CA/Incident Dashboard
From MozillaWiki
< CA
Contents
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Amazon Trust Services: ALV Errors | 1713668 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] Next update 2021-07-01 | 2021-06-19T00:14:50Z |
| Amazon Trust Services: CP/CPS does not specify key compromise methods | 1713976 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] | 2021-06-19T00:15:38Z |
| Amazon Trust Services: Forbidden Domain Validation Method 3.2.2.4.6 | 1713978 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] | 2021-06-19T00:15:49Z |
| Asseco DS / Certum: CPS does not refer to BR domain validation methods | 1717034 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] | 2021-06-18T13:17:50Z |
| Asseco DS / Certum: Incorrect localityName | 1711208 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] | 2021-06-18T13:35:54Z |
| Asseco DS / Certum: Invalid stateOrProvinceName field (recurrent incident) | 1709392 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] | 2021-06-18T12:16:10Z |
| Buypass: Illegal Business Category in a PSD2 QWAC | 1632632 | ASSIGNED | Mads Henriksveen | [ca-compliance] Next update 2021-06-20 | 2021-06-18T14:04:41Z |
| Camerfirma: Govern d'Andorra Audit Delay | 1704140 | ASSIGNED | Ana Lopes | [ca-compliance] [audit-delay] | 2021-05-14T10:42:17Z |
| DigiCert: Incorrect RegNumber-Org Type combination | 1714439 | ASSIGNED | Brenda Bernal | [ca-compliance] | 2021-06-15T20:27:03Z |
| Disig: CPS does not refer to BR domain validation methods | 1717001 | ASSIGNED | Peter Miskovic | [ca-compliance] | 2021-06-18T13:29:12Z |
| E-Tugra: CA Certificate Missing from Audit Reports | 1716843 | ASSIGNED | Davut Tokgöz | [ca-compliance] | 2021-06-18T16:52:23Z |
| E-Tugra: Forbidden Domain Validation Method 3.2.2.4.6 | 1716902 | ASSIGNED | Davut Tokgöz | [ca-compliance] | 2021-06-17T17:19:40Z |
| Entrust: Incorrect Business Category Value Discovered in an EV SSL Certificate | 1685370 | ASSIGNED | Dathan Demone | [ca-compliance] | 2021-06-16T08:34:25Z |
| Entrust: Incorrect Jurisdiction Country Value in an EV Certificate | 1696227 | ASSIGNED | Dathan Demone | [ca-compliance] Next update 2021-06-01 | 2021-06-07T20:22:22Z |
| Entrust: Invalid localityName | 1712106 | ASSIGNED | Dathan Demone | [ca-compliance] Next update 2021-07-01 | 2021-06-01T15:58:27Z |
| GlobalSign: Incorrect OCSP Delegated Responder Certificate | 1649937 | ASSIGNED | douglas.beattie | [ca-compliance] Next Update 2021-07-01 | 2021-06-01T15:56:24Z |
| GlobalSign: Incorrect RegNumber-Org Type combination | 1714968 | ASSIGNED | Eva Van Steenberge | [ca-compliance] | 2021-06-19T00:33:41Z |
| GlobalSign: Invalid countryName | 1707073 | ASSIGNED | Eva Van Steenberge | [ca-compliance] Next update 2021-07-14 | 2021-06-04T14:48:22Z |
| GlobalSign: Invalid stateOrProvinceName and locality pair | 1708834 | ASSIGNED | Arvid Vermote | [ca-compliance] | 2021-06-18T18:18:50Z |
| GLOBALTRUST: CN domain not in SAN | 1716123 | ASSIGNED | Daniel Zens | [ca-compliance] | 2021-06-19T03:59:49Z |
| GLOBALTRUST: Revoked test website not using revoked certificate | 1716163 | ASSIGNED | Daniel Zens | [ca-compliance] | 2021-06-18T13:43:55Z |
| Google Trust Services: Failure to provide regular and timely incident updates | 1708516 | ASSIGNED | Andy Warner | [ca-compliance] | 2021-06-16T16:53:40Z |
| Google Trust Services: Forbidden Domain Validation Method 3.2.2.4.10 | 1706967 | ASSIGNED | Andy Warner | [ca-compliance] | 2021-06-14T18:55:47Z |
| Google Trust Services: Signing SHA-1 Hash for existing CA certificate with changes in Key Usage | 1709223 | ASSIGNED | Ryan Hurst | [ca-compliance] | 2021-06-15T16:33:18Z |
| IdenTrust: Unavailable CRL for IdenTrust ‘DST Root CA X3’. | 1709192 | ASSIGNED | IdenTrust | [ca-compliance] Next update 2021-07-01 | 2021-06-01T15:45:19Z |
| iTrusChina: verification errors for the roots' CRLs(ARL) | 1712664 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] | 2021-06-18T15:31:09Z |
| KIR S.A.: CN domain not in SAN | 1705187 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-17T19:43:32Z |
| KIR S.A.: CP/CPS contains noncompliant DV method, does not specify CAA domains | 1705904 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-17T19:47:59Z |
| KIR S.A.: DV certificates with locality name, organization name and stateOrProvinceName | 1705832 | ASSIGNED | Piotr Grabowski | [ca-compliance] Next update 2021-07-01 | 2021-06-17T19:48:44Z |
| KIR S.A.: Invalid localityName + CRL Revoked but OCSP Unknown | 1705337 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-17T19:45:30Z |
| KIR S.A.: Invalid organizationName | 1705647 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-17T19:50:27Z |
| KIR S.A.: Many certificates with OCSP Unknown | 1705657 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-18T15:18:13Z |
| Let's Encrypt: certificate lifetimes 90 days plus one second | 1715455 | ASSIGNED | Josh Aas | [ca-compliance] | 2021-06-17T22:11:09Z |
| Microsoft PKI Services: Failure to disclose Unconstrained Intermediate within 7 Days | 1700809 | ASSIGNED | John Mason | [ca-compliance] | 2021-05-16T14:38:06Z |
| Microsoft PKI Services: Malformed ICAs (missing certificate policy extensions) | 1711147 | ASSIGNED | John Mason | [ca-compliance] | 2021-06-18T14:41:49Z |
| Microsoft PKI Services: Policy Documentation, Failure to update Subscriber Certificate Max Validity Period | 1693930 | ASSIGNED | John Mason | [ca-compliance] | 2021-06-01T22:17:29Z |
| Microsoft PKI Services: Underscore in SAN | 1705419 | ASSIGNED | John Mason | [ca-compliance] | 2021-06-11T18:06:55Z |
| Netlock: CA Certificate Missing from Audit Reports | 1716874 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-06-17T05:30:22Z |
| Netlock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit | 1680378 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-06-07T16:48:31Z |
| PKIoverheid: KPN issued Invalid organizationalUnitName | 1706950 | ASSIGNED | Jorik van 't Hof | [ca-compliance] | 2021-06-10T21:10:35Z |
| SECOM: CA Certificates Missing from Audit Reports | 1717044 | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-06-17T16:12:46Z |
| SECOM: CP/CPS does not clearly specify domain validation methods | 1705480 | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-06-18T14:33:46Z |
| SECOM: FUJIFILM intermediate not listed in audit statement | 1695938 | ASSIGNED | Hisashi Kamo | [ca-compliance] Next update 2021-06-25 | 2021-06-07T16:59:34Z |
| SECOM: Unqualified domain name in SAN | 1695786 | ASSIGNED | Hisashi Kamo | [ca-compliance] Next update 2021-07-01 | 2021-06-03T13:01:43Z |
| Sectigo: Forbidden Domain Validation Method | 1714628 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-18T20:41:08Z |
| Sectigo: Inappropriate subject:serialNumber information in EV certificates obtained through ACME | 1712120 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-14T22:42:01Z |
| Sectigo: Incorrect EV businessCategory | 1715929 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-11T21:56:10Z |
| Sectigo: Incorrect locality information | 1714193 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-18T14:38:40Z |
| Sectigo: Invalid postalCode field | 1708934 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-17T16:46:41Z |
| Sectigo: Invalid stateOrProvinceName | 1710243 | ASSIGNED | Rob Stradling | [ca-compliance] | 2021-06-18T17:08:57Z |
| Sectigo: Misspellings in stateOrProvince or localityName fields | 1715024 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-18T15:53:17Z |
| Sectigo: test certificates issued from trusted CA | 1712188 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-17T19:06:43Z |
| Taiwan-CA: Invalid stateOrProvinceName | 1709070 | ASSIGNED | Hao-Chun Li | [ca-compliance] | 2021-05-06T09:46:41Z |
| Telekom Security: Key Encipherment in two ECC SAN TLS certificates | 1703528 | ASSIGNED | Arnold Essing | [ca-compliance] | 2021-06-18T16:27:06Z |
| TunTrust: OCSP unreachable | 1663953 | ASSIGNED | Agence Nationale de Certification Electronique | [ca-compliance] Next Update 2021-06-15 | 2021-05-04T12:26:43Z |
| TWCA: CA Certificate Missing from Audit Reports | 1716670 | ASSIGNED | Hao-Chun Li | [ca-compliance] | 2021-06-16T09:57:02Z |
56 Total; 56 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Camerfirma: Govern d'Andorra Audit Delay | 1704140 | ASSIGNED | Ana Lopes | [ca-compliance] [audit-delay] | 2021-05-14T10:42:17Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Camerfirma: Delayed revocations of certificates issued by old CAs with an RSA modulus size of 2047 bits | 1692535 | ASSIGNED | Ana Lopes | [ca-compliance][delayed-revocation-leaf] | 2021-06-18T11:33:46Z |
| Google Trust Services: Failure to revoke subscriber certificates within BR timeframe | 1715421 | ASSIGNED | Fotis Loukos | [ca-compliance] [delayed-revocation-leaf] | 2021-06-16T10:53:19Z |
| KIR S.A.: Delayed revocations of certificates | 1709872 | ASSIGNED | Piotr Grabowski | [ca-compliance] [delayed-revocation-leaf] | 2021-06-17T19:36:22Z |
| Let's Encrypt: Failure to revoke for Certificate Lifetime Incident | 1715672 | ASSIGNED | Aaron Gable | [ca-compliance] [delayed-revocation-leaf] | 2021-06-18T13:25:51Z |
| SECOM: Delayed Revocation of non-technically constrained FUJIFILM Certificates | 1707229 | ASSIGNED | Hisashi Kamo | [ca-compliance] [delayed-revocation-leaf] Next update 2021-06-25 | 2021-06-07T16:58:27Z |
5 Total; 5 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
