CA/Incident Dashboard

From MozillaWiki

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1532436 Chunghwa Telecom: Test certificate with unregistered domain name ASSIGNED Li-Chun CHEN [ca-compliance] 2020-10-05T17:07:55Z
1559765 Izenpe: Multiple invalid EV certificates issued ASSIGNED Oscar Garcia [ca-compliance] - Next Update - 9-October 2020 2020-08-04T07:07:21Z
1563579 Sectigo: Failure to provide timely incident reports ASSIGNED Rob Stradling [ca-compliance] 2020-10-15T14:12:57Z
1565270 Telia: Qualified BR Audit Statement ASSIGNED pekka.lahtiharju [ca-compliance] - Next Update - 1-November 2020 2020-10-12T14:52:04Z
1575880 GlobalSign: SSL Certificates with US country code and invalid State/Prov ASSIGNED douglas.beattie [ca-compliance] - Next Update 1-Oct-2020 2020-09-15T16:25:35Z
1576013 DigiCert: JOI Issue ASSIGNED Jeremy Rowley [ca-compliance] Next Update - 1-Oct-2020 2020-10-19T16:49:40Z
1586795 NetLock: Issuance of intermediates after 2019-01-01 that do not comply with Mozilla Policy ASSIGNED Varga Viktor [ca-compliance] 2020-09-11T15:24:14Z
1597947 Sectigo: CCADB failed ALV - Network Solutions Certificate Authority ASSIGNED Rob Stradling [ca-compliance] 2020-10-21T10:41:28Z
1626355 Atos: Tracking bug for possible audit delays ASSIGNED michael.schwieters [ca-compliance][audit-delay][covid-19] Next Update 1-Oct-2020 2020-09-28T12:32:47Z
1632632 Buypass: Illegal Business Category in a PSD2 QWAC ASSIGNED Mads Henriksveen [ca-compliance] Next update 1-Oct-2020 2020-10-08T16:56:07Z
1639801 Digicert: Failure to revoke key-compromised certificates within 24 hours ASSIGNED Brenda Bernal [ca-compliance] 2020-10-16T18:22:24Z
1640310 GoDaddy: Failure to revoke certificate with compromised key within 24 hours ASSIGNED Daniela Hood [ca-compliance] 2020-10-05T21:16:43Z
1645686 Sectigo: Lack of input validation in stateOrProvinceName ASSIGNED Rich Smith [ca-compliance] 2020-10-21T00:56:07Z
1645832 GoDaddy: Expired CRLs ASSIGNED Daniela Hood [ca-compliance] Next Update - 2020-11-30 2020-09-16T19:47:11Z
1647468 D-TRUST: Wrong key usage (Key Encipherment) ASSIGNED Enrico Entschew [ca-compliance] 2020-10-02T13:58:22Z
1648593 Sectigo: Potential audit report delay ASSIGNED Nick France [ca-compliance] [audit-delay] 2020-10-21T10:40:26Z
1648717 Sectigo: Failure to provide a preliminary report within 24 hours. ASSIGNED Rich Smith [ca-compliance] 2020-10-21T12:57:11Z
1648997 Actalis: inaccurate value in stateOrProvinceName ASSIGNED Adriano Santoni [ca-compliance] - Next Update - 1-October 2020 2020-10-13T06:59:05Z
1649277 DigiCert: Failure to provide a preliminary report within 24 hours. ASSIGNED Brenda Bernal [ca-compliance] Next Update 1-October-2020 2020-10-22T18:22:46Z
1649679 Firmaprofesional: 2020 Audit Report Finding 2 out of 4 ASSIGNED Maria Jose Prieto [ca-compliance] 2020-09-14T16:07:42Z
1649726 Firmaprofesional: 2020 Audit Report Finding 4 out of 4 ASSIGNED Maria Jose Prieto [ca-compliance] 2020-10-08T13:23:31Z
1649880 QuoVadis: Failure to provide a preliminary report within 24 hours. ASSIGNED Stephen Davidson [ca-compliance] Next Update 1-October 2020 2020-10-14T22:48:06Z
1649937 GlobalSign: Incorrect OCSP Delegated Responder Certificate ASSIGNED douglas.beattie [ca-compliance] Next Update 15-Oct 2020 2020-10-20T12:23:35Z
1649938 QuoVadis: Incorrect OCSP Delegated Responder Certificate ASSIGNED Stephen Davidson [ca-compliance] 2020-10-20T19:13:38Z
1649945 HARICA: Incorrect OCSP Delegated Responder Certificate ASSIGNED Dimitris Zacharopoulos [ca-compliance] Next update 2-Nov-2020 2020-10-21T20:50:48Z
1649951 DigiCert: Incorrect OCSP Delegated Responder Certificate ASSIGNED Martin Sullivan [ca-compliance] 2020-10-22T20:04:52Z
1649964 PKIoverheid: Incorrect OCSP Delegated Responder Certificate ASSIGNED Jorik van 't Hof [ca-compliance] Next Update 30-September-2020 2020-10-12T14:50:54Z
1650845 Sectigo: Certificate Problem Report response issues ASSIGNED Nick France [ca-compliance] Updates in Bug #1648717 2020-08-27T03:53:17Z
1651026 Izenpe: certificate issued to internal domain ASSIGNED Oscar Garcia [ca-compliance] Next Update 1-October-2020 2020-10-14T04:58:11Z
1651132 T-Systems / DFN-PKI: 42 certificates with RSA modulus size in bits not divisable by 8 ASSIGNED Jürgen Brauckmann [ca-compliance] - Next Update - 2-Oct-2020 2020-10-12T14:51:26Z
1651611 Telekom Security: Finding in 2020 ETSI-Audit regarding weekly review of changes to configurations ASSIGNED Arnold Essing [ca-compliance] 2020-10-21T20:48:14Z
1652581 Google Trust Services digitalSignature KeyUsage not set ASSIGNED Andy Warner [ca-compliance] 2020-10-05T19:46:01Z
1653284 Izenpe: incorrect value in stateOrProvinceName ASSIGNED Oscar Garcia [ca-compliance] Next Update 1-October-2020 2020-10-01T13:25:21Z
1653680 IdenTrust: OCSP Responder missing id-pkix-ocsp-nocheck ASSIGNED IdenTrust [ca-compliance] 2020-09-09T22:38:28Z
1654896 GlobalSign: Certificates with RSA keys where modulus is not divisible by 8 ASSIGNED Arvid Vermote [ca-compliance] 2020-09-09T22:49:52Z
1654967 DigiCert: Malformed ICA ASSIGNED Martin Sullivan [ca-compliance] 2020-10-15T16:37:02Z
1655698 Telekom Security: CRL also contained unrevoked certificates ASSIGNED Arnold Essing [ca-compliance] 2020-10-14T17:11:05Z
1658437 Let's Encrypt intent to issue root and intermediate certificates with organizationName and CABF DV OID ASSIGNED Josh Aas [ca-compliance] 2020-08-17T17:16:04Z
1658792 Entrust: Invalid data in State/Province Field ASSIGNED Dathan Demone [ca-compliance] 2020-10-21T15:51:21Z
1659426 E-Tugra: audit delay because of an environmental disaster/pandemic ASSIGNED Davut Tokgöz [ca-compliance][audit-delay][covid-19] 2020-09-28T12:57:31Z
1662807 GoDaddy: Certificates issued with validity periods greater than 398-days ASSIGNED Joanna [ca-compliance] 2020-10-16T18:29:31Z
1663080 IdenTrust Issuance of certificates greater than 398 days ASSIGNED IdenTrust [ca-compliance] 2020-10-08T14:25:31Z
1663953 TunTrust : OCSP unreachable ASSIGNED Agence Nationale de Certification Electronique [ca-compliance] 2020-10-08T16:11:18Z
1664328 GlobalSign: SHA-256 hash algorithm used with ECC P-384 key ASSIGNED Arvid Vermote [ca-compliance] 2020-09-28T19:49:01Z
1666872 SSL.com: Insufficient validation evidence for the localityName attribute of an OV certificate ASSIGNED Chris Kemmerer [ca-compliance] 2020-10-09T16:21:57Z
1667430 Camerfirma: Invalid stateOrProvinceName field ASSIGNED Ana Lopes [ca-compliance] 2020-10-19T17:25:50Z
1667448 Entrust: Incorrect keyUsage for ECC certificate ASSIGNED Bruce Morton [ca-compliance] 2020-10-08T21:47:07Z
1667518 QuoVadis: Incorrect keyUsage for ECC certificate ASSIGNED Stephen Davidson [ca-compliance] 2020-10-12T23:21:33Z
1667684 Asseco DS / Certum: Failure to provide a preliminary report within 24 hours. ASSIGNED Wojciech Trapczyński [ca-compliance] 2020-10-08T12:31:32Z
1667690 Entrust: Failure to provide a preliminary report within 24 hours. ASSIGNED Dathan Demone [ca-compliance] 2020-10-08T17:28:20Z
1667744 Dhimyotis/Certigna: Certificates issued with validity periods greater than 398-days ASSIGNED Josselin Allemandou [ca-compliance] 2020-09-30T07:46:38Z
1667799 SecureTrust: Failure to provide a preliminary report within 24 hours. ASSIGNED Andrea Holland [ca-compliance] 2020-10-17T23:39:50Z
1667842 SecureTrust: Inaccurate value in stateOrProvinceName ASSIGNED Andrea Holland [ca-compliance] 2020-10-21T20:56:25Z
1667844 Google Trust Services: Certificates not disclosed in CCADB ASSIGNED Ryan Hurst [ca-compliance] 2020-10-05T19:09:17Z
1667944 GlobalSign: Empty SingleExtension in OCSP responses ASSIGNED Paul Brown [ca-compliance] 2020-09-29T15:10:26Z
1667986 Asseco DS / Certum: Invalid stateOrProvinceName field ASSIGNED Aleksandra Kurosz [ca-compliance] 2020-10-16T13:02:00Z
1668005 GlobalSign: Failure to provide a preliminary report within 24 hours ASSIGNED Arvid Vermote [ca-compliance] 2020-10-02T18:18:45Z
1668007 GlobalSign: Invalid stateOrProvinceName value ASSIGNED Arvid Vermote [ca-compliance] 2020-10-07T13:50:22Z
1669518 PKIoverheid: Overdue audit statements for intermediate certificates ASSIGNED Jorik van 't Hof [ca-compliance] 2020-10-06T16:00:27Z
1669594 Identrust: Issuance of Subordinate CA’s Without EKU ASSIGNED IdenTrust [ca-compliance] 2020-10-17T00:28:29Z
1669618 Apple: Empty SingleExtension in OCSP responses ASSIGNED certification_authority [ca-compliance] 2020-10-17T00:17:31Z
1670337 Microsoft PKI Services: Certificate Mis-Issuance, DNSNames must have a valid TLD ASSIGNED John Mason [ca-compliance] 2020-10-21T17:03:43Z
1670458 Disig: Failure to provide a preliminary report within 24 hours. ASSIGNED Peter Miskovic [ca-compliance] 2020-10-21T08:37:07Z
1670894 SwissSign: Invalid stateOrProvinceName field ASSIGNED Mike Guenther [ca-compliance] 2020-10-19T16:58:43Z
1671037 SecureTrust: CPS section 6.1.1.1 number 3 non-compliance event ASSIGNED Andrea Holland [ca-compliance] 2020-10-14T21:33:36Z
1671113 SwissSign: Failure to provide a preliminary report within 24 hours. ASSIGNED Mike Guenther [ca-compliance] 2020-10-19T17:06:09Z
1671410 IdenTrust / ISRG: Inconsistent Disclosure of Externally-Operated Intermediate ASSIGNED IdenTrust [ca-compliance] 2020-10-19T22:55:32Z
1672029 Camerfirma: Failure to abide by Section 8 of Mozilla Policy: Unauthorized, improperly disclosed Subordinate CA ASSIGNED Ana Lopes [ca-compliance] 2020-10-21T19:01:27Z
1672208 DFN-PKI: Finding in 2020 ETSI audit ASSIGNED Jürgen Brauckmann [ca-compliance] 2020-10-21T01:54:48Z
1672409 Camerfirma: suspicious certificate for com.com ASSIGNED Ana Lopes [ca-compliance] 2020-10-21T15:42:55Z
1672562 Camerfirma: Incorrect disclosure of Intesa Sanpaolo sub-CA ASSIGNED Ana Lopes [ca-compliance] 2020-10-22T09:43:51Z

71 Total; 71 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1626355 Atos: Tracking bug for possible audit delays ASSIGNED michael.schwieters [ca-compliance][audit-delay][covid-19] Next Update 1-Oct-2020 2020-09-28T12:32:47Z
1648593 Sectigo: Potential audit report delay ASSIGNED Nick France [ca-compliance] [audit-delay] 2020-10-21T10:40:26Z
1659426 E-Tugra: audit delay because of an environmental disaster/pandemic ASSIGNED Davut Tokgöz [ca-compliance][audit-delay][covid-19] 2020-09-28T12:57:31Z

3 Total; 3 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1591005 GlobalSign: ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report ASSIGNED Arvid Vermote [ca-compliance] [delayed-revocation-ca] Next Update 1-Oct-2020 2020-09-30T08:59:43Z
1620561 Sectigo: Non-revocation of certificates with subject:organizationalUnitName in DV certificates ASSIGNED Nick France [ca-compliance] [delayed-revocation-leaf] 2020-10-19T20:29:10Z
1628292 Buypass: Failure to revoke PSD2 QWACs within mandated 5 days ASSIGNED Mads Henriksveen [ca-compliance] [delayed-revocation-leaf] 2020-09-28T12:20:21Z
1647099 Camerfirma: Delayed revocations related to Invalid authorityKeyIdentifier - recurrent incident ASSIGNED Ana Lopes [ca-compliance] [delayed-revocation-leaf] [covid-19] 2020-10-14T19:23:23Z
1651447 GlobalSign: Failure to revoke noncompliant ICA within 7 days ASSIGNED Arvid Vermote [ca-compliance] [delayed-revocation-ca] 2020-10-12T14:48:51Z
1651461 DigiCert: Failure to revoke within 7 days: OCSP EKU issue ASSIGNED Brenda Bernal [ca-compliance] [delayed-revocation-ca] 2020-10-22T20:04:17Z
1651465 HARICA: Delayed revocation for non-BR-compliant CA Certificates within 7 days ASSIGNED Dimitris Zacharopoulos [ca-compliance] [delayed-revocation-ca] Next update 5-Oct-2020 2020-10-19T18:45:36Z
1651481 Entrust: Late Revocation due to SHA-256 hash algorithm ASSIGNED Bruce Morton [ca-compliance] [delayed-revocation-leaf] 2020-10-05T21:05:20Z
1651487 Telekom Security: Delayed Revocations of Sub-CA certificates ASSIGNED Arnold Essing [ca-compliance] [delayed-revocation-ca] Next update 2-Oct-2020 2020-10-19T10:25:54Z
1651553 QuoVadis: Failure to revoke within 7 days: OCSP EKU issue ASSIGNED Stephen Davidson [ca-compliance] [delayed-revocation-ca] Next update 1-Oct-2020 2020-10-20T19:14:48Z
1651632 Microsec: Failure to revoke noncompliant ICA within 7 days ASSIGNED dr. Sándor SZŐKE [ca-compliance] [delayed-revocation-ca] Next update 15-Oct-2020 2020-10-18T11:02:09Z
1651637 Firmaprofesional: Failure to revoke ICAs within 7 days: OCSP EKU ASSIGNED Maria Jose Prieto [ca-compliance] [delayed-revocation-ca] 2020-10-15T15:05:38Z
1651651 Actalis: Failure to revoke within 7 days: OCSP EKU issue ASSIGNED Adriano Santoni [ca-compliance] [delayed-revocation-ca] Next Update - 1-Oct-2020 2020-10-12T23:07:31Z
1651730 WISeKey: Failure to revoke ICA Certificates within 7 days (OCSP EKU) ASSIGNED Pedro Fuentes [ca-compliance] [delayed-revocation-ca] Next Update - 1-Oct-2020 2020-10-03T18:21:52Z
1652603 Camerfirma: Failure to revoke within 7 days: OCSP EKU issue ASSIGNED Eusebio Herrera [ca-compliance] [delayed-revocation-ca] 2020-10-02T12:31:02Z
1652604 PKIoverheid: Failure to revoke within 7 days: OCSP EKU issue ASSIGNED Jorik van 't Hof [ca-compliance] [delayed-revocation-ca] Next update 30-Sept-2020 2020-10-09T07:33:51Z
1652610 SECOM: Delayed Revocation of CA Certificate with OCSP EKU Issue ASSIGNED Hisashi Kamo [ca-compliance] [delayed-revocation-ca] 2020-10-12T19:31:36Z
1656487 Izenpe: Failure to revoke within 5 days ASSIGNED Oscar Garcia [ca-compliance][delayed-revocation-leaf] 2020-09-29T14:30:29Z
1656882 Netlock - Failure to revoke noncompliant ICA within 7 days ASSIGNED Varga Viktor [ca-compliance] [delayed-revocation-ca] 2020-10-05T21:11:47Z
1665763 Sectigo: Failure to revoke within 5 days ASSIGNED Rich Smith [ca-compliance] [delayed-revocation-leaf] 2020-10-15T14:47:26Z
1668331 Camerfirma: Delayed revocations related to Invalid stateOrProvinceName field ASSIGNED Juan Angel Martin [ca-compliance] [delayed-revocation-leaf] 2020-10-20T09:01:55Z
1668523 Asseco DS/Certum: Failure to revoke within 5 days ASSIGNED Aleksandra Kurosz [ca-compliance] [delayed-revocation-leaf] 2020-10-17T00:13:31Z
1670861 Actalis: delayed revocation related to inaccurate value in stateOrProvinceName ASSIGNED Adriano Santoni [ca-compliance] [delayed-revocation-leaf] 2020-10-16T20:36:14Z

23 Total; 23 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: