CA/Incident Dashboard
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
ACCV: Certificates issued with cRLIssuer in CDP extension | 1884532 | ASSIGNED | Jose Amador | [ca-compliance] [ov-misissuance] | 2024-04-17T08:49:29Z | 2024-03-09T18:14:05Z |
ACCV: Certificates issued with Policy qualifiers other than id-qt-cps | 1889567 | ASSIGNED | Jose Amador | [ca-compliance] [ev-misissuance] | 2024-04-17T17:40:17Z | 2024-04-04T07:53:32Z |
ACCV: Delayed response to CPR | 1886785 | ASSIGNED | Jose Amador | [ca-compliance] [policy-failure] | 2024-04-17T08:48:50Z | 2024-03-21T15:13:02Z |
Actalis: Certificates issued with invalid RDN order | 1883731 | ASSIGNED | Marco Menonna | [ca-compliance] [ev-misissuance] | 2024-04-15T14:23:20Z | 2024-03-05T18:26:39Z |
AGCE: Non-Compliant VPN Certificate Issuance | 1882256 | ASSIGNED | ance.certification.info | [ca-compliance] [ov-misissuance] | 2024-03-20T16:47:20Z | 2024-02-27T10:44:42Z |
Asseco Data Systems S.A. (Certum): CRL non-conformance with the TLS BRs | 1888689 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [crl-failure] [external] | 2024-04-17T12:34:49Z | 2024-03-29T17:37:14Z |
Buypass: TLS certificates with incorrect Subject attribute order | 1864204 | ASSIGNED | Mads Henriksveen | [ca-compliance] [ov-misissuance] [ev-misissuance] Next update 2024-05-06 | 2024-04-10T16:05:49Z | 2023-11-10T16:21:34Z |
Buypass: Using an external DNS Resolver for DNS lookups | 1872371 | ASSIGNED | Mads Henriksveen | [ca-compliance] [ov-misissuance] Next update 2024-05-06 | 2024-04-03T17:42:14Z | 2023-12-29T16:02:59Z |
Certigna: TLS certificates with Basic constraint non-critical | 1883416 | ASSIGNED | Josselin Allemandou | [ca-compliance] [ov-misissuance] | 2024-04-10T15:30:22Z | 2024-03-04T16:36:15Z |
certSIGN: Certificates with incorrect Subject attribute order | 1886624 | ASSIGNED | Gabriel PETCU | [ca-compliance] [ov-misissuance] | 2024-04-09T11:44:42Z | 2024-03-20T22:28:05Z |
certSIGN: Delayed response to CPR | 1886626 | ASSIGNED | Gabriel PETCU | [ca-compliance] [policy-failure] | 2024-04-09T11:44:55Z | 2024-03-20T22:29:39Z |
CFCA: certificate basicConstraints extension not marked as critical | 1886135 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] | 2024-04-06T05:05:04Z | 2024-03-19T10:57:32Z |
CFCA: Failure to respond to a Certificate Problem Report in a complete and/or timely manner | 1888881 | ASSIGNED | Gao Fei | [ca-compliance] [policy-failure] | 2024-04-08T03:47:00Z | 2024-04-01T07:17:16Z |
Chunghwa Telecom: Wrong Extended Key Usage setting by GTLSCA | 1887096 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [ov-misissuance] | 2024-04-12T19:46:30Z | 2024-03-22T17:25:13Z |
D-Trust: Issuance of 15 certificates with incorrect subject attribute order | 1891225 | ASSIGNED | Leyla Sahin | [ca-compliance] [ev-misissuance] | 2024-04-15T15:30:24Z | 2024-04-12T13:48:03Z |
D-Trust: Issuance of 15 DV certificates containing ‘serialNumber’ field within subject | 1861069 | ASSIGNED | Enrico Entschew | [ca-compliance] [dv-misissuance] | 2024-04-17T01:43:45Z | 2023-10-25T14:25:07Z |
D-Trust: LDAP-URL in Subscriber Certificate Authority Information Access field | 1884714 | ASSIGNED | Enrico Entschew | [ca-compliance] [ov-misissuance] | 2024-04-05T08:48:06Z | 2024-03-11T16:29:07Z |
Digicert: Failure to include CPS URI in 1 certificate | 1888016 | ASSIGNED | Jeremy Rowley | [ca-compliance] [policy-failure] [ev-misissuance] Next update 2024-06-01 | 2024-04-09T22:02:16Z | 2024-03-27T01:23:16Z |
Digicert: Government Entity listed instead of registration number | 1891531 | ASSIGNED | Jeremy Rowley | [ca-compliance] [ev-misissuance] | 2024-04-16T16:35:21Z | 2024-04-15T17:06:23Z |
Disig: Certificates with incorrect Subject attribute order | 1889672 | ASSIGNED | Jozef Nigut | [ca-compliance] [ov-misissuance] | 2024-04-16T12:29:42Z | 2024-04-04T15:16:17Z |
Disig: TLS certificate with basicConstraints not marked as critical | 1888104 | ASSIGNED | Jozef Nigut | [ca-compliance] [ov-misissuance] | 2024-04-17T16:09:26Z | 2024-03-27T10:37:26Z |
e-commerce monitoring GmbH: CRLs with mismatched issuer | 1888371 | ASSIGNED | Daniel Zens | [ca-compliance] [crl-failure] [external] | 2024-04-04T15:39:36Z | 2024-03-28T10:58:07Z |
e-commerce monitoring gmbh: precertificate validity does not match leaf certificate | 1883711 | ASSIGNED | Daniel Zens | [ca-compliance] [ov-misissuance] | 2024-04-09T08:18:47Z | 2024-03-05T17:00:37Z |
Entrust: clientAuth TLS Certificates without serverAuth EKU | 1886467 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [ev-misissuance] Next update 2024-04-30 | 2024-04-15T13:35:35Z | 2024-03-20T14:42:35Z |
Entrust: CPR was not responded to in 24 hours | 1885754 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [external] [policy-failure] Next update 2024-05-03 | 2024-04-10T14:00:02Z | 2024-03-16T22:14:29Z |
Entrust: CPS typographical (text placement) error | 1890896 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-04-17T19:16:45Z | 2024-04-11T00:45:36Z |
Entrust: CRL non-conformance with the TLS BRs | 1889217 | ASSIGNED | Bruce Morton | [ca-compliance] [crl-failure] [external] | 2024-04-12T01:39:11Z | 2024-04-02T19:39:57Z |
Entrust: Delayed incident report - CPS typographical (text placement) error | 1890901 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-04-17T17:14:02Z | 2024-04-11T01:04:16Z |
Entrust: EV Certificate missing Issuer’s EV Policy OID | 1888714 | ASSIGNED | Bruce Morton | [ca-compliance] [ev-misissuance] | 2024-04-12T18:43:59Z | 2024-03-29T21:05:02Z |
Entrust: EV TLS Certificate cPSuri missing | 1883843 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [ev-misissuance] | 2024-04-16T01:16:57Z | 2024-03-06T08:35:58Z |
Entrust: Failed to provide a preliminary incident report according to TLS BR 4.9.5 | 1890123 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [policy-failure] | 2024-04-12T11:21:13Z | 2024-04-06T13:24:25Z |
Entrust: Failure to revoke EV TLS certificates issued before CPS update | 1890685 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-04-15T20:23:35Z | 2024-04-09T23:40:57Z |
Entrust: Failure to revoke OV TLS - CPS typographical (text placement) error | 1890898 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-04-12T20:42:44Z | 2024-04-11T00:52:33Z |
Entrust: Late CPS Update | 1887753 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] [ev-misissuance] | 2024-04-12T18:47:43Z | 2024-03-25T20:45:35Z |
Entrust: OCSP response signed with SHA-1 | 1879602 | ASSIGNED | Bruce Morton | [ca-compliance] [ocsp-failure] Next update 2024-05-03 | 2024-04-16T17:25:48Z | 2024-02-09T18:13:00Z |
Firmaprofesional: Policy Qualifiers other than id-qt-cps present for certificate | 1889420 | ASSIGNED | ext-antoni.camon | [ca-compliance] [ov-misissuance] | 2024-04-11T15:26:07Z | 2024-04-03T15:46:27Z |
FNMT: Certificates issued included Policy qualifiers other than id-qt-cps | 1875942 | ASSIGNED | Amaya Espinosa | [ca-compliance] [ov-misissuance] [ev-misissuance] | 2024-02-24T15:58:01Z | 2024-01-22T23:10:58Z |
GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints | 1888060 | ASSIGNED | capoc | [ca-compliance] [ov-misissuance] | 2024-04-16T13:05:18Z | 2024-03-27T06:15:29Z |
Google Trust Services: Incorrect OCSP responses for new ICAs under test | 1882904 | ASSIGNED | Google Trust Services | [ca-compliance] [ocsp-failure] Next update 2024-04-26 | 2024-04-15T03:38:48Z | 2024-02-29T22:32:18Z |
Hongkong Post: Delayed response to CPR | 1886722 | ASSIGNED | Man Ho | [ca-compliance] [policy-failure] | 2024-03-26T08:30:26Z | 2024-03-21T11:36:56Z |
Hongkong Post: TLS certificates with basicConstraints not marked as critical | 1887008 | ASSIGNED | Man Ho | [ca-compliance] [ov-misissuance] | 2024-03-26T03:49:51Z | 2024-03-22T13:11:35Z |
Hongkong Post: TLS certificates with Certificate Policies extension that does not assert http scheme | 1886406 | ASSIGNED | Man Ho | [ca-compliance] [ov-misissuance] | 2024-03-25T14:07:14Z | 2024-03-20T11:23:23Z |
Izenpe: Failure to Submit Annual CCADB Self-Assessment | 1883493 | ASSIGNED | David | [ca-compliance] [disclosure-failure] [external] | 2024-03-21T09:50:35Z | 2024-03-04T20:36:07Z |
Microsec: Disallowed subject attribute field in DV certificate | 1889699 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [dv-misissuance] | 2024-04-11T15:24:41Z | 2024-04-04T17:01:58Z |
Microsec: Late response to a certificate problem report | 1886998 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [policy-failure] | 2024-04-05T13:22:41Z | 2024-03-22T12:22:34Z |
Microsec: Misissuance an EV TLS certificate without CPSuri | 1886257 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [ev-misissuance] | 2024-04-11T14:50:58Z | 2024-03-19T18:23:18Z |
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates | 1889570 | ASSIGNED | Tamás Horváth | [ca-compliance] [ev-misissuance] | 2024-04-15T20:23:42Z | 2024-04-04T08:18:19Z |
Sectigo: EV Certificate issuance with incorrect subject:serialNumber attribute value | 1891245 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ev-misissuance] | 2024-04-15T15:31:41Z | 2024-04-12T15:53:42Z |
Sectigo: Premature disabling of CRL generation for an inactive CA | 1891039 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [crl-failure] | 2024-04-17T15:09:21Z | 2024-04-11T14:49:46Z |
SSL.com - Issuance of one Sponsored-Validated S/MIME certificate with organization information in givenName and surName of the subjectDN | 1871113 | ASSIGNED | Thomas Zermeno | [ca-compliance] [smime-misissuance] | 2024-02-22T22:18:09Z | 2023-12-20T18:56:27Z |
SSL.com: Findings in 2023 audit | 1867851 | ASSIGNED | Thomas Zermeno | [ca-compliance] [audit-finding] Next update 2024-02-16 | 2024-04-05T20:59:48Z | 2023-12-01T19:23:02Z |
SSL.com: subCA/Reseller Issues | 1832570 | ASSIGNED | Thomas Zermeno | [ca-compliance] [policy-failure] | 2024-03-15T02:45:13Z | 2023-05-11T13:53:25Z |
Telekom Security: TLS certificates with basicConstraints not marked as critical | 1875820 | ASSIGNED | Arnold Essing | [ca-compliance] [ov-misissuance] | 2024-04-15T07:09:36Z | 2024-01-22T14:27:18Z |
TWCA: Revocation delay for TLS certificates with non-critical basicConstraints | 1886110 | ASSIGNED | chtsai | [ca-compliance] [ov-misissuance] | 2024-04-12T10:59:51Z | 2024-03-19T07:42:18Z |
TWCA: TLS certificates with non-critical basicConstraints | 1885132 | ASSIGNED | Hao-Chun Li | [ca-compliance] [ov-misissuance] [ev-misissuance] | 2024-04-15T09:06:10Z | 2024-03-13T13:09:19Z |
TWCA: TLS EV certificates with invalid subject attribute order | 1883620 | ASSIGNED | Hao-Chun Li | [ca-compliance] [ev-misissuance] Next update 2024-04-30 | 2024-04-15T13:26:03Z | 2024-03-05T12:28:02Z |
VikingCloud: Delayed preliminary report of CPR to affected Subscribers | 1888667 | ASSIGNED | Andrea Holland | [ca-compliance] [policy-failure] | 2024-04-15T20:37:17Z | 2024-03-29T15:15:35Z |
VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | 1885568 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] | 2024-04-12T21:34:48Z | 2024-03-15T16:20:17Z |
VikingCloud: OV Precertificates with incorrect Subject RDN encoding order | 1883779 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] | 2024-04-16T22:06:47Z | 2024-03-05T21:42:27Z |
59 Total; 59 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
No results.
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
ACCV: Delayed revocation of TLS certificates affected by bug #1884532 | 1886788 | ASSIGNED | Jose Amador | [ca-compliance] [leaf-revocation-delay] | 2024-04-17T08:48:24Z | 2024-03-21T15:34:41Z |
Actalis: revocation delay for certificates issued with invalid RDN Order | 1887941 | ASSIGNED | Marco Menonna | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T14:23:23Z | 2024-03-26T17:50:20Z |
Buypass: Delayed revocation of TLS certificates | 1872738 | ASSIGNED | Mads Henriksveen | [ca-compliance] [leaf-revocation-delay] Next update 2024-05-06 | 2024-04-03T17:38:42Z | 2024-01-02T19:18:17Z |
Certigna: Revocation delay for TLS certificates with basic constraint not marked as critical | 1886442 | ASSIGNED | Josselin Allemandou | [ca-compliance] [leaf-revocation-delay] | 2024-03-28T17:20:01Z | 2024-03-20T13:44:20Z |
certSIGN: Delayed revocation | 1886627 | ASSIGNED | Gabriel PETCU | [ca-compliance] [leaf-revocation-delay] | 2024-04-09T11:45:04Z | 2024-03-20T22:30:47Z |
CFCA:Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) | 1888882 | ASSIGNED | Gao Fei | [ca-compliance] [leaf-revocation-delay] | 2024-04-17T15:27:24Z | 2024-04-01T07:19:09Z |
e-commerce monitoring GmbH: Delayed revocation | 1862004 | ASSIGNED | Daniel Zens | [ca-compliance] [leaf-revocation-delay] [external] | 2024-04-12T16:51:21Z | 2023-10-30T15:06:09Z |
Entrust: Delayed revocation of clientAuth TLS Certificates without serverAuth EKU | 1887705 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T12:05:18Z | 2024-03-25T16:44:53Z |
Entrust: Delayed revocation of EV TLS certificates with missing cPSuri | 1886532 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T12:04:12Z | 2024-03-20T17:22:26Z |
FIRMAPROFESIONAL: Delayed leaf revocation | 1891251 | ASSIGNED | ext-antoni.camon | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T14:48:50Z | 2024-04-12T16:11:20Z |
GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints | 1889062 | ASSIGNED | capoc | [ca-compliance] [leaf-revocation-delay] | 2024-04-17T02:35:25Z | 2024-04-02T09:18:52Z |
Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical | 1887888 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-03-26T14:43:39Z | 2024-03-26T14:39:37Z |
Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem | 1886665 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-03-21T15:55:40Z | 2024-03-21T04:30:30Z |
Microsec: Delayed revocation of the misissued certificates | 1887110 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [leaf-revocation-delay] | 2024-04-10T15:33:18Z | 2024-03-22T18:00:56Z |
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation | 1891331 | ASSIGNED | Tamás Horváth | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T02:39:43Z | 2024-04-13T22:07:56Z |
Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical | 1877388 | ASSIGNED | Arnold Essing | [ca-compliance] [leaf-revocation-delay] | 2024-04-16T20:29:13Z | 2024-01-30T07:52:58Z |
TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order | 1884568 | ASSIGNED | Hao-Chun Li | [ca-compliance] [leaf-revocation-delay] Next update 2024-04-30 | 2024-04-16T17:56:39Z | 2024-03-10T12:44:57Z |
17 Total; 17 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: