CA/Incident Dashboard

From MozillaWiki
< CA
Jump to: navigation, search

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1632632 Buypass: Illegal Business Category in a PSD2 QWAC ASSIGNED Mads Henriksveen [ca-compliance] Next update 2021-06-20 2021-04-02T17:43:21Z
1647468 D-TRUST: Wrong key usage (Key Encipherment) ASSIGNED Enrico Entschew [ca-compliance] 2020-10-02T13:58:22Z
1649937 GlobalSign: Incorrect OCSP Delegated Responder Certificate ASSIGNED douglas.beattie [ca-compliance] 2021-02-25T08:41:07Z
1652581 Google Trust Services digitalSignature KeyUsage not set ASSIGNED Andy Warner [ca-compliance] 2021-04-09T16:45:02Z
1658792 Entrust: Invalid data in State/Province Field ASSIGNED Dathan Demone [ca-compliance] Next Update 2021-04-01 2021-04-15T21:07:04Z
1663953 TunTrust : OCSP unreachable ASSIGNED Agence Nationale de Certification Electronique [ca-compliance] Next Update 2021-06-15 2021-04-08T15:27:17Z
1670337 Microsoft PKI Services: Certificate Mis-Issuance, DNSNames must have a valid TLD ASSIGNED John Mason [ca-compliance] Next Update 2021-04-19 2021-04-08T04:11:01Z
1674561 Microsoft: DV certificate issued with OV fields ASSIGNED Dustin Hollenback [ca-compliance] Next update 2021-05-01 2021-04-02T17:56:26Z
1676352 Microsec e-Szigno: Validity validity period greater than 398 days ASSIGNED dr. Sándor SZŐKE [ca-compliance] Next update 2021-05-01 2021-04-02T17:34:21Z
1677737 SwissSign: duplicate serial number ASSIGNED Mike Guenther [ca-compliance] 2021-04-08T11:51:44Z
1678183 Google Trust Services - Invalid ASN.1 encoding of singleExtensions in OCSP responses ASSIGNED Andy Warner [ca-compliance] 2021-04-14T20:06:43Z
1680378 Netlock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit ASSIGNED Varga Viktor [ca-compliance] 2021-04-07T14:01:09Z
1685370 Entrust: Incorrect Business Category Value Discovered in an EV SSL Certificate ASSIGNED Dathan Demone [ca-compliance] 2021-03-30T20:09:32Z
1690807 GlobalSign: RSA-1024 leaf certificate issued after 2013-12-31 ASSIGNED Eva Van Steenberge [ca-compliance] 2021-04-06T06:05:10Z
1693930 Microsoft PKI Services: Policy Documentation, Failure to update Subscriber Certificate Max Validity Period ASSIGNED John Mason [ca-compliance] 2021-03-04T22:04:27Z
1694233 Sectigo: Inadequate DCV ASSIGNED Tim Callan [ca-compliance] 2021-04-16T00:22:02Z
1695786 SECOM: Unqualified domain name in SAN ASSIGNED Hisashi Kamo [ca-compliance] 2021-04-15T16:42:33Z
1695938 SECOM: FUJIFILM intermediate not listed in audit statement ASSIGNED Hisashi Kamo [ca-compliance] 2021-04-15T19:27:41Z
1695993 SECOM: Outdated audit statements for intermediate certs ASSIGNED Hisashi Kamo [ca-compliance] 2021-04-08T04:08:53Z
1696227 Entrust - Incorrect Jurisdiction Country Value in an EV Certificate ASSIGNED Dathan Demone [ca-compliance] Next update 2021-06-01 2021-03-30T20:10:22Z
1698936 Sectigo: ZeroSSL: failure to revoke within 24 hours ASSIGNED Tim Callan [ca-compliance] 2021-04-09T17:09:15Z
1699796 HARICA: Certificates with invalid policy tree ASSIGNED Dimitris Zacharopoulos [ca-compliance] 2021-04-07T14:11:47Z
1700145 Firmaprofesional: incorrect reserved CA/B Forum OIDs in certificates ASSIGNED chemalogo [ca-compliance] 2021-03-31T21:57:07Z
1700809 Microsoft PKI Services: Failure to disclose Unconstrained Intermediate within 7 Days ASSIGNED John Mason [ca-compliance] 2021-04-14T22:42:25Z
1703528 Telekom Security: Key Encipherment in two ECC SAN TLS certificates ASSIGNED Arnold Essing [ca-compliance] 2021-04-13T08:36:03Z
1704140 Camerfirma: Govern d'Andorra Audit Delay ASSIGNED Ana Lopes [ca-compliance] [audit-delay] 2021-04-12T14:23:34Z
1704199 FNMT: Minor non-conformities in 2021 audit statement ASSIGNED Brox [ca-compliance] 2021-04-12T09:34:40Z
1705187 KIR S.A.: CN domain not in SAN ASSIGNED Piotr Grabowski [ca-compliance] 2021-04-15T15:22:11Z
1705337 KIR S.A.: Invalid localityName + CRL Revoked but OCSP Unknown ASSIGNED Piotr Grabowski [ca-compliance] 2021-04-15T20:27:48Z
1705419 Microsoft: Underscore in SAN ASSIGNED John Mason [ca-compliance] 2021-04-16T07:19:02Z
1705480 SECOM: CP/CPS does not clearly specify domain validation methods ASSIGNED Hisashi Kamo [ca-compliance] 2021-04-16T01:37:23Z

31 Total; 31 Open (100%); 0 Resolved (0%); 0 Verified (0%);

Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Full Query
ID Summary Status Assigned to Whiteboard Last change time
1704140 Camerfirma: Govern d'Andorra Audit Delay ASSIGNED Ana Lopes [ca-compliance] [audit-delay] 2021-04-12T14:23:34Z

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);

Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1651447 GlobalSign: Failure to revoke noncompliant ICA within 7 days ASSIGNED Arvid Vermote [ca-compliance] [delayed-revocation-ca] 2021-01-12T13:19:27Z
1651637 Firmaprofesional: Failure to revoke ICAs within 7 days: OCSP EKU ASSIGNED Maria Jose Prieto [ca-compliance] [delayed-revocation-ca] Next update 2021-01-04 2021-02-08T16:23:17Z
1652610 SECOM: Delayed Revocation of CA Certificate with OCSP EKU Issue ASSIGNED Hisashi Kamo [ca-compliance] [delayed-revocation-ca] 2021-04-15T06:59:41Z
1688844 Netlock: Delayed revocation report connected to ticket 1680378 ASSIGNED Varga Viktor [ca-compliance] [delayed-revocation-leaf] 2021-04-07T14:05:48Z
1692535 Camerfirma: Delayed revocations of certificates issued by old CAs with an RSA modulus size of 2047 bits ASSIGNED Ana Lopes [ca-compliance][delayed-revocation-leaf] 2021-04-09T13:43:36Z

5 Total; 5 Open (100%); 0 Resolved (0%); 0 Verified (0%);

Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: