CA/Incident Dashboard

From MozillaWiki

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1463975 GRCA: Misissued certificates: Invalid commonName, commonName not in SAN ASSIGNED National Development Council [ca-compliance] CKA_NSS_SERVER_DISTRUST_AFTER 2020-03-09T23:02:23Z
1496616 Consorci AOC: Qualified audit statements ASSIGNED Francesc Ferrer [ca-compliance] CKA_NSS_SERVER_DISTRUST_AFTER 2020-03-09T22:58:28Z
1502957 Camerfirma: MULTICERT Misissuance and missing audits ASSIGNED Juan Angel Martin [ca-compliance] 2020-03-24T22:31:14Z
1532436 Chunghwa Telecom: Test certificate with unregistered domain name ASSIGNED Li-Chun CHEN [ca-compliance] - 19-February 2020 2020-04-01T16:12:53Z
1532559 CFCA: Wrong SerialNumber encoding ASSIGNED Jonathan Sun [ca-compliance] 2020-02-05T18:43:38Z
1550645 Digicert: CAA Checking Issue ASSIGNED Brenda Bernal [ca-compliance] 2020-04-01T23:28:22Z
1551372 Telia: "Some-State" in stateOrProvinceName ASSIGNED pekka.lahtiharju [ca-compliance] 2020-01-24T16:34:03Z
1559765 Izenpe: Multiple invalid EV certificates issued ASSIGNED Oscar Garcia [ca-compliance] 2020-02-06T18:11:26Z
1563579 Sectigo: Failure to provide timely incident reports ASSIGNED Robin Alden [ca-compliance] 2020-03-19T22:46:05Z
1565270 Telia: Qualified BR Audit Statement ASSIGNED pekka.lahtiharju [ca-compliance] 2020-04-01T07:24:21Z
1575022 Sectigo: EV SSL Certificates with incorrect subject details. ASSIGNED Robin Alden [ca-compliance] 2020-03-19T22:44:08Z
1575880 GlobalSign: SSL Certificates with US country code and invalid State/Prov ASSIGNED douglas.beattie [ca-compliance] 2020-03-31T19:11:45Z
1576013 DigiCert: JOI Issue ASSIGNED Jeremy Rowley [ca-compliance] 2020-03-31T22:12:58Z
1578505 LuxTrust: Outdated audit statement for intermediate cert NEW Yves Nullens [ca-compliance] - Overdue Audit for intermediate cert 2020-03-13T16:56:11Z
1586795 NetLock: Issuance of intermediates after 2019-01-01 that do not comply with Mozilla Policy ASSIGNED Varga Viktor [ca-compliance] 2019-11-11T12:57:54Z
1588001 Apple OCSP responders return responses with incorrect issuer ASSIGNED certification_authority [ca-compliance] - Next Update - 01-June 2020 2020-03-31T19:13:38Z
1588213 IdenTrust: Missing Thumbprints In Some Annual Audit Reports ASSIGNED roots [ca-compliance] 2019-11-23T00:20:10Z
1590810 Sectigo: EV SSL Certificates with incorrect businessCategory ASSIGNED Robin Alden [ca-compliance] - 10-February 2020 2020-03-19T22:42:58Z
1593776 Sectigo: invalid subject:organizationalUnitName on DV certificates ASSIGNED Robin Alden [ca-compliance] 2020-03-20T18:44:58Z
1597947 Sectigo: CCADB failed ALV - Network Solutions Certificate Authority ASSIGNED Robin Alden [ca-compliance] 2019-12-02T14:48:51Z
1597948 Sectigo: CCADB failed ALV - D-TRUST CA 2-1 2015 ASSIGNED Robin Alden [ca-compliance] 2019-12-02T14:48:50Z
1597950 Sectigo: CCADB failed ALV - Ensured Root CA ASSIGNED Robin Alden [ca-compliance] 2019-12-02T14:48:54Z
1599503 TrustCor: Non-mention of Email CAs in WTBR audit reports ASSIGNED Neil Dunbar [ca-compliance] 2020-04-01T16:58:45Z
1605804 GoDaddy: Domain Validation Reuse Issue ASSIGNED Joanna [ca-compliance] 2020-01-07T22:45:44Z
1606380 Firmaprofesional: 2019 Audit Report Findings ASSIGNED chemalogo [ca-compliance] 2020-02-06T12:26:59Z
1610303 D-TRUST: Issuance of non-conformant SSL certificate ASSIGNED Enrico Entschew [ca-compliance] 2020-02-14T16:33:42Z
1611458 Asseco DS / Certum: Invalid value in SAN dNSName ASSIGNED Wojciech Trapczyński [ca-compliance] - Next Update - 01-July 2020 2020-02-19T19:37:27Z
1612332 Telia CA: Ambiguity on KeyUsage with ECC public key ASSIGNED pekka.lahtiharju [ca-compliance] 2020-02-05T11:56:41Z
1613334 SwissSign: Misissuance with mispellings in Location for a number of Certificates ASSIGNED Nathalie Weiler [ca-compliance] 2020-03-09T14:40:34Z
1613505 DigiCert: WTCA / WTBR Audit 2019 - Matters to be resolved ASSIGNED Brenda Bernal [ca-compliance] 2020-04-01T16:03:27Z
1614290 WISeKey: Unofficial DBA in Organization field ASSIGNED Pedro Fuentes [ca-compliance] 2020-02-10T19:33:13Z
1614311 Telia: Two CA certificates not listed in audit report ASSIGNED pekka.lahtiharju [ca-compliance] 2020-02-18T07:59:49Z
1614448 GRCA: Audit Letter Validation failures on intermediate certificates NEW National Development Council [ca-compliance] 2020-02-24T06:16:31Z
1618256 DigiCert: Failure to properly encode Subject name ASSIGNED Brenda Bernal [ca-compliance] 2020-04-02T20:53:39Z
1619047 Let's Encrypt: CAA Rechecking bug ASSIGNED Jacob Hoffman-Andrews [ca-compliance] Next Update - 28-April 2020 2020-04-01T01:45:53Z
1619359 Sectigo: Failure to provide a preliminary report within 24 hours ASSIGNED Robin Alden [ca-compliance] 2020-04-04T06:23:14Z
1622505 GlobalSign: OCSP Status HTTP 530 ASSIGNED Arvid Vermote [ca-compliance] 2020-03-31T22:18:23Z
1622539 Microsec: Issuance of 2 IVCP precertificates without givenName, surName, localityName fields ASSIGNED dr. Sándor SZŐKE [ca-compliance] 2020-04-01T21:06:16Z
1623356 GlobalSign: Misissuance of QWAC Certificates ASSIGNED douglas.beattie [ca-compliance] 2020-04-03T19:15:17Z
1623384 Camerfirma: Invalid authorityKeyIdentifier - recurrent incident ASSIGNED Ana Lopes [ca-compliance] 2020-04-01T15:53:07Z
1623472 Trustis: Gap between audit periods NEW Blake Morgan [ca-compliance] Audit Gap 2020-03-27T14:16:04Z
1624527 DigiCert: Issuance of Cert with Compromised Key ASSIGNED Jeremy Rowley [ca-compliance] 2020-03-31T23:27:32Z
1625498 Google Trust Services: Tracking bug for possible audit delays (audit due 2020-12) ASSIGNED kluge [ca-compliance] [audit-delay] [covid-19] Next Update - 1 July, 2020 2020-03-30T11:03:45Z
1625715 Sectigo: Failure to revoke certificate with previously-compromised key within 24 hours ASSIGNED Robin Alden [ca-compliance] 2020-04-04T06:16:11Z
1625767 Microsec: Audit Letter Validation Failures ASSIGNED dr. Sándor SZŐKE [ca-compliance] 2020-03-30T10:58:14Z
1626078 Buypass: Missing NCA identifier in cabfOrganizationIdentifier in PSD2 QWACs ASSIGNED Mads Henriksveen [ca-compliance] 2020-04-04T16:34:43Z
1626355 Atos: Tracking bug for possible audit delays ASSIGNED michael.schwieters [ca-compliance][audit-delay][covid-19] Next Update 2020-04-19 2020-03-31T18:55:46Z
1626805 FNMT: Minor non-conformities in 2020 audit statement NEW alain [ca-compliance] 2020-04-03T17:05:00Z
1626868 WISeKey: Issuance of certificate with two potentially conflicting policy OIDs ASSIGNED Pedro Fuentes [ca-compliance] 2020-04-03T15:35:26Z
1627152 DigiCert: OCSP NextUpdate ASSIGNED Brenda Bernal [ca-compliance] 2020-04-03T15:56:41Z

50 Total; 50 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1625498 Google Trust Services: Tracking bug for possible audit delays (audit due 2020-12) ASSIGNED kluge [ca-compliance] [audit-delay] [covid-19] Next Update - 1 July, 2020 2020-03-30T11:03:45Z
1626355 Atos: Tracking bug for possible audit delays ASSIGNED michael.schwieters [ca-compliance][audit-delay][covid-19] Next Update 2020-04-19 2020-03-31T18:55:46Z

2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1532113 CFCA: O > 64 characters ASSIGNED Oliver Bi [ca-compliance] [delayed-revocation-leaf] 2020-02-06T04:38:00Z
1575530 Camerfirma: Govern d'Andorra audits ASSIGNED Juan Angel Martin [ca-compliance] [delayed-revocation-ca] 2020-01-03T13:21:47Z
1580525 D-TRUST: Delayed revocation of EV certificates ASSIGNED Enrico Entschew [ca-compliance] [delayed-revocation-leaf] 2019-12-27T19:30:35Z
1581597 QuoVadis: Unconstrained CAs missing audits ASSIGNED Stephen Davidson [ca-compliance] [delayed-revocation-ca] [covid-19] - Next Update - 29-April 2020 2020-03-27T19:40:26Z
1591005 GlobalSign: ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report ASSIGNED Arvid Vermote [ca-compliance] [delayed-revocation-ca] 2020-03-19T12:34:11Z
1598319 Buypass: intermediate certificates not revoked within BR time period ASSIGNED Mads Henriksveen [ca-compliance] [delayed-revocation-ca] Next Update - 21-April 2020 2020-03-30T16:50:06Z
1598807 IdenTrust: Undisclosed Unrevoked ICA’s ASSIGNED roots [ca-compliance] [delayed-revocation-ca] [covid-19] - Next Update - 30-April 2020 2020-03-30T18:22:31Z
1599571 TrustCor: Non-revocation of CA certificates within 7 days ASSIGNED Neil Dunbar [ca-compliance] [delayed-revocation-ca] 2020-04-01T16:57:57Z
1599788 GlobalSign: Failure to revoke noncompliant ICA not revoked within 7 days ASSIGNED Arvid Vermote [ca-compliance] [delayed-revocation-ca] Next Update - 4-Dec 2019 2019-12-03T00:04:22Z
1599916 QuoVadis: Unconstrained CAs revocation ASSIGNED Stephen Davidson [ca-compliance] [delayed-revocation-ca] Next Update - 31-March 2020 2020-02-05T04:24:44Z
1610767 WISeKey: Failure to meet revocation deadline ASSIGNED Pedro Fuentes [ca-compliance] [delayed-revocation-leaf] Next Update - 23-January 2020 2020-01-23T22:04:52Z
1613406 SwissSign: Delayed revocation for mispellings in Location for a number of Certificates ASSIGNED Nathalie Weiler [ca-compliance] [delayed-revocation-leaf] 2020-02-10T12:55:18Z
1619179 Let's Encrypt: Incomplete revocation for CAA rechecking bug ASSIGNED Josh Aas [ca-compliance] [delayed-revocation-leaf] 2020-04-03T22:29:26Z
1620561 Sectigo: Non-revocation of certificates with subject:organizationalUnitName in DV certificates ASSIGNED Robin Alden [ca-compliance] [delayed-revocation-leaf] 2020-03-19T22:44:39Z
1624504 QuoVadis: Failure to revoke certificates with compromised private keys UNCONFIRMED Stephen Davidson [ca-compliance] [delayed-revocation-leaf] 2020-03-31T22:21:25Z
1624658 Camerfirma: BR revocation period exceeded ASSIGNED Ana Lopes [ca-compliance] [delayed-revocation-leaf] [covid-19] Next Update - 15-April 2020 2020-03-30T17:08:18Z
1625322 Let's Encrypt: Failure to revoke key-compromised certificates within 24 hours ASSIGNED Josh Aas [ca-compliance] [delayed-revocation-leaf] 2020-04-04T06:06:01Z
1625445 GlobalSign: Failure to revoke 2 noncompliant QWACs within 5 days ASSIGNED Paul Brown [ca-compliance] [delayed-revocation-leaf] 2020-04-02T15:59:38Z

18 Total; 18 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: