CA/Incident Dashboard

From MozillaWiki
< CA
Jump to navigation Jump to search

Open CA Bugs in Bugzilla

There are three separate lists of open compliance bugs below:

  • Compliance bugs (not including audit delays or leaf revocation delays)
  • Audit Delays
  • Leaf Revocation Delays

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
Actalis: incorrect CP/S Last Update date in CCADB 1973238 ASSIGNED Adriano Santoni [ca-compliance] [disclosure-failure] 2025-07-25T13:36:43Z 2025-06-20T13:29:15Z
Certainly: Sample Websites Unavailable 1968836 ASSIGNED Daniel Jeffery [ca-compliance] [policy-failure] 2025-07-17T20:46:31Z 2025-05-28T03:00:33Z
D-Trust: Defective certificate incident reporting form 1976837 ASSIGNED Enrico Entschew [ca-compliance] [policy-failure] 2025-07-24T06:57:47Z 2025-07-11T09:23:52Z
DigiCert: DCV logging issue 1974539 ASSIGNED DigiCert [ca-compliance] [policy-failure] 2025-07-23T20:57:16Z 2025-06-27T23:09:04Z
DigiCert: Re-use of WHOIS validation shortly after deadline 1978163 ASSIGNED DigiCert [ca-compliance] [dv-misissuance] [ov-misissuance] 2025-07-25T23:50:04Z 2025-07-18T21:01:12Z
eMudhra emSign PKI Services: Policy Document Inconsistency 1973341 ASSIGNED Naveen Kumar ML [ca-compliance] [policy-failure] 2025-07-25T07:22:41Z 2025-06-21T10:33:57Z
Entrust: Missing or Inconsistent Disclosure of S/MIME BR Audits 1952635 ASSIGNED Bruce Morton [ca-compliance] [audit-failure] 2025-07-17T23:11:49Z 2025-03-08T12:20:57Z
FNMT: CP/CPS, Revocation Requests Mechanism, Certificate Problem Report, CRL and OCSP disruption 1963778 ASSIGNED Amaya Espinosa [ca-compliance] [policy-failure] Next update 2025-07-31 2025-07-07T13:21:30Z 2025-05-01T08:21:00Z
Google Trust Services: Missing authorization audit log entry for certificate issuance 1979457 UNCONFIRMED Google Trust Services [ca-compliance] [policy-failure] 2025-07-29T15:37:25Z 2025-07-25T21:06:01Z
IZENPE: IssuingDistributionPoint extension in CRLs not marked as Critical 1976256 ASSIGNED Toni Sáez [ca-compliance] [crl-failure] 2025-07-22T04:01:29Z 2025-07-08T15:19:58Z
Let's Encrypt: Deployed Unreviewed Boulder Code 1972745 ASSIGNED Jacob Hoffman-Andrews [close on 2025-07-29] [ca-compliance] [policy-failure] 2025-07-22T12:23:17Z 2025-06-18T04:10:38Z
Microsoft PKI Services: End Entity Certificate Mis-issuance against CPS (BasicConstraints) 1979475 UNCONFIRMED Microsoft PKI Services [ca-compliance] [policy-failure] [ov-misissuance] 2025-07-28T16:43:52Z 2025-07-26T00:21:43Z
Microsoft PKI Services: Policy document bug 1962829 ASSIGNED Microsoft PKI Services [ca-compliance] [policy-failure] 2025-07-25T22:05:26Z 2025-04-26T02:10:29Z
Microsoft PKI Services: Pre-Sign Linting Validation did not occur in ICA creation 1974592 ASSIGNED Microsoft PKI Services [ca-compliance] [ca-misissuance] 2025-07-25T22:17:56Z 2025-06-28T22:36:23Z
NETLOCK: Expired Test Website Certificate 1979287 UNCONFIRMED Roland [ca-compliance] [policy-failure] 2025-07-28T16:40:40Z 2025-07-25T09:42:54Z
SECOM: Cybertrust Japan's CRL lacks the critical flag in the issuingDistributionPoint extension 1975624 ASSIGNED SECOM Trust Systems - ONO Fumiaki [ca-compliance] [crl-failure] 2025-07-25T05:04:00Z 2025-07-04T01:10:58Z
SECOM: S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ) 1950574 ASSIGNED SECOM Trust Systems - ONO Fumiaki [ca-compliance] [audit-finding] Next update 2025-09-01 2025-02-28T15:35:46Z 2025-02-26T09:11:03Z
Sectigo: OV reuse data applied for wrong organization 1977253 ASSIGNED Tim Callan [ca-compliance] [ov-misissuance] 2025-07-25T09:44:58Z 2025-07-14T19:30:45Z
SHECA: New CPS disclosure of CCADB exceeds the required 14-day deadline 1974198 ASSIGNED SHECA [ca-compliance] [disclosure-failure] 2025-07-22T02:21:27Z 2025-06-26T11:01:25Z
SHECA: The stateOrProvinceName and streetAddress of the certificate DN item are issued incorrectly 1978186 ASSIGNED SHECA [ca-compliance] [ov-misissuance] 2025-07-25T17:34:33Z 2025-07-19T00:54:04Z
SSL.com: "unknown" OCSP response for issued certificates 1957140 ASSIGNED SSL.com [ca-compliance] [ocsp-failure] Next update 2025-07-31 2025-07-22T15:21:52Z 2025-03-28T19:39:09Z
SSL.com: Issuance of certificates using keys previously reported as compromised 1927532 ASSIGNED Rebecca Kelley [ca-compliance] [dv-misissuance] Next update 2025-07-23 2025-07-23T15:22:47Z 2024-10-28T18:17:59Z
SwissSign: OCSP outage 1965828 ASSIGNED Roman Fischer [ca-compliance] [ocsp-failure] Next update 2025-07-31 2025-07-21T14:24:45Z 2025-05-12T14:01:24Z
Telekom Security: Failure to file a bug for two findings from the 2024 Audit 1976860 ASSIGNED Stefan Kirch [ca-compliance] [disclosure-failure] 2025-07-24T15:51:52Z 2025-07-11T11:09:45Z

24 Total; 24 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA 1911335 ASSIGNED Jochem van den Berge [ca-compliance] [audit-delay] 2025-07-10T16:06:54Z 2024-08-02T15:40:40Z

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
[meta] Delayed Revocation 1911183 ASSIGNED Ben Wilson [ca-compliance] [meta] [leaf-revocation-delay] 2025-06-10T20:05:50Z 2024-08-01T20:05:04Z
eMudhra emSign PKI Services : Delayed Revocation of TLS Certificates due to Policy Inconsistency. 1974435 ASSIGNED Naveen Kumar ML [ca-compliance] [leaf-revocation-delay] 2025-07-28T07:17:49Z 2025-06-27T13:09:27Z
Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829 1965612 ASSIGNED Microsoft PKI Services [ca-compliance] [leaf-revocation-delay] 2025-07-28T16:39:44Z 2025-05-10T01:34:01Z
NETLOCK: Bug 1891331 replacement - delayed revocation - 1947691 ASSIGNED Nikolett [ca-compliance] [leaf-revocation-delay] 2025-07-29T09:47:35Z 2025-02-12T09:43:02Z
VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 1885568 ASSIGNED VikingCloud CA [ca-compliance] [ov-misissuance] [leaf-revocation-delay] 2025-07-29T20:57:40Z 2024-03-15T16:20:17Z

5 Total; 5 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here:

Retrieved from "https://wiki.mozilla.org/index.php?title=CA/Incident_Dashboard&oldid=1252030"