CA/Incident Dashboard
Open CA Bugs in Bugzilla
There are three separate lists of open compliance bugs below:
- Compliance bugs (not including audit delays or leaf revocation delays)
- Audit Delays
- Leaf Revocation Delays
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=CA+Program&component=CA+Certificate+Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
Actalis: incorrect CP/S Last Update date in CCADB | 1973238 | ASSIGNED | Adriano Santoni | [ca-compliance] [disclosure-failure] | 2025-07-25T13:36:43Z | 2025-06-20T13:29:15Z |
Certainly: Sample Websites Unavailable | 1968836 | ASSIGNED | Daniel Jeffery | [ca-compliance] [policy-failure] | 2025-07-17T20:46:31Z | 2025-05-28T03:00:33Z |
D-Trust: Defective certificate incident reporting form | 1976837 | ASSIGNED | Enrico Entschew | [ca-compliance] [policy-failure] | 2025-07-24T06:57:47Z | 2025-07-11T09:23:52Z |
DigiCert: DCV logging issue | 1974539 | ASSIGNED | DigiCert | [ca-compliance] [policy-failure] | 2025-07-23T20:57:16Z | 2025-06-27T23:09:04Z |
DigiCert: Re-use of WHOIS validation shortly after deadline | 1978163 | ASSIGNED | DigiCert | [ca-compliance] [dv-misissuance] [ov-misissuance] | 2025-07-25T23:50:04Z | 2025-07-18T21:01:12Z |
eMudhra emSign PKI Services: Policy Document Inconsistency | 1973341 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [policy-failure] | 2025-07-25T07:22:41Z | 2025-06-21T10:33:57Z |
Entrust: Missing or Inconsistent Disclosure of S/MIME BR Audits | 1952635 | ASSIGNED | Bruce Morton | [ca-compliance] [audit-failure] | 2025-07-17T23:11:49Z | 2025-03-08T12:20:57Z |
FNMT: CP/CPS, Revocation Requests Mechanism, Certificate Problem Report, CRL and OCSP disruption | 1963778 | ASSIGNED | Amaya Espinosa | [ca-compliance] [policy-failure] Next update 2025-07-31 | 2025-07-07T13:21:30Z | 2025-05-01T08:21:00Z |
Google Trust Services: Missing authorization audit log entry for certificate issuance | 1979457 | UNCONFIRMED | Google Trust Services | [ca-compliance] [policy-failure] | 2025-07-29T15:37:25Z | 2025-07-25T21:06:01Z |
IZENPE: IssuingDistributionPoint extension in CRLs not marked as Critical | 1976256 | ASSIGNED | Toni Sáez | [ca-compliance] [crl-failure] | 2025-07-22T04:01:29Z | 2025-07-08T15:19:58Z |
Let's Encrypt: Deployed Unreviewed Boulder Code | 1972745 | ASSIGNED | Jacob Hoffman-Andrews | [close on 2025-07-29] [ca-compliance] [policy-failure] | 2025-07-22T12:23:17Z | 2025-06-18T04:10:38Z |
Microsoft PKI Services: End Entity Certificate Mis-issuance against CPS (BasicConstraints) | 1979475 | UNCONFIRMED | Microsoft PKI Services | [ca-compliance] [policy-failure] [ov-misissuance] | 2025-07-28T16:43:52Z | 2025-07-26T00:21:43Z |
Microsoft PKI Services: Policy document bug | 1962829 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2025-07-25T22:05:26Z | 2025-04-26T02:10:29Z |
Microsoft PKI Services: Pre-Sign Linting Validation did not occur in ICA creation | 1974592 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [ca-misissuance] | 2025-07-25T22:17:56Z | 2025-06-28T22:36:23Z |
NETLOCK: Expired Test Website Certificate | 1979287 | UNCONFIRMED | Roland | [ca-compliance] [policy-failure] | 2025-07-28T16:40:40Z | 2025-07-25T09:42:54Z |
SECOM: Cybertrust Japan's CRL lacks the critical flag in the issuingDistributionPoint extension | 1975624 | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [crl-failure] | 2025-07-25T05:04:00Z | 2025-07-04T01:10:58Z |
SECOM: S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ) | 1950574 | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [audit-finding] Next update 2025-09-01 | 2025-02-28T15:35:46Z | 2025-02-26T09:11:03Z |
Sectigo: OV reuse data applied for wrong organization | 1977253 | ASSIGNED | Tim Callan | [ca-compliance] [ov-misissuance] | 2025-07-25T09:44:58Z | 2025-07-14T19:30:45Z |
SHECA: New CPS disclosure of CCADB exceeds the required 14-day deadline | 1974198 | ASSIGNED | SHECA | [ca-compliance] [disclosure-failure] | 2025-07-22T02:21:27Z | 2025-06-26T11:01:25Z |
SHECA: The stateOrProvinceName and streetAddress of the certificate DN item are issued incorrectly | 1978186 | ASSIGNED | SHECA | [ca-compliance] [ov-misissuance] | 2025-07-25T17:34:33Z | 2025-07-19T00:54:04Z |
SSL.com: "unknown" OCSP response for issued certificates | 1957140 | ASSIGNED | SSL.com | [ca-compliance] [ocsp-failure] Next update 2025-07-31 | 2025-07-22T15:21:52Z | 2025-03-28T19:39:09Z |
SSL.com: Issuance of certificates using keys previously reported as compromised | 1927532 | ASSIGNED | Rebecca Kelley | [ca-compliance] [dv-misissuance] Next update 2025-07-23 | 2025-07-23T15:22:47Z | 2024-10-28T18:17:59Z |
SwissSign: OCSP outage | 1965828 | ASSIGNED | Roman Fischer | [ca-compliance] [ocsp-failure] Next update 2025-07-31 | 2025-07-21T14:24:45Z | 2025-05-12T14:01:24Z |
Telekom Security: Failure to file a bug for two findings from the 2024 Audit | 1976860 | ASSIGNED | Stefan Kirch | [ca-compliance] [disclosure-failure] | 2025-07-24T15:51:52Z | 2025-07-11T11:09:45Z |
24 Total; 24 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | 1911335 | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2025-07-10T16:06:54Z | 2024-08-02T15:40:40Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
[meta] Delayed Revocation | 1911183 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2025-06-10T20:05:50Z | 2024-08-01T20:05:04Z |
eMudhra emSign PKI Services : Delayed Revocation of TLS Certificates due to Policy Inconsistency. | 1974435 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [leaf-revocation-delay] | 2025-07-28T07:17:49Z | 2025-06-27T13:09:27Z |
Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829 | 1965612 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [leaf-revocation-delay] | 2025-07-28T16:39:44Z | 2025-05-10T01:34:01Z |
NETLOCK: Bug 1891331 replacement - delayed revocation - | 1947691 | ASSIGNED | Nikolett | [ca-compliance] [leaf-revocation-delay] | 2025-07-29T09:47:35Z | 2025-02-12T09:43:02Z |
VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | 1885568 | ASSIGNED | VikingCloud CA | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] | 2025-07-29T20:57:40Z | 2024-03-15T16:20:17Z |
5 Total; 5 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: