CA/Incident Dashboard


Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
| --- | --- | --- | --- | --- | --- | --- |
| ACCV: Certificates issued with cRLIssuer in CDP extension | 1884532 | ASSIGNED | Jose Amador | [ca-compliance] [ov-misissuance] | 2024-04-17T08:49:29Z | 2024-03-09T18:14:05Z |
| ACCV: Certificates issued with Policy qualifiers other than id-qt-cps | 1889567 | ASSIGNED | Jose Amador | [ca-compliance] | 2024-04-17T15:23:53Z | 2024-04-04T07:53:32Z |
| ACCV: Delayed response to CPR | 1886785 | ASSIGNED | Jose Amador | [ca-compliance] [policy-failure] | 2024-04-17T08:48:50Z | 2024-03-21T15:13:02Z |
| Actalis: Certificates issued with invalid RDN order | 1883731 | ASSIGNED | Marco Menonna | [ca-compliance] [ev-misissuance] | 2024-04-15T14:23:20Z | 2024-03-05T18:26:39Z |
| AGCE: Non-Compliant VPN Certificate Issuance | 1882256 | ASSIGNED | ance.certification.info | [ca-compliance] [ov-misissuance] | 2024-03-20T16:47:20Z | 2024-02-27T10:44:42Z |
| Asseco Data Systems S.A. (Certum): CRL non-conformance with the TLS BRs | 1888689 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [crl-failure] [external] | 2024-04-17T12:34:49Z | 2024-03-29T17:37:14Z |
| Buypass: TLS certificates with incorrect Subject attribute order | 1864204 | ASSIGNED | Mads Henriksveen | [ca-compliance] [ov-misissuance] [ev-misissuance] Next update 2024-05-06 | 2024-04-10T16:05:49Z | 2023-11-10T16:21:34Z |
| Buypass: Using an external DNS Resolver for DNS lookups | 1872371 | ASSIGNED | Mads Henriksveen | [ca-compliance] [ov-misissuance] Next update 2024-05-06 | 2024-04-03T17:42:14Z | 2023-12-29T16:02:59Z |
| Certigna: TLS certificates with Basic constraint non-critical | 1883416 | ASSIGNED | Josselin Allemandou | [ca-compliance] [ov-misissuance] | 2024-04-10T15:30:22Z | 2024-03-04T16:36:15Z |
| certSIGN: Certificates with incorrect Subject attribute order | 1886624 | ASSIGNED | Gabriel PETCU | [ca-compliance] [ov-misissuance] | 2024-04-09T11:44:42Z | 2024-03-20T22:28:05Z |
| certSIGN: Delayed response to CPR | 1886626 | ASSIGNED | Gabriel PETCU | [ca-compliance] [policy-failure] | 2024-04-09T11:44:55Z | 2024-03-20T22:29:39Z |
| CFCA: certificate basicConstraints extension not marked as critical | 1886135 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] | 2024-04-06T05:05:04Z | 2024-03-19T10:57:32Z |
| CFCA: Failure to respond to a Certificate Problem Report in a complete and/or timely manner | 1888881 | ASSIGNED | Gao Fei | [ca-compliance] [policy-failure] | 2024-04-08T03:47:00Z | 2024-04-01T07:17:16Z |
| Chunghwa Telecom: Wrong Extended Key Usage setting by GTLSCA | 1887096 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [ov-misissuance] | 2024-04-12T19:46:30Z | 2024-03-22T17:25:13Z |
| D-Trust: Issuance of 15 certificates with incorrect subject attribute order | 1891225 | ASSIGNED | Leyla Sahin | [ca-compliance] [ev-misissuance] | 2024-04-15T15:30:24Z | 2024-04-12T13:48:03Z |
| D-Trust: Issuance of 15 DV certificates containing ‘serialNumber’ field within subject | 1861069 | ASSIGNED | Enrico Entschew | [ca-compliance] [dv-misissuance] | 2024-04-17T01:43:45Z | 2023-10-25T14:25:07Z |
| D-Trust: LDAP-URL in Subscriber Certificate Authority Information Access field | 1884714 | ASSIGNED | Enrico Entschew | [ca-compliance] [ov-misissuance] | 2024-04-05T08:48:06Z | 2024-03-11T16:29:07Z |
| Digicert: Failure to include CPS URI in 1 certificate | 1888016 | ASSIGNED | Jeremy Rowley | [ca-compliance] [policy-failure] [ev-misissuance] Next update 2024-06-01 | 2024-04-09T22:02:16Z | 2024-03-27T01:23:16Z |
| Digicert: Government Entity listed instead of registration number | 1891531 | ASSIGNED | Jeremy Rowley | [ca-compliance] [ev-misissuance] | 2024-04-16T16:35:21Z | 2024-04-15T17:06:23Z |
| Disig: Certificates with incorrect Subject attribute order | 1889672 | ASSIGNED | Jozef Nigut | [ca-compliance] [ov-misissuance] | 2024-04-16T12:29:42Z | 2024-04-04T15:16:17Z |
| Disig: TLS certificate with basicConstraints not marked as critical | 1888104 | ASSIGNED | Jozef Nigut | [ca-compliance] [ov-misissuance] | 2024-04-17T15:30:41Z | 2024-03-27T10:37:26Z |
| e-commerce monitoring GmbH: CRLs with mismatched issuer | 1888371 | ASSIGNED | Daniel Zens | [ca-compliance] [crl-failure] [external] | 2024-04-04T15:39:36Z | 2024-03-28T10:58:07Z |
| e-commerce monitoring gmbh: precertificate validity does not match leaf certificate | 1883711 | ASSIGNED | Daniel Zens | [ca-compliance] [ov-misissuance] | 2024-04-09T08:18:47Z | 2024-03-05T17:00:37Z |
| e-commerce monitoring GmbH: SCT in precertificate | 1815534 | ASSIGNED | Daniel Zens | [ca-compliance] [ov-misissuance] [external] | 2024-04-15T14:27:54Z | 2023-02-07T19:33:26Z |
| Entrust: clientAuth TLS Certificates without serverAuth EKU | 1886467 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [ev-misissuance] Next update 2024-04-30 | 2024-04-15T13:35:35Z | 2024-03-20T14:42:35Z |
| Entrust: CPR was not responded to in 24 hours | 1885754 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [external] [policy-failure] Next update 2024-05-03 | 2024-04-10T14:00:02Z | 2024-03-16T22:14:29Z |
| Entrust: CPS typographical (text placement) error | 1890896 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-04-12T20:47:47Z | 2024-04-11T00:45:36Z |
| Entrust: CRL non-conformance with the TLS BRs | 1889217 | ASSIGNED | Bruce Morton | [ca-compliance] [crl-failure] [external] | 2024-04-12T01:39:11Z | 2024-04-02T19:39:57Z |
| Entrust: Delayed incident report - CPS typographical (text placement) error | 1890901 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-04-11T15:28:06Z | 2024-04-11T01:04:16Z |
| Entrust: EV Certificate missing Issuer’s EV Policy OID | 1888714 | ASSIGNED | Bruce Morton | [ca-compliance] [ev-misissuance] | 2024-04-12T18:43:59Z | 2024-03-29T21:05:02Z |
| Entrust: EV TLS Certificate cPSuri missing | 1883843 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [ev-misissuance] | 2024-04-16T01:16:57Z | 2024-03-06T08:35:58Z |
| Entrust: Failed to provide a preliminary incident report according to TLS BR 4.9.5 | 1890123 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [policy-failure] | 2024-04-12T11:21:13Z | 2024-04-06T13:24:25Z |
| Entrust: Failure to revoke EV TLS certificates issued before CPS update | 1890685 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-04-15T20:23:35Z | 2024-04-09T23:40:57Z |
| Entrust: Failure to revoke OV TLS - CPS typographical (text placement) error | 1890898 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-04-12T20:42:44Z | 2024-04-11T00:52:33Z |
| Entrust: Late CPS Update | 1887753 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] [ev-misissuance] | 2024-04-12T18:47:43Z | 2024-03-25T20:45:35Z |
| Entrust: OCSP response signed with SHA-1 | 1879602 | ASSIGNED | Bruce Morton | [ca-compliance] [ocsp-failure] Next update 2024-05-03 | 2024-04-16T17:25:48Z | 2024-02-09T18:13:00Z |
| Firmaprofesional: Policy Qualifiers other than id-qt-cps present for certificate | 1889420 | ASSIGNED | ext-antoni.camon | [ca-compliance] [ov-misissuance] | 2024-04-11T15:26:07Z | 2024-04-03T15:46:27Z |
| FNMT: Certificates issued included Policy qualifiers other than id-qt-cps | 1875942 | ASSIGNED | Amaya Espinosa | [ca-compliance] [ov-misissuance] [ev-misissuance] | 2024-02-24T15:58:01Z | 2024-01-22T23:10:58Z |
| GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints | 1888060 | ASSIGNED | capoc | [ca-compliance] [ov-misissuance] | 2024-04-16T13:05:18Z | 2024-03-27T06:15:29Z |
| Google Trust Services: Failure to properly validate IP address | 1876593 | ASSIGNED | Google Trust Services | [ca-compliance] [dv-misissuance] | 2024-04-15T03:27:54Z | 2024-01-25T18:58:10Z |
| Google Trust Services: Incorrect OCSP responses for new ICAs under test | 1882904 | ASSIGNED | Google Trust Services | [ca-compliance] [ocsp-failure] Next update 2024-04-26 | 2024-04-15T03:38:48Z | 2024-02-29T22:32:18Z |
| Hongkong Post: Delayed response to CPR | 1886722 | ASSIGNED | Man Ho | [ca-compliance] [policy-failure] | 2024-03-26T08:30:26Z | 2024-03-21T11:36:56Z |
| Hongkong Post: TLS certificates with basicConstraints not marked as critical | 1887008 | ASSIGNED | Man Ho | [ca-compliance] [ov-misissuance] | 2024-03-26T03:49:51Z | 2024-03-22T13:11:35Z |
| Hongkong Post: TLS certificates with Certificate Policies extension that does not assert http scheme | 1886406 | ASSIGNED | Man Ho | [ca-compliance] [ov-misissuance] | 2024-03-25T14:07:14Z | 2024-03-20T11:23:23Z |
| Izenpe: Failure to Submit Annual CCADB Self-Assessment | 1883493 | ASSIGNED | David | [ca-compliance] [disclosure-failure] [external] | 2024-03-21T09:50:35Z | 2024-03-04T20:36:07Z |
| Let's Encrypt: keyCompromise key blocking deviation from CP/CPS | 1886876 | ASSIGNED | J.C. Jones [:jcj] (he/him) | [ca-compliance] [policy-failure] | 2024-04-15T08:31:29Z | 2024-03-21T20:45:28Z |
| Microsec: Disallowed subject attribute field in DV certificate | 1889699 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [dv-misissuance] | 2024-04-11T15:24:41Z | 2024-04-04T17:01:58Z |
| Microsec: Late response to a certificate problem report | 1886998 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [policy-failure] | 2024-04-05T13:22:41Z | 2024-03-22T12:22:34Z |
| Microsec: Misissuance an EV TLS certificate without CPSuri | 1886257 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [ev-misissuance] | 2024-04-11T14:50:58Z | 2024-03-19T18:23:18Z |
| NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates | 1889570 | ASSIGNED | Tamás Horváth | [ca-compliance] [ev-misissuance] | 2024-04-15T20:23:42Z | 2024-04-04T08:18:19Z |
| Sectigo: EV Certificate issuance with incorrect subject:serialNumber attribute value | 1891245 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ev-misissuance] | 2024-04-15T15:31:41Z | 2024-04-12T15:53:42Z |
| Sectigo: Premature disabling of CRL generation for an inactive CA | 1891039 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [crl-failure] | 2024-04-17T15:09:21Z | 2024-04-11T14:49:46Z |
| SSL.com - Issuance of one Sponsored-Validated S/MIME certificate with organization information in givenName and surName of the subjectDN | 1871113 | ASSIGNED | Thomas Zermeno | [ca-compliance] [smime-misissuance] | 2024-02-22T22:18:09Z | 2023-12-20T18:56:27Z |
| SSL.com: Findings in 2023 audit | 1867851 | ASSIGNED | Thomas Zermeno | [ca-compliance] [audit-finding] Next update 2024-02-16 | 2024-04-05T20:59:48Z | 2023-12-01T19:23:02Z |
| SSL.com: subCA/Reseller Issues | 1832570 | ASSIGNED | Thomas Zermeno | [ca-compliance] [policy-failure] | 2024-03-15T02:45:13Z | 2023-05-11T13:53:25Z |
| Telekom Security: TLS certificates with basicConstraints not marked as critical | 1875820 | ASSIGNED | Arnold Essing | [ca-compliance] [ov-misissuance] | 2024-04-15T07:09:36Z | 2024-01-22T14:27:18Z |
| TWCA: Revocation delay for TLS certificates with non-critical basicConstraints | 1886110 | ASSIGNED | chtsai | [ca-compliance] [ov-misissuance] | 2024-04-12T10:59:51Z | 2024-03-19T07:42:18Z |
| TWCA: TLS certificates with non-critical basicConstraints | 1885132 | ASSIGNED | Hao-Chun Li | [ca-compliance] [ov-misissuance] [ev-misissuance] | 2024-04-15T09:06:10Z | 2024-03-13T13:09:19Z |
| TWCA: TLS EV certificates with invalid subject attribute order | 1883620 | ASSIGNED | Hao-Chun Li | [ca-compliance] [ev-misissuance] Next update 2024-04-30 | 2024-04-15T13:26:03Z | 2024-03-05T12:28:02Z |
| VikingCloud: Delayed preliminary report of CPR to affected Subscribers | 1888667 | ASSIGNED | Andrea Holland | [ca-compliance] [policy-failure] | 2024-04-15T20:37:17Z | 2024-03-29T15:15:35Z |
| VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | 1885568 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] | 2024-04-12T21:34:48Z | 2024-03-15T16:20:17Z |
| VikingCloud: OV Precertificates with incorrect Subject RDN encoding order | 1883779 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] | 2024-04-16T22:06:47Z | 2024-03-05T21:42:27Z |

62 Total; 62 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags:

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
| --- | --- | --- | --- | --- | --- | --- |
| ACCV: Delayed revocation of TLS certificates affected by bug #1884532 | 1886788 | ASSIGNED | Jose Amador | [ca-compliance] [leaf-revocation-delay] | 2024-04-17T08:48:24Z | 2024-03-21T15:34:41Z |
| Actalis: revocation delay for certificates issued with invalid RDN Order | 1887941 | ASSIGNED | Marco Menonna | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T14:23:23Z | 2024-03-26T17:50:20Z |
| Buypass: Delayed revocation of TLS certificates | 1872738 | ASSIGNED | Mads Henriksveen | [ca-compliance] [leaf-revocation-delay] Next update 2024-05-06 | 2024-04-03T17:38:42Z | 2024-01-02T19:18:17Z |
| Certigna: Revocation delay for TLS certificates with basic constraint not marked as critical | 1886442 | ASSIGNED | Josselin Allemandou | [ca-compliance] [leaf-revocation-delay] | 2024-03-28T17:20:01Z | 2024-03-20T13:44:20Z |
| certSIGN: Delayed revocation | 1886627 | ASSIGNED | Gabriel PETCU | [ca-compliance] [leaf-revocation-delay] | 2024-04-09T11:45:04Z | 2024-03-20T22:30:47Z |
| CFCA:Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) | 1888882 | ASSIGNED | Gao Fei | [ca-compliance] [leaf-revocation-delay] | 2024-04-17T15:27:24Z | 2024-04-01T07:19:09Z |
| e-commerce monitoring GmbH: Delayed revocation | 1862004 | ASSIGNED | Daniel Zens | [ca-compliance] [leaf-revocation-delay] [external] | 2024-04-12T16:51:21Z | 2023-10-30T15:06:09Z |
| Entrust: Delayed revocation of clientAuth TLS Certificates without serverAuth EKU | 1887705 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T12:05:18Z | 2024-03-25T16:44:53Z |
| Entrust: Delayed revocation of EV TLS certificates with missing cPSuri | 1886532 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T12:04:12Z | 2024-03-20T17:22:26Z |
| FIRMAPROFESIONAL: Delayed leaf revocation | 1891251 | ASSIGNED | ext-antoni.camon | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T14:48:50Z | 2024-04-12T16:11:20Z |
| GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints | 1889062 | ASSIGNED | capoc | [ca-compliance] [leaf-revocation-delay] | 2024-04-17T02:35:25Z | 2024-04-02T09:18:52Z |
| Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical | 1887888 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-03-26T14:43:39Z | 2024-03-26T14:39:37Z |
| Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem | 1886665 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-03-21T15:55:40Z | 2024-03-21T04:30:30Z |
| Microsec: Delayed revocation of the misissued certificates | 1887110 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [leaf-revocation-delay] | 2024-04-10T15:33:18Z | 2024-03-22T18:00:56Z |
| NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation | 1891331 | ASSIGNED | Tamás Horváth | [ca-compliance] [leaf-revocation-delay] | 2024-04-15T02:39:43Z | 2024-04-13T22:07:56Z |
| Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical | 1877388 | ASSIGNED | Arnold Essing | [ca-compliance] [leaf-revocation-delay] | 2024-04-16T20:29:13Z | 2024-01-30T07:52:58Z |
| TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order | 1884568 | ASSIGNED | Hao-Chun Li | [ca-compliance] [leaf-revocation-delay] Next update 2024-04-30 | 2024-04-16T17:56:39Z | 2024-03-10T12:44:57Z |

17 Total; 17 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: