CA/Incident Dashboard
Contents
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
Asseco DS / Certum: TLS EV certificates with incorrect Subject attribute order | 1865080 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] [ev-misissuance] | 2023-12-09T05:48:13Z | 2023-11-16T14:02:36Z |
Buypass: Domain validation using externally operated DNS tools | 1839305 | ASSIGNED | Mads Henriksveen | [ca-compliance] [dv-misissuance] [ov-misissuance] Next update 2024-01-12 | 2023-12-04T15:56:59Z | 2023-06-20T08:08:51Z |
Buypass: Domain validation using not allowed domain contact | 1838421 | ASSIGNED | Mads Henriksveen | [ca-compliance] [dv-misissuance] Next update 2023-12-04 | 2023-12-04T15:50:21Z | 2023-06-14T12:44:32Z |
Buypass: TLS certificates not revoked within 5 days | 1865368 | ASSIGNED | Mads Henriksveen | [ca-compliance] [leaf-revocation-delay] | 2023-12-04T16:01:48Z | 2023-11-17T15:55:56Z |
Buypass: TLS certificates with incorrect Subject attribute order | 1864204 | ASSIGNED | Mads Henriksveen | [ca-compliance] [ov-misissuance] [ev-misissuance] | 2023-12-04T16:03:07Z | 2023-11-10T16:21:34Z |
CFCA: certificate with an incorrect OrganizationName | 1838371 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] | 2023-11-06T03:16:37Z | 2023-06-14T06:33:13Z |
CFCA: CRL Error | 1863122 | ASSIGNED | Gao Fei | [ca-compliance] [crl-failure] | 2023-11-07T09:05:21Z | 2023-11-04T08:09:41Z |
CommScope: Certificate not revoked as it was supposed to be | 1859812 | ASSIGNED | Nicol So | [ca-compliance] [policy-failure] | 2023-11-06T16:12:04Z | 2023-10-18T15:41:23Z |
D-Trust: Delay beyond 5 days in revoking misissued certificate | 1862082 | ASSIGNED | Enrico Entschew | [ca-compliance] [leaf-revocation-delay] | 2023-12-09T04:53:54Z | 2023-10-30T22:37:09Z |
D-Trust: Issuance of 15 DV certificates containing ‘serialNumber’ field within subject | 1861069 | ASSIGNED | Enrico Entschew | [ca-compliance] [dv-misissuance] | 2023-12-07T11:12:11Z | 2023-10-25T14:25:07Z |
DigiCert: Certificates issued inconsistent with S/MIME BR v1.0.1 | 1860697 | ASSIGNED | Martin Sullivan | [ca-compliance] [smime-misissuance] Next update 2023-12-21 | 2023-11-08T16:31:13Z | 2023-10-24T01:40:42Z |
e-commerce monitoring GmbH: Delayed revocation | 1862004 | ASSIGNED | Daniel Zens | [ca-compliance] [leaf-revocation-delay] | 2023-10-31T15:52:01Z | 2023-10-30T15:06:09Z |
e-commerce monitoring GmbH: SCT in precertificate | 1815534 | ASSIGNED | Daniel Zens | [ca-compliance] [ov-misissuance] | 2023-11-05T15:40:26Z | 2023-02-07T19:33:26Z |
Entrust - Postal Code used a Jurisdiction City in EV Certificate | 1867130 | ASSIGNED | Bruce Morton | [ca-compliance] [ev-misissuance] | 2023-12-06T18:43:09Z | 2023-11-28T21:11:24Z |
GlobalSign: S/MIME Sponsor validated certificates with CommonName value equal to OrganizationName | 1866806 | ASSIGNED | Christophe Bonjean | [ca-compliance] [smime-misissuance] | 2023-12-04T09:50:44Z | 2023-11-27T15:09:35Z |
IdenTrust: Delay beyond 5 days in revoking misissued certificates | 1851710 | ASSIGNED | IdenTrust | [ca-compliance] [leaf-revocation-delay] | 2023-11-30T15:50:27Z | 2023-09-05T22:28:06Z |
IdenTrust: S/MIME certificates issued in violation of New S/MIME Baseline Requirements v1.0 | 1853783 | ASSIGNED | IdenTrust | [ca-compliance] [smime-misissuance] Next update 30-Nov-2023 | 2023-11-30T21:11:55Z | 2023-09-18T21:07:16Z |
Microsec: Findings in 2023 Audit | 1865880 | REOPENED | dr. Sándor SZŐKE | [ca-compliance] [audit-finding] | 2023-12-07T10:38:17Z | 2023-11-21T17:11:36Z |
NAVER Cloud Trust Services: DV Certificate issued with improperly validated | 1866448 | ASSIGNED | Han Yong, Park | [ca-compliance] [dv-misissuance] | 2023-12-09T05:03:14Z | 2023-11-24T10:14:40Z |
PKIoverheid: Delayed audit statements for intermediate CAs | 1843265 | REOPENED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2023-11-27T10:18:46Z | 2023-07-13T11:05:00Z |
Sectigo: Inadequate vulnerability scanning and patching | 1869056 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [policy-failure] | 2023-12-09T05:28:49Z | 2023-12-08T21:15:16Z |
Sectigo: Late termination of privileged access to Certificate Systems | 1830088 | REOPENED | Martijn Katerbarg | [ca-compliance] [policy-failure] Next update 2024-01-31 | 2023-10-08T19:53:44Z | 2023-04-26T14:27:21Z |
SSL.com: Findings in 2023 audit | 1867851 | ASSIGNED | Thomas Zermeno | [ca-compliance] [audit-finding] | 2023-12-05T22:41:01Z | 2023-12-01T19:23:02Z |
SSL.com: subCA/Reseller Issues | 1832570 | ASSIGNED | Thomas Zermeno | [ca-compliance] [policy-failure] Next update 2023-12-01 | 2023-12-01T18:55:03Z | 2023-05-11T13:53:25Z |
SwissSign: EV JurisdictionStateOrProvinceName - one certificate not selected for revocation | 1866091 | ASSIGNED | Roman Fischer | [ca-compliance] [ev-misissuance] | 2023-12-06T15:50:26Z | 2023-11-22T15:57:14Z |
SwissSign: S/MIME LCP: CN with values other than email address | 1848854 | ASSIGNED | Mike Guenther | [ca-compliance] [smime-misissuance] Next update 2023-12-29 | 2023-11-30T15:57:46Z | 2023-08-15T19:36:22Z |
Telia: S/MIME certificates issued in violation of S/MIME BR v1.0.1 | 1856591 | ASSIGNED | Antti Backman | [ca-compliance] [smime-misissuance] Next update at 29.12.2023 | 2023-11-29T11:32:20Z | 2023-10-03T11:35:40Z |
Telia: TLS certificates issued in violation of TLS BR v2.0.1 | 1859314 | ASSIGNED | Antti Backman | [ca-compliance] [ov-misissuance] Next update at 29.12.2023 | 2023-12-11T05:55:10Z | 2023-10-16T14:37:28Z |
VikingCloud: Incorrect OCSP Response | 1858965 | ASSIGNED | Andrea Holland | [ca-compliance] [ocsp-failure] Next update 2024-01-02 | 2023-11-02T16:06:50Z | 2023-10-13T13:49:21Z |
29 Total; 29 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
PKIoverheid: Delayed audit statements for intermediate CAs | 1843265 | REOPENED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2023-11-27T10:18:46Z | 2023-07-13T11:05:00Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
No results.
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: