CA/Incident Dashboard

From MozillaWiki

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
Actalis: CRL distribution point with ldap scheme 1906690 ASSIGNED Marco Menonna [ca-compliance] [crl-failure] 2024-09-03T15:59:27Z 2024-07-08T15:44:42Z
Actalis: Use of CRLReason Code in Certificate Revocation 1914419 ASSIGNED Marco Menonna [ca-compliance] [crl-failure] 2024-09-05T13:30:59Z 2024-08-22T15:13:31Z
Amazon Trust Services: CRL not DER-encoded 1914893 ASSIGNED Trevoli (Amazon Trust Services) [ca-compliance] [crl-failure] [external] 2024-09-05T20:50:06Z 2024-08-26T12:35:54Z
Asseco DS / Certum: CRL non-conformance with the TLS BRs 1888689 ASSIGNED Kateryna Aleksieieva [ca-compliance] [crl-failure] [external] Next update 2024-10-01 2024-08-27T09:04:45Z 2024-03-29T17:37:14Z
Asseco DS / Certum: Organization Identifier and Country field discrepancies 1917571 ASSIGNED Kateryna Aleksieieva [ca-compliance] [smime-misissuance] 2024-09-10T14:35:28Z 2024-09-09T11:32:46Z
Asseco DS / Certum: S/MIME certificates with error in subjectAlternativeName 1879845 REOPENED Kateryna Aleksieieva [ca-compliance] [smime-misissuance] Next update 2024-10-01 2024-08-27T09:06:08Z 2024-02-12T13:22:11Z
CFCA: certificate basicConstraints extension not marked as critical 1886135 ASSIGNED Gao Fei [ca-compliance] [ov-misissuance] Next update 2024-07-30 2024-08-22T03:51:07Z 2024-03-19T10:57:32Z
CFCA: Failure to respond to a CPR in a complete and/or timely manner 1888881 ASSIGNED Gao Fei [ca-compliance] [policy-failure] 2024-08-26T16:27:02Z 2024-04-01T07:17:16Z
Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired 1904038 ASSIGNED Tsung-Min Kuo [ca-compliance] [policy-failure] 2024-09-06T11:14:46Z 2024-06-21T12:48:21Z
Chunghwa Telecom: Controversial Values within Extension (2.5.29.9, subjectDirectoryAttributes) 1899466 ASSIGNED Leo Fang [ca-compliance] [ov-misissuance] 2024-09-06T15:28:05Z 2024-05-29T04:13:45Z
Chunghwa Telecom: TLS Certificates Contains two LocalityName Values in SubjectDN by GTLSCA 1916392 ASSIGNED Leo Fang [ca-compliance] [ov-misissuance] 2024-09-06T11:14:47Z 2024-09-03T10:00:29Z
CommScope: Certificates not logged in CT logs as stated in CP/CPS 1910512 ASSIGNED Nicol So [ca-compliance] [policy-failure] 2024-09-08T16:05:00Z 2024-07-30T00:10:18Z
CommScope: Incomplete Incident Report 1904402 ASSIGNED Nicol So [ca-compliance] [policy-failure] 2024-08-28T22:39:08Z 2024-06-24T18:20:49Z
D-Trust: CRL-Entries without required CRL Reason Code 1913310 ASSIGNED Enrico Entschew [ca-compliance] [crl-failure] 2024-09-06T15:16:02Z 2024-08-15T11:46:15Z
D-Trust: Issuance of an EV certificate containing a mixup of the Subject's postalCode and localityName 1896190 ASSIGNED Enrico Entschew [ca-compliance] [ev-misissuance] Next update 2024-10-21 2024-09-06T15:32:07Z 2024-05-10T19:14:04Z
D-Trust: LDAP-URL in Subscriber Certificate Authority Information Access field 1884714 ASSIGNED Enrico Entschew [ca-compliance] [ov-misissuance] 2024-09-06T15:15:31Z 2024-03-11T16:29:07Z
DigiCert: Random value in CNAME without underscore prefix 1910322 ASSIGNED Jeremy Rowley [ca-compliance] 2024-09-07T11:08:49Z 2024-07-29T02:17:59Z
DigiCert: Typo in TLS Org Name 1910258 ASSIGNED Martin Sullivan [ca-compliance] [ov-misissuance] 2024-09-06T22:21:06Z 2024-07-27T20:48:42Z
DigiCert: Unclear Disclosure of CAA Issuer Domain Names 1914911 ASSIGNED Tim Hollebeek [ca-compliance] [policy-failure] [external] 2024-09-05T22:19:01Z 2024-08-26T13:21:22Z
emSign PKI Services : OCSP Responder Time Inconsistency 1917459 ASSIGNED Naveen Kumar ML [ca-compliance] [ocsp-failure] 2024-09-09T15:49:06Z 2024-09-08T09:06:01Z
Entrust: Action Items from June 2024 Report 1901270 ASSIGNED Ben Wilson [ca-compliance] [meta] Next update 2024-10-31 2024-09-09T18:18:47Z 2024-06-07T16:50:41Z
Entrust: CPR was not responded to in 24 hours 1885754 ASSIGNED Paul van Brouwershaven [ca-compliance] [external] [policy-failure] 2024-09-06T15:14:01Z 2024-03-16T22:14:29Z
Entrust: Not updating CPR Problem Reporting Mechanism fields in CCADB 1894111 ASSIGNED Bruce Morton [ca-compliance] [policy-failure] Next update 2024-10-31 2024-08-30T16:10:46Z 2024-04-29T21:37:24Z
Entrust: S/MIME certificates lacking OU verification 1914065 ASSIGNED Bruce Morton [ca-compliance] [smime-misissuance] Next update 2024-09-30 2024-08-30T16:05:20Z 2024-08-20T21:35:45Z
Entrust: S/MIME mailbox address case mismatch between subject and subjectAltName 1906470 ASSIGNED Bruce Morton [ca-compliance] [smime-misissuance] Next update 2024-10-31 2024-08-30T16:21:07Z 2024-07-05T18:24:44Z
Entrust: S/MIME mailbox address not in subjectAltName 1906467 ASSIGNED Bruce Morton [ca-compliance] [smime-misissuance] Next update 2024-10-31 2024-08-30T16:14:58Z 2024-07-05T18:16:34Z
Entrust: S/MIME OrgID Country not matching C field 1914999 ASSIGNED Bruce Morton [ca-compliance] [smime-misissuance] Next update 2024-10-01 2024-09-06T15:42:41Z 2024-08-26T17:57:09Z
GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints 1888060 ASSIGNED capoc [ca-compliance] [ov-misissuance] 2024-08-29T09:17:53Z 2024-03-27T06:15:29Z
GoDaddy : CAA checks did not properly handle issuewild tag allowing FQDN SANs to be added to wildcard certs 1904748 ASSIGNED [:nickname] Star [ca-compliance] 2024-08-27T20:51:35Z 2024-06-26T02:12:50Z
GoDaddy : CAA checks passed when records contained incorrect variants of godaddy.com or starfieldtech.com 1904749 ASSIGNED [:nickname] Star [ca-compliance] 2024-08-27T20:51:43Z 2024-06-26T02:14:20Z
GoDaddy: Edge Case for Data Reuse Outside of Timeframes 1909948 ASSIGNED [:nickname] Star [ca-compliance] [dv-misissuance] 2024-08-05T16:25:38Z 2024-07-25T17:47:50Z
GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued 1905419 ASSIGNED [:nickname] Star [ca-compliance] [ocsp-failure] 2024-08-23T18:01:43Z 2024-06-28T19:25:10Z
IdenTrust: Expired CRLs 1914067 ASSIGNED IdenTrust [ca-compliance] [crl-failure] 2024-09-03T21:48:11Z 2024-08-20T21:50:05Z
IdenTrust: Unauthorized OCSP response on a Timestamp certificate 1905446 ASSIGNED IdenTrust [ca-compliance] [ocsp-failure] Next update 2024-10-15 2024-08-30T22:20:28Z 2024-06-28T22:11:23Z
Izenpe: Failure to Submit Annual CCADB Self-Assessment 1883493 ASSIGNED David [ca-compliance] [disclosure-failure] [external] 2024-08-26T16:07:19Z 2024-03-04T20:36:07Z
NETLOCK: CPR was not responded to in 24 hours 1905509 ASSIGNED Nikolett [ca-compliance] [policy-failure] 2024-09-05T17:30:54Z 2024-06-29T19:45:26Z
NETLOCK: Intermediate CA Certificate not disclosed to CCADB 1904041 ASSIGNED Nikolett [ca-compliance] [policy-failure] [disclosure-failure] 2024-08-30T16:07:55Z 2024-06-21T13:01:09Z
Sectigo: HTML encoded characters in subject attribute values 1912225 ASSIGNED Martijn Katerbarg [ca-compliance] [ov-misissuance] Next update 2024-09-15 2024-08-23T15:36:04Z 2024-08-08T09:16:17Z
Sectigo: Missing data in cabfOrganizationIdentifier 1915883 ASSIGNED Martijn Katerbarg [ca-compliance] [ev-misissuance] 2024-09-06T08:11:40Z 2024-08-30T15:11:31Z
Sectigo: S/MIME OV Mis-issuance 1917405 ASSIGNED Martijn Katerbarg [ca-compliance] [smime-misissuance] [external] 2024-09-10T10:03:51Z 2024-09-07T09:34:22Z
SHECA: CRLReason code usage error 1914365 ASSIGNED Alvin.Wang [ca-compliance] [crl-failure] 2024-08-27T05:59:45Z 2024-08-22T11:43:31Z
SwissSign: LDAP URL still in CRL distribution point (CDP) 1916489 ASSIGNED Sandy Balzer [ca-compliance] [crl-failure] 2024-09-11T09:15:54Z 2024-09-03T16:00:28Z
SwissSign: S/MIME LCP not-permitted key usage 1914023 ASSIGNED Sandy Balzer [ca-compliance] [smime-misissuance] 2024-09-06T15:46:25Z 2024-08-20T18:42:01Z
SwissSign: S/MIME NCP non ASCII symbols in email and SAN field wrong coding 1914020 ASSIGNED Sandy Balzer [ca-compliance] [smime-misissuance] 2024-09-06T15:47:49Z 2024-08-20T18:32:23Z
Telekom Security: CRL-Entries with wrong CRL Reason Codes 1914383 ASSIGNED Arnold Essing [ca-compliance] [crl-failure] 2024-09-09T07:39:54Z 2024-08-22T12:56:33Z
TunTrust: CRL and OCSP unavailable 1895312 ASSIGNED TunTrust [ca-compliance] [crl-failure] [ocsp-failure] 2024-08-27T11:36:09Z 2024-05-06T17:10:11Z

46 Total; 46 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
Chunghwa Telecom:Delayed Annual Audit Report 2024 1917224 ASSIGNED Li-Chun CHEN [ca-compliance] [audit-delay] 2024-09-10T09:55:32Z 2024-09-06T12:29:32Z
PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA 1911335 ASSIGNED Jochem van den Berge [ca-compliance] [audit-delay] 2024-08-29T14:36:38Z 2024-08-02T15:40:40Z

2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
[meta] Delayed Revocation 1911183 ASSIGNED Ben Wilson [ca-compliance] [meta] [leaf-revocation-delay] 2024-09-03T16:06:09Z 2024-08-01T20:05:04Z
Buypass: Delayed revocation of TLS certificates 1872738 REOPENED Mads Henriksveen [ca-compliance] [leaf-revocation-delay] Next update 2024-09-15 2024-08-01T20:05:04Z 2024-01-02T19:18:17Z
CFCA: Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) 1888882 ASSIGNED Gao Fei [ca-compliance] [leaf-revocation-delay] Next update 2024-08-20 2024-08-22T03:56:56Z 2024-04-01T07:19:09Z
Chunghwa Telecom: Delayed Revocation Due to GTLSCA EKU Misissuance 1892419 ASSIGNED Leo Fang [ca-compliance] [leaf-revocation-delay] 2024-09-06T11:14:45Z 2024-04-19T10:55:40Z
Chunghwa Telecom: Delayed Revocation with Controversial Extension (2.5.29.9, SubjectDirectoryAttributes) 1903066 ASSIGNED Leo Fang [ca-compliance] [leaf-revocation-delay] 2024-09-06T11:14:46Z 2024-06-17T14:31:08Z
Digicert: Delayed Revocation for bug 1894560 1896053 ASSIGNED Tim Hollebeek [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 2024-09-09T15:38:42Z 2024-05-10T05:00:07Z
DigiCert: Delayed revocation of 1910322 1910805 ASSIGNED Tim Hollebeek [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 2024-09-09T15:41:52Z 2024-07-31T00:45:12Z
emSign PKI Services: Delayed Revocation of SSL/TLS Certificates 1916478 ASSIGNED Naveen Kumar ML [ca-compliance] [leaf-revocation-delay] 2024-09-07T15:39:46Z 2024-09-03T15:24:26Z
Entrust: Delayed Revocation for S/MIME certificates 1910237 ASSIGNED Bruce Morton [ca-compliance] [leaf-revocation-delay] Next update 2024-10-31 2024-08-30T16:14:29Z 2024-07-27T15:07:49Z
Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates 1898848 ASSIGNED ngook.kong [ca-compliance] [leaf-revocation-delay] Next update 2024-09-30 2024-08-30T16:01:01Z 2024-05-25T03:48:12Z
Entrust: Delayed revocation of EV TLS certificates with missing cPSuri 1886532 ASSIGNED Paul van Brouwershaven [ca-compliance] [leaf-revocation-delay] Next update 2024-09-30 2024-08-13T17:18:47Z 2024-03-20T17:22:26Z
Entrust: Failure to revoke EV TLS certificates issued before CPS update 1890685 ASSIGNED Bruce Morton [ca-compliance] [policy-failure] [leaf-revocation-delay] Next update 2024-09-30 2024-08-30T16:01:31Z 2024-04-09T23:40:57Z
GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints 1889062 ASSIGNED capoc [ca-compliance] [leaf-revocation-delay] 2024-08-29T09:18:11Z 2024-04-02T09:18:52Z
Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical 1887888 ASSIGNED Man Ho [ca-compliance] [leaf-revocation-delay] 2024-08-01T20:05:04Z 2024-03-26T14:39:37Z
Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem 1886665 ASSIGNED Man Ho [ca-compliance] [leaf-revocation-delay] 2024-08-01T20:05:04Z 2024-03-21T04:30:30Z
Microsec: Delayed revocation of the misissued certificates 1887110 ASSIGNED dr. Sándor SZŐKE [ca-compliance] [leaf-revocation-delay] 2024-08-31T20:11:28Z 2024-03-22T18:00:56Z
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation 1891331 ASSIGNED Tamás Horváth [ca-compliance] [leaf-revocation-delay] 2024-08-01T20:05:04Z 2024-04-13T22:07:56Z
Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical 1877388 ASSIGNED Arnold Essing [ca-compliance] [leaf-revocation-delay] 2024-09-11T06:06:23Z 2024-01-30T07:52:58Z
Telia: Delayed revocation of seven (7) certificates related to incident 1896108 1896553 ASSIGNED Antti Backman [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 2024-09-06T15:25:20Z 2024-05-14T04:48:55Z
TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order 1884568 ASSIGNED Hao-Chun Li [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 2024-09-09T15:32:53Z 2024-03-10T12:44:57Z
TWCA: Revocation delay for TLS certificates with non-critical basicConstraints 1886110 ASSIGNED chtsai [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2024-08-30 2024-09-06T22:27:40Z 2024-03-19T07:42:18Z
VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 1885568 ASSIGNED Andrea Holland [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2024-10-23 2024-08-16T18:58:11Z 2024-03-15T16:20:17Z

22 Total; 22 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: