CA/Incident Dashboard
From MozillaWiki
< CA
Contents
Open CA Bugs in Bugzilla
There are three separate lists of open compliance bugs below:
- Compliance bugs (not including audit delays or leaf revocation delays)
- Audit Delays
- Leaf Revocation Delays
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=CA+Program&component=CA+Certificate+Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| Actalis: CRL distribution point with ldap scheme | 1906690 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-11-07T16:39:00Z | 2024-07-08T15:44:42Z |
| Actalis: Use of CRLReason Code in Certificate Revocation | 1914419 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-11-07T16:34:59Z | 2024-08-22T15:13:31Z |
| certSIGN: Missing certificate from the list of bad order subject attributtes | 1924497 | ASSIGNED | Gabriel PETCU | [ca-compliance] [disclosure-failure] | 2024-10-23T06:01:22Z | 2024-10-14T11:33:46Z |
| CFCA: Failure to respond to a CPR in a complete and/or timely manner | 1888881 | ASSIGNED | Gao Fei | [ca-compliance] [policy-failure] | 2024-09-12T18:01:32Z | 2024-04-01T07:17:16Z |
| Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired | 1904038 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [policy-failure] | 2024-09-23T11:22:43Z | 2024-06-21T12:48:21Z |
| Chunghwa Telecom: TLS Certificates Contains two LocalityName Values in SubjectDN by GTLSCA | 1916392 | ASSIGNED | Leo Fang | [ca-compliance] [ov-misissuance] | 2024-11-05T09:22:53Z | 2024-09-03T10:00:29Z |
| DigiCert: Domain used for CRLs and OCSP has expired | 1930759 | ASSIGNED | Tim Hollebeek | [ca-compliance] [external] [crl-failure] [ocsp-failure] | 2024-11-15T20:15:30Z | 2024-11-12T20:41:59Z |
| DigiCert: Incorrect CP listed in CCADB | 1925106 | ASSIGNED | Tim Hollebeek | [ca-compliance] [disclosure-failure] | 2024-11-15T21:20:25Z | 2024-10-16T19:56:28Z |
| DigiCert: Incorrect OrgID in S/MIME certificates for one customer | 1927506 | ASSIGNED | Tim Hollebeek | [ca-compliance] [smime-misissuance] | 2024-11-19T21:42:02Z | 2024-10-28T16:12:09Z |
| DigiCert: Random value in CNAME without underscore prefix | 1910322 | ASSIGNED | Jeremy Rowley | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] Next update 2024-11-01 | 2024-11-19T21:54:45Z | 2024-07-29T02:17:59Z |
| DigiCert: Typo in TLS Org Name | 1910258 | ASSIGNED | Martin Sullivan | [ca-compliance] [ov-misissuance] Next update 2024-11-15 | 2024-11-15T20:01:58Z | 2024-07-27T20:48:42Z |
| DigiCert: Unclear Disclosure of CAA Issuer Domain Names | 1914911 | ASSIGNED | Tim Hollebeek | [ca-compliance] [policy-failure] [external] Next update 2024-11-01 | 2024-11-20T21:36:24Z | 2024-08-26T13:21:22Z |
| eMudhra emSign PKI Services : Key Blocking Mechanism Fails to Validate Historical Public Key Reuse. | 1931683 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [dv-misissuance] [ov-misissuance] | 2024-11-18T18:04:08Z | 2024-11-16T08:39:56Z |
| eMudhra emSign PKI Services : OCSP Responder Time Inconsistency | 1917459 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [ocsp-failure] | 2024-11-13T15:28:09Z | 2024-09-08T09:06:01Z |
| eMudhra emSign PKI Services: Failure To Update CA Owner Information In CCADB | 1924492 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [disclosure-failure] | 2024-11-13T15:24:31Z | 2024-10-14T11:19:40Z |
| Entrust: Action Items from June 2024 Report | 1901270 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] Next update 2024-11-30 | 2024-10-31T14:37:19Z | 2024-06-07T16:50:41Z |
| Entrust: CRL missing revocation reasonCode | 1931886 | ASSIGNED | Bruce Morton | [ca-compliance] [crl-failure] | 2024-11-18T16:25:40Z | 2024-11-18T15:12:21Z |
| Entrust: Improperly Verified Business Category | 1921387 | ASSIGNED | Bruce Morton | [ca-compliance] [uncategorized] Next update 2024-11-30 | 2024-10-31T14:40:55Z | 2024-09-27T02:27:48Z |
| Entrust: Not updating CPR Problem Reporting Mechanism fields in CCADB | 1894111 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] Next update 2025-01-15 | 2024-10-31T14:42:21Z | 2024-04-29T21:37:24Z |
| Entrust: S/MIME certificates lacking OU verification | 1914065 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-11-30 | 2024-09-30T22:08:51Z | 2024-08-20T21:35:45Z |
| Entrust: S/MIME mailbox address case mismatch between subject and subjectAltName | 1906470 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-11-30 | 2024-11-07T20:39:55Z | 2024-07-05T18:24:44Z |
| Entrust: S/MIME OrgID Country not matching C field | 1914999 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-11-30 | 2024-11-07T20:35:49Z | 2024-08-26T17:57:09Z |
| Firmaprofesional: Incorrect publication of information for "Test Website - Revoked" URL in the CCADB. | 1925293 | ASSIGNED | ext-antoni.camon | [ca-compliance] [policy-failure] | 2024-10-31T08:24:49Z | 2024-10-17T14:51:05Z |
| FNMT: LDAP URI in CRL Distribution Points Extension | 1922906 | ASSIGNED | Amaya Espinosa | [ca-compliance] | 2024-11-20T22:58:17Z | 2024-10-05T17:53:15Z |
| GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints | 1888060 | ASSIGNED | capoc | [ca-compliance] [ov-misissuance] | 2024-11-11T07:30:33Z | 2024-03-27T06:15:29Z |
| GlobalSign: Incorrect whois information for TLD | 1917896 | ASSIGNED | Christophe Bonjean | [ca-compliance] [uncategorized] Next update 2024-10-31 | 2024-11-20T16:19:05Z | 2024-09-10T17:05:08Z |
| GoDaddy: Does not provide a method for domain owners to revoke their certificates | 1924992 | ASSIGNED | Steven Deitte | [ca-compliance] [policy-failure] [external] | 2024-11-13T16:00:19Z | 2024-10-16T12:06:02Z |
| Google Trust Services: New hire onboarding deviation from written procedure | 1931413 | ASSIGNED | Google Trust Services | [ca-compliance] [policy-failure] | 2024-11-18T18:33:48Z | 2024-11-14T19:31:28Z |
| IdenTrust: Approval of TLS certificate renewal without domain validation | 1930029 | ASSIGNED | IdenTrust | [ca-compliance] [ov-misissuance] | 2024-11-15T23:24:30Z | 2024-11-08T01:22:37Z |
| iTrusChina: CPR was not responded to within 24 hours | 1927675 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [policy-failure] | 2024-11-18T08:50:46Z | 2024-10-29T06:55:46Z |
| iTrusChina: lacking 2018 KGC and GAP period audit report | 1923279 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] | 2024-10-22T01:05:56Z | 2024-10-08T08:22:18Z |
| iTrusChina: Mis-issued Certificates for "Test Website - Revoked" | 1927384 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [ov-misissuance] | 2024-11-20T18:38:17Z | 2024-10-28T02:26:15Z |
| Izenpe: Duplicate attribute in Subject | 1921254 | ASSIGNED | David | [ca-compliance] [ev-misissuance] | 2024-11-15T14:25:06Z | 2024-09-26T14:54:33Z |
| Izenpe: Failure to Submit Annual CCADB Self-Assessment | 1883493 | ASSIGNED | David | [ca-compliance] [disclosure-failure] [external] | 2024-09-30T12:32:31Z | 2024-03-04T20:36:07Z |
| Izenpe: Not allowed Qualifier ID OID on Certificate Policies extension of Precertificates | 1922844 | ASSIGNED | David | [ca-compliance] | 2024-10-22T04:57:23Z | 2024-10-04T18:51:05Z |
| KIR: Delayed revocation within seven (7) days for bug 1921598 | 1922572 | ASSIGNED | Piotr Grabowski | [ca-compliance] [ca-revocation-delay] Next update 2025-01-03 | 2024-11-20T18:00:03Z | 2024-10-03T16:12:24Z |
| KIR: Failure to disclose intermediate certificate within 7 days in ccadb | 1921596 | ASSIGNED | Piotr Grabowski | [ca-compliance] [disclosure-failure] | 2024-10-07T11:55:07Z | 2024-09-28T09:18:06Z |
| KIR: Intermediate CA - SZAFIR Trusted CA3 - Certificate Policies extension - non-compliance | 1921598 | ASSIGNED | Piotr Grabowski | [ca-compliance] [ca-misissuance] | 2024-10-17T17:22:28Z | 2024-09-28T09:36:58Z |
| KIR: Intermediate CA - SZAFIR Trusted CA4 - Certificate Policies extension - non-compliance | 1921597 | ASSIGNED | Piotr Grabowski | [ca-compliance] [ca-misissuance] | 2024-10-17T17:22:54Z | 2024-09-28T09:28:40Z |
| Microsec: Expired Certificates on test Pages for Revocation | 1925239 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [policy-failure] | 2024-11-15T16:40:03Z | 2024-10-17T10:05:59Z |
| NETLOCK: CPR was not responded to in 24 hours | 1905509 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] | 2024-09-05T17:30:54Z | 2024-06-29T19:45:26Z |
| NETLOCK: Findings in 2024 Audit | 1917046 | ASSIGNED | Nikolett | [ca-compliance] [audit-finding] | 2024-10-18T15:56:04Z | 2024-09-05T17:25:24Z |
| NETLOCK: Intermediate CA Certificate not disclosed to CCADB | 1904041 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [disclosure-failure] | 2024-08-30T16:07:55Z | 2024-06-21T13:01:09Z |
| SECOM: Issuance of TLS server certificates using keys previously compromised | 1931515 | ASSIGNED | ONO Fumiaki | [ca-compliance] [ov-misissuance] | 2024-11-18T18:32:38Z | 2024-11-15T11:21:37Z |
| SHECA: CRLReason code usage error | 1914365 | ASSIGNED | Alvin.Wang | [ca-compliance] [crl-failure] | 2024-11-20T16:21:46Z | 2024-08-22T11:43:31Z |
| SSL.com: Delay in publishing OCSP responses | 1931636 | ASSIGNED | Rebecca Kelley | [ca-compliance] [ocsp-failure] | 2024-11-18T18:19:14Z | 2024-11-15T22:42:53Z |
| SSL.com: Entrust API and CAA checking | 1931615 | ASSIGNED | Rebecca Kelley | [ca-compliance] [ov-misissuance] | 2024-11-20T21:17:21Z | 2024-11-15T20:24:25Z |
| SSL.com: Issuance of certificates using keys previously reported as compromised | 1927532 | ASSIGNED | Rebecca Kelley | [ca-compliance] [dv-misissuance] | 2024-11-18T08:07:36Z | 2024-10-28T18:17:59Z |
| SwissSign: S/MIME certificates deviate from CPR | 1929189 | ASSIGNED | Mike Guenther | [ca-compliance] [smime-misissuance] | 2024-11-18T13:18:05Z | 2024-11-05T08:25:05Z |
| SwissSign: S/MIME LCP not-permitted key usage | 1914023 | ASSIGNED | Sandy Balzer | [ca-compliance] [smime-misissuance] Next update 2024-11-15 | 2024-11-15T13:25:25Z | 2024-08-20T18:42:01Z |
| Telekom Security: CRL-Entries with wrong CRL Reason Codes | 1914383 | ASSIGNED | Arnold Essing | [ca-compliance] [crl-failure] | 2024-11-20T07:38:25Z | 2024-08-22T12:56:33Z |
| Telia: S/MIME Certificate issued to expired domain | 1920659 | ASSIGNED | Antti Backman | [ca-compliance] [smime-misissuance] | 2024-11-20T05:13:16Z | 2024-09-24T09:05:29Z |
52 Total; 52 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| Chunghwa Telecom:Delayed Annual Audit Report 2024 | 1917224 | ASSIGNED | Li-Chun CHEN | [ca-compliance] [audit-delay] | 2024-11-18T21:18:44Z | 2024-09-06T12:29:32Z |
| PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | 1911335 | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2024-10-01T13:56:00Z | 2024-08-02T15:40:40Z |
2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| [meta] Delayed Revocation | 1911183 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2024-11-20T16:01:15Z | 2024-08-01T20:05:04Z |
| Buypass: Delayed revocation of TLS certificates | 1872738 | ASSIGNED | Mads Henriksveen | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:49:51Z | 2024-01-02T19:18:17Z |
| CFCA: Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) | 1888882 | ASSIGNED | Gao Fei | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:55:14Z | 2024-04-01T07:19:09Z |
| Chunghwa Telecom: Delayed Revocation Due to GTLSCA EKU Misissuance | 1892419 | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:57:07Z | 2024-04-19T10:55:40Z |
| Chunghwa Telecom: Delayed Revocation with Controversial Extension (2.5.29.9, SubjectDirectoryAttributes) | 1903066 | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:58:55Z | 2024-06-17T14:31:08Z |
| D-Trust: Missed Revocation of TLS certificates affected by Bugzilla 1884714 | 1924385 | ASSIGNED | Enrico Entschew | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T16:02:05Z | 2024-10-13T17:26:55Z |
| Digicert: Delayed Revocation for bug 1894560 | 1896053 | ASSIGNED | Tim Hollebeek | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:57:34Z | 2024-05-10T05:00:07Z |
| DigiCert: Delayed revocation of 1910322 | 1910805 | ASSIGNED | Tim Hollebeek | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:59:31Z | 2024-07-31T00:45:12Z |
| eMudhra emSign PKI Services: Delayed Revocation of SSL/TLS Certificates | 1916478 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T16:01:38Z | 2024-09-03T15:24:26Z |
| Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates | 1898848 | ASSIGNED | ngook.kong | [ca-compliance] [leaf-revocation-delay] Next update 2025-03-31 | 2024-11-20T15:58:29Z | 2024-05-25T03:48:12Z |
| Entrust: Delayed revocation of EV TLS certificates with missing cPSuri | 1886532 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] Next update 2025-03-31 | 2024-11-20T15:53:00Z | 2024-03-20T17:22:26Z |
| Entrust: Failure to revoke EV TLS certificates issued before CPS update | 1890685 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] [leaf-revocation-delay] Next update 2025-03-31 | 2024-11-20T15:56:05Z | 2024-04-09T23:40:57Z |
| GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints | 1889062 | ASSIGNED | capoc | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:55:43Z | 2024-04-02T09:18:52Z |
| Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical | 1887888 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:54:44Z | 2024-03-26T14:39:37Z |
| Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem | 1886665 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:53:35Z | 2024-03-21T04:30:30Z |
| Microsec: Delayed revocation of the misissued certificates | 1887110 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:54:08Z | 2024-03-22T18:00:56Z |
| NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation | 1891331 | ASSIGNED | Nikolett | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:56:38Z | 2024-04-13T22:07:56Z |
| Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical | 1877388 | ASSIGNED | Arnold Essing | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:50:35Z | 2024-01-30T07:52:58Z |
| Telia: Delayed revocation of seven (7) certificates related to incident 1896108 | 1896553 | ASSIGNED | Antti Backman | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:58:07Z | 2024-05-14T04:48:55Z |
| TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order | 1884568 | ASSIGNED | Hao-Chun Li | [ca-compliance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:51:05Z | 2024-03-10T12:44:57Z |
| TWCA: Revocation delay for TLS certificates with non-critical basicConstraints | 1886110 | ASSIGNED | chtsai | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:52:35Z | 2024-03-19T07:42:18Z |
| VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | 1885568 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2025-02-01 | 2024-11-20T15:51:59Z | 2024-03-15T16:20:17Z |
22 Total; 22 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
