CA/Incident Dashboard
From MozillaWiki
< CA
Contents
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Actalis: Issuance of intermediates after 2020-08-20 that do not comply with Mozilla Policy and the Baseline Requirements | 1717357 | ASSIGNED | Adriano Santoni | [ca-compliance] Next update 2021-09-22 | 2021-09-21T08:02:42Z |
| Apple: Test web page certificates expired | 1730291 | ASSIGNED | certification_authority | [ca-compliance] | 2021-09-21T02:17:20Z |
| E-Tugra: CA Certificate Missing from Audit Reports | 1716843 | ASSIGNED | Davut Tokgöz | [ca-compliance] Next update 2021-11-01 | 2021-08-24T14:50:03Z |
| E-Tugra: Forbidden Domain Validation Method 3.2.2.4.6 | 1716902 | ASSIGNED | Davut Tokgöz | [ca-compliance] | 2021-08-25T14:17:48Z |
| emSign Audit Delay: Incident Report | 1728790 | ASSIGNED | Vijay Kumar | [ca-compliance][audit-delay][covid-19] | 2021-09-07T06:51:28Z |
| Entrust: Incorrect value in Business Category field for Government Entities | 1728796 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] | 2021-09-20T22:00:47Z |
| Entrust: Invalid localityName | 1712106 | ASSIGNED | Dathan Demone | [ca-compliance] Next update 2021-11-15 | 2021-09-15T20:33:20Z |
| Entrust: Test Website Certificates Expired | 1731887 | ASSIGNED | Bruce Morton | [ca-compliance] | 2021-09-23T18:50:10Z |
| Firmaprofesional: 2021 Audit Report Finding 2 out of 3 | 1717791 | ASSIGNED | Maria Jose Prieto | [ca-compliance] Next update 2021-10-01 | 2021-08-06T17:33:28Z |
| GlobalSign: Incorrect OCSP Delegated Responder Certificate | 1649937 | ASSIGNED | douglas.beattie | [ca-compliance] Next Update 2021-10-01 | 2021-09-08T16:57:33Z |
| GlobalSign: Invalid stateOrProvinceName and locality pair | 1708834 | ASSIGNED | Arvid Vermote | [ca-compliance] Next update 2021-10-01 | 2021-08-16T22:18:44Z |
| GoDaddy: Issued EV Wildcard Certificate | 1731939 | ASSIGNED | Brittany Randall | [ca-compliance] | 2021-09-22T15:43:14Z |
| Google Trust Services: CRL validity period set to expected value plus one second | 1731164 | ASSIGNED | Cade Cairns | [ca-compliance] | 2021-09-23T17:24:09Z |
| Google Trust Services: Delayed publication of CPS removing DNS Operator Exception | 1729097 | ASSIGNED | Brett L | [ca-compliance] Next update 2021-09-24 | 2021-09-24T20:38:42Z |
| iTrusChina: verification errors for the roots' CRLs(ARL) | 1712664 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] | 2021-09-08T09:39:51Z |
| KIR S.A.: Invalid organizationName | 1705647 | ASSIGNED | Piotr Grabowski | [ca-compliance] Next update 2021-10-15 | 2021-09-08T19:57:20Z |
| Let's Encrypt: certificate lifetimes 90 days plus one second | 1715455 | ASSIGNED | Josh Aas | [ca-compliance] Next update 2021-11-12 | 2021-07-26T19:52:17Z |
| Let’s Encrypt: Delay updating OCSP responses | 1729567 | ASSIGNED | Aaron Gable | [ca-compliance] Next update 2021-10-01 | 2021-09-17T20:17:05Z |
| Microsec: Misissuance of one OV certificate with Key Usage KeyEncipherment | 1728384 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] | 2021-09-15T09:36:53Z |
| Microsoft PKI Services: Malformed ICAs (missing certificate policy extensions) | 1711147 | ASSIGNED | John Mason | [ca-compliance] Next update 2021-10-01 | 2021-07-30T04:26:26Z |
| Microsoft PKI Services: Overdue Audit Reports 2021 | 1724530 | ASSIGNED | mohanr | [ca-compliance] | 2021-09-17T22:26:13Z |
| Netlock: CA Certificate Missing from Audit Reports | 1716874 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-09-21T08:03:25Z |
| Netlock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit | 1680378 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-08-31T15:13:29Z |
| Network Solutions: 2021 Audit Observation #1 | 1725039 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-09-24T18:43:18Z |
| Network Solutions: 2021 Audit Observation #3 | 1725043 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-09-21T18:47:45Z |
| Network Solutions: All test CA test website certificates are expired | 1726333 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-09-10T18:58:50Z |
| PKIoverheid: KPN CPS Lists Forbidden Domain Validation Method 3.2.2.4.6 | 1719451 | ASSIGNED | David Weissenberg | [ca-compliance] Next update 2021-10-01 | 2021-09-16T11:31:07Z |
| QuoVadis/PKIoverheid: incorrect OCSP response for precertificate | 1724276 | ASSIGNED | Stephen Davidson | [ca-compliance] Next update 2021-10-01 | 2021-09-16T16:14:56Z |
| SECOM: CA Certificates Missing from Audit Reports | 1717044 | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-09-10T11:01:30Z |
| SECOM: FUJIFILM intermediate not listed in audit statement | 1695938 | ASSIGNED | Hisashi Kamo | [ca-compliance] Next update 2021-10-01 | 2021-09-08T17:06:38Z |
| Sectigo: Inappropriate subject:serialNumber information in EV certificates obtained through ACME | 1712120 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2021-10-01 | 2021-08-03T15:22:54Z |
| Sectigo: Missing registration numbers in EV certificates | 1721271 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2021-10-18 | 2021-09-15T15:48:33Z |
| Sectigo: Mojibake in certificate Subject fields | 1724458 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2021-09-18 | 2021-09-24T15:52:00Z |
| Sectigo: test certificates issued from trusted CA | 1712188 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-09-21T15:39:52Z |
| SecureTrust: Invalid localityName | 1720723 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2021-09-22 | 2021-09-22T20:24:25Z |
| SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels | 1724520 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2021-09-17T22:20:23Z |
| SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information | 1722089 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2021-09-11T00:08:19Z |
| SSL.com: Issuance of an EV TLS certificate with incorrect O Field Value | 1719916 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2021-09-03T21:47:29Z |
| SwissSign: Certificate with key length 16258 | 1731586 | ASSIGNED | Mike Guenther | [ca-compliance] | 2021-09-25T16:03:16Z |
| Web.com: Failure to respond in time to revocation requests | 1723121 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-09-24T18:42:40Z |
| Web.com: Overdue Audit Statements 2021 | 1721473 | ASSIGNED | Keith McKenney | [ca-compliance] | 2021-09-24T18:42:57Z |
41 Total; 41 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| emSign Audit Delay: Incident Report | 1728790 | ASSIGNED | Vijay Kumar | [ca-compliance][audit-delay][covid-19] | 2021-09-07T06:51:28Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Actalis: Delayed revocation of non-BR-compliant CA Certificate within 7 days | 1718554 | ASSIGNED | Adriano Santoni | [ca-compliance] [delayed-revocation-ca] Next update 2021-09-22 | 2021-08-09T19:29:40Z |
| Camerfirma: Delayed revocations of certificates issued by old CAs with an RSA modulus size of 2047 bits | 1692535 | ASSIGNED | Ana Lopes | [ca-compliance] [delayed-revocation-leaf] Next update 2021-10-01 | 2021-08-31T15:14:59Z |
| KIR S.A.: Delayed revocations of certificates | 1709872 | ASSIGNED | Piotr Grabowski | [ca-compliance] [delayed-revocation-leaf] Next update 2021-12-01 | 2021-09-15T20:41:23Z |
| Let's Encrypt: Failure to revoke for Certificate Lifetime Incident | 1715672 | ASSIGNED | Aaron Gable | [ca-compliance] [delayed-revocation-leaf] Next update 2021-10-14 | 2021-09-15T20:34:32Z |
| SECOM: Delayed Revocation of non-technically constrained FUJIFILM Certificates | 1707229 | ASSIGNED | Hisashi Kamo | [ca-compliance] [delayed-revocation-leaf] Next update 2021-10-01 | 2021-09-17T09:45:53Z |
5 Total; 5 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
