CA/Incident Dashboard
From MozillaWiki
< CA
Contents
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1463975 | GRCA: Misissued certificates: Invalid commonName, commonName not in SAN | ASSIGNED | National Development Council | [ca-compliance] | 2020-01-22T23:54:10Z |
| 1496616 | Consorci AOC: Qualified audit statements | ASSIGNED | Francesc Ferrer | [ca-compliance] | 2020-01-22T20:46:43Z |
| 1502957 | Camerfirma: MULTICERT Misissuance and missing audits | ASSIGNED | Juan Angel Martin | [ca-compliance] | 2020-01-22T23:20:59Z |
| 1523221 | GRCA: Misissued certificates - invalid CN, bad validity period, missing extensions | ASSIGNED | National Development Council | [ca-compliance] | 2020-01-23T00:03:30Z |
| 1524733 | CFCA: invalid dnsNames | ASSIGNED | Jonathan Sun | [ca-compliance] - Next Update - 05-February 2020 | 2020-01-23T16:58:56Z |
| 1532113 | CFCA: O > 64 characters | ASSIGNED | Oliver Bi | [ca-compliance] - Next Update - 05-Febrruary 2020 | 2020-01-23T17:48:25Z |
| 1532436 | Chunghwa Telecom: Test certificate with unregistered domain name | ASSIGNED | Li-Chun CHEN | [ca-compliance] - 19-February 2020 | 2020-01-23T17:36:14Z |
| 1532559 | CFCA: Wrong SerialNumber encoding | ASSIGNED | Jonathan Sun | [ca-compliance] - Next Update - 05 February 2020 | 2020-01-23T16:57:13Z |
| 1533774 | GoDaddy: Insufficient serial number entropy | ASSIGNED | Joanna | [ca-compliance] | 2020-01-24T00:58:14Z |
| 1550645 | Digicert: CAA Checking Issue | ASSIGNED | Brenda Bernal | [ca-compliance] | 2019-11-12T00:39:46Z |
| 1551362 | Sectigo: "Some-State" in stateOrProvinceName | ASSIGNED | Robin Alden | [ca-compliance] | 2020-01-23T21:50:19Z |
| 1551372 | Telia: "Some-State" in stateOrProvinceName | ASSIGNED | pekka.lahtiharju | [ca-compliance] | 2020-01-24T10:37:31Z |
| 1558552 | SwissSign: CP/CPS certificate profile issue | ASSIGNED | Mike Guenther | [ca-compliance] - Next Update - 01-September 2019 | 2019-10-22T15:01:09Z |
| 1559765 | Izenpe: Multiple invalid EV certificates issued | ASSIGNED | Oscar Garcia | [ca-compliance] - Next Update - 01-January 2020 | 2019-12-03T04:49:22Z |
| 1563573 | DigiCert: Failure to disclose Unconstrained Intermediate within 7 Days | ASSIGNED | Brenda Bernal | [ca-compliance] | 2020-01-24T01:22:05Z |
| 1563579 | Sectigo: Failure to provide timely incident reports | ASSIGNED | Robin Alden | [ca-compliance] | 2020-01-22T20:02:51Z |
| 1565270 | Telia: Qualified BR Audit Statement | ASSIGNED | pekka.lahtiharju | [ca-compliance] | 2020-01-23T17:31:29Z |
| 1573937 | DigiCert/Verizon: Qualified 2019 Audit Statements | ASSIGNED | Brenda Bernal | [ca-compliance] - Next Update - 30-January 2020 | 2020-01-15T15:27:59Z |
| 1575022 | Sectigo: EV SSL Certificates with incorrect subject details. | ASSIGNED | Robin Alden | [ca-compliance] | 2020-01-22T17:44:29Z |
| 1575880 | GlobalSign: SSL Certificates with US country code and invalid State/Prov | ASSIGNED | douglas.beattie | [ca-compliance] | 2020-01-22T20:07:29Z |
| 1576013 | DigiCert: JOI Issue | ASSIGNED | Jeremy Rowley | [ca-compliance] | 2020-01-15T13:47:29Z |
| 1578505 | LuxTrust: Outdated audit statement for intermediate cert | NEW | Yves Nullens | [ca-compliance] - Overdue Audit for intermediate cert | 2020-01-21T20:51:07Z |
| 1581597 | QuoVadis: Unconstrained CAs missing audits | ASSIGNED | Stephen Davidson | [ca-compliance] | 2019-12-31T05:02:38Z |
| 1586125 | PKIoverheid: No BR Audit for subCAs technically capable of issuing TLS certs | REOPENED | Jorik van 't Hof | [ca-compliance] - Next Update - 21-March-2020 | 2020-01-21T08:11:19Z |
| 1586787 | Actalis: Issuance of intermediates after 2019-01-01 that do not comply with Mozilla Policy | ASSIGNED | Giorgio Girelli | [ca-compliance] | 2019-10-22T10:17:35Z |
| 1586795 | NetLock: Issuance of intermediates after 2019-01-01 that do not comply with Mozilla Policy | ASSIGNED | Varga Viktor | [ca-compliance] | 2019-11-11T12:57:54Z |
| 1588001 | Apple OCSP responders return responses with incorrect issuer | ASSIGNED | certification_authority | [ca-compliance] - Next Update - 31-March 2020 | 2020-01-11T01:28:21Z |
| 1588213 | IdenTrust: Missing Thumbprints In Some Annual Audit Reports | ASSIGNED | roots | [ca-compliance] | 2019-11-23T00:20:10Z |
| 1589047 | QuoVadis: Incorrect EV jurisdiction of incorporation information | REOPENED | Stephen Davidson | [ca-compliance] - Next Update - 31-January 2020 | 2020-01-23T16:56:06Z |
| 1590810 | Sectigo: EV SSL Certificates with incorrect businessCategory | ASSIGNED | Robin Alden | [ca-compliance] | 2019-12-27T23:24:18Z |
| 1593776 | Sectigo: invalid subject:organizationalUnitName on DV certificates | ASSIGNED | Robin Alden | [ca-compliance] | 2020-01-22T20:05:43Z |
| 1595113 | Buypass: Intermediate certificates not listed in audit reports | ASSIGNED | Mads Henriksveen | [ca-compliance] | 2019-11-12T16:31:56Z |
| 1597947 | Sectigo: CCADB failed ALV - Network Solutions Certificate Authority | ASSIGNED | Robin Alden | [ca-compliance] | 2019-12-02T14:48:51Z |
| 1597948 | Sectigo: CCADB failed ALV - D-TRUST CA 2-1 2015 | ASSIGNED | Robin Alden | [ca-compliance] | 2019-12-02T14:48:50Z |
| 1597950 | Sectigo: CCADB failed ALV - Ensured Root CA | ASSIGNED | Robin Alden | [ca-compliance] | 2019-12-02T14:48:54Z |
| 1598319 | Buypass: intermediate certificates not revoked within BR time period | ASSIGNED | Mads Henriksveen | [ca-compliance] | 2019-11-21T19:44:49Z |
| 1598390 | Microsoft: Null Character Bug and Microsoft Root CAs | ASSIGNED | Jason Cooper | [ca-compliance] | 2020-01-22T21:42:38Z |
| 1598829 | Apple: Patch Management | ASSIGNED | certification_authority | [ca-compliance] | 2019-11-26T01:08:20Z |
| 1599484 | Entrust: EV Certificates Issued with Business Category "Non-Commercial" when it should have been set to "Private Organization" | ASSIGNED | Dathan Demone | [ca-compliance] - Next Update - 31-January 2020 | 2020-01-21T20:33:02Z |
| 1599503 | TrustCor: Non-mention of Email CAs in WTBR audit reports | ASSIGNED | Neil Dunbar | [ca-compliance] | 2019-11-26T21:10:05Z |
| 1604124 | Microsoft: problem reporting e-mail in CPS does not work | ASSIGNED | Jason Cooper | [ca-compliance] | 2020-01-22T21:44:30Z |
| 1605126 | PKIoverheid: Missing WTBR audit statements Staat der Nederlanden 2017/2018 | ASSIGNED | Jorik van 't Hof | [ca-compliance] | 2020-01-21T23:34:06Z |
| 1605804 | GoDaddy: Domain Validation Reuse Issue | ASSIGNED | Joanna | [ca-compliance] | 2020-01-07T22:45:44Z |
| 1606031 | SecureTrust: BR Audit 2019 - matters to be resolved | ASSIGNED | Corey Bonnell | [ca-compliance] | 2020-01-22T21:25:59Z |
| 1606380 | Firmaprofesional: 2019 Audit Report Findings | ASSIGNED | chemalogo | [ca-compliance] | 2020-01-21T09:50:34Z |
| 1609501 | WISeKey: Typo in Organization field | ASSIGNED | Pedro Fuentes | [ca-compliance] | 2020-01-23T13:57:30Z |
| 1609706 | PKIoverheid: Missing audit statement "UZI-register Medewerker Niet op Naam CA G21" | ASSIGNED | Jorik van 't Hof | [ca-compliance] | 2020-01-17T18:15:04Z |
| 1610000 | SSL.com: Intermediate certificate not listed in audit reports | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2020-01-17T19:21:23Z |
| 1610303 | D-TRUST: Issuance of non-conformant SSL certificate | ASSIGNED | Enrico Entschew | [ca-compliance] | 2020-01-23T17:29:44Z |
| 1610448 | Firmaprofesional: 2019 audit Finding #1 - 6.2 Identification and Authorization | ASSIGNED | chemalogo | [ca-compliance] | 2020-01-21T20:55:44Z |
50 Total; 50 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1575530 | Camerfirma: Govern d'Andorra audits | ASSIGNED | Juan Angel Martin | [ca-compliance] [delayed-revocation-ca] | 2020-01-03T13:21:47Z |
| 1580525 | D-TRUST: Delayed revocation of EV certificates | ASSIGNED | Enrico Entschew | [ca-compliance] [delayed-revocation-leaf] | 2019-12-27T19:30:35Z |
| 1586860 | Camerfirma: Invalid authorityKeyIdentifier, violating Mozilla Policy and RFC 5280 | ASSIGNED | Juan Angel Martin | [ca-compliance] [delayed-revocation-ca] | 2020-01-20T16:46:22Z |
| 1591005 | GlobalSign: ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report | ASSIGNED | Arvid Vermote | [ca-compliance] [delayed-revocation-ca] | 2020-01-06T16:43:43Z |
| 1598608 | Izenpe: intermediate certificates not revoked within BR time period | ASSIGNED | Oscar Garcia | [ca-compliance] [delayed-revocation-ca] | 2020-01-22T21:51:41Z |
| 1598807 | IdenTrust: Undisclosed Unrevoked ICA’s | ASSIGNED | roots | [ca-compliance] [delayed-revocation-ca] Next Update - 31-Jan 2020 | 2019-12-30T22:24:32Z |
| 1599571 | TrustCor: Non-revocation of CA certificates within 7 days | ASSIGNED | Neil Dunbar | [ca-compliance] [delayed-revocation-ca] Next Update - 1-Apr 2020 | 2019-12-14T00:06:59Z |
| 1599788 | GlobalSign: Failure to revoke noncompliant ICA not revoked within 7 days | ASSIGNED | Arvid Vermote | [ca-compliance] [delayed-revocation-ca] Next Update - 4-Dec 2019 | 2019-12-03T00:04:22Z |
| 1599916 | QuoVadis: Unconstrained CAs revocation | ASSIGNED | Stephen Davidson | [ca-compliance] [delayed-revocation-ca] Next Update - 31-Dec 2019 | 2019-12-02T23:59:20Z |
| 1609828 | Camerfirma: Decision not to revoke certificates with authorityKeyIdentifier that violates Mozilla Policy | ASSIGNED | Juan Angel Martin | [ca-compliance] [delayed-revocation-leaf] | 2020-01-17T23:08:19Z |
| 1610767 | WISeKey: Failure to meet revocation deadline | ASSIGNED | Pedro Fuentes | [ca-compliance] [delayed-revocation-leaf] Next Update - 23-January 2020 | 2020-01-23T22:04:52Z |
| 1611241 | Entrust: Compromised Private Key was not Revoked in Less than 24 Hours | ASSIGNED | Dathan Demone | [ca-compliance] [delayed-revocation-leaf] | 2020-01-23T21:53:37Z |
12 Total; 12 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
