CA/Incident Dashboard
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=CA+Program&component=CA+Certificate+Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
Actalis: CRL distribution point with ldap scheme | 1906690 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-09-03T15:59:27Z | 2024-07-08T15:44:42Z |
Actalis: Use of CRLReason Code in Certificate Revocation | 1914419 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-09-05T13:30:59Z | 2024-08-22T15:13:31Z |
Amazon Trust Services: CRL not DER-encoded | 1914893 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] [crl-failure] [external] | 2024-09-05T20:50:06Z | 2024-08-26T12:35:54Z |
Asseco DS / Certum: CRL non-conformance with the TLS BRs | 1888689 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [crl-failure] [external] Next update 2024-10-01 | 2024-08-27T09:04:45Z | 2024-03-29T17:37:14Z |
Asseco DS / Certum: Organization Identifier and Country field discrepancies | 1917571 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] | 2024-09-10T14:35:28Z | 2024-09-09T11:32:46Z |
Asseco DS / Certum: S/MIME certificates with error in subjectAlternativeName | 1879845 | REOPENED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] Next update 2024-10-01 | 2024-08-27T09:06:08Z | 2024-02-12T13:22:11Z |
CFCA: certificate basicConstraints extension not marked as critical | 1886135 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] Next update 2024-07-30 | 2024-08-22T03:51:07Z | 2024-03-19T10:57:32Z |
CFCA: Failure to respond to a CPR in a complete and/or timely manner | 1888881 | ASSIGNED | Gao Fei | [ca-compliance] [policy-failure] | 2024-08-26T16:27:02Z | 2024-04-01T07:17:16Z |
Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired | 1904038 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [policy-failure] | 2024-09-06T11:14:46Z | 2024-06-21T12:48:21Z |
Chunghwa Telecom: Controversial Values within Extension (2.5.29.9, subjectDirectoryAttributes) | 1899466 | ASSIGNED | Leo Fang | [ca-compliance] [ov-misissuance] | 2024-09-06T15:28:05Z | 2024-05-29T04:13:45Z |
Chunghwa Telecom: TLS Certificates Contains two LocalityName Values in SubjectDN by GTLSCA | 1916392 | ASSIGNED | Leo Fang | [ca-compliance] [ov-misissuance] | 2024-09-06T11:14:47Z | 2024-09-03T10:00:29Z |
CommScope: Certificates not logged in CT logs as stated in CP/CPS | 1910512 | ASSIGNED | Nicol So | [ca-compliance] [policy-failure] | 2024-09-08T16:05:00Z | 2024-07-30T00:10:18Z |
CommScope: Incomplete Incident Report | 1904402 | ASSIGNED | Nicol So | [ca-compliance] [policy-failure] | 2024-08-28T22:39:08Z | 2024-06-24T18:20:49Z |
D-Trust: CRL-Entries without required CRL Reason Code | 1913310 | ASSIGNED | Enrico Entschew | [ca-compliance] [crl-failure] | 2024-09-06T15:16:02Z | 2024-08-15T11:46:15Z |
D-Trust: Issuance of an EV certificate containing a mixup of the Subject's postalCode and localityName | 1896190 | ASSIGNED | Enrico Entschew | [ca-compliance] [ev-misissuance] Next update 2024-10-21 | 2024-09-06T15:32:07Z | 2024-05-10T19:14:04Z |
D-Trust: LDAP-URL in Subscriber Certificate Authority Information Access field | 1884714 | ASSIGNED | Enrico Entschew | [ca-compliance] [ov-misissuance] | 2024-09-06T15:15:31Z | 2024-03-11T16:29:07Z |
DigiCert: Random value in CNAME without underscore prefix | 1910322 | ASSIGNED | Jeremy Rowley | [ca-compliance] | 2024-09-07T11:08:49Z | 2024-07-29T02:17:59Z |
DigiCert: Typo in TLS Org Name | 1910258 | ASSIGNED | Martin Sullivan | [ca-compliance] [ov-misissuance] | 2024-09-06T22:21:06Z | 2024-07-27T20:48:42Z |
DigiCert: Unclear Disclosure of CAA Issuer Domain Names | 1914911 | ASSIGNED | Tim Hollebeek | [ca-compliance] [policy-failure] [external] | 2024-09-05T22:19:01Z | 2024-08-26T13:21:22Z |
emSign PKI Services : OCSP Responder Time Inconsistency | 1917459 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [ocsp-failure] | 2024-09-09T15:49:06Z | 2024-09-08T09:06:01Z |
Entrust: Action Items from June 2024 Report | 1901270 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] Next update 2024-10-31 | 2024-09-09T18:18:47Z | 2024-06-07T16:50:41Z |
Entrust: CPR was not responded to in 24 hours | 1885754 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [external] [policy-failure] | 2024-09-06T15:14:01Z | 2024-03-16T22:14:29Z |
Entrust: Not updating CPR Problem Reporting Mechanism fields in CCADB | 1894111 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] Next update 2024-10-31 | 2024-08-30T16:10:46Z | 2024-04-29T21:37:24Z |
Entrust: S/MIME certificates lacking OU verification | 1914065 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-09-30 | 2024-08-30T16:05:20Z | 2024-08-20T21:35:45Z |
Entrust: S/MIME mailbox address case mismatch between subject and subjectAltName | 1906470 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-31 | 2024-08-30T16:21:07Z | 2024-07-05T18:24:44Z |
Entrust: S/MIME mailbox address not in subjectAltName | 1906467 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-31 | 2024-08-30T16:14:58Z | 2024-07-05T18:16:34Z |
Entrust: S/MIME OrgID Country not matching C field | 1914999 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-01 | 2024-09-06T15:42:41Z | 2024-08-26T17:57:09Z |
GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints | 1888060 | ASSIGNED | capoc | [ca-compliance] [ov-misissuance] | 2024-08-29T09:17:53Z | 2024-03-27T06:15:29Z |
GoDaddy : CAA checks did not properly handle issuewild tag allowing FQDN SANs to be added to wildcard certs | 1904748 | ASSIGNED | [:nickname] Star | [ca-compliance] | 2024-08-27T20:51:35Z | 2024-06-26T02:12:50Z |
GoDaddy : CAA checks passed when records contained incorrect variants of godaddy.com or starfieldtech.com | 1904749 | ASSIGNED | [:nickname] Star | [ca-compliance] | 2024-08-27T20:51:43Z | 2024-06-26T02:14:20Z |
GoDaddy: Edge Case for Data Reuse Outside of Timeframes | 1909948 | ASSIGNED | [:nickname] Star | [ca-compliance] [dv-misissuance] | 2024-08-05T16:25:38Z | 2024-07-25T17:47:50Z |
GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued | 1905419 | ASSIGNED | [:nickname] Star | [ca-compliance] [ocsp-failure] | 2024-08-23T18:01:43Z | 2024-06-28T19:25:10Z |
IdenTrust: Expired CRLs | 1914067 | ASSIGNED | IdenTrust | [ca-compliance] [crl-failure] | 2024-09-03T21:48:11Z | 2024-08-20T21:50:05Z |
IdenTrust: Unauthorized OCSP response on a Timestamp certificate | 1905446 | ASSIGNED | IdenTrust | [ca-compliance] [ocsp-failure] Next update 2024-10-15 | 2024-08-30T22:20:28Z | 2024-06-28T22:11:23Z |
Izenpe: Failure to Submit Annual CCADB Self-Assessment | 1883493 | ASSIGNED | David | [ca-compliance] [disclosure-failure] [external] | 2024-08-26T16:07:19Z | 2024-03-04T20:36:07Z |
NETLOCK: CPR was not responded to in 24 hours | 1905509 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] | 2024-09-05T17:30:54Z | 2024-06-29T19:45:26Z |
NETLOCK: Intermediate CA Certificate not disclosed to CCADB | 1904041 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [disclosure-failure] | 2024-08-30T16:07:55Z | 2024-06-21T13:01:09Z |
Sectigo: HTML encoded characters in subject attribute values | 1912225 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ov-misissuance] Next update 2024-09-15 | 2024-08-23T15:36:04Z | 2024-08-08T09:16:17Z |
Sectigo: Missing data in cabfOrganizationIdentifier | 1915883 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ev-misissuance] | 2024-09-06T08:11:40Z | 2024-08-30T15:11:31Z |
Sectigo: S/MIME OV Mis-issuance | 1917405 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [smime-misissuance] [external] | 2024-09-10T10:03:51Z | 2024-09-07T09:34:22Z |
SHECA: CRLReason code usage error | 1914365 | ASSIGNED | Alvin.Wang | [ca-compliance] [crl-failure] | 2024-08-27T05:59:45Z | 2024-08-22T11:43:31Z |
SwissSign: LDAP URL still in CRL distribution point (CDP) | 1916489 | ASSIGNED | Sandy Balzer | [ca-compliance] [crl-failure] | 2024-09-11T09:15:54Z | 2024-09-03T16:00:28Z |
SwissSign: S/MIME LCP not-permitted key usage | 1914023 | ASSIGNED | Sandy Balzer | [ca-compliance] [smime-misissuance] | 2024-09-06T15:46:25Z | 2024-08-20T18:42:01Z |
SwissSign: S/MIME NCP non ASCII symbols in email and SAN field wrong coding | 1914020 | ASSIGNED | Sandy Balzer | [ca-compliance] [smime-misissuance] | 2024-09-06T15:47:49Z | 2024-08-20T18:32:23Z |
Telekom Security: CRL-Entries with wrong CRL Reason Codes | 1914383 | ASSIGNED | Arnold Essing | [ca-compliance] [crl-failure] | 2024-09-09T07:39:54Z | 2024-08-22T12:56:33Z |
TunTrust: CRL and OCSP unavailable | 1895312 | ASSIGNED | TunTrust | [ca-compliance] [crl-failure] [ocsp-failure] | 2024-08-27T11:36:09Z | 2024-05-06T17:10:11Z |
46 Total; 46 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
Chunghwa Telecom:Delayed Annual Audit Report 2024 | 1917224 | ASSIGNED | Li-Chun CHEN | [ca-compliance] [audit-delay] | 2024-09-10T09:55:32Z | 2024-09-06T12:29:32Z |
PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | 1911335 | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2024-08-29T14:36:38Z | 2024-08-02T15:40:40Z |
2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
[meta] Delayed Revocation | 1911183 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2024-09-03T16:06:09Z | 2024-08-01T20:05:04Z |
Buypass: Delayed revocation of TLS certificates | 1872738 | REOPENED | Mads Henriksveen | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-15 | 2024-08-01T20:05:04Z | 2024-01-02T19:18:17Z |
CFCA: Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) | 1888882 | ASSIGNED | Gao Fei | [ca-compliance] [leaf-revocation-delay] Next update 2024-08-20 | 2024-08-22T03:56:56Z | 2024-04-01T07:19:09Z |
Chunghwa Telecom: Delayed Revocation Due to GTLSCA EKU Misissuance | 1892419 | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] | 2024-09-06T11:14:45Z | 2024-04-19T10:55:40Z |
Chunghwa Telecom: Delayed Revocation with Controversial Extension (2.5.29.9, SubjectDirectoryAttributes) | 1903066 | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] | 2024-09-06T11:14:46Z | 2024-06-17T14:31:08Z |
Digicert: Delayed Revocation for bug 1894560 | 1896053 | ASSIGNED | Tim Hollebeek | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-09T15:38:42Z | 2024-05-10T05:00:07Z |
DigiCert: Delayed revocation of 1910322 | 1910805 | ASSIGNED | Tim Hollebeek | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-09T15:41:52Z | 2024-07-31T00:45:12Z |
emSign PKI Services: Delayed Revocation of SSL/TLS Certificates | 1916478 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [leaf-revocation-delay] | 2024-09-07T15:39:46Z | 2024-09-03T15:24:26Z |
Entrust: Delayed Revocation for S/MIME certificates | 1910237 | ASSIGNED | Bruce Morton | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-31 | 2024-08-30T16:14:29Z | 2024-07-27T15:07:49Z |
Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates | 1898848 | ASSIGNED | ngook.kong | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-30 | 2024-08-30T16:01:01Z | 2024-05-25T03:48:12Z |
Entrust: Delayed revocation of EV TLS certificates with missing cPSuri | 1886532 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-30 | 2024-08-13T17:18:47Z | 2024-03-20T17:22:26Z |
Entrust: Failure to revoke EV TLS certificates issued before CPS update | 1890685 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] [leaf-revocation-delay] Next update 2024-09-30 | 2024-08-30T16:01:31Z | 2024-04-09T23:40:57Z |
GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints | 1889062 | ASSIGNED | capoc | [ca-compliance] [leaf-revocation-delay] | 2024-08-29T09:18:11Z | 2024-04-02T09:18:52Z |
Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical | 1887888 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-08-01T20:05:04Z | 2024-03-26T14:39:37Z |
Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem | 1886665 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-08-01T20:05:04Z | 2024-03-21T04:30:30Z |
Microsec: Delayed revocation of the misissued certificates | 1887110 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [leaf-revocation-delay] | 2024-08-31T20:11:28Z | 2024-03-22T18:00:56Z |
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation | 1891331 | ASSIGNED | Tamás Horváth | [ca-compliance] [leaf-revocation-delay] | 2024-08-01T20:05:04Z | 2024-04-13T22:07:56Z |
Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical | 1877388 | ASSIGNED | Arnold Essing | [ca-compliance] [leaf-revocation-delay] | 2024-09-11T06:06:23Z | 2024-01-30T07:52:58Z |
Telia: Delayed revocation of seven (7) certificates related to incident 1896108 | 1896553 | ASSIGNED | Antti Backman | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-06T15:25:20Z | 2024-05-14T04:48:55Z |
TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order | 1884568 | ASSIGNED | Hao-Chun Li | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-09T15:32:53Z | 2024-03-10T12:44:57Z |
TWCA: Revocation delay for TLS certificates with non-critical basicConstraints | 1886110 | ASSIGNED | chtsai | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2024-08-30 | 2024-09-06T22:27:40Z | 2024-03-19T07:42:18Z |
VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | 1885568 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2024-10-23 | 2024-08-16T18:58:11Z | 2024-03-15T16:20:17Z |
22 Total; 22 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: