CA/Incident Dashboard

From MozillaWiki
< CA
Jump to navigation Jump to search

Open CA Bugs in Bugzilla

There are three separate lists of open compliance bugs below:

  • Compliance bugs (not including audit delays or leaf revocation delays)
  • Audit Delays
  • Leaf Revocation Delays

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
Actalis: missing CCADB disclosure for new SubCA 1982646 ASSIGNED Nicolò Papi [ca-compliance] [disclosure-failure] 2025-10-10T12:39:27Z 2025-08-12T15:34:24Z
DigiCert: Re-use of WHOIS validation shortly after deadline 1978163 ASSIGNED DigiCert [ca-compliance] [dv-misissuance] [ov-misissuance] 2025-10-15T15:52:21Z 2025-07-18T21:01:12Z
Financijska agencija (Fina): Mis-issued certificates 1986968 ASSIGNED miroslav.perincic [ca-compliance] [dv-misissuance] 2025-09-28T18:33:14Z 2025-09-04T16:47:06Z
FNMT: CP/CPS, Revocation Requests Mechanism, Certificate Problem Report, CRL and OCSP disruption 1963778 ASSIGNED Amaya Espinosa [ca-compliance] [policy-failure] Next update 2025-10-15 2025-10-15T11:44:19Z 2025-05-01T08:21:00Z
Google Trust Services: Missing authorization audit log entry for certificate issuance 1979457 ASSIGNED Google Trust Services [close on 2025-10-20] [ca-compliance] [policy-failure] 2025-10-14T16:40:10Z 2025-07-25T21:06:01Z
IdenTrust: ICA with invalid CDP 1991215 ASSIGNED IdenTrust [ca-compliance] [ca-misissuance] 2025-10-15T13:44:10Z 2025-09-26T20:20:59Z
IdenTrust: TLS self audit testing below 3% 1991558 ASSIGNED IdenTrust [ca-compliance] [policy-failure] 2025-10-14T20:47:33Z 2025-09-29T23:04:25Z
IZENPE: Failed to respond a Certificate Problem Report within 24 hours and create a preliminary report in 72 hours 1985466 ASSIGNED David [ca-compliance] [policy-failure] 2025-09-30T14:35:16Z 2025-08-27T07:53:12Z
IZENPE: IssuingDistributionPoint extension in CRLs not marked as Critical 1976256 ASSIGNED Toni Sáez [ca-compliance] [crl-failure] 2025-09-30T14:27:29Z 2025-07-08T15:19:58Z
Microsoft PKI Services: End Entity Certificate Mis-issuance against CPS (BasicConstraints) 1979475 ASSIGNED Microsoft PKI Services [ca-compliance] [policy-failure] [ov-misissuance] 2025-10-10T18:49:01Z 2025-07-26T00:21:43Z
Microsoft PKI Services: Policy document bug 1962829 ASSIGNED Microsoft PKI Services [ca-compliance] [policy-failure] 2025-10-10T18:47:38Z 2025-04-26T02:10:29Z
Microsoft: improper disclosure of CRL 1990801 ASSIGNED Microsoft PKI Services [ca-compliance] [crl-failure] 2025-10-15T13:25:42Z 2025-09-25T12:48:12Z
PKIoverheid: TSP Cleverbase Findings in 2025 ETSI Audit - Incident Report #1 – Incorrect issuer CA listed in CPS 1985816 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-09-04T12:43:36Z 2025-08-28T15:39:28Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #1 – Security Handbook 1983256 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T15:39:22Z 2025-08-15T13:34:25Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #10 – Firewall Rules and Review 1983270 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T16:06:55Z 2025-08-15T14:12:58Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #11 – Anti-Malware Software 1983271 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T16:09:46Z 2025-08-15T14:14:13Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #12 – Outdated Software 1983272 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T16:12:59Z 2025-08-15T14:15:10Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #13 – Restore Test 1983273 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T16:15:07Z 2025-08-15T14:16:22Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #14 – Back-up 1983274 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T16:23:21Z 2025-08-15T14:17:35Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #15 – Outdated Software 1983275 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T16:24:52Z 2025-08-15T14:18:19Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #16 – EJBCA Configuration 1983276 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T16:26:42Z 2025-08-15T14:19:07Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #2 – Compliance Management 1983262 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T15:40:28Z 2025-08-15T14:03:50Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #3 – Internal Audit 1983263 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T15:42:49Z 2025-08-15T14:05:23Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #4 –Training 1983264 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T15:45:43Z 2025-08-15T14:06:17Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #5 – CMDB 1983265 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T15:48:25Z 2025-08-15T14:07:17Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #6 – Security Incident Procedure 1983266 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T15:54:15Z 2025-08-15T14:08:50Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #7 – Change Management 1983267 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T16:00:03Z 2025-08-15T14:09:40Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #8 – Logical Access 1983268 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T16:02:53Z 2025-08-15T14:10:43Z
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #9 – Lifecycle Management 1983269 ASSIGNED Policy Authority PKIoverheid [ca-compliance] [audit-finding] 2025-10-09T16:04:09Z 2025-08-15T14:11:31Z
SECOM: No updated CRLs published for Cybertrust Japan SureMail CA G4 1986911 ASSIGNED SECOM Trust Systems - ONO Fumiaki [close on 2025-10-20] [ca-compliance] [crl-failure] 2025-10-10T15:38:20Z 2025-09-04T13:23:34Z
Sectigo: OCSP, caIssuers, and CRL endpoints unavailable for a single Subordinate CA 1991196 ASSIGNED incident-response [ca-compliance] [ocsp-failure] [crl-failure] [policy-failure] Next update 2025-10-30 2025-10-14T08:44:38Z 2025-09-26T19:14:13Z
SHECA: TLS certificate key generation online 1993357 ASSIGNED SHECA [ca-compliance] [dv-misissuance] [ov-misissuance] 2025-10-14T22:52:50Z 2025-10-08T19:46:26Z
SwissSign: recommendation on backup testing 1990272 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:36:25Z 2025-09-23T17:06:29Z
SwissSign: recommendation on BIA/BCP review 1990263 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:33:37Z 2025-09-23T16:53:15Z
SwissSign: recommendation on BIA/BCP test coverage 1990266 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:33:53Z 2025-09-23T16:55:40Z
SwissSign: recommendation on CA-specific risk assessment 1990277 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:39:18Z 2025-09-23T17:08:41Z
SwissSign: recommendation on document release dual control 1990269 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:34:10Z 2025-09-23T17:03:05Z
SwissSign: recommendation on evaluation of cloud service providers 1990276 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:37:17Z 2025-09-23T17:08:11Z
SwissSign: recommendation on firewall review 1990271 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:36:06Z 2025-09-23T17:05:31Z
SwissSign: recommendation on linting software updates 1990282 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T09:22:19Z 2025-09-23T17:12:55Z
SwissSign: recommendation on log review process 1990285 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:40:13Z 2025-09-23T17:14:00Z
SwissSign: recommendation on publication process for CA related data 1990275 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:36:56Z 2025-09-23T17:07:40Z
SwissSign: recommendation on review of key pair generation implementation 1990284 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:40:00Z 2025-09-23T17:13:29Z
SwissSign: recommendation on risk assessment 1990254 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:33:18Z 2025-09-23T16:08:48Z
SwissSign: recommendation on self-assessment tool 1990281 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:39:37Z 2025-09-23T17:12:19Z
SwissSign: recommendation on synchronization of staging and production environments 1990274 ASSIGNED Sandy Balzer [ca-compliance] [audit-finding] 2025-10-13T11:36:41Z 2025-09-23T17:07:10Z
TunTrust: Issue with Valid test Certificate 1988405 ASSIGNED Agence Nationale de Certification Electronique [close on 2025-10-20] [ca-compliance] [policy-failure] 2025-10-10T15:39:37Z 2025-09-13T17:05:34Z

47 Total; 47 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
[meta] Delayed Revocation 1911183 ASSIGNED Ben Wilson [ca-compliance] [meta] [leaf-revocation-delay] 2025-06-10T20:05:50Z 2024-08-01T20:05:04Z
Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829 1965612 ASSIGNED Microsoft PKI Services [ca-compliance] [leaf-revocation-delay] 2025-10-13T20:51:22Z 2025-05-10T01:34:01Z
SHECA: Delayed revocation of TLS certificates affected by bug #1993357 1994051 ASSIGNED SHECA [ca-compliance] [leaf-revocation-delay] 2025-10-15T18:22:50Z 2025-10-13T18:23:58Z
VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 1885568 ASSIGNED VikingCloud CA [ca-compliance] [ov-misissuance] [leaf-revocation-delay] 2025-09-10T01:25:15Z 2024-03-15T16:20:17Z

4 Total; 4 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: