CA/Incident Dashboard


Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern that a CA's certificates fail to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
| --- | --- | --- | --- | --- | --- |
| Amazon Trust Services: ALV Errors | 1713668 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] Next update 2021-07-01 | 2021-06-15T20:45:36Z |
| Amazon Trust Services: CP/CPS does not specify key compromise methods | 1713976 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] | 2021-06-12T00:07:21Z |
| Amazon Trust Services: Forbidden Domain Validation Method | 1713978 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] | 2021-06-14T16:37:55Z |
| Asseco DS / Certum: CPS does not refer to BR domain validation methods | 1717034 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] | 2021-06-17T14:54:17Z |
| Asseco DS / Certum: Incorrect localityName | 1711208 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] | 2021-06-11T12:08:40Z |
| Asseco DS / Certum: Invalid stateOrProvinceName field (recurrent incident) | 1709392 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] | 2021-06-11T12:07:00Z |
| Buypass: Illegal Business Category in a PSD2 QWAC | 1632632 | ASSIGNED | Mads Henriksveen | [ca-compliance] Next update 2021-06-20 | 2021-04-02T17:43:21Z |
| Camerfirma: Govern d'Andorra Audit Delay | 1704140 | ASSIGNED | Ana Lopes | [ca-compliance] [audit-delay] | 2021-05-14T10:42:17Z |
| DigiCert: Incorrect RegNumber-Org Type combination | 1714439 | ASSIGNED | Brenda Bernal | [ca-compliance] | 2021-06-15T20:27:03Z |
| Disig: CPS does not refer to BR domain validation methods | 1717001 | ASSIGNED | Peter Miskovic | [ca-compliance] | 2021-06-17T16:19:14Z |
| E-Tugra: CA Certificate Missing from Audit Reports | 1716843 | ASSIGNED | Davut Tokgöz | [ca-compliance] | 2021-06-17T00:38:24Z |
| E-Tugra: Forbidden Domain Validation Method | 1716902 | ASSIGNED | Davut Tokgöz | [ca-compliance] | 2021-06-17T03:08:38Z |
| Entrust: Incorrect Business Category Value Discovered in an EV SSL Certificate | 1685370 | ASSIGNED | Dathan Demone | [ca-compliance] | 2021-06-16T08:34:25Z |
| Entrust: Incorrect Jurisdiction Country Value in an EV Certificate | 1696227 | ASSIGNED | Dathan Demone | [ca-compliance] Next update 2021-06-01 | 2021-06-07T20:22:22Z |
| Entrust: Invalid localityName | 1712106 | ASSIGNED | Dathan Demone | [ca-compliance] Next update 2021-07-01 | 2021-06-01T15:58:27Z |
| GlobalSign: Incorrect OCSP Delegated Responder Certificate | 1649937 | ASSIGNED | douglas.beattie | [ca-compliance] Next Update 2021-07-01 | 2021-06-01T15:56:24Z |
| GlobalSign: Incorrect RegNumber-Org Type combination | 1714968 | ASSIGNED | Eva Van Steenberge | [ca-compliance] | 2021-06-14T06:57:00Z |
| GlobalSign: Invalid countryName | 1707073 | ASSIGNED | Eva Van Steenberge | [ca-compliance] Next update 2021-07-14 | 2021-06-04T14:48:22Z |
| GlobalSign: Invalid stateOrProvinceName and locality pair | 1708834 | ASSIGNED | Arvid Vermote | [ca-compliance] | 2021-06-16T08:33:50Z |
| GLOBALTRUST: CN domain not in SAN | 1716123 | ASSIGNED | Daniel Zens | [ca-compliance] | 2021-06-17T10:34:19Z |
| GLOBALTRUST: Revoked test website not using revoked certificate | 1716163 | ASSIGNED | Daniel Zens | [ca-compliance] | 2021-06-17T13:42:19Z |
| Google Trust Services: Failure to provide regular and timely incident updates | 1708516 | ASSIGNED | Andy Warner | [ca-compliance] | 2021-06-16T16:53:40Z |
| Google Trust Services: Forbidden Domain Validation Method | 1706967 | ASSIGNED | Andy Warner | [ca-compliance] | 2021-06-14T18:55:47Z |
| Google Trust Services: Signing SHA-1 Hash for existing CA certificate with changes in Key Usage | 1709223 | ASSIGNED | Ryan Hurst | [ca-compliance] | 2021-06-15T16:33:18Z |
| IdenTrust: Unavailable CRL for IdenTrust ‘DST Root CA X3’. | 1709192 | ASSIGNED | IdenTrust | [ca-compliance] Next update 2021-07-01 | 2021-06-01T15:45:19Z |
| iTrusChina: verification errors for the roots' CRLs(ARL) | 1712664 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] | 2021-05-26T14:07:26Z |
| KIR S.A.: CN domain not in SAN | 1705187 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-09T14:02:54Z |
| KIR S.A.: CP/CPS contains noncompliant DV method, does not specify CAA domains | 1705904 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-09T14:03:05Z |
| KIR S.A.: DV certificates with locality name, organization name and stateOrProvinceName | 1705832 | ASSIGNED | Piotr Grabowski | [ca-compliance] Next update 2021-07-01 | 2021-06-09T14:03:03Z |
| KIR S.A.: Invalid localityName + CRL Revoked but OCSP Unknown | 1705337 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-09T20:20:45Z |
| KIR S.A.: Invalid organizationName | 1705647 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-09T14:02:59Z |
| KIR S.A.: Many certificates with OCSP Unknown | 1705657 | ASSIGNED | Piotr Grabowski | [ca-compliance] | 2021-06-09T14:03:01Z |
| Let's Encrypt: certificate lifetimes 90 days plus one second | 1715455 | ASSIGNED | Josh Aas | [ca-compliance] | 2021-06-17T14:54:56Z |
| Microsoft PKI Services: Failure to disclose Unconstrained Intermediate within 7 Days | 1700809 | ASSIGNED | John Mason | [ca-compliance] | 2021-05-16T14:38:06Z |
| Microsoft PKI Services: Malformed ICAs (missing certificate policy extensions) | 1711147 | ASSIGNED | John Mason | [ca-compliance] | 2021-06-11T18:05:38Z |
| Microsoft PKI Services: Policy Documentation, Failure to update Subscriber Certificate Max Validity Period | 1693930 | ASSIGNED | John Mason | [ca-compliance] | 2021-06-01T22:17:29Z |
| Microsoft PKI Services: Underscore in SAN | 1705419 | ASSIGNED | John Mason | [ca-compliance] | 2021-06-11T18:06:55Z |
| Netlock: CA Certificate Missing from Audit Reports | 1716874 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-06-17T05:30:22Z |
| Netlock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit | 1680378 | ASSIGNED | Zoltán Kővári-Szabó | [ca-compliance] | 2021-06-07T16:48:31Z |
| PKIoverheid: KPN issued Invalid organizationalUnitName | 1706950 | ASSIGNED | Jorik van 't Hof | [ca-compliance] | 2021-06-10T21:10:35Z |
| SECOM: CA Certificates Missing from Audit Reports | 1717044 | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-06-17T16:12:46Z |
| SECOM: CP/CPS does not clearly specify domain validation methods | 1705480 | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2021-06-01T10:20:17Z |
| SECOM: FUJIFILM intermediate not listed in audit statement | 1695938 | ASSIGNED | Hisashi Kamo | [ca-compliance] Next update 2021-06-25 | 2021-06-07T16:59:34Z |
| SECOM: Unqualified domain name in SAN | 1695786 | ASSIGNED | Hisashi Kamo | [ca-compliance] Next update 2021-07-01 | 2021-06-03T13:01:43Z |
| Sectigo: Forbidden Domain Validation Method | 1714628 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-11T20:16:20Z |
| Sectigo: Inappropriate subject:serialNumber information in EV certificates obtained through ACME | 1712120 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-14T22:42:01Z |
| Sectigo: Incorrect EV businessCategory | 1715929 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-11T21:56:10Z |
| Sectigo: Incorrect locality information | 1714193 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-16T19:19:59Z |
| Sectigo: Invalid postalCode field | 1708934 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-17T16:46:41Z |
| Sectigo: Invalid stateOrProvinceName | 1710243 | ASSIGNED | Rob Stradling | [ca-compliance] | 2021-06-14T20:38:53Z |
| Sectigo: Misspellings in stateOrProvince or localityName fields | 1715024 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-14T20:25:35Z |
| Sectigo: test certificates issued from trusted CA | 1712188 | ASSIGNED | Tim Callan | [ca-compliance] | 2021-06-14T22:55:28Z |
| Taiwan-CA: Invalid stateOrProvinceName | 1709070 | ASSIGNED | Hao-Chun Li | [ca-compliance] | 2021-05-06T09:46:41Z |
| Telekom Security: Key Encipherment in two ECC SAN TLS certificates | 1703528 | ASSIGNED | Arnold Essing | [ca-compliance] | 2021-06-08T07:30:12Z |
| TunTrust: OCSP unreachable | 1663953 | ASSIGNED | Agence Nationale de Certification Electronique | [ca-compliance] Next Update 2021-06-15 | 2021-05-04T12:26:43Z |
| TWCA: CA Certificate Missing from Audit Reports | 1716670 | ASSIGNED | Hao-Chun Li | [ca-compliance] | 2021-06-16T09:57:02Z |

56 Total; 56 Open (100%); 0 Resolved (0%); 0 Verified (0%);

Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
| --- | --- | --- | --- | --- | --- |
| Camerfirma: Govern d'Andorra Audit Delay | 1704140 | ASSIGNED | Ana Lopes | [ca-compliance] [audit-delay] | 2021-05-14T10:42:17Z |

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);

Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
| --- | --- | --- | --- | --- | --- |
| Camerfirma: Delayed revocations of certificates issued by old CAs with an RSA modulus size of 2047 bits | 1692535 | ASSIGNED | Ana Lopes | [ca-compliance][delayed-revocation-leaf] | 2021-06-11T11:36:47Z |
| Google Trust Services: Failure to revoke subscriber certificates within BR timeframe | 1715421 | ASSIGNED | Fotis Loukos | [ca-compliance] [delayed-revocation-leaf] | 2021-06-16T10:53:19Z |
| KIR S.A.: Delayed revocations of certificates | 1709872 | ASSIGNED | Piotr Grabowski | [ca-compliance] [delayed-revocation-leaf] | 2021-06-16T11:00:19Z |
| Let’s Encrypt: Failure to revoke for Certificate Lifetime Incident | 1715672 | ASSIGNED | Aaron Gable | [ca-compliance] [delayed-revocation-leaf] | 2021-06-16T08:33:32Z |
| SECOM: Delayed Revocation of non-technically constrained FUJIFILM Certificates | 1707229 | ASSIGNED | Hisashi Kamo | [ca-compliance] [delayed-revocation-leaf] Next update 2021-06-25 | 2021-06-07T16:58:27Z |

5 Total; 5 Open (100%); 0 Resolved (0%); 0 Verified (0%);

Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: