CA/Incident Dashboard
< CA
Jump to navigation
Jump to search
Open CA Bugs in Bugzilla
There are three separate lists of open compliance bugs below:
- Compliance bugs (not including audit delays or leaf revocation delays)
- Audit Delays
- Leaf Revocation Delays
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=CA+Program&component=CA+Certificate+Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| Agencia Notarial de Certificacion (ANCERT): Missing Contact Information in CCADB | 2015562 | UNCONFIRMED | [ca-compliance] [disclosure-failure] | 2026-02-10T18:04:14Z | 2026-02-09T18:36:46Z | |
| Asseco DS / Certum: CRL URLs disclosed in CCADB do not exactly match the CRL URLs in certificates | 2007105 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [disclosure-failure] Next update 2026-03-31 | 2026-01-16T18:32:55Z | 2025-12-19T13:32:26Z |
| Asseco DS / Certum: Finding in Routine WebTrust Audit – S/MIME certificates issued with mailbox validation older than 30 days | 2021685 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] | 2026-03-08T22:50:44Z | 2026-03-07T10:05:43Z |
| Buypass: Findings in 2025 ETSI Audit - Audit Incident Report #1 - Compliance auditing on support processes | 2005194 | ASSIGNED | Mads Henriksveen | [ca-compliance] [audit-finding] | 2026-03-09T09:38:20Z | 2025-12-10T13:20:20Z |
| Buypass: Findings in 2025 ETSI Audit - Audit Incident Report #2 - Supply chain policy | 2005196 | ASSIGNED | Mads Henriksveen | [ca-compliance] [audit-finding] | 2026-03-09T09:39:07Z | 2025-12-10T13:22:48Z |
| Byte Computer: Missing Contact Information in CCADB | 2015563 | ASSIGNED | Spyros Kollias | [ca-compliance] [disclosure-failure] | 2026-02-10T18:07:31Z | 2026-02-09T18:36:51Z |
| Carillon Information Security: Missing Contact Information in CCADB | 2015564 | ASSIGNED | Lyne Brosseau | [ca-compliance] [disclosure-failure] | 2026-03-04T12:40:30Z | 2026-02-09T18:37:02Z |
| Certicamara: Missing Contact Information in CCADB | 2015565 | ASSIGNED | Direccion TICS | [ca-compliance] [disclosure-failure] | 2026-02-10T18:08:45Z | 2026-02-09T18:37:08Z |
| certSIGN: certificates with delayed SCT signature | 2016672 | ASSIGNED | Gabriel PETCU | [ca-compliance] [ov-misissuance] | 2026-03-09T12:49:18Z | 2026-02-13T11:01:07Z |
| D-Trust: CRL HTTP Media Type | 2012511 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [crl-failure] | 2026-03-06T08:10:59Z | 2026-01-26T16:16:11Z |
| D-Trust: CRL URL Disclosure | 2007116 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [disclosure-failure] | 2026-03-06T08:12:29Z | 2025-12-19T14:22:17Z |
| D-Trust: Expired certificate provided on the CA TLS test website for demonstration of valid certificates | 2009149 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [policy-failure] | 2026-03-06T08:10:18Z | 2026-01-08T12:14:02Z |
| DigiCert: CAA processing during network disruption | 2017185 | ASSIGNED | DigiCert | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] | 2026-03-11T20:49:57Z | 2026-02-16T19:53:36Z |
| DigiCert: Subject Serial Numbers for Non-Commercial Entities | 2015186 | ASSIGNED | DigiCert | [close on 2026-03-18] [ca-compliance] [ev-misissuance] | 2026-03-11T18:33:52Z | 2026-02-06T22:18:45Z |
| Echoworx: Missing Contact Information in CCADB | 2015566 | ASSIGNED | Echoworx | [ca-compliance] [disclosure-failure] | 2026-02-10T21:19:01Z | 2026-02-09T18:37:14Z |
| Financijska agencija (Fina): Mis-issued certificates | 1986968 | ASSIGNED | miroslav.perincic | [ca-compliance] [dv-misissuance] | 2026-02-19T16:20:59Z | 2025-09-04T16:47:06Z |
| Firmaprofesional: Delayed preliminary response under BR 4.9.5 (Bug #2009941) | 2016066 | ASSIGNED | ext-antoni.camon | [ca-compliance] [policy-failure] | 2026-03-06T14:33:04Z | 2026-02-11T10:36:54Z |
| Firmaprofesional: Delayed revocation disclosure of TLS Subordinate CA certificate Secure Web 2024 in CCADB | 2016475 | ASSIGNED | ext-antoni.camon | [ca-compliance] [disclosure-failure] | 2026-03-06T14:35:18Z | 2026-02-12T16:15:17Z |
| Firmaprofesional: Misissuance of TLS Subordinate CA "AC Firmaprofesional - Secure Web 2024" | 2009941 | ASSIGNED | ext-antoni.camon | [ca-compliance] [ca-misissuance] | 2026-02-27T13:09:14Z | 2026-01-13T10:59:12Z |
| GoDaddy: CRL Disclosure in CCADB Mismatch with Issued Certificates | 2007216 | ASSIGNED | Steven Deitte | [ca-compliance] [disclosure failure] | 2026-03-06T21:05:20Z | 2025-12-20T00:13:07Z |
| GoDaddy: Partitioned CRL files missing Issuing Distribution Point | 2007217 | ASSIGNED | Steven Deitte | [ca-compliance] [disclosure failure] Next update 2026-03-20 | 2026-03-02T18:50:54Z | 2025-12-20T00:15:11Z |
| Google Trust Services: Outdated BR version in some validation records | 2017747 | ASSIGNED | Google Trust Services | [ca-compliance] [policy-failure] Next update 2026-03-31 | 2026-03-04T16:11:59Z | 2026-02-18T21:48:20Z |
| Government of Saudi Arabia, NIC (SDAIA): Missing Contact Information in CCADB | 2015567 | ASSIGNED | Ammar | [ca-compliance] [disclosure-failure] | 2026-02-18T09:03:16Z | 2026-02-09T18:37:18Z |
| HARICA: Incorrect nCAId in PSD2 QCStatement for QWACs | 2017845 | ASSIGNED | HARICA | [ca-compliance] Next update 2026-03-27 | 2026-03-05T17:47:13Z | 2026-02-19T12:11:13Z |
| IdenTrust: Cross-signed root certificate mis-issuance | 2014609 | ASSIGNED | IdenTrust | [ca-compliance] [ca-misissuance] | 2026-02-20T23:22:44Z | 2026-02-05T00:30:24Z |
| IdenTrust: Gap between audit periods | 2016267 | ASSIGNED | IdenTrust | [ca-compliance] [audit-failure] | 2026-03-05T19:42:35Z | 2026-02-11T22:48:59Z |
| IdenTrust: Root OCSP Signer certificate mis-issuance | 2014610 | ASSIGNED | IdenTrust | [ca-compliance] [uncategorized] | 2026-02-20T23:06:39Z | 2026-02-05T00:38:27Z |
| IdenTrust: Test Certificates from cross-signed roots not disclosed in CT Logs | 2016585 | ASSIGNED | IdenTrust | [ca-compliance] [uncategorized] | 2026-02-26T15:30:29Z | 2026-02-12T23:13:02Z |
| IdenTrust: Unauthorized OCSP responses for cross-signed roots | 2014590 | ASSIGNED | IdenTrust | [ca-compliance] [ocsp-failure] | 2026-03-10T16:21:50Z | 2026-02-04T22:52:56Z |
| iTrusChina: Failure to Respond to Feb 2026 Chrome Root Program Survey | 2020899 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [disclosure-failure] | 2026-03-10T08:52:48Z | 2026-03-04T07:18:19Z |
| iTrusChina: Finding in Routine WebTrust Audit - Domain validation records without the TLS BR version | 2013805 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [audit-finding] | 2026-03-09T09:56:37Z | 2026-02-02T02:51:31Z |
| Microsec: CT Logging mistakes | 2005939 | ASSIGNED | dr. Sándor SZŐKE | [close on 2026-03-12] [ca-compliance] [uncategorized] | 2026-03-05T17:50:44Z | 2025-12-14T14:45:10Z |
| Microsoft PKI Services: Failure to update action item status within 3 days | 2021175 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2026-03-05T17:52:26Z | 2026-03-05T00:48:22Z |
| Microsoft PKI Services: Policy document bug | 1962829 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2026-03-07T01:36:40Z | 2025-04-26T02:10:29Z |
| Microsoft PKI Services: OCSP Non-Compliance | 1999850 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [ocsp-failure] Next update 2026-04-24 | 2026-02-19T17:29:22Z | 2025-11-13T01:29:14Z |
| Netlock: CA in AIA in PEM format | 2004699 | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-09T20:57:13Z | 2025-12-08T13:50:23Z |
| NETLOCK: did not file a preliminary incident report or respond to a third-party report within the 72-hour timeframe | 2013400 | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-05T19:28:44Z | 2026-01-29T20:56:39Z |
| NETLOCK: Full Incident Report was not published within 14 days of notification | 2007948 | ASSIGNED | Roland | [ca-compliance] [disclosure failure] | 2026-03-09T20:58:17Z | 2025-12-29T20:30:46Z |
| NETLOCK: Missing Related Incidents section in the bug report | 2013395 | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-05T19:02:32Z | 2026-01-29T20:50:07Z |
| NETLOCK: Unavailability of the document repository | 2021559 | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-08T22:49:12Z | 2026-03-06T12:10:43Z |
| Netlock: unspecifed revocation code (0) in CRL | 2011314 | ASSIGNED | Roland | [ca-compliance] [crl-failure] | 2026-03-09T20:59:46Z | 2026-01-19T21:40:56Z |
| NISZ Nemzeti Infokommunikacios Szolgaltato: Missing Contact Information in CCADB | 2015568 | UNCONFIRMED | [ca-compliance] [disclosure-failure] | 2026-02-10T18:05:35Z | 2026-02-09T18:37:24Z | |
| PKIoverheid: TSP Cleverbase Findings in 2025 ETSI Audit - Incident Report #1 – Incorrect issuer CA listed in CPS | 1985816 | ASSIGNED | Policy Authority PKIoverheid | [ca-compliance] [audit-finding] Next update 2026-04-14 | 2026-01-27T15:16:50Z | 2025-08-28T15:39:28Z |
| PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #3 – Internal Audit | 1983263 | ASSIGNED | Policy Authority PKIoverheid | [ca-compliance] [audit-finding] | 2026-03-09T14:44:12Z | 2025-08-15T14:05:23Z |
| PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #7 – Change Management | 1983267 | ASSIGNED | Policy Authority PKIoverheid | [ca-compliance] [audit-finding] Next update 2026-03-20 | 2026-03-09T14:45:09Z | 2025-08-15T14:09:40Z |
| PostSignum: Length Subject organizationName | 2021239 | ASSIGNED | CA PostSignum | [ca-compliance] [ov-misissuance] | 2026-03-05T17:53:54Z | 2026-03-05T08:52:41Z |
| PostSignum: Mis-issued certificate | 2016722 | ASSIGNED | CA PostSignum | [close on 2026-03-17] [ca-compliance] [ov-misissuance] | 2026-03-10T15:16:53Z | 2026-02-13T14:49:09Z |
| SECOM: 2025 S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ) | 2021550 | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [ca-misissuance] [disclosure-failure] [audit-finding] [ca-revocation-delay] | 2026-03-08T22:54:11Z | 2026-03-06T11:16:12Z |
| SECOM: Non conformant SCT Encoding Due to SCT Modification by Cybertrust Japan (CTJ) | 2007070 | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [ov-misissuance] | 2026-03-05T10:29:13Z | 2025-12-19T08:01:55Z |
| SECOM: Repository service disruption affecting subordinate CAs (CTJ) | 2017840 | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [policy-failure] | 2026-03-08T22:52:06Z | 2026-02-19T11:49:12Z |
| Sectigo: Package patching gap within Certificate Systems | 2019995 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [uncategorized] | 2026-03-10T17:06:16Z | 2026-02-27T17:52:48Z |
| SHECA: CRL of root CA not published within 24 hours | 2015383 | ASSIGNED | SHECA | [ca-compliance] [crl-failure] | 2026-03-09T09:54:06Z | 2026-02-09T07:14:45Z |
| SHECA: TLS certificate key generation online | 1993357 | ASSIGNED | SHECA | [ca-compliance] [dv-misissuance] [ov-misissuance] | 2026-03-11T16:47:37Z | 2025-10-08T19:46:26Z |
| Swiss BIT (FOITT): Missing Contact Information in CCADB | 2015569 | ASSIGNED | Steph | [ca-compliance] [disclosure-failure] | 2026-02-10T18:08:09Z | 2026-02-09T18:37:29Z |
| SwissSign: recommendation on backup testing | 1990272 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:09Z | 2025-09-23T17:06:29Z |
| SwissSign: recommendation on BIA/BCP review | 1990263 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:27Z | 2025-09-23T16:53:15Z |
| SwissSign: recommendation on BIA/BCP test coverage | 1990266 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:38Z | 2025-09-23T16:55:40Z |
| SwissSign: recommendation on CA-specific risk assessment | 1990277 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:51Z | 2025-09-23T17:08:41Z |
| SwissSign: recommendation on document release dual control | 1990269 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:48Z | 2025-09-23T17:03:05Z |
| SwissSign: recommendation on evaluation of cloud service providers | 1990276 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:39Z | 2025-09-23T17:08:11Z |
| SwissSign: recommendation on firewall review | 1990271 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:54Z | 2025-09-23T17:05:31Z |
| SwissSign: recommendation on linting software updates | 1990282 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-11-03T08:50:16Z | 2025-09-23T17:12:55Z |
| SwissSign: recommendation on log review process | 1990285 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:54:20Z | 2025-09-23T17:14:00Z |
| SwissSign: recommendation on publication process for CA related data | 1990275 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:27Z | 2025-09-23T17:07:40Z |
| SwissSign: recommendation on review of key pair generation implementation | 1990284 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:53:56Z | 2025-09-23T17:13:29Z |
| SwissSign: recommendation on risk assessment | 1990254 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:50:25Z | 2025-09-23T16:08:48Z |
| SwissSign: recommendation on self-assessment tool | 1990281 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:53:00Z | 2025-09-23T17:12:19Z |
| SwissSign: recommendation on synchronization of staging and production environments | 1990274 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:18Z | 2025-09-23T17:07:10Z |
| Telekom Security / DFN: CRL of “DFN-Verein Certification Authority 2“ contains empty revoked certificate list | 2011238 | ASSIGNED | Stefan Kirch | [close on 2026-03-17] [ca-compliance] [crl-failure] | 2026-03-10T15:18:22Z | 2026-01-19T15:10:05Z |
| Telia: S/MIME Misissuance - incorrect subject information for Multipurpose sponsor-validated-profile | 2012101 | ASSIGNED | Antti Backman | [ca-compliance] [smime-misissuance] Next update 2026-03-17 | 2026-03-02T18:51:56Z | 2026-01-23T12:25:35Z |
| TrustAsia: ACME Authorization Reuse Non-Compliance | 2011713 | ASSIGNED | TrustAsia | [close on 2026-03-17] [ca-compliance] [dv-misissuance] | 2026-03-10T14:57:37Z | 2026-01-21T17:12:29Z |
| TrustAsia: SSL DV Mis-issuance against CP/CPS (IPAddress) | 2011865 | ASSIGNED | TrustAsia | [close on 2026-03-17] [ca-compliance] [dv-misissuance] | 2026-03-10T14:56:33Z | 2026-01-22T12:50:09Z |
72 Total; 72 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| D-Trust: Delayed publication of audit attestation letters in the CCADB | 2011430 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [audit-delay] | 2026-03-06T08:10:02Z | 2026-01-20T14:51:29Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| [meta] Delayed Revocation | 1911183 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2025-06-10T20:05:50Z | 2024-08-01T20:05:04Z |
| Firmaprofesional: Delayed revocation of TLS certificates affected by bug #2009941 | 2011855 | ASSIGNED | ext-antoni.camon | [ca-compliance] [leaf-revocation-delay] [ca-revocation-delay] | 2026-03-11T16:49:05Z | 2026-01-22T12:13:47Z |
| Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829 | 1965612 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [leaf-revocation-delay] | 2026-03-12T01:53:06Z | 2025-05-10T01:34:01Z |
| SHECA: Delayed revocation of TLS certificates affected by bug #1993357 | 1994051 | ASSIGNED | SHECA | [ca-compliance] [leaf-revocation-delay] | 2026-03-11T16:49:52Z | 2025-10-13T18:23:58Z |
4 Total; 4 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: