CA/Incident Dashboard


Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| ACCV: Certificates issued with Policy qualifiers other than id-qt-cps | 1889567 | ASSIGNED | Jose Amador | [ca-compliance] [ev-misissuance] | 2024-05-06T07:05:58Z | 2024-04-04T07:53:32Z |
| Actalis: CRL distribution point with ldap scheme | 1906690 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-07-19T11:51:09Z | 2024-07-08T15:44:42Z |
| AGCE: Non-Compliant VPN Certificate Issuance | 1882256 | ASSIGNED | ance.certification.info | [ca-compliance] [ov-misissuance] | 2024-07-02T14:37:29Z | 2024-02-27T10:44:42Z |
| Asseco DS / Certum: CP/CPS, Revocation Requests Mechanism, Certificate Problem Report, CRL and OCSP disruption | 1909203 | ASSIGNED | Wojciech Trapczyński | [ca-compliance] [disclosure-failure] | 2024-07-26T12:26:32Z | 2024-07-22T12:44:23Z |
| Asseco DS / Certum: CRL non-conformance with the TLS BRs | 1888689 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [crl-failure] [external] Next update 2024-10-01 | 2024-05-09T20:57:15Z | 2024-03-29T17:37:14Z |
| Asseco DS / Certum: Cross-certificate not included in 2024 S/MIME Audit statement | 1904494 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [audit-failure] | 2024-07-25T08:18:54Z | 2024-06-25T07:05:47Z |
| Asseco DS / Certum: S/MIME certificates with error in subjectAlternativeName | 1879845 | REOPENED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] Next update 2024-10-01 | 2024-06-27T18:02:12Z | 2024-02-12T13:22:11Z |
| Buypass: Using an external DNS Resolver for DNS lookups | 1872371 | ASSIGNED | Mads Henriksveen | [ca-compliance] [ov-misissuance] | 2024-07-16T15:03:01Z | 2023-12-29T16:02:59Z |
| Certigna: ARL without reasoncode for recent revoked CA certificates | 1900654 | ASSIGNED | Josselin Allemandou | [ca-compliance] [crl-failure] [external] | 2024-06-21T16:07:00Z | 2024-06-04T16:32:05Z |
| Certigna: Findings in 2024 ETSI Audit – Audit Incident Report | 1907833 | ASSIGNED | Josselin Allemandou | [ca-compliance] [audit-finding] | 2024-07-16T13:22:21Z | 2024-07-15T10:19:37Z |
| Certigna: TLS certificates with Basic constraint non-critical | 1883416 | ASSIGNED | Josselin Allemandou | [ca-compliance] [ov-misissuance] | 2024-04-10T15:30:22Z | 2024-03-04T16:36:15Z |
| certSIGN: Findings in 2024 ETSI Audit - Audit Incident Report | 1897134 | ASSIGNED | Gabriel PETCU | [ca-compliance] [audit-finding] | 2024-07-26T12:37:47Z | 2024-05-16T12:21:22Z |
| CFCA: certificate basicConstraints extension not marked as critical | 1886135 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] Next update 2024-07-30 | 2024-07-12T16:23:30Z | 2024-03-19T10:57:32Z |
| CFCA: Failure to respond to a CPR in a complete and/or timely manner | 1888881 | ASSIGNED | Gao Fei | [ca-compliance] [policy-failure] | 2024-06-30T20:21:59Z | 2024-04-01T07:17:16Z |
| Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired | 1904038 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [policy-failure] | 2024-07-23T15:45:19Z | 2024-06-21T12:48:21Z |
| Chunghwa Telecom: Controversial Values within Extension (2.5.29.9, subjectDirectoryAttributes) | 1899466 | ASSIGNED | Leo Fang | [ca-compliance] [ov-misissuance] | 2024-07-21T01:54:56Z | 2024-05-29T04:13:45Z |
| Chunghwa Telecom: Wrong Extended Key Usage setting by GTLSCA | 1887096 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [ov-misissuance] | 2024-05-29T04:16:27Z | 2024-03-22T17:25:13Z |
| CommScope: Certificates were issued in which third-party web-based tools were used during validation. | 1901578 | ASSIGNED | Nicol So | [ca-compliance] [dv-misissuance] | 2024-07-24T19:28:02Z | 2024-06-10T17:24:44Z |
| CommScope: Incomplete Incident Report | 1904402 | ASSIGNED | Nicol So | [ca-compliance] [policy-failure] | 2024-07-24T19:54:26Z | 2024-06-24T18:20:49Z |
| CommScope: OCSP responses have invalid signatures | 1904399 | ASSIGNED | Nicol So | [ca-compliance] [ocsp-failure] | 2024-07-23T13:47:15Z | 2024-06-24T18:07:12Z |
| D-Trust: Issuance of 15 certificates with incorrect subject attribute order | 1891225 | ASSIGNED | Leyla Sahin | [ca-compliance] [ev-misissuance] Next update 2024-08-01 | 2024-07-26T09:31:28Z | 2024-04-12T13:48:03Z |
| D-Trust: Issuance of an EV certificate containing a mixup of the Subject's postalCode and localityName | 1896190 | ASSIGNED | Enrico Entschew | [ca-compliance] [ev-misissuance] Next update 2024-09-01 | 2024-07-12T16:25:09Z | 2024-05-10T19:14:04Z |
| D-Trust: LDAP-URL in Subscriber Certificate Authority Information Access field | 1884714 | ASSIGNED | Enrico Entschew | [ca-compliance] [ov-misissuance] | 2024-07-26T09:28:55Z | 2024-03-11T16:29:07Z |
| Disig has issued two certificates with the serial number 0c1f909d0770fcbe9c00000000000007db | 1907667 | ASSIGNED | Peter Miskovic | [ca-compliance] [ov-misissuance] | 2024-07-25T15:20:19Z | 2024-07-12T20:38:40Z |
| Entrust: Action Items from June 2024 Report | 1901270 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] Next update 2024-07-31 | 2024-07-09T14:45:09Z | 2024-06-07T16:50:41Z |
| Entrust: CPR was not responded to in 24 hours | 1885754 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [external] [policy-failure] Next update 2024-07-31 | 2024-06-27T20:41:40Z | 2024-03-16T22:14:29Z |
| Entrust: CPS typographical (text placement) error | 1890896 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] Next update 2024-07-31 | 2024-07-05T20:22:16Z | 2024-04-11T00:45:36Z |
| Entrust: Delayed reporting of Jurisdiction issue in some EV TLS & Code Signing certificates | 1898847 | ASSIGNED | ngook.kong | [ca-compliance] [policy-failure] Next update 2024-07-31 | 2024-06-28T23:55:27Z | 2024-05-25T03:37:00Z |
| Entrust: EV TLS Certificate cPSuri missing | 1883843 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [ev-misissuance] Next update 2024-07-31 | 2024-07-16T23:19:28Z | 2024-03-06T08:35:58Z |
| Entrust: Failed to provide a preliminary incident report according to TLS BR 4.9.5 | 1890123 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [policy-failure] Next update 2024-07-31 | 2024-07-18T14:42:20Z | 2024-04-06T13:24:25Z |
| Entrust: Jurisdiction issue in some EV TLS & Code Signing certificates | 1897630 | ASSIGNED | ngook.kong | [ca-compliance] [ev-misissuance] Next update 2024-07-31 | 2024-07-12T20:27:47Z | 2024-05-19T02:42:21Z |
| Entrust: Not updating CPR Problem Reporting Mechanism fields in CCADB | 1894111 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] Next update 2024-07-31 | 2024-07-05T20:21:49Z | 2024-04-29T21:37:24Z |
| Entrust: S/MIME mailbox address case mismatch between subject and subjectAltName | 1906470 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] | 2024-07-18T16:11:12Z | 2024-07-05T18:24:44Z |
| Entrust: S/MIME mailbox address not in subjectAltName | 1906467 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] | 2024-07-23T15:31:13Z | 2024-07-05T18:16:34Z |
| Firmaprofesional: Policy Qualifiers other than id-qt-cps present for certificate | 1889420 | ASSIGNED | ext-antoni.camon | [ca-compliance] [ov-misissuance] | 2024-06-25T10:15:03Z | 2024-04-03T15:46:27Z |
| FNMT: Certificates issued included Policy qualifiers other than id-qt-cps | 1875942 | ASSIGNED | Amaya Espinosa | [ca-compliance] [ov-misissuance] [ev-misissuance] | 2024-02-24T15:58:01Z | 2024-01-22T23:10:58Z |
| GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints | 1888060 | ASSIGNED | capoc | [ca-compliance] [ov-misissuance] | 2024-07-24T09:28:33Z | 2024-03-27T06:15:29Z |
| GoDaddy : CAA checks did not properly handle issuewild tag allowing FQDN SANs to be added to wildcard certs | 1904748 | ASSIGNED | [:nickname] Star | [ca-compliance] | 2024-07-16T21:33:00Z | 2024-06-26T02:12:50Z |
| GoDaddy : CAA checks passed when records contained incorrect variants of godaddy.com or starfieldtech.com | 1904749 | ASSIGNED | [:nickname] Star | [ca-compliance] | 2024-07-16T21:32:52Z | 2024-06-26T02:14:20Z |
| GoDaddy: CPR was not responded to in 24 hours | 1902868 | ASSIGNED | Johnny | [ca-compliance] [policy-failure] | 2024-06-27T19:18:11Z | 2024-06-15T20:49:32Z |
| GoDaddy: Edge Case for Data Reuse Outside of Timeframes | 1909948 | ASSIGNED | [:nickname] Star | [ca-compliance] [dv-misissuance] | 2024-07-26T14:31:54Z | 2024-07-25T17:47:50Z |
| GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued | 1905419 | ASSIGNED | [:nickname] Star | [ca-compliance] [ocsp-failure] | 2024-07-18T03:58:05Z | 2024-06-28T19:25:10Z |
| Google Trust Services: SXG certificates issued without correctly checking CAA restrictions | 1902670 | ASSIGNED | Google Trust Services | [ca-compliance] [uncategorized] Next update 2024-07-12 | 2024-07-26T16:15:15Z | 2024-06-14T14:27:02Z |
| Hongkong Post: Delayed response to CPR | 1886722 | ASSIGNED | Man Ho | [ca-compliance] [policy-failure] | 2024-05-02T03:30:59Z | 2024-03-21T11:36:56Z |
| Hongkong Post: TLS certificates with basicConstraints not marked as critical | 1887008 | ASSIGNED | Man Ho | [ca-compliance] [ov-misissuance] | 2024-07-12T15:32:25Z | 2024-03-22T13:11:35Z |
| Hongkong Post: TLS certificates with Certificate Policies extension that does not assert http scheme | 1886406 | ASSIGNED | Man Ho | [ca-compliance] [ov-misissuance] | 2024-07-12T15:31:15Z | 2024-03-20T11:23:23Z |
| IdenTrust: TLS ICA with User Notice in Policy Qualifier | 1897569 | ASSIGNED | IdenTrust | [ca-compliance] [ca-misissuance] | 2024-07-22T21:17:36Z | 2024-05-17T23:59:46Z |
| IdenTrust: Unauthorized OCSP response on a Timestamp certificate | 1905446 | ASSIGNED | IdenTrust | [ca-compliance] [ocsp-failure] | 2024-07-17T23:50:27Z | 2024-06-28T22:11:23Z |
| IdenTrust: unintended creation of a Root CA certificate | 1895006 | ASSIGNED | IdenTrust | [ca-compliance] [ca-misissuance] Next update 31-July-2024 | 2024-07-01T17:20:24Z | 2024-05-03T20:19:30Z |
| iTrusChina: CRL Reason Codes | 1907949 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [crl-failure] [external] | 2024-07-25T08:38:59Z | 2024-07-15T16:38:29Z |
| Izenpe: Failure to Submit Annual CCADB Self-Assessment | 1883493 | ASSIGNED | David | [ca-compliance] [disclosure-failure] [external] | 2024-03-21T09:50:35Z | 2024-03-04T20:36:07Z |
| Microsec: Disallowed subject attribute field in DV certificate | 1889699 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [dv-misissuance] | 2024-04-30T15:21:01Z | 2024-04-04T17:01:58Z |
| Microsec: Late response to a CPR | 1886998 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [policy-failure] | 2024-06-30T20:24:17Z | 2024-03-22T12:22:34Z |
| Microsec: Misissuance an EV TLS certificate without CPSuri | 1886257 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [ev-misissuance] | 2024-04-30T15:26:38Z | 2024-03-19T18:23:18Z |
| Microsoft PKI Services: Vulnerability Management Exception Tracking | 1906028 | ASSIGNED | Dustin Hollenback | [ca-compliance] [audit-finding] Next update 2024-08-13 | 2024-07-26T16:26:20Z | 2024-07-03T03:40:36Z |
| NAVER Cloud Trust Services: Certificate issued with incorrect OCSP URI in AIA | 1908128 | ASSIGNED | Hogeun Yoo | [ca-compliance] [ocsp-failure] | 2024-07-24T20:18:21Z | 2024-07-16T13:28:05Z |
| NAVER Cloud Trust Services: Incorrect keyUsage for ECC certificate | 1908130 | ASSIGNED | Hogeun Yoo | [ca-compliance] [ov-misissuance] | 2024-07-23T05:10:18Z | 2024-07-16T13:34:57Z |
| NETLOCK: CPR was not responded to in 24 hours | 1905509 | ASSIGNED | Tamás Horváth | [ca-compliance] [policy-failure] | 2024-07-12T13:25:24Z | 2024-06-29T19:45:26Z |
| NETLOCK: CPS 1.5.2. problem and contact information update | 1907568 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] | 2024-07-12T16:27:28Z | 2024-07-12T13:29:39Z |
| Netlock: Delayed reply from CPR sent to contact listed in section 1.5.2 of CP/S | 1906115 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] | 2024-07-06T06:05:11Z | 2024-07-03T14:05:41Z |
| NETLOCK: Intermediate CA Certificate not disclosed to CCADB | 1904041 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [disclosure-failure] | 2024-07-19T14:42:55Z | 2024-06-21T13:01:09Z |
| NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates | 1889570 | ASSIGNED | Tamás Horváth | [ca-compliance] [ev-misissuance] | 2024-07-06T06:09:54Z | 2024-04-04T08:18:19Z |
| Sectigo: QWAC certificates issued with incorrect subject:organizationIdentifier attribute value | 1902748 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ev-misissuance] Next Update 2024-08-31 | 2024-07-18T14:53:40Z | 2024-06-14T20:30:02Z |
| Sectigo: Temporary unavailability for subset of CRLs | 1908690 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [crl-failure] Next update 2024-08-15 | 2024-07-26T16:23:11Z | 2024-07-18T15:08:34Z |
| SHECA: EV certificate subject RDN order is incorrect | 1902592 | ASSIGNED | jasmine.tang | [ca-compliance] [ev-misissuance] | 2024-06-27T11:55:03Z | 2024-06-14T06:18:45Z |
| SHECA: The certificate's cpsURI is empty | 1902947 | ASSIGNED | Alvin.Wang | [ca-compliance] [ev-misissuance] | 2024-07-04T09:52:44Z | 2024-06-17T02:51:24Z |
| Siemens: meaningless characters in personal name fields | 1902042 | ASSIGNED | Thorsten Bergmann | [ca-compliance] [smime-misissuance] Next update 2024-08-16 | 2024-07-26T16:17:12Z | 2024-06-12T15:50:28Z |
| Telia: Certificates Issued with lower case value in subject:countryName | 1896108 | ASSIGNED | Antti Backman | [ca-compliance] [ov-misissuance] Next update 2024-07-05 | 2024-07-19T13:05:44Z | 2024-05-10T13:39:06Z |
| TunTrust: CRL and OCSP unavailable | 1895312 | ASSIGNED | TunTrust | [ca-compliance] [crl-failure] [ocsp-failure] | 2024-05-21T14:48:48Z | 2024-05-06T17:10:11Z |
| WISeKey: OCSP responding "Unauthorized" for a TLS certificate | 1903823 | ASSIGNED | Pedro Fuentes | [ca-compliance] [ocsp-failure] | 2024-07-26T16:24:40Z | 2024-06-20T15:26:51Z |

70 Total; 70 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| Buypass: Delayed revocation of TLS certificates | 1872738 | REOPENED | Mads Henriksveen | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-15 | 2024-07-08T23:49:45Z | 2024-01-02T19:18:17Z |
| CFCA: Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) | 1888882 | ASSIGNED | Gao Fei | [ca-compliance] [leaf-revocation-delay] | 2024-07-19T09:45:01Z | 2024-04-01T07:19:09Z |
