CA/Incident Dashboard
From MozillaWiki
< CA
Contents
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1563579 | Sectigo: Failure to provide timely incident reports | ASSIGNED | Rob Stradling | [ca-compliance] | 2021-01-25T21:38:31Z |
| 1565270 | Telia: Qualified BR Audit Statement | ASSIGNED | pekka.lahtiharju | [ca-compliance] Next Update 2021-01-15 | 2021-01-15T13:30:20Z |
| 1575880 | GlobalSign: SSL Certificates with US country code and invalid State/Prov | ASSIGNED | douglas.beattie | [ca-compliance] - Next Update 2021-01-15 | 2021-01-22T18:00:31Z |
| 1632632 | Buypass: Illegal Business Category in a PSD2 QWAC | ASSIGNED | Mads Henriksveen | [ca-compliance] Next update 2021-01-15 | 2021-01-15T14:51:44Z |
| 1645686 | Sectigo: Lack of input validation in stateOrProvinceName | ASSIGNED | Rich Smith | [ca-compliance] | 2021-01-25T17:32:09Z |
| 1645832 | GoDaddy: Expired CRLs | ASSIGNED | Daniela Hood | [ca-compliance] Next Update - 2021-01-01 | 2020-12-03T21:18:57Z |
| 1647468 | D-TRUST: Wrong key usage (Key Encipherment) | ASSIGNED | Enrico Entschew | [ca-compliance] | 2020-10-02T13:58:22Z |
| 1648717 | Sectigo: Failure to provide a preliminary report within 24 hours. | ASSIGNED | Rich Smith | [ca-compliance] | 2021-01-21T18:43:17Z |
| 1649726 | Firmaprofesional: 2020 Audit Report Finding 4 out of 4 | ASSIGNED | Maria Jose Prieto | [ca-compliance] | 2021-01-25T08:52:31Z |
| 1649937 | GlobalSign: Incorrect OCSP Delegated Responder Certificate | ASSIGNED | douglas.beattie | [ca-compliance] | 2021-01-25T08:26:31Z |
| 1649938 | QuoVadis: Incorrect OCSP Delegated Responder Certificate | ASSIGNED | Stephen Davidson | [ca-compliance] Next Update 2021-01-07 | 2021-01-22T21:27:30Z |
| 1649951 | DigiCert: Incorrect OCSP Delegated Responder Certificate | ASSIGNED | Martin Sullivan | [ca-compliance] | 2021-01-19T20:57:32Z |
| 1649964 | PKIoverheid: Incorrect OCSP Delegated Responder Certificate | ASSIGNED | Jorik van 't Hof | [ca-compliance] Next Update 2021-01-25 | 2021-01-05T13:15:00Z |
| 1650845 | Sectigo: Certificate Problem Report response issues | ASSIGNED | Nick France | [ca-compliance] Updates in Bug #1648717 | 2020-08-27T03:53:17Z |
| 1651611 | Telekom Security: Finding in 2020 ETSI-Audit regarding weekly review of changes to configurations | ASSIGNED | Arnold Essing | [ca-compliance] | 2021-01-22T18:46:11Z |
| 1652581 | Google Trust Services digitalSignature KeyUsage not set | ASSIGNED | Andy Warner | [ca-compliance] | 2021-01-11T23:24:01Z |
| 1655698 | Telekom Security: CRL also contained unrevoked certificates | ASSIGNED | Arnold Essing | [ca-compliance] | 2021-01-18T00:10:27Z |
| 1658792 | Entrust: Invalid data in State/Province Field | ASSIGNED | Dathan Demone | [ca-compliance] Next Update 2021-04-01 | 2021-01-22T17:55:20Z |
| 1662807 | GoDaddy: Certificates issued with validity periods greater than 398-days | ASSIGNED | Joanna | [ca-compliance] Next Update 2021-01-11 | 2021-01-16T03:37:29Z |
| 1663080 | IdenTrust Issuance of certificates greater than 398 days | ASSIGNED | IdenTrust | [ca-compliance] | 2021-01-06T22:39:57Z |
| 1663953 | TunTrust : OCSP unreachable | ASSIGNED | Agence Nationale de Certification Electronique | [ca-compliance] | 2021-01-05T18:35:02Z |
| 1664328 | GlobalSign: SHA-256 hash algorithm used with ECC P-384 key | ASSIGNED | Arvid Vermote | [ca-compliance] Next Update 15-Jan-2021 | 2021-01-11T11:20:52Z |
| 1667430 | Camerfirma: Invalid stateOrProvinceName field | ASSIGNED | Ana Lopes | [ca-compliance] | 2021-01-20T18:20:40Z |
| 1667690 | Entrust: Failure to provide a preliminary report within 24 hours. | ASSIGNED | Dathan Demone | [ca-compliance] | 2021-01-22T17:51:12Z |
| 1667744 | Dhimyotis/Certigna: Certificates issued with validity periods greater than 398-days | ASSIGNED | Josselin Allemandou | [ca-compliance] | 2021-01-08T11:54:26Z |
| 1667799 | SecureTrust: Failure to provide a preliminary report within 24 hours. | ASSIGNED | Andrea Holland | [ca-compliance] | 2021-01-22T18:43:55Z |
| 1667842 | SecureTrust: Inaccurate value in stateOrProvinceName | ASSIGNED | Andrea Holland | [ca-compliance] | 2020-12-24T21:07:42Z |
| 1667944 | GlobalSign: Empty SingleExtension in OCSP responses | ASSIGNED | Paul Brown | [ca-compliance] | 2021-01-19T15:13:08Z |
| 1667986 | Asseco DS / Certum: Invalid stateOrProvinceName field | ASSIGNED | Aleksandra Kurosz | [ca-compliance] | 2021-01-12T13:26:39Z |
| 1668007 | GlobalSign: Invalid stateOrProvinceName value | ASSIGNED | Arvid Vermote | [ca-compliance] | 2021-01-22T18:16:09Z |
| 1669518 | PKIoverheid: Overdue audit statements for intermediate certificates | ASSIGNED | Jorik van 't Hof | [ca-compliance] | 2021-01-20T12:48:02Z |
| 1669594 | Identrust: Issuance of Subordinate CA’s Without EKU | ASSIGNED | IdenTrust | [ca-compliance] | 2021-01-22T19:48:09Z |
| 1670337 | Microsoft PKI Services: Certificate Mis-Issuance, DNSNames must have a valid TLD | ASSIGNED | John Mason | [ca-compliance] | 2021-01-20T01:25:07Z |
| 1670894 | SwissSign: Invalid stateOrProvinceName field | ASSIGNED | Mike Guenther | [ca-compliance] | 2021-01-25T13:48:49Z |
| 1671037 | SecureTrust: CPS section 6.1.1.1 number 3 non-compliance event | ASSIGNED | Andrea Holland | [ca-compliance] | 2020-12-18T22:06:22Z |
| 1671113 | SwissSign: Failure to provide a preliminary report within 24 hours. | ASSIGNED | Mike Guenther | [ca-compliance] | 2021-01-22T18:37:27Z |
| 1672029 | Camerfirma: Failure to abide by Section 8 of Mozilla Policy: Unauthorized, improperly disclosed Subordinate CA | ASSIGNED | Ana Lopes | [ca-compliance] | 2021-01-22T09:41:51Z |
| 1672409 | Camerfirma: suspicious certificate for com.com | ASSIGNED | Ana Lopes | [ca-compliance] | 2021-01-22T13:20:32Z |
| 1674561 | Microsoft: DV certificate issued with OV fields | ASSIGNED | Dustin Hollenback | [ca-compliance] | 2021-01-22T23:37:19Z |
| 1674886 | certSIGN misissued an OV SSL certificate with no organizationName and localityName, instead of a DV SSL as requested by client | REOPENED | Gabriel PETCU | [ca-compliance] | 2021-01-06T17:35:21Z |
| 1675314 | Telekom Security: Wrong jurisdiction entries in certificates | ASSIGNED | Arnold Essing | [ca-compliance] | 2021-01-14T15:04:44Z |
| 1676352 | Microsec e-Szigno: Validity validity period greater than 398 days | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] | 2021-01-18T18:04:37Z |
| 1676367 | NetLock: Issuance of >398-day precertificates after 2020-09-01 | ASSIGNED | Varga Viktor | [ca-compliance] | 2021-01-08T13:20:26Z |
| 1676440 | Netlock: Cumulative report connected to EV verification | ASSIGNED | Varga Viktor | [ca-compliance] | 2021-01-22T18:23:59Z |
| 1677234 | Apple: OCSP availability 2020-11-12 | ASSIGNED | certification_authority | [ca-compliance] Next Update 2021-01-31 | 2021-01-20T02:52:54Z |
| 1677239 | IdenTrust Service Degradation | ASSIGNED | IdenTrust | [ca-compliance] | 2021-01-07T22:14:34Z |
| 1677737 | SwissSign: duplicate serial number | ASSIGNED | Mike Guenther | [ca-compliance] | 2021-01-25T13:44:20Z |
| 1678183 | Google Trust Services - Invalid ASN.1 encoding of singleExtensions in OCSP responses | ASSIGNED | Andy Warner | [ca-compliance] | 2021-01-25T11:35:34Z |
| 1678410 | IdenTrust: Invalid OCSP Response Held in Cache | ASSIGNED | IdenTrust | [ca-compliance] | 2021-01-05T22:09:06Z |
| 1680083 | Camerfirma: certificate with an incorrect OrganizationName | ASSIGNED | Eusebio Herrera | [ca-compliance] | 2021-01-20T11:31:39Z |
| 1680378 | Netlock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit | ASSIGNED | Varga Viktor | [ca-compliance] | 2021-01-08T11:06:38Z |
| 1682270 | D-TRUST: Private Key Disclosed by Customer as Part of CSR | ASSIGNED | Enrico Entschew | [ca-compliance] | 2020-12-14T22:37:08Z |
| 1684112 | Let's Encrypt: Failure to audit log subscriber certificate OCSP updates | ASSIGNED | Andrew Gabbitas | [ca-compliance] | 2020-12-29T22:36:47Z |
| 1684442 | DigiCert: SHA-1 intermediate issued after 2016-01-01 | ASSIGNED | Jeremy Rowley | [ca-compliance] | 2021-01-22T04:30:53Z |
| 1685370 | Entrust: Incorrect Business Category Value Discovered in an EV SSL Certificate | ASSIGNED | Dathan Demone | [ca-compliance] | 2021-01-21T17:22:45Z |
| 1685557 | Camerfirma: Certificates without CABForum OV Reserved Policy Identifier | ASSIGNED | Ana Lopes | [ca-compliance] | 2021-01-20T20:08:56Z |
| 1686524 | Camerfirma: Certificate issued with 3-year lifespan, unknown policy | ASSIGNED | Eusebio Herrera | [ca-compliance] | 2021-01-20T18:44:29Z |
| 1687139 | E-Tugra: commonName not in SAN | ASSIGNED | Davut Tokgöz | [ca-compliance] | 2021-01-20T05:30:27Z |
| 1687330 | E-Tugra: Intermittent OCSP response with status 'Unknown' | ASSIGNED | Davut Tokgöz | [ca-compliance] | 2021-01-19T16:06:27Z |
| 1687513 | E-Tugra: Delayed Response of Revocation Request | ASSIGNED | Davut Tokgöz | [ca-compliance] | 2021-01-19T17:58:23Z |
| 1688215 | Camerfirma: CP/CPS of Intesa Sanpaolo Sub-CA is Non-Compliant | ASSIGNED | Ana Lopes | [ca-compliance] | 2021-01-25T17:09:05Z |
| 1688382 | CamerFirma: No disclosure of verification sources | ASSIGNED | Ana Lopes | [ca-compliance] | 2021-01-23T19:42:16Z |
62 Total; 62 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
No results.
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1591005 | GlobalSign: ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report | ASSIGNED | Arvid Vermote | [ca-compliance] [delayed-revocation-ca] Next Update 2021-01-15 | 2021-01-12T10:58:22Z |
| 1620561 | Sectigo: Non-revocation of certificates with subject:organizationalUnitName in DV certificates | ASSIGNED | Nick France | [ca-compliance] [delayed-revocation-leaf] Next update 2021-01-05 | 2021-01-22T18:09:39Z |
| 1651447 | GlobalSign: Failure to revoke noncompliant ICA within 7 days | ASSIGNED | Arvid Vermote | [ca-compliance] [delayed-revocation-ca] | 2021-01-12T13:19:27Z |
| 1651461 | DigiCert: Failure to revoke within 7 days: OCSP EKU issue | ASSIGNED | Brenda Bernal | [ca-compliance] [delayed-revocation-ca] | 2021-01-19T20:57:14Z |
| 1651553 | QuoVadis: Failure to revoke within 7 days: OCSP EKU issue | ASSIGNED | Stephen Davidson | [ca-compliance] [delayed-revocation-ca] Next update 2021-01-22 | 2021-01-22T21:31:38Z |
| 1651637 | Firmaprofesional: Failure to revoke ICAs within 7 days: OCSP EKU | ASSIGNED | Maria Jose Prieto | [ca-compliance] [delayed-revocation-ca] Next update 2021-01-04 | 2020-12-28T14:56:08Z |
| 1652604 | PKIoverheid: Failure to revoke within 7 days: OCSP EKU issue | ASSIGNED | Jorik van 't Hof | [ca-compliance] [delayed-revocation-ca] Next update 2020-12-01 | 2021-01-08T10:53:07Z |
| 1652610 | SECOM: Delayed Revocation of CA Certificate with OCSP EKU Issue | ASSIGNED | Hisashi Kamo | [ca-compliance] [delayed-revocation-ca] | 2021-01-04T08:09:19Z |
| 1668331 | Camerfirma: Delayed revocations related to Invalid stateOrProvinceName field | ASSIGNED | Juan Angel Martin | [ca-compliance] [delayed-revocation-leaf] | 2021-01-22T18:30:03Z |
| 1668523 | Asseco DS/Certum: Failure to revoke within 5 days | ASSIGNED | Aleksandra Kurosz | [ca-compliance] [delayed-revocation-leaf] Next update 2021-01-15 | 2021-01-22T18:40:04Z |
| 1670861 | Actalis: delayed revocation related to inaccurate value in stateOrProvinceName | ASSIGNED | Adriano Santoni | [ca-compliance] [delayed-revocation-leaf] | 2021-01-22T17:58:53Z |
| 1674082 | Dhimyotis/Certigna: Certificates issued with validity periods greater than 398-days | ASSIGNED | r.delval | [ca-compliance] [delayed-revocation-leaf] | 2021-01-11T10:52:22Z |
| 1686966 | Camerfirma: Delayed revocations related to certificates without CABForum OV Reserved Policy Identifier | ASSIGNED | Ana Lopes | [ca-compliance] [delayed-revocation-leaf] | 2021-01-22T15:06:04Z |
| 1687608 | E-Tugra: The failure to revoke a certificate | ASSIGNED | Davut Tokgöz | [ca-compliance] [delayed-revocation-leaf] | 2021-01-20T16:35:02Z |
14 Total; 14 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
