CA/Incident Dashboard

From MozillaWiki
< CA
Jump to: navigation, search

Open CA Bugs in Bugzilla

Open Incident Related Bugs

Investigation or Discussion

Concern has been raised about certificates that a CA has issued. Investigation and/or discussion in progress.

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);


Resulting CA Action Items

The concern about a CA's certificates has been confirmed, and the CA has follow-up action items.

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1424305 Incident report for Microsoft Dynamics incident NEW Jeremy Rowley [ca-incident] - Need Incident Report 2018-02-16T19:11:06Z
1429639 DigiCert: BR 3.2.5 Validation of Authority Failure for OV Certs NEW Jeremy Rowley [ca-incident] - Need remediation status 2018-02-15T21:13:53Z

2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern.

Anyone may create a CA Compliance bug as follows:

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1304895 DigiCert: TI Trust Technologies Global CA issued certificate with no subject alternative name extension NEW Ben Wilson [ca-compliance] 2018-02-14T23:12:35Z
1390977 Camerfirma: Non-BR-Compliant Certificate Issuance NEW Ramiro Muñoz Muñoz [ca-compliance] 2018-02-14T23:12:40Z
1390988 Consorci AOC: Non-BR-Compliant Certificate Issuance NEW Francesc Ferrer [ca-compliance] 2018-02-14T19:58:50Z
1390990 D-TRUST: Non-BR-Compliant Certificate Issuance NEW Arno Fiedler [ca-compliance] [remediation-accepted] Next Action: 2018-06-16 2018-02-20T23:48:41Z
1391063 QuoVadis: Non-BR-Compliant Certificate Issuance NEW Stephen Davidson [ca-compliance] [remediation-accepted] Next Update - 2018-06-30 2018-02-20T23:33:41Z
1391068 Taiwan-CA: Non-BR-Compliant Certificate Issuance NEW Robin Lin [ca-compliance] - Next Update - 15-May 2018 2018-02-14T23:12:36Z
1391074 T-Systems: Non-BR-Compliant Certificate Issuance NEW Lothar Eickholt [ca-compliance] 2018-02-14T23:12:33Z
1391087 Visa: Non-BR-Compliant Certificate Issuance NEW Marcelo B. Silva [ca-compliance] 2018-02-23T15:31:44Z
1397957 DigiCert / CTJ: Metadata in OU fields, Reserved IP Address NEW Jeremy Rowley [ca-compliance] 2018-02-14T23:12:34Z
1397960 DigiCert / Telecom Italia: Several Problems NEW Jeremy Rowley [ca-compliance] 2018-02-14T23:12:40Z
1397961 DigiCert / Justica: Invalid DNS names NEW Jeremy Rowley [ca-compliance] - Need updated audit statements for the subCA 2018-02-14T23:12:36Z
1398242 Disig: Non-BR-Compliant OCSP Responders NEW Peter Miskovic [ca-compliance] 2018-02-14T23:12:37Z
1398246 Consorci AOC: Non-BR-Compliant OCSP Responders NEW Francesc Ferrer [ca-compliance] 2018-02-14T23:12:33Z
1398247 DocuSign/Keynectis: Non-BR-Compliant OCSP Responders NEW Erwann Abalea [ca-compliance] 2018-02-14T23:12:31Z
1398259 SECOM: Non-BR-Compliant OCSP Responders NEW Hisashi Kamo [ca-compliance] [remediation-accepted] Next Update - 5-Mar 2018 2018-02-14T23:12:37Z
1398261 Visa: Non-BR-Compliant OCSP Responders NEW Marcelo B. Silva [ca-compliance] 2018-02-23T15:32:02Z
1398269 DigiCert: Non-BR-Compliant OCSP Responders NEW Jeremy Rowley [ca-compliance] - Next Update - 30-April 2018 2018-02-14T23:12:39Z
1409766 Certum: CAA Mis-Issuance on CNAME pointing directly to restrictive CAA record UNCONFIRMED Arkadiusz Ławniczak [ca-compliance] 2018-02-14T23:12:36Z
1410834 Comodo: CAA Mis-Issuance on basic test case UNCONFIRMED Robin Alden [ca-compliance] 2018-02-14T23:12:31Z
1417771 DigiCert: Symantec non-constrained/non-disclosed intermediates UNCONFIRMED Jeremy Rowley [ca-compliance] 2018-02-14T23:12:38Z
1420860 Asseco/Certum: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN UNCONFIRMED Arkadiusz Ławniczak [ca-compliance] 2018-02-14T23:12:41Z
1425805 Consorci AOC: Insufficient Audit Statements UNCONFIRMED Francesc Ferrer [ca-compliance] 2018-02-14T23:12:32Z
1426247 Telia: Non-BR-Compliant OCSP Responder NEW pekka.lahtiharju [ca-compliance] 2018-02-14T23:12:38Z
1426249 Trustis: Non-Br-Compliant OCSP Responder NEW Blake Morgan [ca-compliance] 2018-02-14T23:12:34Z
1428877 SwissSign: Invalid DNSName in SAN NEW Reinhard Dietrich [ca-compliance] 2018-02-19T08:50:43Z
1430909 Quovadis: Non-BR-Compliant issuance --improper characters in DNSName (BIT sub-CA) NEW Stephen Davidson [ca-compliance] - Next Update - mid-Feb 2018 2018-02-14T23:12:39Z
1431164 Camerfirma: Non-BR-Compliant Issuance - Non-printable characters in OU field NEW Juan Angel Martin [ca-compliance] 2018-02-17T22:47:30Z
1436173 Digicert: SCEE / Justica: Non-BR-Compliant Certificate Issuance NEW Ben Wilson [ca-compliance] 2018-02-14T23:12:39Z
1439123 GoDaddy: Failure to respond to January 2018 survey REOPENED Daymion Reynolds [ca-compliance] 2018-02-20T07:12:42Z
1439126 Certinomis/Docapost: Failure to respond to January 2018 survey NEW Franck Leroy [ca-compliance] 2018-02-20T18:41:59Z
1439127 TurkTrust: Failure to respond to January 2018 survey NEW Atilla Biler [ca-compliance] 2018-02-17T22:34:12Z
1439128 E-Tugra: Failure to respond to January 2018 survey NEW Davut Tokgöz [ca-compliance] 2018-02-20T16:21:44Z
1439129 DSV-Gruppe: Failure to respond to January 2018 survey NEW Wayne Thayer [:wayne] [ca-compliance] 2018-02-17T22:33:20Z

33 Total; 33 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs. These bugs may have been valid and remedied by the CA, or may have been deemed invalid and closed as unnecessary.

Full Query
ID Summary Status Resolution Last change time
988633 GoDaddy: improperly encoded certificate issued by Go Daddy Secure Certification Authority RESOLVED FIXED 2017-09-20T01:27:06Z
1017157 DigiCert: no subject alternative name in Siemens certs RESOLVED FIXED 2017-04-26T19:23:50Z
1029147 [meta] Bug for Tracking BR Compliance Issues RESOLVED WORKSFORME 2018-01-18T18:13:04Z
1195115 Swisscom: certificates without DNS names in subjectAltName RESOLVED WONTFIX 2017-05-02T06:37:04Z
1262610 DigiCert: ECCE 001 issuing certificates without subject alternative name extension RESOLVED FIXED 2017-04-26T19:23:50Z
1267049 Izenpe: EV certificate with various issues RESOLVED FIXED 2017-04-26T19:23:50Z
1335132 DigiCert: Verizon mis-issued test certificates RESOLVED FIXED 2017-11-28T10:37:09Z
1339339 DigiCert: Non-BR Compliant Certificates - missing CP/CPS OID RESOLVED FIXED 2017-04-26T19:23:50Z
1353827 DigiCert: DigiCert issued cert with CN too long RESOLVED FIXED 2017-09-21T04:55:30Z
1357067 Camerfirma: certs with duplicate SANs and without localityName or stateOrProvinceName RESOLVED FIXED 2017-10-13T16:52:00Z
1367842 TurkTrust: Non-audited, non-technically-constrained intermediate certs RESOLVED FIXED 2017-10-09T12:01:43Z
1368171 Firmaprofesional: Non-audited, non-technically-constrained intermediate certs RESOLVED FIXED 2017-10-13T21:42:23Z
1368176 DigiCert: Non-audited, non-technically-constrained intermediate certs RESOLVED FIXED 2017-09-18T14:26:46Z
1368178 Symantec: Non-audited, non-technically-constrained intermediate cert RESOLVED FIXED 2017-08-18T21:57:16Z
1369342 StartCom: 'un-revoking' intermediate certificates RESOLVED FIXED 2017-09-21T14:04:49Z
1369359 StartCom: mis-issuance of certs with unvalidated domain names and bogus field values RESOLVED FIXED 2017-10-09T12:02:21Z
1374381 SwissSign: BRs require full annual audits RESOLVED FIXED 2017-12-05T22:11:40Z
1386891 Certinomis: Cross-signing of StartCom intermediate certs, and delay in reporting it in CCADB RESOLVED FIXED 2017-10-24T09:52:02Z
1386894 StartCom: Non-BR-Compliant Certificate Issuance -- adding Certnomis intermediates to OneCRL RESOLVED DUPLICATE 2017-09-21T23:32:55Z
1389172 DigiCert: Certificate Issues Identified on the Mailing List RESOLVED FIXED 2017-09-20T05:01:50Z
1390974 Actalis: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-09-20T05:24:05Z
1390978 Certinomis: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-11-29T14:19:25Z
1390979 certSIGN: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-10-13T18:10:15Z
1390981 Comodo: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-12-08T11:36:13Z
1390991 Disig: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2018-02-09T22:09:08Z
1390994 DocuSign/Keynectis: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-12-01T13:23:51Z
1390996 Entrust: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-12-01T11:53:40Z
1390997 GlobalSign: Non-BR-Compliant Certificate Issuance - metadata-only subject fields RESOLVED FIXED 2017-09-05T19:52:28Z
1390998 Kamu SM: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-08-24T19:03:11Z
1391000 IdenTrust: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-10-13T16:09:23Z
1391054 Izenpe: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2018-01-15T16:59:19Z
1391055 Microsec e-Szigno: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-12-01T12:04:56Z
1391056 NetLock: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2018-02-09T22:13:50Z
1391058 PROCERT: Non-BR-Compliant Certificate Issuance RESOLVED DUPLICATE 2017-10-18T13:50:29Z
1391064 SECOM: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2018-02-09T21:45:58Z
1391066 SwissSign: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-11-30T16:21:32Z
1391067 Symantec: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2018-02-09T21:52:08Z
1391089 WISeKey: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-11-28T11:14:09Z
1391429 GoDaddy: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-12-01T10:21:56Z
1391864 Staat der Nederlandend / PKIoverheid: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-09-01T14:34:07Z
1391867 Let's Encrypt: Non-BR-Compliant Certificate Issuance RESOLVED FIXED 2017-08-21T19:00:02Z
1393555 GlobalSign: Non-BR-Compliant Certificate Issuance -- double-dots in dnsName RESOLVED FIXED 2017-12-05T15:44:16Z
1393557 GlobalSign: Non-BR-Compliant Certificate Issuance -- RSA key smaller than 2048 bits RESOLVED FIXED 2017-11-22T14:44:37Z
1397832 GRCA: Signing SHA-1 OCSP responses with unconstrained certificate RESOLVED FIXED 2017-11-28T11:47:07Z
1397951 DigiCert / InfoCert: Insufficient Serial Number Entropy RESOLVED FIXED 2017-10-13T21:36:08Z
1397954 DigiCert / Siemens: Insufficient Serial Number Entropy RESOLVED FIXED 2017-10-12T12:59:18Z
1397958 DigiCert / Terena: Metadata in OU fields RESOLVED FIXED 2017-09-20T05:13:05Z
1397963 DigiCert / Wells Fargo: Invalid DNS names RESOLVED FIXED 2018-02-06T17:24:54Z
1397965 DigiCert / Swiss Government: CommonName not in SANs RESOLVED FIXED 2017-09-20T05:36:53Z
1397968 DigiCert / Verizon: Reserved/Intranet domain name RESOLVED DUPLICATE 2017-09-08T12:24:16Z
1397969 DigiCert / Inteso San Paulo: Double dot characters RESOLVED FIXED 2018-02-05T19:06:40Z
1398233 Sertifitseerimiskeskuse: Non-BR-Compliant OCSP Responders RESOLVED FIXED 2017-11-28T11:57:11Z
1398240 Firmaprofesional: Non-BR-Compliant OCSP Responders RESOLVED FIXED 2017-11-28T11:59:22Z
1398243 certSIGN: Non-BR-Compliant OCSP Responders RESOLVED FIXED 2018-02-07T18:05:33Z
1398251 Staat der Nederlandend / PKIoverheid: Non-BR-Compliant OCSP Responders RESOLVED FIXED 2017-11-28T12:05:23Z
1398255 IdenTrust: Non-BR-Compliant OCSP Responders RESOLVED FIXED 2018-01-11T15:33:46Z
1398258 Izenpe: Non-BR-Compliant OCSP Responders RESOLVED FIXED 2017-10-11T15:26:13Z
1398427 ISRG / Let's Encrypt: CAA Misissuances RESOLVED FIXED 2017-09-21T16:48:03Z
1398428 Amazon: CAA Misissuances RESOLVED FIXED 2017-11-03T12:10:13Z
1398545 Comodo: CAA Misissuance RESOLVED FIXED 2017-12-06T16:36:39Z
1401211 NetLock: Non-BR-Compliant Certificate Issuance -- * in not the leftmost position in dnsName RESOLVED FIXED 2017-10-24T14:14:40Z
1401486 T-Systems/DFN-PKI cablint findings, follow up to T-Systems Bug 1391074 RESOLVED FIXED 2018-01-18T13:14:56Z
1404403 SwissSign: Two certs issued with same issuer and serial number RESOLVED FIXED 2017-10-12T16:54:04Z
1405815 Camerfirma: Certs issued with same issuer and serial number RESOLVED FIXED 2017-10-13T08:25:10Z
1405817 Actalis: Certs issued with same issuer and serial number RESOLVED FIXED 2018-01-18T15:49:40Z
1405826 Trustwave: Certs issued with same issuer and serial number RESOLVED FIXED 2017-10-07T08:39:54Z
1409735 RapidSSL CAA Mis-Issuance: Lookup failure on DNSSEC-signed zone RESOLVED FIXED 2018-02-09T21:58:17Z
1409760 StartCom: CAA Mis-Issuance on CNAME pointing directly to restrictive CAA record RESOLVED WONTFIX 2017-11-28T12:14:29Z
1409764 Certum: CAA mis-issuance on critical flag and unknown CAA tag RESOLVED FIXED 2017-11-28T16:43:00Z
1409859 Startcom CAA Mis-Issuance: Lookup failure on DNSSEC-signed zone RESOLVED INVALID 2017-11-28T12:17:06Z
1412950 Firmaprofesional: Insufficient Audit Statements RESOLVED FIXED 2018-01-09T16:48:32Z
1413761 Digicert/Symantec: EV JOI Issue RESOLVED FIXED 2017-11-28T12:18:04Z
1417777 DigiCert: Insufficient entropy in serial numbers RESOLVED FIXED 2017-11-28T12:19:34Z
1420766 AlphaSSL/Globalsign: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN RESOLVED INVALID 2017-11-29T15:41:06Z
1420858 Comodo: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN RESOLVED FIXED 2017-12-06T15:51:14Z
1420861 DigitCert/Thawte: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN RESOLVED INVALID 2017-11-30T22:14:19Z
1420871 Camerfirma: Potential Mis-Issuance based on CAA records RESOLVED FIXED 2018-01-17T17:58:16Z
1420873 Comodo/cPanel: Potential Mis-Issuance based on CAA records (Sep 28, 2017) RESOLVED INVALID 2017-12-06T17:53:07Z
1423624 Comodo: CAA misissuances due to race condition RESOLVED FIXED 2017-12-20T14:53:35Z
1425998 Certinomis/Docapost: Non-BR-Compliant OCSP Responders RESOLVED FIXED 2018-01-16T22:37:43Z
1426009 T-Systems: Non-BR-Compliant OCSP Responders RESOLVED FIXED 2018-01-04T17:58:05Z
1426233 Camerfirma: Non-BR-Compliant OCSP Responders RESOLVED FIXED 2018-01-04T17:04:02Z
1426238 QuoVadis: Non-BR-Compliant OCSP Responder RESOLVED FIXED 2018-01-16T22:36:02Z
1428832 Consorci AOC: Problem reporting mechanism for Consorci AOC points to URL with invalid cert RESOLVED FIXED 2018-01-09T16:46:49Z
1428891 Entrust: Non-BR-Compliant OCSP Responder RESOLVED FIXED 2018-01-26T02:43:12Z
1435770 Certum: Non-BR-Compliant Issuance - Debian Weak Keys RESOLVED FIXED 2018-02-20T23:39:58Z

86 Total; 0 Open (0%); 86 Resolved (100%); 0 Verified (0%);