| Chunghwa Telecom: Delayed Revocation Due to GTLSCA EKU Misissuance | 1892419 | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] | 2024-05-22T02:30:47Z | 2024-04-19T10:55:40Z |
| Chunghwa Telecom: Delayed Revocation with Controversial Extension (2.5.29.9, SubjectDirectoryAttributes) | 1903066 | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] | 2024-07-23T15:18:15Z | 2024-06-17T14:31:08Z |
| Digicert: Delayed Revocation for bug 1894560 | 1896053 | ASSIGNED | Jeremy Rowley | [ca-compliance] [leaf-revocation-delay] | 2024-07-26T21:26:45Z | 2024-05-10T05:00:07Z |
| Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates | 1898848 | ASSIGNED | ngook.kong | [ca-compliance] [leaf-revocation-delay] Next update 2024-07-24 | 2024-07-24T16:46:42Z | 2024-05-25T03:48:12Z |
| Entrust: Delayed revocation of EV TLS certificates with missing cPSuri | 1886532 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] Next update 2024-07-31 | 2024-07-05T20:21:13Z | 2024-03-20T17:22:26Z |
| Entrust: Failure to revoke EV TLS certificates issued before CPS update | 1890685 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] [leaf-revocation-delay] Next update 2024-07-31 | 2024-07-12T20:29:11Z | 2024-04-09T23:40:57Z |
| Entrust: Failure to revoke OV TLS - CPS typographical (text placement) error | 1890898 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] [leaf-revocation-delay] Next update 2024-06-17 | 2024-07-24T19:20:22Z | 2024-04-11T00:52:33Z |
| GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints | 1889062 | ASSIGNED | capoc | [ca-compliance] [leaf-revocation-delay] | 2024-07-24T09:29:06Z | 2024-04-02T09:18:52Z |
| Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical | 1887888 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-07-12T15:30:00Z | 2024-03-26T14:39:37Z |
| Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem | 1886665 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-07-12T15:28:51Z | 2024-03-21T04:30:30Z |
| Microsec: Delayed revocation of the misissued certificates | 1887110 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [leaf-revocation-delay] | 2024-06-22T18:14:03Z | 2024-03-22T18:00:56Z |
| NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation | 1891331 | ASSIGNED | Tamás Horváth | [ca-compliance] [leaf-revocation-delay] | 2024-07-06T06:25:42Z | 2024-04-13T22:07:56Z |
| Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical | 1877388 | ASSIGNED | Arnold Essing | [ca-compliance] [leaf-revocation-delay] | 2024-07-26T12:47:48Z | 2024-01-30T07:52:58Z |
| Telia: Delayed revocation of seven (7) certificates related to incident 1896108 | 1896553 | ASSIGNED | Antti Backman | [ca-compliance] [leaf-revocation-delay] Next update 2024-08-05 | 2024-07-19T13:10:19Z | 2024-05-14T04:48:55Z |
| TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order | 1884568 | ASSIGNED | Hao-Chun Li | [ca-compliance] [leaf-revocation-delay] Next update 2024-08-30 | 2024-06-28T16:38:53Z | 2024-03-10T12:44:57Z |
| TWCA: Revocation delay for TLS certificates with non-critical basicConstraints | 1886110 | ASSIGNED | chtsai | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2024-08-30 | 2024-06-28T16:39:37Z | 2024-03-19T07:42:18Z |
| VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | 1885568 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] 2024-06-26 | 2024-07-26T19:32:48Z | 2024-03-15T16:20:17Z |

19 Total; 19 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: