CA/Incident Dashboard
From MozillaWiki
< CA
Contents
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Amazon Trust Services: ALV Errors | 1713668 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] Next update 2021-07-01 | 2021-06-15T20:45:36Z |
| Amazon Trust Services: CP/CPS does not specify key compromise methods | 1713976 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] | 2021-06-12T00:07:21Z |
| Amazon Trust Services: Forbidden Domain Validation Method 3.2.2.4.6 | 1713978 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] | 2021-06-14T16:37:55Z |
| Asseco DS / Certum: CPS does not refer to BR domain validation methods | 1717034 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] | 2021-06-17T14:54:17Z |
| Asseco DS / Certum: Incorrect localityName | 1711208 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] | 2021-06-11T12:08:40Z |
| Asseco DS / Certum: Invalid stateOrProvinceName field (recurrent incident) | 1709392 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] | 2021-06-11T12:07:00Z |
| Buypass: Illegal Business Category in a PSD2 QWAC | 1632632 | ASSIGNED | Mads Henriksveen | [ca-compliance] Next update 2021-06-20 | 2021-04-02T17:43:21Z |
| Camerfirma: Govern d'Andorra Audit Delay | 1704140 | ASSIGNED | Ana Lopes | [ca-compliance] [audit-delay] | 2021-05-14T10:42:17Z |
| DigiCert: Incorrect RegNumber-Org Type combination | 1714439 | ASSIGNED | Brenda Bernal | [ca-compliance] | 2021-06-15T20:27:03Z |
| Disig: CPS does not refer to BR domain validation methods | 1717001 | ASSIGNED | Peter Miskovic | [ca-compliance] | 2021-06-17T16:19:14Z |
| E-Tugra: CA Certificate Missing from Audit Reports | 1716843 | ASSIGNED | Davut Tokgöz | [ca-compliance] | 2021-06-17T00:38:24Z |
| E-Tugra: Forbidden Domain Validation Method 3.2.2.4.6 | 1716902 | ASSIGNED | Davut Tokgöz | [ca-compliance] | 2021-06-17T03:08:38Z |
| Entrust: Incorrect Business Category Value Discovered in an EV SSL Certificate | 1685370 | ASSIGNED | Dathan Demone | [ca-compliance] | 2021-06-16T08:34:25Z |
| Entrust: Incorrect Jurisdiction Country Value in an EV Certificate | 1696227 | ASSIGNED | Dathan Demone | [ca-compliance] Next update 2021-06-01 | 2021-06-07T20:22:22Z |
| Entrust: Invalid localityName | 1712106 | ASSIGNED | Dathan Demone | [ca-compliance] Next update 2021-07-01 | 2021-06-01T15:58:27Z |
| GlobalSign: Incorrect OCSP Delegated Responder Certificate | 1649937 | ASSIGNED | douglas.beattie | [ca-compliance] Next Update 2021-07-01 | 2021-06-01T15:56:24Z |
| GlobalSign: Incorrect RegNumber-Org Type combination | 1714968 | ASSIGNED | Eva Van Steenberge | [ca-compliance] | 2021-06-14T06:57:00Z |
| GlobalSign: Invalid countryName | 1707073 | ASSIGNED | Eva Van Steenberge | [ca-compliance] Next update 2021-07-14 | 2021-06-04T14:48:22Z |
| GlobalSign: Invalid stateOrProvinceName and locality pair | 1708834 | ASSIGNED | Arvid Vermote | [ca-compliance] | 2021-06-16T08:33:50Z |
| GLOBALTRUST: CN domain not in SAN | 1716123 | ASSIGNED | Daniel Zens | [ca-compliance] | 2021-06-17T10:34:19Z |
| GLOBALTRUST: Revoked test website not using revoked certificate | 1716163 | ASSIGNED | Daniel Zens | [ca-compliance] | 2021-06-17T13:42:19Z |
| Google Trust Services: Failure to provide regular and timely incident updates | 1708516 | ASSIGNED | Andy Warner | [ca-compliance] | 2021-06-16T16:53:40Z |
| Google Trust Services: Forbidden Domain Validation Method 3.2.2.4.10 | 1706967 | ASSIGNED | Andy Warner | [ca-compliance] | 2021-06-14T18:55:47Z |
| Google Trust Services: Signing SHA-1 Hash for existing CA certificate with changes in Key Usage | 1709223 | ASSIGNED | Ryan Hurst | [ca-compliance] | 2021-06-15T16:33:18Z |
| IdenTrust: Unavailable CRL for IdenTrust ‘DST Root CA X3’. | 1709192 | ASSIGNED | IdenTrust | [ca-compliance] Next update 2021-07-01 | 2021-06-01T15:45:19Z |
| iTrusChina: verification errors for the roots' CRLs(ARL) | 1712664 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] | 2021-05-26T14:07:26Z |
| KIR S.A.: CN domain not in SAN | 1705187 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-09T14:02:54Z |
| KIR S.A.: CP/CPS contains noncompliant DV method, does not specify CAA domains | 1705904 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-09T14:03:05Z |
| KIR S.A.: DV certificates with locality name, organization name and stateOrProvinceName | 1705832 | ASSIGNED | Piotr Grabowski | [ca-compliance] Next update 2021-07-01 | 2021-06-09T14:03:03Z |
| KIR S.A.: Invalid localityName + CRL Revoked but OCSP Unknown | 1705337 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-09T20:20:45Z |
| KIR S.A.: Invalid organizationName | 1705647 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-09T14:02:59Z |
| KIR S.A.: Many certificates with OCSP Unknown | 1705657 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-09T14:03:01Z |
| Let's Encrypt: certificate lifetimes 90 days plus one second | 1715455 | ASSIGNED | Josh Aas | [ca-compliance] | 2021-06-17T14:54:56Z |
| Microsoft PKI Services: Failure to disclose Unconstrained Intermediate within 7 Days | 1700809 | ASSIGNED | John Mason | [ca-compliance] | 2021-05-16T14:38:06Z |
| Microsoft PKI Services: Malformed ICAs (missing certificate policy extensions) | 1711147 | ASSIGNED | John Mason | [ca-compliance] | 2021-06-11T18:05:38Z |
| Microsoft PKI Services: Policy Documentation, Failure to update Subscriber Certificate Max Validity Period | 1693930 | ASSIGNED | John Mason | [ca-compliance] | 2021-06-01T22:17:29Z |
| Microsoft PKI Services: Underscore in SAN | 1705419 | ASSIGNED | John Mason | [ca-compliance] | 2021-06-11T18:06:55Z |
| Netlock: CA Certificate Missing from Audit Reports | 1716874 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-06-17T05:30:22Z |
| Netlock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit | 1680378 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-06-07T16:48:31Z |
| PKIoverheid: KPN issued Invalid organizationalUnitName | 1706950 | ASSIGNED | Jorik van 't Hof | [ca-compliance] | 2021-06-10T21:10:35Z |
| SECOM: CA Certificates Missing from Audit Reports | 1717044 | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-06-17T16:12:46Z |
| SECOM: CP/CPS does not clearly specify domain validation methods | 1705480 | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-06-01T10:20:17Z |
| SECOM: FUJIFILM intermediate not listed in audit statement | 1695938 | ASSIGNED | Hisashi Kamo | [ca-compliance] Next update 2021-06-25 | 2021-06-07T16:59:34Z |
| SECOM: Unqualified domain name in SAN | 1695786 | ASSIGNED | Hisashi Kamo | [ca-compliance] Next update 2021-07-01 | 2021-06-03T13:01:43Z |
| Sectigo: Forbidden Domain Validation Method | 1714628 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-11T20:16:20Z |
| Sectigo: Inappropriate subject:serialNumber information in EV certificates obtained through ACME | 1712120 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-14T22:42:01Z |
| Sectigo: Incorrect EV businessCategory | 1715929 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-11T21:56:10Z |
| Sectigo: Incorrect locality information | 1714193 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-16T19:19:59Z |
| Sectigo: Invalid postalCode field | 1708934 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-17T16:46:41Z |
| Sectigo: Invalid stateOrProvinceName | 1710243 | ASSIGNED | Rob Stradling | [ca-compliance] | 2021-06-14T20:38:53Z |
| Sectigo: Misspellings in stateOrProvince or localityName fields | 1715024 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-14T20:25:35Z |
| Sectigo: test certificates issued from trusted CA | 1712188 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-14T22:55:28Z |
| Taiwan-CA: Invalid stateOrProvinceName | 1709070 | ASSIGNED | Hao-Chun Li | [ca-compliance] | 2021-05-06T09:46:41Z |
| Telekom Security: Key Encipherment in two ECC SAN TLS certificates | 1703528 | ASSIGNED | Arnold Essing | [ca-compliance] | 2021-06-08T07:30:12Z |
| TunTrust: OCSP unreachable | 1663953 | ASSIGNED | Agence Nationale de Certification Electronique | [ca-compliance] Next Update 2021-06-15 | 2021-05-04T12:26:43Z |
| TWCA: CA Certificate Missing from Audit Reports | 1716670 | ASSIGNED | Hao-Chun Li | [ca-compliance] | 2021-06-16T09:57:02Z |
56 Total; 56 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Camerfirma: Govern d'Andorra Audit Delay | 1704140 | ASSIGNED | Ana Lopes | [ca-compliance] [audit-delay] | 2021-05-14T10:42:17Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Camerfirma: Delayed revocations of certificates issued by old CAs with an RSA modulus size of 2047 bits | 1692535 | ASSIGNED | Ana Lopes | [ca-compliance][delayed-revocation-leaf] | 2021-06-11T11:36:47Z |
| Google Trust Services: Failure to revoke subscriber certificates within BR timeframe | 1715421 | ASSIGNED | Fotis Loukos | [ca-compliance] [delayed-revocation-leaf] | 2021-06-16T10:53:19Z |
| KIR S.A.: Delayed revocations of certificates | 1709872 | ASSIGNED | Piotr Grabowski | [ca-compliance] [delayed-revocation-leaf] | 2021-06-16T11:00:19Z |
| Let’s Encrypt: Failure to revoke for Certificate Lifetime Incident | 1715672 | ASSIGNED | Aaron Gable | [ca-compliance] [delayed-revocation-leaf] | 2021-06-16T08:33:32Z |
| SECOM: Delayed Revocation of non-technically constrained FUJIFILM Certificates | 1707229 | ASSIGNED | Hisashi Kamo | [ca-compliance] [delayed-revocation-leaf] Next update 2021-06-25 | 2021-06-07T16:58:27Z |
5 Total; 5 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
