CA/Incident Dashboard

From MozillaWiki

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined not to be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Certainly: Root CRL validity period exceeds maximum by one second | 1732745 | ASSIGNED | Wayne Thayer | [ca-compliance] | 2021-10-11T22:56:50Z |
| E-Tugra: CA Certificate Missing from Audit Reports | 1716843 | ASSIGNED | Davut Tokgöz | [ca-compliance] Next update 2021-11-01 | 2021-08-24T14:50:03Z |
| E-Tugra: Forbidden Domain Validation Method 3.2.2.4.6 | 1716902 | ASSIGNED | Davut Tokgöz | [ca-compliance] | 2021-08-25T14:17:48Z |
| emSign: Audit Delay | 1728790 | ASSIGNED | Vijay Kumar | [ca-compliance][audit-delay][covid-19] | 2021-09-30T12:55:05Z |
| Entrust: Incorrect value in Business Category field for Government Entities | 1728796 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] Next update 2021-11-15 | 2021-09-29T13:26:55Z |
| Entrust: Invalid localityName | 1712106 | ASSIGNED | Dathan Demone | [ca-compliance] Next update 2021-11-15 | 2021-09-15T20:33:20Z |
| Entrust: Test Website Certificates Expired | 1731887 | ASSIGNED | Bruce Morton | [ca-compliance] | 2021-10-14T14:37:28Z |
| Firmaprofesional: 2021 Audit Report Finding 2 out of 3 | 1717791 | ASSIGNED | Maria Jose Prieto | [ca-compliance] Next update 2021-10-01 | 2021-10-14T13:30:41Z |
| GlobalSign: Incorrect OCSP Delegated Responder Certificate | 1649937 | ASSIGNED | douglas.beattie | [ca-compliance] Next Update 2021-10-01 | 2021-09-08T16:57:33Z |
| GoDaddy: Certificate Problem Report responses greater than 24 hours | 1734953 | ASSIGNED | Brittany Randall | [ca-compliance] | 2021-10-12T20:00:13Z |
| GoDaddy: Issued EV Wildcard Certificate | 1731939 | ASSIGNED | Brittany Randall | [ca-compliance] Next update 2021-11-01 | 2021-10-12T14:17:43Z |
| GoDaddy: Root CRLs exceed maximum validity period by 1 second | 1734265 | ASSIGNED | Brittany Randall | [ca-compliance] | 2021-10-12T14:16:28Z |
| Google Trust Services: CRL validity period set to expected value plus one second | 1731164 | ASSIGNED | Cade Cairns | [ca-compliance] | 2021-10-14T22:38:03Z |
| Google Trust Services: Delayed publication of CPS removing DNS Operator Exception | 1729097 | ASSIGNED | Brett L | [ca-compliance] Next update 2021-09-24 | 2021-10-14T22:39:27Z |
| IdenTrust: Intermittent interruptions to DNS service | 1734906 | ASSIGNED | IdenTrust | [ca-compliance] | 2021-10-15T22:18:54Z |
| IdenTrust: Mis-Issued EV Certificates | 1734917 | ASSIGNED | IdenTrust | [ca-compliance] | 2021-10-15T22:17:52Z |
| iTrusChina: verification errors for the roots' CRLs(ARL) | 1712664 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] | 2021-10-14T08:29:27Z |
| KIR S.A.: Invalid organizationName | 1705647 | ASSIGNED | Piotr Grabowski | [ca-compliance] Next update 2021-10-15 | 2021-09-08T19:57:20Z |
| Let's Encrypt: certificate lifetimes 90 days plus one second | 1715455 | ASSIGNED | Josh Aas | [ca-compliance] Next update 2021-11-12 | 2021-10-09T03:14:38Z |
| Let's Encrypt: Mis-issued certificates related to SC48v2 | 1735247 | ASSIGNED | Jillian | [ca-compliance] | 2021-10-15T21:14:16Z |
| Microsec: Misissuance of one OV certificate with Key Usage KeyEncipherment | 1728384 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] | 2021-09-15T09:36:53Z |
| Microsoft PKI Services: Malformed ICAs (missing certificate policy extensions) | 1711147 | ASSIGNED | John Mason | [ca-compliance] Next update 2021-12-31 | 2021-09-30T19:22:43Z |
| Netlock: CA Certificate Missing from Audit Reports | 1716874 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-09-21T08:03:25Z |
| Netlock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit | 1680378 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-10-05T08:52:25Z |
| Network Solutions: 2021 Audit Observation #1 | 1725039 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-10-08T17:34:47Z |
| Network Solutions: 2021 Audit Observation #3 | 1725043 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-10-08T18:06:18Z |
| Network Solutions: All test CA test website certificates are expired | 1726333 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-10-08T17:32:24Z |
| PKIoverheid: KPN CPS Lists Forbidden Domain Validation Method 3.2.2.4.6 | 1719451 | ASSIGNED | David Weissenberg | [ca-compliance] Next update 2021-10-01 | 2021-09-16T11:31:07Z |
| Problem with NETLOCK's codesigning CA | 1734114 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-10-05T15:30:53Z |
| QuoVadis/PKIoverheid: incorrect OCSP response for precertificate | 1724276 | ASSIGNED | Stephen Davidson | [ca-compliance] Next update 2021-10-18 | 2021-09-30T20:49:14Z |
| SECOM: CA Certificates Missing from Audit Reports | 1717044 | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-09-10T11:01:30Z |
| SECOM: FUJIFILM intermediate not listed in audit statement | 1695938 | ASSIGNED | Hisashi Kamo | [ca-compliance] Next update 2021-10-01 | 2021-09-08T17:06:38Z |
| SECOM: Root CRLs exceed maximum validity period by 1 second | 1735998 | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-10-15T14:05:25Z |
| Sectigo: CRL validity beyond CPS allowed value | 1735761 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-10-14T15:27:52Z |
| Sectigo: Inappropriate subject:serialNumber information in EV certificates obtained through ACME | 1712120 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2021-10-01 | 2021-10-11T15:56:25Z |
| Sectigo: Missing registration numbers in EV certificates | 1721271 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2021-10-18 | 2021-10-12T15:56:23Z |
| Sectigo: Mojibake in certificate Subject fields | 1724458 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2021-09-18 | 2021-10-09T17:19:34Z |
| Sectigo: Subject field with unvalidated information included in certificates | 1736064 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-10-15T18:22:50Z |
| Sectigo: test certificates issued from trusted CA | 1712188 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-10-14T13:29:30Z |
| Sectigo: Truncated registration numbers in EV certificates | 1732484 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-10-07T13:46:45Z |
| SecureTrust: Invalid localityName | 1720723 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2021-09-22 | 2021-10-12T20:22:42Z |
| SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels | 1724520 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2021-09-17T22:20:23Z |
| SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information | 1722089 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2021-09-11T00:08:19Z |
| SSL.com: Issuance of an EV TLS certificate with incorrect O Field Value | 1719916 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2021-09-03T21:47:29Z |
| SwissSign: Certificate with key length 16258 | 1731586 | ASSIGNED | Mike Guenther | [ca-compliance] | 2021-10-11T10:05:58Z |
| SwissSign: wrong address in EV certificate | 1734131 | ASSIGNED | Mike Guenther | [ca-compliance] | 2021-10-14T13:27:46Z |
| Telia CA: Invalid email contact address was used for few domains | 1736020 | ASSIGNED | pekka.lahtiharju | [ca-compliance] | 2021-10-15T14:06:16Z |
| UniTrust: Improper DER results in failure to comply with RFC 5280 - Encoded sequence component with default value | 1735908 | ASSIGNED | chenxiaotong | [ca-compliance] | 2021-10-15T09:23:19Z |
| Web.com: Failure to respond in time to revocation requests | 1723121 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-10-08T18:05:23Z |
| Web.com: Overdue Audit Statements 2021 | 1721473 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-10-08T18:04:54Z |

50 Total; 50 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags:

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| emSign: Audit Delay | 1728790 | ASSIGNED | Vijay Kumar | [ca-compliance][audit-delay][covid-19] | 2021-09-30T12:55:05Z |

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Camerfirma: Delayed revocations of certificates issued by old CAs with an RSA modulus size of 2047 bits | 1692535 | ASSIGNED | Ana Lopes | [ca-compliance] [delayed-revocation-leaf] Next update 2021-10-11 | 2021-10-08T08:10:31Z |
| KIR S.A.: Delayed revocations of certificates | 1709872 | ASSIGNED | Piotr Grabowski | [ca-compliance] [delayed-revocation-leaf] Next update 2021-12-01 | 2021-09-15T20:41:23Z |
| Let's Encrypt: Failure to revoke for Certificate Lifetime Incident | 1715672 | ASSIGNED | Aaron Gable | [ca-compliance] [delayed-revocation-leaf] Next update 2021-11-12 | 2021-10-07T16:26:40Z |
| SECOM: Delayed Revocation of non-technically constrained FUJIFILM Certificates | 1707229 | ASSIGNED | Hisashi Kamo | [ca-compliance] [delayed-revocation-leaf] Next update 2021-10-01 | 2021-09-28T08:16:15Z |

4 Total; 4 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: