CA/Incident Dashboard
From MozillaWiki
< CA
Contents
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1632632 | Buypass: Illegal Business Category in a PSD2 QWAC | ASSIGNED | Mads Henriksveen | [ca-compliance] Next update 2021-06-20 | 2021-04-02T17:43:21Z |
| 1647468 | D-TRUST: Wrong key usage (Key Encipherment) | ASSIGNED | Enrico Entschew | [ca-compliance] | 2020-10-02T13:58:22Z |
| 1649937 | GlobalSign: Incorrect OCSP Delegated Responder Certificate | ASSIGNED | douglas.beattie | [ca-compliance] | 2021-02-25T08:41:07Z |
| 1652581 | Google Trust Services digitalSignature KeyUsage not set | ASSIGNED | Andy Warner | [ca-compliance] | 2021-04-09T16:45:02Z |
| 1658792 | Entrust: Invalid data in State/Province Field | ASSIGNED | Dathan Demone | [ca-compliance] Next Update 2021-04-01 | 2021-04-15T21:07:04Z |
| 1663953 | TunTrust : OCSP unreachable | ASSIGNED | Agence Nationale de Certification Electronique | [ca-compliance] Next Update 2021-06-15 | 2021-04-08T15:27:17Z |
| 1670337 | Microsoft PKI Services: Certificate Mis-Issuance, DNSNames must have a valid TLD | ASSIGNED | John Mason | [ca-compliance] Next Update 2021-04-19 | 2021-04-08T04:11:01Z |
| 1674561 | Microsoft: DV certificate issued with OV fields | ASSIGNED | Dustin Hollenback | [ca-compliance] Next update 2021-05-01 | 2021-04-02T17:56:26Z |
| 1676352 | Microsec e-Szigno: Validity validity period greater than 398 days | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] Next update 2021-05-01 | 2021-04-02T17:34:21Z |
| 1677737 | SwissSign: duplicate serial number | ASSIGNED | Mike Guenther | [ca-compliance] | 2021-04-08T11:51:44Z |
| 1678183 | Google Trust Services - Invalid ASN.1 encoding of singleExtensions in OCSP responses | ASSIGNED | Andy Warner | [ca-compliance] | 2021-04-14T20:06:43Z |
| 1680378 | Netlock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit | ASSIGNED | Varga Viktor | [ca-compliance] | 2021-04-07T14:01:09Z |
| 1685370 | Entrust: Incorrect Business Category Value Discovered in an EV SSL Certificate | ASSIGNED | Dathan Demone | [ca-compliance] | 2021-03-30T20:09:32Z |
| 1690807 | GlobalSign: RSA-1024 leaf certificate issued after 2013-12-31 | ASSIGNED | Eva Van Steenberge | [ca-compliance] | 2021-04-06T06:05:10Z |
| 1693930 | Microsoft PKI Services: Policy Documentation, Failure to update Subscriber Certificate Max Validity Period | ASSIGNED | John Mason | [ca-compliance] | 2021-03-04T22:04:27Z |
| 1694233 | Sectigo: Inadequate DCV | ASSIGNED | Tim Callan | [ca-compliance] | 2021-04-16T00:22:02Z |
| 1695786 | SECOM: Unqualified domain name in SAN | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-04-15T16:42:33Z |
| 1695938 | SECOM: FUJIFILM intermediate not listed in audit statement | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-04-15T19:27:41Z |
| 1695993 | SECOM: Outdated audit statements for intermediate certs | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-04-08T04:08:53Z |
| 1696227 | Entrust - Incorrect Jurisdiction Country Value in an EV Certificate | ASSIGNED | Dathan Demone | [ca-compliance] Next update 2021-06-01 | 2021-03-30T20:10:22Z |
| 1698936 | Sectigo: ZeroSSL: failure to revoke within 24 hours | ASSIGNED | Tim Callan | [ca-compliance] | 2021-04-09T17:09:15Z |
| 1699796 | HARICA: Certificates with invalid policy tree | ASSIGNED | Dimitris Zacharopoulos | [ca-compliance] | 2021-04-07T14:11:47Z |
| 1700145 | Firmaprofesional: incorrect reserved CA/B Forum OIDs in certificates | ASSIGNED | chemalogo | [ca-compliance] | 2021-03-31T21:57:07Z |
| 1700809 | Microsoft PKI Services: Failure to disclose Unconstrained Intermediate within 7 Days | ASSIGNED | John Mason | [ca-compliance] | 2021-04-14T22:42:25Z |
| 1703528 | Telekom Security: Key Encipherment in two ECC SAN TLS certificates | ASSIGNED | Arnold Essing | [ca-compliance] | 2021-04-13T08:36:03Z |
| 1704140 | Camerfirma: Govern d'Andorra Audit Delay | ASSIGNED | Ana Lopes | [ca-compliance] [audit-delay] | 2021-04-12T14:23:34Z |
| 1704199 | FNMT: Minor non-conformities in 2021 audit statement | ASSIGNED | Brox | [ca-compliance] | 2021-04-12T09:34:40Z |
| 1705187 | KIR S.A.: CN domain not in SAN | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-04-15T15:22:11Z |
| 1705337 | KIR S.A.: Invalid localityName + CRL Revoked but OCSP Unknown | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-04-15T20:27:48Z |
| 1705419 | Microsoft: Underscore in SAN | ASSIGNED | John Mason | [ca-compliance] | 2021-04-16T07:19:02Z |
| 1705480 | SECOM: CP/CPS does not clearly specify domain validation methods | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-04-16T01:37:23Z |
31 Total; 31 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1704140 | Camerfirma: Govern d'Andorra Audit Delay | ASSIGNED | Ana Lopes | [ca-compliance] [audit-delay] | 2021-04-12T14:23:34Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1651447 | GlobalSign: Failure to revoke noncompliant ICA within 7 days | ASSIGNED | Arvid Vermote | [ca-compliance] [delayed-revocation-ca] | 2021-01-12T13:19:27Z |
| 1651637 | Firmaprofesional: Failure to revoke ICAs within 7 days: OCSP EKU | ASSIGNED | Maria Jose Prieto | [ca-compliance] [delayed-revocation-ca] Next update 2021-01-04 | 2021-02-08T16:23:17Z |
| 1652610 | SECOM: Delayed Revocation of CA Certificate with OCSP EKU Issue | ASSIGNED | Hisashi Kamo | [ca-compliance] [delayed-revocation-ca] | 2021-04-15T06:59:41Z |
| 1688844 | Netlock: Delayed revocation report connected to ticket 1680378 | ASSIGNED | Varga Viktor | [ca-compliance] [delayed-revocation-leaf] | 2021-04-07T14:05:48Z |
| 1692535 | Camerfirma: Delayed revocations of certificates issued by old CAs with an RSA modulus size of 2047 bits | ASSIGNED | Ana Lopes | [ca-compliance][delayed-revocation-leaf] | 2021-04-09T13:43:36Z |
5 Total; 5 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
