CA/Incident Dashboard
Contents
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Certigna: Certificate issued with validity period greater than 398-days | 1774418 | ASSIGNED | Josselin Allemandou | [ca-compliance] | 2022-11-14T22:22:57Z |
| CFCA: Certificate with wrong crlDistributionPoints | 1809382 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] [ev-misissuance] | 2023-01-16T14:56:09Z |
| CFCA: Delayed reporting of intermediate CA certificate | 1784820 | ASSIGNED | Gao Fei | [ca-compliance] | 2022-11-14T22:22:57Z |
| CFCA: Delayed reporting of revocation of an intermediate CA certificate | 1798812 | ASSIGNED | Gao Fei | [ca-compliance] | 2022-11-22T07:48:30Z |
| CFCA: EV certificate with wrong PostalCode&Street | 1802845 | ASSIGNED | Gao Fei | [ca-compliance] [ev-misissuance] | 2023-01-06T17:25:40Z |
| CFCA: ICA without EKU | 1793053 | ASSIGNED | Gao Fei | [ca-compliance] | 2023-01-04T02:09:11Z |
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-11-14T22:22:57Z |
| CFCA: The delay in revocation of ICA | 1793059 | ASSIGNED | Gao Fei | [ca-compliance] [ca-revocation-delay] | 2023-01-11T00:28:12Z |
| CFCA: The wrong status of OCSP | 1778035 | ASSIGNED | Gao Fei | [ca-compliance] Next update 2022-10-15 | 2022-11-14T22:22:57Z |
| E-Tugra: Incident Report (Security Issues) | 1801345 | ASSIGNED | Ahmed | [ca-compliance] Next update 2023-01-06 | 2023-01-24T20:10:15Z |
| Entrust: Delayed Revocation for EV TLS Certificate incorrect jurisdiction | 1804753 | ASSIGNED | Bruce Morton | [ca-compliance] [leaf-revocation-delay] | 2023-01-16T18:00:46Z |
| Entrust: EV TLS Certificate incorrect jurisdiction | 1802916 | ASSIGNED | Bruce Morton | [ca-compliance] [ev-misissuance] | 2023-01-06T17:23:50Z |
| Entrust: TLS Certificate issued with an incorrect state or province | 1792231 | ASSIGNED | Bruce Morton | [ca-compliance] 2023-03-31 | 2022-11-14T22:22:57Z |
| Hongkong Post: Subject CN converted to Unicode representation incident | 1804843 | ASSIGNED | Man Ho | [ca-compliance] [ov-misissuance] | 2023-01-12T14:36:02Z |
| IdenTrust: Bad OCSP Responses | 1806728 | ASSIGNED | IdenTrust | [ca-compliance] | 2023-01-06T17:21:47Z |
| NAVER Cloud: DV certificate issued with no subject alternative name extension | 1785865 | ASSIGNED | Han Yong, Park | [ca-compliance] | 2022-11-14T22:22:57Z |
| SECOM: One of the EV certificate was mis-issued with the incorrect Registration Number by Cybertrust Japan (CTJ) | 1805866 | ASSIGNED | ONO Fumiaki | [ca-compliance] [ev-misissuance] | 2023-01-26T17:01:39Z |
| Sectigo: Late CCADB update after CPS update | 1812336 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [disclosure-failure] | 2023-01-25T15:03:04Z |
| SecureTrust: 2 certificates with non-DER encoded keyUsage extension | 1776764 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2023-01-01 | 2023-01-03T22:48:54Z |
| SSL.com: Delayed revocation of certificate with weak key | 1800753 | ASSIGNED | Chris Kemmerer | [ca-compliance] [leaf-revocation-delay] | 2023-01-06T17:29:03Z |
| SSL.com: Issuance of 1 EV TLS certificate using a Registration/Incorporation Agency not included in our approved public list. | 1790693 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2022-11-14T22:22:57Z |
| TWCA: "unknown" OCSP response for issued certificates | 1793445 | ASSIGNED | Hao-Chun Li | [ca-compliance] | 2022-11-14T22:22:57Z |
| UniTrust: EV certificate with wildcard domain in common name and SAN | 1787537 | ASSIGNED | chenxiaotong | [ca-compliance] | 2022-11-14T22:22:57Z |
| UniTrust: EV certificate with wrong Registry Country Name | 1798626 | ASSIGNED | chenxiaotong | [ca-compliance] | 2022-11-14T22:22:57Z |
| UniTrust: Improper DER results in failure to comply with RFC 5280 - Encoded sequence component with default value | 1735908 | ASSIGNED | chenxiaotong | [ca-compliance] Next update 2022-10-15 | 2022-11-14T22:22:57Z |
| WISeKey: Bad ECDSA algorithm encoding in test certificate | 1804587 | ASSIGNED | Pedro Fuentes | [ca-compliance] [ov-misissuance] | 2023-01-06T17:31:27Z |
| WISeKey: Incorrect businessCategory in EV certificate | 1808485 | ASSIGNED | Pedro Fuentes | [ca-compliance] [ev-misissuance] | 2023-01-09T11:46:34Z |
27 Total; 27 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-11-14T22:22:57Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Amazon Trust Services: Delayed Revocation of Subordinate CA | 1743943 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] [delayed-revocation-ca] Next update 2023-03-17 | 2023-01-25T19:19:57Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
