CA/Incident Dashboard
From MozillaWiki
< CA
Contents
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| ACCV: Certificates issued with cRLIssuer in CDP extension | 1884532 | ASSIGNED | Jose Amador | [ca-compliance] [ov-misissuance] | 2024-04-17T08:49:29Z | 2024-03-09T18:14:05Z |
| ACCV: Certificates issued with Policy qualifiers other than id-qt-cps | 1889567 | ASSIGNED | Jose Amador | [ca-compliance] [ev-misissuance] | 2024-04-19T08:00:53Z | 2024-04-04T07:53:32Z |
| ACCV: Delayed response to CPR | 1886785 | ASSIGNED | Jose Amador | [ca-compliance] [policy-failure] | 2024-04-17T08:48:50Z | 2024-03-21T15:13:02Z |
| Actalis: Certificates issued with invalid RDN order | 1883731 | ASSIGNED | Marco Menonna | [ca-compliance] [ev-misissuance] | 2024-04-15T14:23:20Z | 2024-03-05T18:26:39Z |
| AGCE: Non-Compliant VPN Certificate Issuance | 1882256 | ASSIGNED | ance.certification.info | [ca-compliance] [ov-misissuance] | 2024-03-20T16:47:20Z | 2024-02-27T10:44:42Z |
| Asseco Data Systems S.A. (Certum): CRL non-conformance with the TLS BRs | 1888689 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [crl-failure] [external] | 2024-04-17T12:34:49Z | 2024-03-29T17:37:14Z |
| Buypass: TLS certificates with incorrect Subject attribute order | 1864204 | ASSIGNED | Mads Henriksveen | [ca-compliance] [ov-misissuance] [ev-misissuance] Next update 2024-05-06 | 2024-04-10T16:05:49Z | 2023-11-10T16:21:34Z |
| Buypass: Using an external DNS Resolver for DNS lookups | 1872371 | ASSIGNED | Mads Henriksveen | [ca-compliance] [ov-misissuance] Next update 2024-05-06 | 2024-04-03T17:42:14Z | 2023-12-29T16:02:59Z |
| Certigna: TLS certificates with Basic constraint non-critical | 1883416 | ASSIGNED | Josselin Allemandou | [ca-compliance] [ov-misissuance] | 2024-04-10T15:30:22Z | 2024-03-04T16:36:15Z |
| certSIGN: Certificates with incorrect Subject attribute order | 1886624 | ASSIGNED | Gabriel PETCU | [ca-compliance] [ov-misissuance] | 2024-04-09T11:44:42Z | 2024-03-20T22:28:05Z |
| certSIGN: Delayed response to CPR | 1886626 | ASSIGNED | Gabriel PETCU | [ca-compliance] [policy-failure] | 2024-04-09T11:44:55Z | 2024-03-20T22:29:39Z |
| CFCA: certificate basicConstraints extension not marked as critical | 1886135 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] | 2024-04-06T05:05:04Z | 2024-03-19T10:57:32Z |
| CFCA: Failure to respond to a Certificate Problem Report in a complete and/or timely manner | 1888881 | ASSIGNED | Gao Fei | [ca-compliance] [policy-failure] | 2024-04-08T03:47:00Z | 2024-04-01T07:17:16Z |
| Chunghwa Telecom: Wrong Extended Key Usage setting by GTLSCA | 1887096 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [ov-misissuance] | 2024-04-19T11:04:55Z | 2024-03-22T17:25:13Z |
| D-Trust: Issuance of 15 certificates with incorrect subject attribute order | 1891225 | ASSIGNED | Leyla Sahin | [ca-compliance] [ev-misissuance] | 2024-04-15T15:30:24Z | 2024-04-12T13:48:03Z |
| D-Trust: Issuance of 15 DV certificates containing ‘serialNumber’ field within subject | 1861069 | ASSIGNED | Enrico Entschew | [ca-compliance] [dv-misissuance] | 2024-04-17T01:43:45Z | 2023-10-25T14:25:07Z |
| D-Trust: LDAP-URL in Subscriber Certificate Authority Information Access field | 1884714 | ASSIGNED | Enrico Entschew | [ca-compliance] [ov-misissuance] | 2024-04-05T08:48:06Z | 2024-03-11T16:29:07Z |
| Digicert: Failure to include CPS URI in 1 certificate | 1888016 | ASSIGNED | Jeremy Rowley | [ca-compliance] [policy-failure] [ev-misissuance] Next update 2024-06-01 | 2024-04-09T22:02:16Z | 2024-03-27T01:23:16Z |
| Digicert: Government Entity listed instead of registration number | 1891531 | ASSIGNED | Jeremy Rowley | [ca-compliance] [ev-misissuance] | 2024-04-16T16:35:21Z | 2024-04-15T17:06:23Z |
| Disig: Certificates with incorrect Subject attribute order | 1889672 | ASSIGNED | Jozef Nigut | [ca-compliance] [ov-misissuance] | 2024-04-16T12:29:42Z | 2024-04-04T15:16:17Z |
| Disig: TLS certificate with basicConstraints not marked as critical | 1888104 | ASSIGNED | Jozef Nigut | [ca-compliance] [ov-misissuance] | 2024-04-19T14:53:00Z | 2024-03-27T10:37:26Z |
| e-commerce monitoring GmbH: CRLs with mismatched issuer | 1888371 | ASSIGNED | Daniel Zens | [ca-compliance] [crl-failure] [external] | 2024-04-19T11:47:48Z | 2024-03-28T10:58:07Z |
| e-commerce monitoring gmbh: precertificate validity does not match leaf certificate | 1883711 | ASSIGNED | Daniel Zens | [ca-compliance] [ov-misissuance] | 2024-04-19T11:56:03Z | 2024-03-05T17:00:37Z |
| Entrust: clientAuth TLS Certificates without serverAuth EKU | 1886467 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [ev-misissuance] Next update 2024-04-30 | 2024-04-19T15:12:15Z | 2024-03-20T14:42:35Z |
| Entrust: CPR was not responded to in 24 hours | 1885754 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [external] [policy-failure] Next update 2024-05-03 | 2024-04-19T17:11:48Z | 2024-03-16T22:14:29Z |
| Entrust: CPS typographical (text placement) error | 1890896 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-04-19T15:04:11Z | 2024-04-11T00:45:36Z |
| Entrust: CRL non-conformance with the TLS BRs | 1889217 | ASSIGNED | Bruce Morton | [ca-compliance] [crl-failure] [external] | 2024-04-17T22:21:25Z | 2024-04-02T19:39:57Z |
| Entrust: Delayed incident report - CPS typographical (text placement) error | 1890901 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-04-17T17:14:02Z | 2024-04-11T01:04:16Z |
| Entrust: EV Certificate missing Issuer’s EV Policy OID | 1888714 | ASSIGNED | Bruce Morton | [ca-compliance] [ev-misissuance] | 2024-04-19T14:54:32Z | 2024-03-29T21:05:02Z |
| Entrust: EV TLS Certificate cPSuri missing | 1883843 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [ev-misissuance] | 2024-04-19T15:07:52Z | 2024-03-06T08:35:58Z |
| Entrust: Failed to provide a preliminary incident report according to TLS BR 4.9.5 | 1890123 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [policy-failure] | 2024-04-19T09:45:08Z | 2024-04-06T13:24:25Z |
| Entrust: Failure to revoke EV TLS certificates issued before CPS update | 1890685 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-04-19T16:53:50Z | 2024-04-09T23:40:57Z |
| Entrust: Failure to revoke OV TLS - CPS typographical (text placement) error | 1890898 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-04-19T14:58:33Z | 2024-04-11T00:52:33Z |
| Entrust: Late CPS Update | 1887753 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] [ev-misissuance] | 2024-04-19T14:50:35Z | 2024-03-25T20:45:35Z |
| Entrust: OCSP response signed with SHA-1 | 1879602 | ASSIGNED | Bruce Morton | [ca-compliance] [ocsp-failure] Next update 2024-05-03 | 2024-04-17T22:28:53Z | 2024-02-09T18:13:00Z |
| Firmaprofesional: Policy Qualifiers other than id-qt-cps present for certificate | 1889420 | ASSIGNED | ext-antoni.camon | [ca-compliance] [ov-misissuance] | 2024-04-11T15:26:07Z | 2024-04-03T15:46:27Z |
| FNMT: Certificates issued included Policy qualifiers other than id-qt-cps | 1875942 | ASSIGNED | Amaya Espinosa | [ca-compliance] [ov-misissuance] [ev-misissuance] | 2024-02-24T15:58:01Z | 2024-01-22T23:10:58Z |
| GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints | 1888060 | ASSIGNED | capoc | [ca-compliance] [ov-misissuance] | 2024-04-16T13:05:18Z | 2024-03-27T06:15:29Z |
| Google Trust Services: Incorrect OCSP responses for new ICAs under test | 1882904 | ASSIGNED | Google Trust Services | [ca-compliance] [ocsp-failure] Next update 2024-04-26 | 2024-04-15T03:38:48Z | 2024-02-29T22:32:18Z |
| Hongkong Post: Delayed response to CPR | 1886722 | ASSIGNED | Man Ho | [ca-compliance] [policy-failure] | 2024-03-26T08:30:26Z | 2024-03-21T11:36:56Z |
| Hongkong Post: TLS certificates with basicConstraints not marked as critical | 1887008 | ASSIGNED | Man Ho | [ca-compliance] [ov-misissuance] | 2024-03-26T03:49:51Z | 2024-03-22T13:11:35Z |
| Hongkong Post: TLS certificates with Certificate Policies extension that does not assert http scheme | 1886406 | ASSIGNED | Man Ho | [ca-compliance] [ov-misissuance] | 2024-03-25T14:07:14Z | 2024-03-20T11:23:23Z |
| Izenpe: Failure to Submit Annual CCADB Self-Assessment | 1883493 | ASSIGNED | David | [ca-compliance] [disclosure-failure] [external] | 2024-03-21T09:50:35Z | 2024-03-04T20:36:07Z |
| Microsec: Disallowed subject attribute field in DV certificate | 1889699 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [dv-misissuance] | 2024-04-11T15:24:41Z | 2024-04-04T17:01:58Z |
| Microsec: Late response to a certificate problem report | 1886998 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [policy-failure] | 2024-04-19T16:57:56Z | 2024-03-22T12:22:34Z |
| Microsec: Misissuance an EV TLS certificate without CPSuri | 1886257 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [ev-misissuance] | 2024-04-11T14:50:58Z | 2024-03-19T18:23:18Z |
| NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates | 1889570 | ASSIGNED | Tamás Horváth | [ca-compliance] [ev-misissuance] | 2024-04-19T13:48:07Z | 2024-04-04T08:18:19Z |
| Sectigo: EV Certificate issuance with incorrect subject:serialNumber attribute value | 1891245 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ev-misissuance] | 2024-04-19T21:30:04Z | 2024-04-12T15:53:42Z |
| Sectigo: Premature disabling of CRL generation for an inactive CA | 1891039 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [crl-failure] | 2024-04-17T15:09:21Z | 2024-04-11T14:49:46Z |
| SSL.com - Issuance of one Sponsored-Validated S/MIME certificate with organization information in givenName and surName of the subjectDN | 1871113 | ASSIGNED | Thomas Zermeno | [ca-compliance] [smime-misissuance] | 2024-02-22T22:18:09Z | 2023-12-20T18:56:27Z |
| SSL.com: Findings in 2023 audit | 1867851 | ASSIGNED | Thomas Zermeno | [ca-compliance] [audit-finding] Next update 2024-02-16 | 2024-04-05T20:59:48Z | 2023-12-01T19:23:02Z |
| SSL.com: subCA/Reseller Issues | 1832570 | ASSIGNED | Thomas Zermeno | [ca-compliance] [policy-failure] | 2024-04-19T21:42:11Z | 2023-05-11T13:53:25Z |
| Telekom Security: TLS certificates with basicConstraints not marked as critical | 1875820 | ASSIGNED | Arnold Essing | [ca-compliance] [ov-misissuance] | 2024-04-15T07:09:36Z | 2024-01-22T14:27:18Z |
| TWCA: Revocation delay for TLS certificates with non-critical basicConstraints | 1886110 | ASSIGNED | chtsai | [ca-compliance] [ov-misissuance] | 2024-04-19T05:13:38Z | 2024-03-19T07:42:18Z |
| TWCA: TLS certificates with non-critical basicConstraints | 1885132 | ASSIGNED | Hao-Chun Li | [ca-compliance] [ov-misissuance] [ev-misissuance] | 2024-04-15T09:06:10Z | 2024-03-13T13:09:19Z |
| TWCA: TLS EV certificates with invalid subject attribute order | 1883620 | ASSIGNED | Hao-Chun Li | [ca-compliance] [ev-misissuance] Next update 2024-04-30 | 2024-04-15T13:26:03Z | 2024-03-05T12:28:02Z |
| VikingCloud: Delayed preliminary report of CPR to affected Subscribers | 1888667 | ASSIGNED | Andrea Holland | [ca-compliance] [policy-failure] | 2024-04-19T19:49:27Z | 2024-03-29T15:15:35Z |
| VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | 1885568 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] | 2024-04-19T21:52:27Z | 2024-03-15T16:20:17Z |
| VikingCloud: OV Precertificates with incorrect Subject RDN encoding order | 1883779 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] | 2024-04-16T22:06:47Z | 2024-03-05T21:42:27Z |
59 Total; 59 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
No results.
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| ACCV: Delayed revocation of TLS certificates affected by bug #1884532 | 1886788 | ASSIGNED | Jose Amador | [ca-compliance] [leaf-revocation-delay] | 2024-04-17T08:48:24Z | 2024-03-21T15:34:41Z |
| Actalis: revocation delay for certificates issued with invalid RDN Order | 1887941 | ASSIGNED | Marco Menonna | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T14:23:23Z | 2024-03-26T17:50:20Z |
| Buypass: Delayed revocation of TLS certificates | 1872738 | ASSIGNED | Mads Henriksveen | [ca-compliance] [leaf-revocation-delay] Next update 2024-05-06 | 2024-04-03T17:38:42Z | 2024-01-02T19:18:17Z |
| Certigna: Revocation delay for TLS certificates with basic constraint not marked as critical | 1886442 | ASSIGNED | Josselin Allemandou | [ca-compliance] [leaf-revocation-delay] | 2024-03-28T17:20:01Z | 2024-03-20T13:44:20Z |
| certSIGN: Delayed revocation | 1886627 | ASSIGNED | Gabriel PETCU | [ca-compliance] [leaf-revocation-delay] | 2024-04-09T11:45:04Z | 2024-03-20T22:30:47Z |
| CFCA:Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) | 1888882 | ASSIGNED | Gao Fei | [ca-compliance] [leaf-revocation-delay] | 2024-04-17T15:27:24Z | 2024-04-01T07:19:09Z |
| e-commerce monitoring GmbH: Delayed revocation | 1862004 | ASSIGNED | Daniel Zens | [ca-compliance] [leaf-revocation-delay] [external] | 2024-04-12T16:51:21Z | 2023-10-30T15:06:09Z |
| Entrust: Delayed revocation of clientAuth TLS Certificates without serverAuth EKU | 1887705 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] | 2024-04-19T13:47:16Z | 2024-03-25T16:44:53Z |
| Entrust: Delayed revocation of EV TLS certificates with missing cPSuri | 1886532 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] | 2024-04-19T13:45:04Z | 2024-03-20T17:22:26Z |
| FIRMAPROFESIONAL: Delayed leaf revocation | 1891251 | ASSIGNED | ext-antoni.camon | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T14:48:50Z | 2024-04-12T16:11:20Z |
| GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints | 1889062 | ASSIGNED | capoc | [ca-compliance] [leaf-revocation-delay] | 2024-04-17T02:35:25Z | 2024-04-02T09:18:52Z |
| Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical | 1887888 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-03-26T14:43:39Z | 2024-03-26T14:39:37Z |
| Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem | 1886665 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-03-21T15:55:40Z | 2024-03-21T04:30:30Z |
| Microsec: Delayed revocation of the misissued certificates | 1887110 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [leaf-revocation-delay] | 2024-04-10T15:33:18Z | 2024-03-22T18:00:56Z |
| NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation | 1891331 | ASSIGNED | Tamás Horváth | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T02:39:43Z | 2024-04-13T22:07:56Z |
| Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical | 1877388 | ASSIGNED | Arnold Essing | [ca-compliance] [leaf-revocation-delay] | 2024-04-19T07:29:15Z | 2024-01-30T07:52:58Z |
| TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order | 1884568 | ASSIGNED | Hao-Chun Li | [ca-compliance] [leaf-revocation-delay] Next update 2024-04-30 | 2024-04-16T17:56:39Z | 2024-03-10T12:44:57Z |
17 Total; 17 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
