CA/Incident Dashboard

From MozillaWiki
< CA
Jump to: navigation, search

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
Summary ID Status Assigned to Whiteboard Last change time
Actalis: Certificates issued with validity period greater than 398 days 1826713 ASSIGNED Adriano Santoni [ca-compliance] [ov-misissuance] 2023-05-18T10:48:24Z
Actalis: pre-certificates with “certificateHold” as the revocation reason 1824319 ASSIGNED Adriano Santoni [ca-compliance] [crl-failure] 2023-04-11T08:17:00Z
Amazon Trust Services: Delayed Revocation of Subordinate CA 1743943 ASSIGNED Trevoli (Amazon Trust Services) [ca-compliance] [ca-revocation-delay] 2023-05-30T17:17:55Z
Asseco DS / Certum: Cross-Signed non-EV-audited root with an EV-enabled root 1815355 ASSIGNED Aleksandra Kurosz [ca-compliance] [ca-misissuance] 2023-04-27T16:17:31Z
Asseco DS / Certum: Delayed revocation of SHECA cross certificate 1825734 ASSIGNED Aleksandra Kurosz [ca-compliance] [ca-revocation-delay] Next update 2023-04-28 2023-05-19T21:00:56Z
Asseco DS / Certum: Delayed revocation of SSL.COM cross certificate 1826363 ASSIGNED Aleksandra Kurosz [ca-compliance] [ca-revocation-delay] 2023-05-19T20:58:57Z
Asseco DS / Certum: Subordinate certificates with sequential serial number 1832093 ASSIGNED Wojciech Trapczyński [ca-compliance] [ca-misissuance] 2023-05-30T17:36:56Z
certSIGN: Findings in 2023 ETSI Audit for certSIGN ROOT CA G2 - Audit Incident Report 1833667 ASSIGNED Gabriel PETCU [ca-compliance] [audit-finding] 2023-05-17T16:32:48Z
CFCA: Certificate with wrong crlDistributionPoints 1809382 ASSIGNED Gao Fei [ca-compliance] [ov-misissuance] [ev-misissuance] Next update 2023-05-10 2023-05-09T01:20:54Z
CFCA: Delayed reporting of intermediate CA certificate 1784820 ASSIGNED Gao Fei [ca-compliance] [disclosure-failure] 2023-04-21T09:03:04Z
CFCA: EV certificate with wrong PostalCode&Street 1802845 ASSIGNED Gao Fei [ca-compliance] [ev-misissuance] 2023-04-13T07:25:58Z
CFCA: ICA without EKU 1793053 ASSIGNED Gao Fei [ca-compliance] [ca-misissuance] Next update 2023-03-30 2023-04-07T13:48:15Z
CFCA: The delay in revocation of ICA 1793059 ASSIGNED Gao Fei [ca-compliance] [ca-revocation-delay] 2023-04-28T19:37:44Z
Cybertrust Japan: CRL signature algorithm encoding error 1827490 ASSIGNED masahiro.shikutani [ca-compliance] [crl-failure] 2023-05-30T17:41:13Z
DigiCert: 4 CRL's not responding 1820269 ASSIGNED Martin Sullivan [ca-compliance] [crl-failure] Next update 2023-05-01 2023-05-01T22:49:11Z
e-commerce monitoring gmbh: certificate issued with two pre-certificates 1830536 ASSIGNED Daniel Zens [ca-compliance] 2023-05-05T15:37:07Z
e-commerce monitoring GmbH: SCT in precertificate 1815534 ASSIGNED Daniel Zens [ca-compliance] [ov-misissuance] 2023-04-28T14:22:13Z
E-Tugra: Incident Report (Security Issues) 1801345 ASSIGNED Ahmed [ca-compliance] [uncategorized] 2023-05-30T17:49:01Z
Firmaprofesional: 2023 - documentary inconsistency 1832342 ASSIGNED Maria Jose Prieto [ca-compliance] 2023-05-11T07:29:54Z
FNMT: CRL problems displayed during the monitoring 1828717 ASSIGNED Amaya Espinosa [ca-compliance] [crl-failure] 2023-05-10T07:37:19Z
IdenTrust Certificate in error flagged by OCSP Watch 1831004 ASSIGNED IdenTrust [ca-compliance] [ocsp-failure] 2023-05-12T21:16:52Z
Netlock: Disclosed CRL is expired 1819105 ASSIGNED Tamás Horváth [ca-compliance] [crl-failure] 2023-05-19T20:13:14Z
NETLOCK: Pre-certificates revoked with certificateHold reason 1830823 ASSIGNED Tamás Horváth [ca-compliance] 2023-05-17T14:08:45Z
NETLOCK: SSL certificates with OU field 1820174 ASSIGNED Tamás Horváth [ca-compliance] [ov-misissuance] 2023-05-17T13:17:02Z
NETLOCK: SSL certificates with OU field - revocation delay 1822809 ASSIGNED Tamás Horváth [ca-compliance] [leaf-revocation-delay] 2023-05-17T13:28:34Z
Sectigo: Certificate issuance delayed for more than 398 days after DCV was completed 1829746 ASSIGNED Martijn Katerbarg [ca-compliance] [ev-misissuance] 2023-05-30T17:33:37Z
Sectigo: Late revocation for incomplete Subject organizationName 1818073 ASSIGNED Martijn Katerbarg [ca-compliance] [leaf-revocation-delay] Next update 2023-05-31 2023-03-31T19:26:43Z
Sectigo: Late termination of privileged access to Certificate Systems 1830088 ASSIGNED Martijn Katerbarg [ca-compliance] 2023-05-24T14:57:32Z
SHECA: organizationName problems in OV and EV TLS certificates 1815527 ASSIGNED chenxiaotong [ca-compliance] [ov-misissuance][ev-misissuance] 2023-04-10T04:53:43Z
SSL.com: Delayed revocation of certificate with weak key 1800753 ASSIGNED Thomas Zermeno [ca-compliance] [leaf-revocation-delay] 2023-04-13T14:18:25Z
SSL.com: e-Tugra Security Issues 1832570 ASSIGNED Thomas Zermeno [ca-compliance] [uncategorized] 2023-05-26T20:21:41Z
Telekom Security: Improper use of a domain validation method 1825780 ASSIGNED Arnold Essing [ca-compliance] Next update 2023-04-21 2023-05-25T13:57:58Z
Telia: Misissued certificate - wrong OrganizationName value "Hair 8 Brains" 1828105 ASSIGNED pekka.lahtiharju [ca-compliance] [ov-misissuance] 2023-05-16T13:32:54Z
UniTrust: EV certificate with wrong Registry Country Name 1798626 ASSIGNED chenxiaotong [ca-compliance] [ev-misissuance] 2023-04-13T03:13:44Z
UniTrust: Improper DER results in failure to comply with RFC 5280 - Encoded sequence component with default value 1735908 ASSIGNED chenxiaotong [ca-compliance] [ca-misissuance] 2023-04-25T08:08:39Z
VikingCloud: Incorrect organizationName 1826235 ASSIGNED Janet Hines [ca-compliance] [ov-misissuance] 2023-04-21T18:09:22Z

36 Total; 36 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: