CA/Incident Dashboard

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Certigna: Certificate issued with validity period greater than 398-days | 1774418 | ASSIGNED | Josselin Allemandou | [ca-compliance] | 2022-11-14T22:22:57Z |
| CFCA: Certificate with wrong crlDistributionPoints | 1809382 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] [ev-misissuance] | 2023-01-16T14:56:09Z |
| CFCA: Delayed reporting of intermediate CA certificate | 1784820 | ASSIGNED | Gao Fei | [ca-compliance] | 2022-11-14T22:22:57Z |
| CFCA: Delayed reporting of revocation of an intermediate CA certificate | 1798812 | ASSIGNED | Gao Fei | [ca-compliance] | 2022-11-22T07:48:30Z |
| CFCA: EV certificate with wrong PostalCode&Street | 1802845 | ASSIGNED | Gao Fei | [ca-compliance] [ev-misissuance] | 2023-01-06T17:25:40Z |
| CFCA: ICA without EKU | 1793053 | ASSIGNED | Gao Fei | [ca-compliance] | 2023-01-04T02:09:11Z |
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-11-14T22:22:57Z |
| CFCA: The delay in revocation of ICA | 1793059 | ASSIGNED | Gao Fei | [ca-compliance] [ca-revocation-delay] | 2023-01-11T00:28:12Z |
| CFCA: The wrong status of OCSP | 1778035 | ASSIGNED | Gao Fei | [ca-compliance] Next update 2022-10-15 | 2022-11-14T22:22:57Z |
| E-Tugra: Incident Report (Security Issues) | 1801345 | ASSIGNED | Ahmed | [ca-compliance] Next update 2023-01-06 | 2023-01-24T20:10:15Z |
| Entrust: Delayed Revocation for EV TLS Certificate incorrect jurisdiction | 1804753 | ASSIGNED | Bruce Morton | [ca-compliance] [leaf-revocation-delay] | 2023-01-16T18:00:46Z |
| Entrust: EV TLS Certificate incorrect jurisdiction | 1802916 | ASSIGNED | Bruce Morton | [ca-compliance] [ev-misissuance] | 2023-01-06T17:23:50Z |
| Entrust: TLS Certificate issued with an incorrect state or province | 1792231 | ASSIGNED | Bruce Morton | [ca-compliance] 2023-03-31 | 2022-11-14T22:22:57Z |
| Hongkong Post: Subject CN converted to Unicode representation incident | 1804843 | ASSIGNED | Man Ho | [ca-compliance] [ov-misissuance] | 2023-01-12T14:36:02Z |
| IdenTrust: Bad OCSP Responses | 1806728 | ASSIGNED | IdenTrust | [ca-compliance] | 2023-01-06T17:21:47Z |
| NAVER Cloud: DV certificate issued with no subject alternative name extension | 1785865 | ASSIGNED | Han Yong, Park | [ca-compliance] | 2022-11-14T22:22:57Z |
| SECOM: One of the EV certificate was mis-issued with the incorrect Registration Number by Cybertrust Japan (CTJ) | 1805866 | ASSIGNED | ONO Fumiaki | [ca-compliance] [ev-misissuance] | 2023-01-26T17:01:39Z |
| Sectigo: Late CCADB update after CPS update | 1812336 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [disclosure-failure] | 2023-01-25T15:03:04Z |
| SecureTrust: 2 certificates with non-DER encoded keyUsage extension | 1776764 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2023-01-01 | 2023-01-03T22:48:54Z |
| SSL.com: Delayed revocation of certificate with weak key | 1800753 | ASSIGNED | Chris Kemmerer | [ca-compliance] [leaf-revocation-delay] | 2023-01-06T17:29:03Z |
| SSL.com: Issuance of 1 EV TLS certificate using a Registration/Incorporation Agency not included in our approved public list. | 1790693 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2022-11-14T22:22:57Z |
| TWCA: "unknown" OCSP response for issued certificates | 1793445 | ASSIGNED | Hao-Chun Li | [ca-compliance] | 2022-11-14T22:22:57Z |
| UniTrust: EV certificate with wildcard domain in common name and SAN | 1787537 | ASSIGNED | chenxiaotong | [ca-compliance] | 2022-11-14T22:22:57Z |
| UniTrust: EV certificate with wrong Registry Country Name | 1798626 | ASSIGNED | chenxiaotong | [ca-compliance] | 2022-11-14T22:22:57Z |
| UniTrust: Improper DER results in failure to comply with RFC 5280 - Encoded sequence component with default value | 1735908 | ASSIGNED | chenxiaotong | [ca-compliance] Next update 2022-10-15 | 2022-11-14T22:22:57Z |
| WISeKey: Bad ECDSA algorithm encoding in test certificate | 1804587 | ASSIGNED | Pedro Fuentes | [ca-compliance] [ov-misissuance] | 2023-01-06T17:31:27Z |
| WISeKey: Incorrect businessCategory in EV certificate | 1808485 | ASSIGNED | Pedro Fuentes | [ca-compliance] [ev-misissuance] | 2023-01-09T11:46:34Z |

27 Total; 27 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

Full Query

| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-11-14T22:22:57Z |

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Amazon Trust Services: Delayed Revocation of Subordinate CA | 1743943 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] [delayed-revocation-ca] Next update 2023-03-17 | 2023-01-25T19:19:57Z |

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: