CA/Incident Dashboard
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time |
---|---|---|---|---|---|
Certigna: Certificate issued with validity period greater than 398-days | 1774418 | ASSIGNED | Josselin Allemandou | [ca-compliance] | 2022-11-14T22:22:57Z |
CFCA: Certificate with wrong crlDistributionPoints | 1809382 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] [ev-misissuance] | 2023-01-16T14:56:09Z |
CFCA: Delayed reporting of intermediate CA certificate | 1784820 | ASSIGNED | Gao Fei | [ca-compliance] | 2022-11-14T22:22:57Z |
CFCA: Delayed reporting of revocation of an intermediate CA certificate | 1798812 | ASSIGNED | Gao Fei | [ca-compliance] | 2022-11-22T07:48:30Z |
CFCA: EV certificate with wrong PostalCode&Street | 1802845 | ASSIGNED | Gao Fei | [ca-compliance] [ev-misissuance] | 2023-01-06T17:25:40Z |
CFCA: ICA without EKU | 1793053 | ASSIGNED | Gao Fei | [ca-compliance] | 2023-01-04T02:09:11Z |
CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-11-14T22:22:57Z |
CFCA: The delay in revocation of ICA | 1793059 | ASSIGNED | Gao Fei | [ca-compliance] [ca-revocation-delay] | 2023-01-11T00:28:12Z |
CFCA: The wrong status of OCSP | 1778035 | ASSIGNED | Gao Fei | [ca-compliance] Next update 2022-10-15 | 2022-11-14T22:22:57Z |
E-Tugra: Incident Report (Security Issues) | 1801345 | ASSIGNED | Ahmed | [ca-compliance] Next update 2023-01-06 | 2023-01-24T20:10:15Z |
Entrust: Delayed Revocation for EV TLS Certificate incorrect jurisdiction | 1804753 | ASSIGNED | Bruce Morton | [ca-compliance] [leaf-revocation-delay] | 2023-01-16T18:00:46Z |
Entrust: EV TLS Certificate incorrect jurisdiction | 1802916 | ASSIGNED | Bruce Morton | [ca-compliance] [ev-misissuance] | 2023-01-06T17:23:50Z |
Entrust: TLS Certificate issued with an incorrect state or province | 1792231 | ASSIGNED | Bruce Morton | [ca-compliance] 2023-03-31 | 2022-11-14T22:22:57Z |
Hongkong Post: Subject CN converted to Unicode representation incident | 1804843 | ASSIGNED | Man Ho | [ca-compliance] [ov-misissuance] | 2023-01-12T14:36:02Z |
IdenTrust: Bad OCSP Responses | 1806728 | ASSIGNED | IdenTrust | [ca-compliance] | 2023-01-06T17:21:47Z |
NAVER Cloud: DV certificate issued with no subject alternative name extension | 1785865 | ASSIGNED | Han Yong, Park | [ca-compliance] | 2022-11-14T22:22:57Z |
SECOM: One of the EV certificate was mis-issued with the incorrect Registration Number by Cybertrust Japan (CTJ) | 1805866 | ASSIGNED | ONO Fumiaki | [ca-compliance] [ev-misissuance] | 2023-01-26T17:01:39Z |
Sectigo: Late CCADB update after CPS update | 1812336 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [disclosure-failure] | 2023-01-25T15:03:04Z |
SecureTrust: 2 certificates with non-DER encoded keyUsage extension | 1776764 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2023-01-01 | 2023-01-03T22:48:54Z |
SSL.com: Delayed revocation of certificate with weak key | 1800753 | ASSIGNED | Chris Kemmerer | [ca-compliance] [leaf-revocation-delay] | 2023-01-06T17:29:03Z |
SSL.com: Issuance of 1 EV TLS certificate using a Registration/Incorporation Agency not included in our approved public list. | 1790693 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2022-11-14T22:22:57Z |
TWCA: "unknown" OCSP response for issued certificates | 1793445 | ASSIGNED | Hao-Chun Li | [ca-compliance] | 2022-11-14T22:22:57Z |
UniTrust: EV certificate with wildcard domain in common name and SAN | 1787537 | ASSIGNED | chenxiaotong | [ca-compliance] | 2022-11-14T22:22:57Z |
UniTrust: EV certificate with wrong Registry Country Name | 1798626 | ASSIGNED | chenxiaotong | [ca-compliance] | 2022-11-14T22:22:57Z |
UniTrust: Improper DER results in failure to comply with RFC 5280 - Encoded sequence component with default value | 1735908 | ASSIGNED | chenxiaotong | [ca-compliance] Next update 2022-10-15 | 2022-11-14T22:22:57Z |
WISeKey: Bad ECDSA algorithm encoding in test certificate | 1804587 | ASSIGNED | Pedro Fuentes | [ca-compliance] [ov-misissuance] | 2023-01-06T17:31:27Z |
WISeKey: Incorrect businessCategory in EV certificate | 1808485 | ASSIGNED | Pedro Fuentes | [ca-compliance] [ev-misissuance] | 2023-01-09T11:46:34Z |
27 Total; 27 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time |
---|---|---|---|---|---|
CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-11-14T22:22:57Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
Summary | ID | Status | Assigned to | Whiteboard | Last change time |
---|---|---|---|---|---|
Amazon Trust Services: Delayed Revocation of Subordinate CA | 1743943 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] [delayed-revocation-ca] Next update 2023-03-17 | 2023-01-25T19:19:57Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: