Naveen Kumar ML [ca-compliance] [disclosure-failure] 2024-11-13T15:24:31Z 2024-10-14T11:19:40Z
Entrust: Action Items from June 2024 Report 1901270 ASSIGNED Ben Wilson [ca-compliance] [meta] Next update 2024-11-30 2024-11-26T14:56:54Z 2024-06-07T16:50:41Z
Entrust: CRL missing revocation reasonCode 1931886 ASSIGNED Bruce Morton [ca-compliance] [crl-failure] 2024-11-18T16:25:40Z 2024-11-18T15:12:21Z
Entrust: Improperly Verified Business Category 1921387 ASSIGNED Bruce Morton [ca-compliance] [uncategorized] Next update 2024-11-30 2024-11-26T21:27:16Z 2024-09-27T02:27:48Z
Entrust: Not updating CPR Problem Reporting Mechanism fields in CCADB 1894111 ASSIGNED Bruce Morton [ca-compliance] [policy-failure] Next update 2025-01-15 2024-10-31T14:42:21Z 2024-04-29T21:37:24Z
Entrust: S/MIME certificates lacking OU verification 1914065 ASSIGNED Bruce Morton [ca-compliance] [smime-misissuance] Next update 2024-11-30 2024-11-26T21:54:18Z 2024-08-20T21:35:45Z
Entrust: S/MIME mailbox address case mismatch between subject and subjectAltName 1906470 ASSIGNED Bruce Morton [ca-compliance] [smime-misissuance] Next update 2024-11-30 2024-11-26T16:04:11Z 2024-07-05T18:24:44Z
Entrust: S/MIME OrgID Country not matching C field 1914999 ASSIGNED Bruce Morton [ca-compliance] [smime-misissuance] Next update 2024-11-30 2024-11-26T21:39:10Z 2024-08-26T17:57:09Z
Firmaprofesional: Incorrect publication of information for "Test Website - Revoked" URL in the CCADB. 1925293 ASSIGNED ext-antoni.camon [ca-compliance] [policy-failure] 2024-10-31T08:24:49Z 2024-10-17T14:51:05Z
FNMT: LDAP URI in CRL Distribution Points Extension 1922906 ASSIGNED Amaya Espinosa [ca-compliance] [ov-misissuance] Next update 2024-12-20 2024-11-21T20:58:01Z 2024-10-05T17:53:15Z
GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints 1888060 ASSIGNED capoc [ca-compliance] [ov-misissuance] 2024-11-11T07:30:33Z 2024-03-27T06:15:29Z
GoDaddy: Does not provide a method for domain owners to revoke their certificates 1924992 ASSIGNED Steven Deitte [ca-compliance] [policy-failure] [external] 2024-11-13T16:00:19Z 2024-10-16T12:06:02Z
Google Trust Services: New hire onboarding deviation from written procedure 1931413 ASSIGNED Google Trust Services [ca-compliance] [policy-failure] 2024-11-22T18:46:42Z 2024-11-14T19:31:28Z
IdenTrust: Approval of TLS certificate renewal without domain validation 1930029 ASSIGNED IdenTrust [ca-compliance] [ov-misissuance] 2024-11-15T23:24:30Z 2024-11-08T01:22:37Z
IdenTrust: Incorrect response for OCSP validation 1933353 ASSIGNED IdenTrust [ca-compliance] [ocsp-failure] 2024-11-26T08:56:29Z 2024-11-25T23:32:51Z
iTrusChina: CPR was not responded to within 24 hours 1927675 ASSIGNED iTrusChina Co.,Ltd. [ca-compliance] [policy-failure] 2024-11-25T16:28:55Z 2024-10-29T06:55:46Z
iTrusChina: Issuance of certificates using keys previously reported as compromised 1927384 ASSIGNED iTrusChina Co.,Ltd. [ca-compliance] [ov-misissuance] 2024-11-25T09:44:02Z 2024-10-28T02:26:15Z
iTrusChina: lacking 2018 KGC and GAP period audit report 1923279 ASSIGNED iTrusChina Co.,Ltd. [ca-compliance] 2024-11-25T16:31:12Z 2024-10-08T08:22:18Z
Izenpe: Duplicate attribute in Subject 1921254 ASSIGNED David [ca-compliance] [ev-misissuance] 2024-11-15T14:25:06Z 2024-09-26T14:54:33Z
Izenpe: Failure to Submit Annual CCADB Self-Assessment 1883493 ASSIGNED David [ca-compliance] [disclosure-failure] [external] 2024-09-30T12:32:31Z 2024-03-04T20:36:07Z
Izenpe: Not allowed Qualifier ID OID on Certificate Policies extension of Precertificates 1922844 ASSIGNED David [ca-compliance] 2024-10-22T04:57:23Z 2024-10-04T18:51:05Z
KIR: Delayed revocation within seven (7) days for bug 1921598 1922572 ASSIGNED Piotr Grabowski [ca-compliance] [ca-revocation-delay] Next update 2025-01-03 2024-11-20T18:00:03Z 2024-10-03T16:12:24Z
KIR: Failure to disclose intermediate certificate within 7 days in ccadb 1921596 ASSIGNED Piotr Grabowski [ca-compliance] [disclosure-failure] 2024-10-07T11:55:07Z 2024-09-28T09:18:06Z
KIR: Intermediate CA - SZAFIR Trusted CA3 - Certificate Policies extension - non-compliance 1921598 ASSIGNED Piotr Grabowski [ca-compliance] [ca-misissuance] 2024-10-17T17:22:28Z 2024-09-28T09:36:58Z
KIR: Intermediate CA - SZAFIR Trusted CA4 - Certificate Policies extension - non-compliance 1921597 ASSIGNED Piotr Grabowski [ca-compliance] [ca-misissuance] 2024-10-17T17:22:54Z 2024-09-28T09:28:40Z
Microsec: Expired Certificates on test Pages for Revocation 1925239 ASSIGNED dr. Sándor SZŐKE [ca-compliance] [policy-failure] 2024-11-22T17:27:38Z 2024-10-17T10:05:59Z
NETLOCK: CPR was not responded to in 24 hours 1905509 ASSIGNED Nikolett [ca-compliance] [policy-failure] 2024-09-05T17:30:54Z 2024-06-29T19:45:26Z
NETLOCK: Findings in 2024 Audit 1917046 ASSIGNED Nikolett [ca-compliance] [audit-finding] 2024-10-18T15:56:04Z 2024-09-05T17:25:24Z
NETLOCK: Intermediate CA Certificate not disclosed to CCADB 1904041 ASSIGNED Nikolett [ca-compliance] [policy-failure] [disclosure-failure] 2024-08-30T16:07:55Z 2024-06-21T13:01:09Z
SECOM: Issuance of TLS server certificates using keys previously compromised 1931515 ASSIGNED ONO Fumiaki [ca-compliance] [ov-misissuance] 2024-11-27T09:36:23Z 2024-11-15T11:21:37Z
SHECA: CRLReason code usage error 1914365 ASSIGNED Alvin.Wang [ca-compliance] [crl-failure] 2024-11-22T16:29:58Z 2024-08-22T11:43:31Z
SSL.com: CAA Empty set handling results in Wildcard issuance 1932973 ASSIGNED Thomas Zermeno [ca-compliance] [ov-misissuance] 2024-11-25T17:43:20Z 2024-11-22T21:37:15Z
SSL.com: Delay in publishing OCSP responses 1931636 ASSIGNED Rebecca Kelley [ca-compliance] [ocsp-failure] 2024-11-25T09:59:08Z 2024-11-15T22:42:53Z
SSL.com: Entrust API and CAA checking 1931615 ASSIGNED Rebecca Kelley [ca-compliance] [ov-misissuance] 2024-11-22T21:38:06Z 2024-11-15T20:24:25Z
SSL.com: Issuance of certificates using keys previously reported as compromised 1927532 ASSIGNED Rebecca Kelley [ca-compliance] [dv-misissuance] 2024-11-22T21:09:42Z 2024-10-28T18:17:59Z
SwissSign: S/MIME certificates deviate from CPR 1929189 ASSIGNED Mike Guenther [ca-compliance] [smime-misissuance] Next update 2024-12-20 2024-11-26T15:41:58Z 2024-11-05T08:25:05Z
SwissSign: S/MIME LCP not-permitted key usage 1914023 ASSIGNED Sandy Balzer [ca-compliance] [smime-misissuance] Next update 2024-11-15 2024-11-15T13:25:25Z 2024-08-20T18:42:01Z
Telekom Security: CRL-Entries with wrong CRL Reason Codes 1914383 ASSIGNED Arnold Essing [ca-compliance] [crl-failure] 2024-11-25T08:43:27Z 2024-08-22T12:56:33Z
Telia: S/MIME Certificate issued to expired domain 1920659 ASSIGNED Antti Backman [ca-compliance] [smime-misissuance] 2024-11-27T05:46:45Z 2024-09-24T09:05:29Z

54 Total; 54 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
Chunghwa Telecom:Delayed Annual Audit Report 2024 1917224 ASSIGNED Li-Chun CHEN [ca-compliance] [audit-delay] 2024-11-21T21:29:21Z 2024-09-06T12:29:32Z
PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA 1911335 ASSIGNED Jochem van den Berge [ca-compliance] [audit-delay] 2024-10-01T13:56:00Z 2024-08-02T15:40:40Z

2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
[meta] Delayed Revocation 1911183 ASSIGNED Ben Wilson [ca-compliance] [meta] [leaf-revocation-delay] 2024-11-20T16:01:15Z 2024-08-01T20:05:04Z
Buypass: Delayed revocation of TLS certificates 1872738 ASSIGNED Mads Henriksveen [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:49:51Z 2024-01-02T19:18:17Z
CFCA: Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) 1888882 ASSIGNED Gao Fei [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-25T09:58:51Z 2024-04-01T07:19:09Z
Chunghwa Telecom: Delayed Revocation Due to GTLSCA EKU Misissuance 1892419 ASSIGNED Leo Fang [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:57:07Z 2024-04-19T10:55:40Z
Chunghwa Telecom: Delayed Revocation with Controversial Extension (2.5.29.9, SubjectDirectoryAttributes) 1903066 ASSIGNED Leo Fang [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:58:55Z 2024-06-17T14:31:08Z
D-Trust: Missed Revocation of TLS certificates affected by Bugzilla 1884714 1924385 ASSIGNED Enrico Entschew [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-22T19:05:08Z 2024-10-13T17:26:55Z
Digicert: Delayed Revocation for bug 1894560 1896053 ASSIGNED Tim Hollebeek [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:57:34Z 2024-05-10T05:00:07Z
DigiCert: Delayed revocation of 1910322 1910805 ASSIGNED Tim Hollebeek [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-25T23:59:36Z 2024-07-31T00:45:12Z
eMudhra emSign PKI Services: Delayed Revocation of SSL/TLS Certificates 1916478 ASSIGNED Naveen Kumar ML [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T16:01:38Z 2024-09-03T15:24:26Z
Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates 1898848 ASSIGNED ngook.kong [ca-compliance] [leaf-revocation-delay] Next update 2025-03-31 2024-11-20T15:58:29Z 2024-05-25T03:48:12Z
Entrust: Delayed revocation of EV TLS certificates with missing cPSuri 1886532 ASSIGNED Paul van Brouwershaven [ca-compliance] [leaf-revocation-delay] Next update 2025-03-31 2024-11-20T15:53:00Z 2024-03-20T17:22:26Z
Entrust: Failure to revoke EV TLS certificates issued before CPS update 1890685 ASSIGNED Bruce Morton [ca-compliance] [policy-failure] [leaf-revocation-delay] Next update 2025-03-31 2024-11-20T15:56:05Z 2024-04-09T23:40:57Z
GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints 1889062 ASSIGNED capoc [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:55:43Z 2024-04-02T09:18:52Z
Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical 1887888 ASSIGNED Man Ho [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:54:44Z 2024-03-26T14:39:37Z
Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem 1886665 ASSIGNED Man Ho [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:53:35Z 2024-03-21T04:30:30Z
Microsec: Delayed revocation of the misissued certificates 1887110 ASSIGNED dr. Sándor SZŐKE [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:54:08Z 2024-03-22T18:00:56Z
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation 1891331 ASSIGNED Nikolett [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:56:38Z 2024-04-13T22:07:56Z
Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical 1877388 ASSIGNED Arnold Essing [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:50:35Z 2024-01-30T07:52:58Z
Telia: Delayed revocation of seven (7) certificates related to incident 1896108 1896553 ASSIGNED Antti Backman [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:58:07Z 2024-05-14T04:48:55Z
TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order 1884568 ASSIGNED Hao-Chun Li [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:51:05Z 2024-03-10T12:44:57Z
TWCA: Revocation delay for TLS certificates with non-critical basicConstraints 1886110 ASSIGNED chtsai [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:52:35Z 2024-03-19T07:42:18Z
VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 1885568 ASSIGNED Andrea Holland [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2025-02-01 2024-11-20T15:51:59Z 2024-03-15T16:20:17Z

22 Total; 22 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: