CA/Incident Dashboard

From MozillaWiki
< CA
Jump to: navigation, search

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
Summary ID Status Assigned to Whiteboard Last change time
CFCA: Overdue Audit Statements 2021 1741497 ASSIGNED Oliver Bi [ca-compliance] [audit-delay] 2022-01-05T03:13:44Z
E-Tugra: CA Certificate Missing from Audit Reports 1716843 ASSIGNED Davut Tokgöz [ca-compliance] Next update 2022-01-20 2022-01-11T16:38:11Z
eMudhra emSign CA: Invalid OrganizationalUnitName 1745015 ASSIGNED Vijay Kumar [ca-compliance] 2021-12-13T13:52:46Z
Entrust: CRLs and OCSP responses not issued as specified in the CPS 1737057 ASSIGNED Bruce Morton [ca-compliance] 2021-11-05T17:16:40Z
FNMT: Invalid localityName 1744722 ASSIGNED alain [ca-compliance] Next update 2022-02-28 2022-01-12T15:23:24Z
GlobalSign: EV certificates with serialNumber Government Entity and businessCategory Private Organization 1744518 ASSIGNED Paul Brown [ca-compliance] 2022-01-15T03:39:42Z
GlobalSign: Incorrect OCSP Delegated Responder Certificate 1649937 ASSIGNED douglas.beattie [ca-compliance] Next Update 2022-01-31 2022-01-17T07:44:37Z
GoDaddy: Failure to Revoke Subscriber Certificates within 24 hours 1742657 ASSIGNED Brittany Randall [ca-compliance] Next update 2022-02-11 2022-01-08T02:00:03Z
IdenTrust: Issuance of OV SSL Certificate with doc vetting older than 398 days 1744627 ASSIGNED IdenTrust [ca-compliance] Next update 2022-01-17 2021-12-30T23:08:15Z
IdenTrust: Mis-Issued EV Certificates 1734917 ASSIGNED IdenTrust [ca-compliance] Next update 2022-01-22 2022-01-11T17:04:54Z
IdenTrust: OCSP Signer Certificate Missing No-Check Extension 1749089 ASSIGNED IdenTrust [ca-compliance] 2022-01-17T22:44:52Z
Izenpe: CRL and ARL exceed validity period value by one second 1738421 ASSIGNED David [ca-compliance] 2021-11-03T15:17:42Z
KIR S.A.: Invalid organizationName 1705647 ASSIGNED Piotr Grabowski [ca-compliance] Next update 2022-01-22 2022-01-11T17:21:19Z
Microsec: Misissuance of one OV certificate with Key Usage KeyEncipherment 1728384 ASSIGNED dr. Sándor SZŐKE [ca-compliance] 2022-01-11T13:14:00Z
Microsoft PKI Services: Malformed ICAs (missing certificate policy extensions) 1711147 ASSIGNED John Mason [ca-compliance] Next update 2022-01-17 2022-01-07T18:57:48Z
Netlock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit 1680378 ASSIGNED Anna Bányai [ca-compliance] 2021-11-10T17:45:15Z
PKIoverheid: (KPN) Incorrect Subject OrganizationName 1746421 ASSIGNED David Weissenberg [ca-compliance] 2022-01-10T09:53:03Z
Sectigo: Mojibake in certificate Subject fields 1724458 ASSIGNED Tim Callan [ca-compliance] Next update 2022-02-15 2022-01-14T17:25:15Z
Sectigo: OCSP responses directly signed using root certificates without KU=digitalSignature 1741777 ASSIGNED Rob Stradling [ca-compliance] Next update 2022-02-02 2022-01-14T15:30:03Z
Sectigo: Subject field with unvalidated information included in certificates 1736064 ASSIGNED Tim Callan [ca-compliance] Next update 2022-02-07 2022-01-10T18:28:04Z
SecureTrust: Invalid localityName 1720723 ASSIGNED Andrea Holland [ca-compliance] Next update 2022-01-18 2022-01-11T17:11:25Z Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels 1724520 ASSIGNED Chris Kemmerer [ca-compliance] Next update 2022-01-17 2022-01-17T22:33:11Z Issuance of 3 EV TLS certificates without 2-person validation of the organization information 1722089 ASSIGNED Chris Kemmerer [ca-compliance] Next update 2022-01-17 2022-01-17T22:28:24Z Issuance of TLS certificates with validation methods prohibited by SC-45 1750631 ASSIGNED Chris Kemmerer [ca-compliance] 2022-01-17T20:48:33Z
Telia CA: Invalid email contact address was used for few domains 1736020 ASSIGNED pekka.lahtiharju [ca-compliance] 2021-10-29T13:23:45Z
Telia CA: Issued three precertificates with non-NIST EC curve 1738207 ASSIGNED pekka.lahtiharju [ca-compliance] 2021-12-21T08:17:22Z
TWCA: [Policy OID not set to indicate the assurance level to the issued certs] 1738778 ASSIGNED Hao-Chun Li [ca-compliance] 2022-01-11T17:04:00Z
UniTrust: Improper DER results in failure to comply with RFC 5280 - Encoded sequence component with default value 1735908 ASSIGNED chenxiaotong [ca-compliance] 2021-10-25T08:28:46Z

28 Total; 28 Open (100%); 0 Resolved (0%); 0 Verified (0%);

Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Full Query
Summary ID Status Assigned to Whiteboard Last change time
CFCA: Overdue Audit Statements 2021 1741497 ASSIGNED Oliver Bi [ca-compliance] [audit-delay] 2022-01-05T03:13:44Z

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);

Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
Summary ID Status Assigned to Whiteboard Last change time
Amazon Trust Services - Delayed Revocation of Subordinate CA 1743943 ASSIGNED Trevoli (Amazon Trust Services) [ca-compliance] [delayed-revocation-ca] Next update 2022-01-31 2022-01-13T01:43:29Z
Camerfirma: Delayed revocations of certificates issued by old CAs with an RSA modulus size of 2047 bits 1692535 ASSIGNED Ana Lopes [ca-compliance] [delayed-revocation-leaf] Next update 2022-01-18 2022-01-11T17:19:42Z
Entrust: Late Revocation for SSL Certificates issued with Un-verified IP Addresses 1748634 ASSIGNED Bruce Morton [ca-compliance] [delayed-revocation-leaf] 2022-01-17T21:50:18Z
KIR S.A.: Delayed revocations of certificates 1709872 ASSIGNED Piotr Grabowski [ca-compliance] [delayed-revocation-leaf] Next update 2022-01-22 2022-01-11T17:16:37Z
SECOM: Delayed Revocation of non-technically constrained FUJIFILM Certificates 1707229 ASSIGNED Hisashi Kamo [ca-compliance] [delayed-revocation-leaf] Next update 2022-01-17 2022-01-17T05:47:31Z
Telia CA: Delayed revocation of 5 EE certificates in connection to id=1736020 1737808 ASSIGNED pekka.lahtiharju [ca-compliance] [delayed-revocation-leaf] 2021-10-29T13:15:28Z

6 Total; 6 Open (100%); 0 Resolved (0%); 0 Verified (0%);

Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: