CA/Incident Dashboard

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Actalis: Issuance of intermediates after 2020-08-20 that do not comply with Mozilla Policy and the Baseline Requirements | 1717357 | ASSIGNED | Adriano Santoni | [ca-compliance] Next update 2021-09-22 | 2021-09-21T08:02:42Z |
| Apple: Test web page certificates expired | 1730291 | ASSIGNED | certification_authority | [ca-compliance] | 2021-09-21T02:17:20Z |
| E-Tugra: CA Certificate Missing from Audit Reports | 1716843 | ASSIGNED | Davut Tokgöz | [ca-compliance] Next update 2021-11-01 | 2021-08-24T14:50:03Z |
| E-Tugra: Forbidden Domain Validation Method 3.2.2.4.6 | 1716902 | ASSIGNED | Davut Tokgöz | [ca-compliance] | 2021-08-25T14:17:48Z |
| emSign Audit Delay: Incident Report | 1728790 | ASSIGNED | Vijay Kumar | [ca-compliance][audit-delay][covid-19] | 2021-09-07T06:51:28Z |
| Entrust: Incorrect value in Business Category field for Government Entities | 1728796 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] | 2021-09-20T22:00:47Z |
| Entrust: Invalid localityName | 1712106 | ASSIGNED | Dathan Demone | [ca-compliance] Next update 2021-11-15 | 2021-09-15T20:33:20Z |
| Entrust: Test Website Certificates Expired | 1731887 | ASSIGNED | Bruce Morton | [ca-compliance] | 2021-09-23T18:50:10Z |
| Firmaprofesional: 2021 Audit Report Finding 2 out of 3 | 1717791 | ASSIGNED | Maria Jose Prieto | [ca-compliance] Next update 2021-10-01 | 2021-08-06T17:33:28Z |
| GlobalSign: Incorrect OCSP Delegated Responder Certificate | 1649937 | ASSIGNED | douglas.beattie | [ca-compliance] Next Update 2021-10-01 | 2021-09-08T16:57:33Z |
| GlobalSign: Invalid stateOrProvinceName and locality pair | 1708834 | ASSIGNED | Arvid Vermote | [ca-compliance] Next update 2021-10-01 | 2021-08-16T22:18:44Z |
| GoDaddy: Issued EV Wildcard Certificate | 1731939 | ASSIGNED | Brittany Randall | [ca-compliance] | 2021-09-22T15:43:14Z |
| Google Trust Services: CRL validity period set to expected value plus one second | 1731164 | ASSIGNED | Cade Cairns | [ca-compliance] | 2021-09-23T17:24:09Z |
| Google Trust Services: Delayed publication of CPS removing DNS Operator Exception | 1729097 | ASSIGNED | Brett L | [ca-compliance] Next update 2021-09-24 | 2021-09-24T20:38:42Z |
| iTrusChina: verification errors for the roots' CRLs(ARL) | 1712664 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] | 2021-09-08T09:39:51Z |
| KIR S.A.: Invalid organizationName | 1705647 | ASSIGNED | Piotr Grabowski | [ca-compliance] Next update 2021-10-15 | 2021-09-08T19:57:20Z |
| Let's Encrypt: certificate lifetimes 90 days plus one second | 1715455 | ASSIGNED | Josh Aas | [ca-compliance] Next update 2021-11-12 | 2021-07-26T19:52:17Z |
| Let’s Encrypt: Delay updating OCSP responses | 1729567 | ASSIGNED | Aaron Gable | [ca-compliance] Next update 2021-10-01 | 2021-09-17T20:17:05Z |
| Microsec: Misissuance of one OV certificate with Key Usage KeyEncipherment | 1728384 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] | 2021-09-15T09:36:53Z |
| Microsoft PKI Services: Malformed ICAs (missing certificate policy extensions) | 1711147 | ASSIGNED | John Mason | [ca-compliance] Next update 2021-10-01 | 2021-07-30T04:26:26Z |
| Microsoft PKI Services: Overdue Audit Reports 2021 | 1724530 | ASSIGNED | mohanr | [ca-compliance] | 2021-09-17T22:26:13Z |
| Netlock: CA Certificate Missing from Audit Reports | 1716874 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-09-21T08:03:25Z |
| Netlock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit | 1680378 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-08-31T15:13:29Z |
| Network Solutions: 2021 Audit Observation #1 | 1725039 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-09-24T18:43:18Z |
| Network Solutions: 2021 Audit Observation #3 | 1725043 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-09-21T18:47:45Z |
| Network Solutions: All test CA test website certificates are expired | 1726333 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-09-10T18:58:50Z |
| PKIoverheid: KPN CPS Lists Forbidden Domain Validation Method 3.2.2.4.6 | 1719451 | ASSIGNED | David Weissenberg | [ca-compliance] Next update 2021-10-01 | 2021-09-16T11:31:07Z |
| QuoVadis/PKIoverheid: incorrect OCSP response for precertificate | 1724276 | ASSIGNED | Stephen Davidson | [ca-compliance] Next update 2021-10-01 | 2021-09-16T16:14:56Z |
| SECOM: CA Certificates Missing from Audit Reports | 1717044 | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-09-10T11:01:30Z |
| SECOM: FUJIFILM intermediate not listed in audit statement | 1695938 | ASSIGNED | Hisashi Kamo | [ca-compliance] Next update 2021-10-01 | 2021-09-08T17:06:38Z |
| Sectigo: Inappropriate subject:serialNumber information in EV certificates obtained through ACME | 1712120 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2021-10-01 | 2021-08-03T15:22:54Z |
| Sectigo: Missing registration numbers in EV certificates | 1721271 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2021-10-18 | 2021-09-15T15:48:33Z |
| Sectigo: Mojibake in certificate Subject fields | 1724458 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2021-09-18 | 2021-09-24T15:52:00Z |
| Sectigo: test certificates issued from trusted CA | 1712188 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-09-21T15:39:52Z |
| SecureTrust: Invalid localityName | 1720723 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2021-09-22 | 2021-09-22T20:24:25Z |
| SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels | 1724520 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2021-09-17T22:20:23Z |
| SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information | 1722089 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2021-09-11T00:08:19Z |
| SSL.com: Issuance of an EV TLS certificate with incorrect O Field Value | 1719916 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2021-09-03T21:47:29Z |
| SwissSign: Certificate with key length 16258 | 1731586 | ASSIGNED | Mike Guenther | [ca-compliance] | 2021-09-25T16:03:16Z |
| Web.com: Failure to respond in time to revocation requests | 1723121 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-09-24T18:42:40Z |
| Web.com: Overdue Audit Statements 2021 | 1721473 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-09-24T18:42:57Z |

41 Total; 41 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| emSign Audit Delay: Incident Report | 1728790 | ASSIGNED | Vijay Kumar | [ca-compliance][audit-delay][covid-19] | 2021-09-07T06:51:28Z |

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Actalis: Delayed revocation of non-BR-compliant CA Certificate within 7 days | 1718554 | ASSIGNED | Adriano Santoni | [ca-compliance] [delayed-revocation-ca] Next update 2021-09-22 | 2021-08-09T19:29:40Z |
| Camerfirma: Delayed revocations of certificates issued by old CAs with an RSA modulus size of 2047 bits | 1692535 | ASSIGNED | Ana Lopes | [ca-compliance] [delayed-revocation-leaf] Next update 2021-10-01 | 2021-08-31T15:14:59Z |
| KIR S.A.: Delayed revocations of certificates | 1709872 | ASSIGNED | Piotr Grabowski | [ca-compliance] [delayed-revocation-leaf] Next update 2021-12-01 | 2021-09-15T20:41:23Z |
| Let's Encrypt: Failure to revoke for Certificate Lifetime Incident | 1715672 | ASSIGNED | Aaron Gable | [ca-compliance] [delayed-revocation-leaf] Next update 2021-10-14 | 2021-09-15T20:34:32Z |
| SECOM: Delayed Revocation of non-technically constrained FUJIFILM Certificates | 1707229 | ASSIGNED | Hisashi Kamo | [ca-compliance] [delayed-revocation-leaf] Next update 2021-10-01 | 2021-09-17T09:45:53Z |

5 Total; 5 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: