CA/Incident Dashboard

From MozillaWiki

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, where the concern has been determined not to be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1463975 | GRCA: Misissued certificates: Invalid commonName, commonName not in SAN | ASSIGNED | National Development Council | [ca-compliance] Next Update 15-July 2020 CKA_NSS_SERVER_DISTRUST_AFTER | 2020-07-29T21:03:12Z |
| 1532436 | Chunghwa Telecom: Test certificate with unregistered domain name | ASSIGNED | Li-Chun CHEN | [ca-compliance] | 2020-08-02T22:08:53Z |
| 1559765 | Izenpe: Multiple invalid EV certificates issued | ASSIGNED | Oscar Garcia | [ca-compliance] - Next Update - 9-October 2020 | 2020-08-04T07:07:21Z |
| 1563579 | Sectigo: Failure to provide timely incident reports | ASSIGNED | Rob Stradling | [ca-compliance] | 2020-08-07T13:50:54Z |
| 1565270 | Telia: Qualified BR Audit Statement | ASSIGNED | pekka.lahtiharju | [ca-compliance] - Next Update - 15-September 2020 | 2020-07-26T23:31:38Z |
| 1575022 | Sectigo: EV SSL Certificates with incorrect subject details. | ASSIGNED | Robin Alden | [ca-compliance] - Next Update - 15-Aug 2020 | 2020-08-03T08:11:48Z |
| 1575880 | GlobalSign: SSL Certificates with US country code and invalid State/Prov | ASSIGNED | douglas.beattie | [ca-compliance] - Next Update 7-Aug 2020 | 2020-08-07T15:51:12Z |
| 1576013 | DigiCert: JOI Issue | ASSIGNED | Jeremy Rowley | [ca-compliance] Next Update - 1-Sept, 2020 | 2020-08-03T23:05:33Z |
| 1586795 | NetLock: Issuance of intermediates after 2019-01-01 that do not comply with Mozilla Policy | ASSIGNED | Varga Viktor | [ca-compliance] | 2020-08-03T13:37:34Z |
| 1593776 | Sectigo: invalid subject:organizationalUnitName on DV certificates | ASSIGNED | Robin Alden | [ca-compliance] | 2020-08-07T14:45:16Z |
| 1597947 | Sectigo: CCADB failed ALV - Network Solutions Certificate Authority | ASSIGNED | Robin Alden | [ca-compliance] | 2020-08-02T20:22:00Z |
| 1610303 | D-TRUST: Issuance of non-conformant SSL certificate | ASSIGNED | Enrico Entschew | [ca-compliance] - Next Update - 31-Aug 2020 | 2020-08-05T13:16:13Z |
| 1613334 | SwissSign: Misissuance with mispellings in Location for a number of Certificates | ASSIGNED | Mike Guenther | [ca-compliance] Next Update 31-July 2020 | 2020-08-05T14:25:06Z |
| 1619047 | Let's Encrypt: CAA Rechecking bug | ASSIGNED | Jacob Hoffman-Andrews | [ca-compliance] Next Update - 28-April 2020 | 2020-07-26T23:03:45Z |
| 1619359 | Sectigo: Failure to provide a preliminary report within 24 hours | ASSIGNED | Robin Alden | [ca-compliance] | 2020-08-05T21:34:24Z |
| 1622505 | GlobalSign: OCSP Status HTTP 530 | ASSIGNED | Arvid Vermote | [ca-compliance] Next Update - 15-June 2020 | 2020-07-22T16:00:44Z |
| 1625498 | Google Trust Services: Tracking bug for possible audit delays (audit due 2020-12) | ASSIGNED | kluge | [ca-compliance] [audit-delay] [covid-19] Next Update - 31-Aug 2020 | 2020-08-02T22:09:59Z |
| 1626355 | Atos: Tracking bug for possible audit delays | ASSIGNED | michael.schwieters | [ca-compliance][audit-delay][covid-19] Next Update 2020-09-15 | 2020-07-10T11:49:24Z |
| 1632632 | Buypass: Illegal Business Category in a PSD2 QWAC | ASSIGNED | Mads Henriksveen | [ca-compliance] Next update 5-Aug-2020 | 2020-08-05T09:10:37Z |
| 1635096 | Entrust: Printable String Constraint Failure | ASSIGNED | Bruce Morton | [ca-compliance] Next Update 15-Aug 2020 | 2020-07-27T20:46:23Z |
| 1635279 | Identrust: Incorrect Subject Details for HydrantId | ASSIGNED | IdenTrust | [ca-compliance] - Next Update - 1-October 2020 | 2020-06-01T17:17:45Z |
| 1639502 | Asseco DS / Certum: Incorrect OCSP response encoding | ASSIGNED | Wojciech Trapczyński | [ca-compliance] | 2020-08-07T15:33:52Z |
| 1639801 | Digicert: Failure to revoke key-compromised certificates within 24 hours | ASSIGNED | Brenda Bernal | [ca-compliance] | 2020-08-06T22:06:02Z |
| 1639804 | Sectigo: Failure to revoke key-compromised certificate within 24 hours | ASSIGNED | Robin Alden | [ca-compliance] Next update 15-Aug-2020 | 2020-08-07T21:26:45Z |
| 1639805 | Sectigo: Failure to revoke key-compromised certificates | ASSIGNED | Rich Smith | [ca-compliance] | 2020-08-05T19:29:12Z |
| 1640310 | GoDaddy: Failure to revoke certificate with compromised key within 24 hours | ASSIGNED | Daniela Hood | [ca-compliance] Next Update 1-Sept 2020 | 2020-07-08T17:42:19Z |
| 1645276 | Let's Encrypt: Expired ISRG Root OCSP X1 Certificate | ASSIGNED | Andrew Gabbitas | [ca-compliance] | 2020-08-06T21:48:56Z |
| 1645686 | Sectigo: Lack of input validation in stateOrProvinceName | ASSIGNED | Robin Alden | [ca-compliance] | 2020-08-07T12:55:12Z |
| 1645832 | GoDaddy: Expired CRLs | ASSIGNED | Daniela Hood | [ca-compliance] | 2020-08-03T23:32:40Z |
| 1647121 | Izenpe: Failure to provide a preliminary report within 24 hours. | ASSIGNED | Oscar Garcia | [ca-compliance] | 2020-08-06T08:17:20Z |
| 1647468 | D-TRUST: Wrong key usage (Key Encipherment) | ASSIGNED | Enrico Entschew | [ca-compliance] | 2020-08-03T15:18:08Z |
| 1648593 | Sectigo: Potential audit report delay | ASSIGNED | Nick France | [ca-compliance] [audit-delay] | 2020-08-02T20:22:52Z |
| 1648717 | Sectigo: Failure to provide a preliminary report within 24 hours. | ASSIGNED | Robin Alden | [ca-compliance] | 2020-08-05T21:50:47Z |
| 1648997 | Actalis: inaccurate value in stateOrProvinceName | ASSIGNED | Adriano Santoni | [ca-compliance] - Next Update - 1-October 2020 | 2020-07-01T16:19:38Z |
| 1649277 | DigiCert: Failure to provide a preliminary report within 24 hours. | ASSIGNED | Brenda Bernal | [ca-compliance] | 2020-08-06T16:43:52Z |
| 1649502 | Firmaprofesional: 2020 Audit Report Finding 1 out of 4 | ASSIGNED | chemalogo | [ca-compliance] | 2020-08-06T16:27:20Z |
| 1649679 | Firmaprofesional: 2020 Audit Report Finding 2 out of 4 | ASSIGNED | Maria Jose Prieto | [ca-compliance] | 2020-08-04T13:15:17Z |
| 1649724 | Firmaprofesional: 2020 Audit Report Finding 3 out of 4 | ASSIGNED | Maria Jose Prieto | [ca-compliance] | 2020-08-04T13:16:16Z |
| 1649726 | Firmaprofesional: 2020 Audit Report Finding 4 out of 4 | ASSIGNED | Maria Jose Prieto | [ca-compliance] | 2020-08-04T13:17:00Z |
| 1649880 | QuoVadis: Failure to provide a preliminary report within 24 hours. | ASSIGNED | Stephen Davidson | [ca-compliance] | 2020-08-05T02:10:59Z |
| 1649937 | GlobalSign: Incorrect OCSP Delegated Responder Certificate | ASSIGNED | douglas.beattie | [ca-compliance] Next Update 15-Oct 2020 | 2020-08-04T14:32:04Z |
| 1649938 | QuoVadis: Incorrect OCSP Delegated Responder Certificate | ASSIGNED | Stephen Davidson | [ca-compliance] | 2020-07-24T22:13:55Z |
| 1649939 | WISeKey: Incorrect OCSP Delegated Responder Certificate | ASSIGNED | Pedro Fuentes | [ca-compliance] [covid-19] Next Update - 25 October, 2020 | 2020-08-05T18:30:59Z |
| 1649942 | SK ID Solutions: Incorrect OCSP Delegated Responder Certificate | ASSIGNED | Kathleen Wilson | [ca-compliance] | 2020-08-04T16:10:16Z |
| 1649945 | HARICA: Incorrect OCSP Delegated Responder Certificate | ASSIGNED | Dimitris Zacharopoulos | [ca-compliance] Next update 31-Aug-2020 | 2020-07-31T15:58:43Z |
| 1649951 | DigiCert: Incorrect OCSP Delegated Responder Certificate | ASSIGNED | Martin Sullivan | [ca-compliance] | 2020-07-31T00:55:12Z |
| 1649964 | PKIoverheid: Incorrect OCSP Delegated Responder Certificate | ASSIGNED | Jorik van 't Hof | [ca-compliance] | 2020-08-05T19:36:50Z |
| 1650018 | GlobalSign: Cross Certificate with non-conforming CABF Policy OIDs | ASSIGNED | Arvid Vermote | [ca-compliance] | 2020-08-07T08:54:18Z |
| 1650234 | PKIOverheid / QuoVadis: CPS inconsistencies | ASSIGNED | Stephen Davidson | [ca-compliance] Next update 7-Aug 2020 | 2020-08-06T21:41:24Z |
| 1650845 | Sectigo: Certificate Problem Report response issues | ASSIGNED | Nick France | [ca-compliance] | 2020-08-05T21:50:53Z |
| 1650910 | DigiCert: Inconsistent EV audits | ASSIGNED | Brenda Bernal | [ca-compliance] - Next Update - 31 Aug-2020 | 2020-08-02T00:33:22Z |
| 1651026 | Izenpe: certificate issued to internal domain | ASSIGNED | Oscar Garcia | [ca-compliance] | 2020-08-06T08:17:44Z |
| 1651132 | T-Systems / DFN-PKI: 42 certificates with RSA modulus size in bits not divisable by 8 | ASSIGNED | Jürgen Brauckmann | [ca-compliance] - Next Update - 14-August 2020 | 2020-08-06T06:11:48Z |
| 1651611 | Telekom Security: Finding in 2020 ETSI-Audit regarding weekly review of changes to configurations | ASSIGNED | Arnold Essing | [ca-compliance] | 2020-08-07T16:20:52Z |
| 1652581 | Google Trust Services digitalSignature KeyUsage not set | ASSIGNED | Andy Warner | [ca-compliance] | 2020-08-03T16:06:16Z |
| 1652827 | Microsoft: Incomplete Logical Access Review Audit Evidence | ASSIGNED | Dustin Hollenback | [ca-compliance] Next Update - 31-August 2020 | 2020-07-26T23:37:59Z |
| 1653284 | Izenpe: incorrect value in stateOrProvinceName | ASSIGNED | Oscar Garcia | [ca-compliance] | 2020-08-06T08:18:04Z |
| 1653504 | Sectigo: Certificates with RSA keys where modulus is not divisible by 8 | ASSIGNED | Nick France | [ca-compliance] | 2020-08-04T20:43:16Z |
| 1653680 | IdenTrust: OCSP Responder missing id-pkix-ocsp-nocheck | ASSIGNED | IdenTrust | [ca-compliance] | 2020-08-06T21:17:26Z |
| 1654216 | Buypass: PSD2 QWAC with RSA modulus not divisible by 8 | ASSIGNED | Mads Henriksveen | [ca-compliance] Next Update 25-Aug-2020 | 2020-08-06T21:14:19Z |
| 1654544 | GlobalSign: Use of Domain Validation Random Value for more than 30 days | ASSIGNED | Arvid Vermote | [ca-compliance] | 2020-07-31T15:29:17Z |
| 1654545 | GlobalSign: Failure to revoke noncompliant certificates within 5 days | ASSIGNED | Arvid Vermote | [ca-compliance] | 2020-07-27T18:24:36Z |
| 1654896 | GlobalSign: Certificates with RSA keys where modulus is not divisible by 8 | ASSIGNED | Arvid Vermote | [ca-compliance] | 2020-07-27T03:17:34Z |
| 1654967 | DigiCert: Malformed ICA | ASSIGNED | Martin Sullivan | [ca-compliance] | 2020-08-07T17:16:51Z |
| 1655698 | Telekom Security: CRL also contained unrevoked certificates | ASSIGNED | Arnold Essing | [ca-compliance] | 2020-08-06T10:19:39Z |
| 1656487 | Izenpe: Failure to revoke within 5 days | ASSIGNED | Oscar Garcia | [ca-compliance][delayed revocation leaf] | 2020-08-06T08:18:19Z |

66 Total; 66 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Full Query
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1625498 | Google Trust Services: Tracking bug for possible audit delays (audit due 2020-12) | ASSIGNED | kluge | [ca-compliance] [audit-delay] [covid-19] Next Update - 31-Aug 2020 | 2020-08-02T22:09:59Z |
| 1626355 | Atos: Tracking bug for possible audit delays | ASSIGNED | michael.schwieters | [ca-compliance][audit-delay][covid-19] Next Update 2020-09-15 | 2020-07-10T11:49:24Z |
| 1648593 | Sectigo: Potential audit report delay | ASSIGNED | Nick France | [ca-compliance] [audit-delay] | 2020-08-02T20:22:52Z |

3 Total; 3 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1575530 | Camerfirma: Govern d'Andorra audits | ASSIGNED | Juan Angel Martin | [ca-compliance] [delayed-revocation-ca] | 2020-08-03T11:50:39Z |
| 1591005 | GlobalSign: ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report | ASSIGNED | Arvid Vermote | [ca-compliance] [delayed-revocation-ca] Next Update 1-Oct-2020 | 2020-08-07T14:21:33Z |
| 1598807 | IdenTrust: Undisclosed Unrevoked ICAs | ASSIGNED | IdenTrust | [ca-compliance] [delayed-revocation-ca] [covid-19] - Next Update - 7-Aug 2020 | 2020-07-31T20:22:13Z |
| 1599916 | QuoVadis: Unconstrained CAs revocation | ASSIGNED | Stephen Davidson | [ca-compliance] [delayed-revocation-ca] | 2020-08-02T22:11:44Z |
| 1613406 | SwissSign: Delayed revocation for mispellings in Location for a number of Certificates | ASSIGNED | Mike Guenther | [ca-compliance] [delayed-revocation-leaf] Next Update 15-July 2020 | 2020-07-26T23:50:36Z |
| 1620561 | Sectigo: Non-revocation of certificates with subject:organizationalUnitName in DV certificates | ASSIGNED | Robin Alden | [ca-compliance] [delayed-revocation-leaf] | 2020-08-05T00:09:56Z |
| 1628292 | Buypass: Failure to revoke PSD2 QWACs within mandated 5 days | ASSIGNED | Mads Henriksveen | [ca-compliance] [delayed-revocation-leaf] | 2020-07-26T20:38:12Z |
| 1647099 | Camerfirma: Delayed revocations related to Invalid authorityKeyIdentifier - recurrent incident | ASSIGNED | Ana Lopes | [ca-compliance] [delayed-revocation-leaf] [covid-19] | 2020-07-31T11:51:18Z |
| 1648472 | Entrust: SHA-256 hash algorithm used with ECC P-384 key | ASSIGNED | Bruce Morton | [ca-compliance] [delayed-revocation-leaf] Next Update - 5 August, 2020 | 2020-08-01T23:39:08Z |
| 1651447 | GlobalSign: Failure to revoke noncompliant ICA within 7 days | ASSIGNED | Arvid Vermote | [ca-compliance] [delayed-revocation-ca] | 2020-08-04T15:50:02Z |
| 1651461 | DigiCert: Failure to revoke within 7 days: OCSP EKU issue | ASSIGNED | Brenda Bernal | [ca-compliance] [delayed-revocation-ca] | 2020-07-31T03:08:13Z |
| 1651465 | HARICA: Delayed revocation for non-BR-compliant CA Certificates within 7 days | ASSIGNED | Dimitris Zacharopoulos | [ca-compliance] [delayed-revocation-ca] Next update 31-Aug-2020 | 2020-07-31T15:57:44Z |
| 1651481 | Entrust: Late Revocation due to SHA-256 hash algorithm | ASSIGNED | Bruce Morton | [ca-compliance] [delayed-revocation-leaf] | 2020-07-31T01:04:34Z |
| 1651487 | Telekom Security: Delayed Revocations of Sub-CA certificates | ASSIGNED | Arnold Essing | [ca-compliance] [delayed-revocation-ca] Next update 1-Sept-2020 | 2020-08-02T22:14:15Z |
| 1651553 | QuoVadis: Failure to revoke within 7 days: OCSP EKU issue | ASSIGNED | Stephen Davidson | [ca-compliance] [delayed-revocation-ca] Next update 10-Aug-2020 | 2020-08-02T22:15:24Z |
| 1651632 | Microsec: Failure to revoke noncompliant ICA within 7 days | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [delayed-revocation-ca] Next update 20-Sept-2020 | 2020-07-21T16:01:56Z |
| 1651637 | Firmaprofesional: Failure to revoke ICAs within 7 days: OCSP EKU | ASSIGNED | Maria Jose Prieto | [ca-compliance] [delayed-revocation-ca] | 2020-08-02T22:13:04Z |
| 1651651 | Actalis: Failure to revoke within 7 days: OCSP EKU issue | ASSIGNED | Adriano Santoni | [ca-compliance] [delayed-revocation-ca] Next Update - 15 Sept. 2020 | 2020-08-07T14:56:40Z |
| 1651730 | WISeKey: Failure to revoke ICA Certificates within 7 days (OCSP EKU) | ASSIGNED | Pedro Fuentes | [ca-compliance] [delayed-revocation-ca] Next Update - 15-August 2020 | 2020-08-01T23:07:48Z |
| 1651828 | DigiCert: Delay of revocation for EV audit inconsistency incident | ASSIGNED | Brenda Bernal | [ca-compliance] [delayed-revocation-leaf] [covid-19] | 2020-08-04T16:37:25Z |
| 1652603 | Camerfirma: Failure to revoke within 7 days: OCSP EKU issue | ASSIGNED | Eusebio Herrera | [ca-compliance] [delayed-revocation-ca] | 2020-08-07T11:55:55Z |
| 1652604 | PKIoverheid: Failure to revoke within 7 days: OCSP EKU issue | ASSIGNED | Jorik van 't Hof | [ca-compliance] [delayed-revocation-ca] Next update 14-Aug-2020 | 2020-08-07T15:13:41Z |
| 1652610 | SECOM: Delayed Revocation of CA Certificate with OCSP EKU Issue | ASSIGNED | Hisashi Kamo | [ca-compliance] [delayed-revocation-ca] | 2020-08-07T11:31:10Z |
| 1656882 | Netlock - Failure to revoke noncompliant ICA within 7 days | ASSIGNED | Varga Viktor | [ca-compliance] [delayed-revocation-ca] | 2020-08-03T15:13:43Z |

24 Total; 24 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: