CA/Incident Dashboard


Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, where the concern has been determined not to be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Apple: EV TLS pre-certificates issued without EKU extension | 1777757 | ASSIGNED | certification_authority | [ca-compliance] | 2022-07-03T19:23:42Z |
| Apple: OCSP responders return ‘unknown’ for valid S/MIME and TLS certificates | 1771398 | ASSIGNED | certification_authority | [ca-compliance] | 2022-07-01T20:34:52Z |
| Certainly: Serving Expired OCSP Responses | 1771238 | ASSIGNED | Wayne Thayer | [ca-compliance] Next update 2022-07-31 | 2022-07-03T19:24:29Z |
| Certigna: Certificate issued with validity period greater than 398-days | 1774418 | ASSIGNED | Josselin Allemandou | [ca-compliance] | 2022-06-16T07:36:12Z |
| Certigna: Precertificate with a validity period greater than 398-days | 1774171 | ASSIGNED | Ben Wilson | [ca-compliance] | 2022-07-05T14:29:26Z |
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-06-20T09:35:10Z |
| CFCA: Precertificate with postalCode and streetAddress swapped | 1771482 | ASSIGNED | bixinlong | [ca-compliance] | 2022-07-05T01:35:08Z |
| D-Trust: Wrong key usage (Key Agreement) | 1756122 | ASSIGNED | Enrico Entschew | [ca-compliance] Next update 2022-06-15 | 2022-06-20T19:57:43Z |
| Entrust: TLS Certificate issued with a key that is impacted by the Close Primes vulnerability | 1766525 | ASSIGNED | Bruce Morton | [ca-compliance] Next update 2022-10-01 | 2022-06-01T21:12:43Z |
| Firmaprofesional: 2022 - Define Device Obsolescence Process | 1771727 | ASSIGNED | Maria Jose Prieto | [ca-compliance] | 2022-06-30T08:37:08Z |
| Firmaprofesional: 2022 - Title field | 1771722 | ASSIGNED | Maria Jose Prieto | [ca-compliance] | 2022-06-20T09:51:16Z |
| GoDaddy: Misissuance of Cross Signed Certs | 1777128 | ASSIGNED | daryn | [ca-compliance] | 2022-06-29T20:48:17Z |
| Google Trust Services: Failure to provide preliminary report within 24h | 1770510 | REOPENED | Cade Cairns | [ca-compliance] | 2022-07-06T16:06:04Z |
| Google Trust Services: Incorrect OCSP responses for certain certificates | 1773556 | ASSIGNED | Cade Cairns | [ca-compliance] | 2022-07-07T16:18:24Z |
| IdenTrust: : CRL Potential Publication Delay due to Cache | 1775454 | ASSIGNED | IdenTrust | [ca-compliance] | 2022-07-01T15:18:08Z |
| IdenTrust: Failure to provide OCSP responses for valid ICA certificates | 1758213 | ASSIGNED | IdenTrust | [ca-compliance] Next update 2022-06-30 | 2022-07-01T03:42:57Z |
| IdenTrust: OCSP Signer Certificate Missing No-Check Extension | 1749089 | ASSIGNED | IdenTrust | [ca-compliance] Next update 2022-07-31 | 2022-07-01T15:20:59Z |
| SECOM: Failed an annual update of Cybertrust Japan (CTJ) CPS | 1769222 | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2022-06-02T08:26:44Z |
| Sectigo: OCSP responses directly signed using root certificates without KU=digitalSignature | 1741777 | ASSIGNED | Rob Stradling | [ca-compliance] Next update 2022-07-27 | 2022-06-15T15:43:15Z |
| SecureTrust: 2 certificates with non-DER encoded keyUsage extension | 1776764 | ASSIGNED | Andrea Holland | [ca-compliance] | 2022-06-28T23:52:22Z |
| SecureTrust: Incorrect OCSP response | 1765800 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2022-09-01 | 2022-05-20T17:45:51Z |
| SecureTrust: Invalid localityName | 1720723 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2022-06-01 | 2022-06-30T15:24:01Z |
| TWCA: Policy OID not set to indicate the assurance level to the issued certs | 1738778 | ASSIGNED | Hao-Chun Li | [ca-compliance] | 2022-06-06T04:01:16Z |
| UniTrust: Improper DER results in failure to comply with RFC 5280 - Encoded sequence component with default value | 1735908 | ASSIGNED | chenxiaotong | [ca-compliance] Next update 2022-10-15 | 2022-06-01T20:41:59Z |

24 Total; 24 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-06-20T09:35:10Z |

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Amazon Trust Services: Delayed Revocation of Subordinate CA | 1743943 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] [delayed-revocation-ca] Next update 2022-10-01 | 2022-07-01T16:34:06Z |
| SSL.com: Delayed revocation of 53 certificates affected by bug #1750631 | 1752636 | ASSIGNED | Chris Kemmerer | [ca-compliance] [delayed-revocation-leaf] | 2022-06-29T21:12:04Z |

2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: