CA/Incident Dashboard

From MozillaWiki

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

ID Summary Status Assigned to Whiteboard Last change time
1463975 GRCA: Misissued certificates: Invalid commonName, commonName not in SAN ASSIGNED National Development Council [ca-compliance] CKA_NSS_SERVER_DISTRUST_AFTER 2020-05-26T18:09:40Z
1496616 Consorci AOC: Qualified audit statements ASSIGNED Francesc Ferrer [ca-compliance] CKA_NSS_SERVER_DISTRUST_AFTER 2020-05-22T10:08:58Z
1532436 Chunghwa Telecom: Test certificate with unregistered domain name ASSIGNED Li-Chun CHEN [ca-compliance] 2020-06-03T09:16:49Z
1532559 CFCA: Wrong SerialNumber encoding ASSIGNED Jonathan Sun [ca-compliance] 2020-06-02T06:22:32Z
1551372 Telia: "Some-State" in stateOrProvinceName ASSIGNED pekka.lahtiharju [ca-compliance] 2020-05-25T06:44:52Z
1559765 Izenpe: Multiple invalid EV certificates issued ASSIGNED Oscar Garcia [ca-compliance] - Next Update - 1-June 2020 2020-05-28T07:09:30Z
1563579 Sectigo: Failure to provide timely incident reports ASSIGNED Robin Alden [ca-compliance] 2020-06-02T15:13:51Z
1565270 Telia: Qualified BR Audit Statement ASSIGNED pekka.lahtiharju [ca-compliance] - Next Update - 8-June 2020 2020-06-05T10:18:48Z
1575022 Sectigo: EV SSL Certificates with incorrect subject details. ASSIGNED Robin Alden [ca-compliance] - Next Update - 15-June 2020 2020-06-03T01:46:39Z
1575880 GlobalSign: SSL Certificates with US country code and invalid State/Prov ASSIGNED douglas.beattie [ca-compliance] - Next Update 30-June 2020 2020-06-01T17:39:23Z
1576013 DigiCert: JOI Issue ASSIGNED Jeremy Rowley [ca-compliance] 2020-05-27T18:42:26Z
1578505 LuxTrust: Outdated audit statement for intermediate cert ASSIGNED ca [ca-compliance] - Overdue Audit for intermediate cert 2020-05-25T16:53:03Z
1586795 NetLock: Issuance of intermediates after 2019-01-01 that do not comply with Mozilla Policy ASSIGNED Varga Viktor [ca-compliance] 2020-06-03T21:59:24Z
1588001 Apple OCSP responders return responses with incorrect issuer ASSIGNED certification_authority [ca-compliance] - Next Update - 30-June 2020 2020-05-20T21:42:06Z
1590810 Sectigo: EV SSL Certificates with incorrect businessCategory ASSIGNED Robin Alden [ca-compliance] - Next Update - 1-June 2020 2020-06-03T14:49:34Z
1593776 Sectigo: invalid subject:organizationalUnitName on DV certificates ASSIGNED Robin Alden [ca-compliance] - Next Update - 15-June 2020 2020-05-22T18:52:18Z
1597947 Sectigo: CCADB failed ALV - Network Solutions Certificate Authority ASSIGNED Robin Alden [ca-compliance] 2020-06-02T21:40:37Z
1597948 Sectigo: CCADB failed ALV - D-TRUST CA 2-1 2015 ASSIGNED Robin Alden [ca-compliance] 2020-06-02T21:36:19Z
1597950 Sectigo: CCADB failed ALV - Ensured Root CA ASSIGNED Robin Alden [ca-compliance] 2020-06-03T08:49:08Z
1605804 GoDaddy: Domain Validation Reuse Issue ASSIGNED Joanna [ca-compliance] - Next Update - 1-June 2020 2020-05-26T15:09:18Z
1610303 D-TRUST: Issuance of non-conformant SSL certificate ASSIGNED Enrico Entschew [ca-compliance] - Next Update - 15-June 2020 2020-05-22T17:17:32Z
1613334 SwissSign: Misissuance with mispellings in Location for a number of Certificates ASSIGNED Mike Guenther [ca-compliance] 2020-06-05T15:12:51Z
1614448 GRCA: Audit Letter Validation failures on intermediate certificates ASSIGNED National Development Council [ca-compliance] - Next Update - 1-June 2020 2020-05-26T16:30:09Z
1619047 Let's Encrypt: CAA Rechecking bug ASSIGNED Jacob Hoffman-Andrews [ca-compliance] Next Update - 28-April 2020 2020-05-28T20:23:40Z
1619359 Sectigo: Failure to provide a preliminary report within 24 hours ASSIGNED Robin Alden [ca-compliance] 2020-06-03T03:22:50Z
1622505 GlobalSign: OCSP Status HTTP 530 ASSIGNED Arvid Vermote [ca-compliance] Next Update - 15-June 2020 2020-05-17T20:10:51Z
1622539 Microsec: Issuance of 2 IVCP precertificates without givenName, surName, localityName fields ASSIGNED dr. Sándor SZŐKE [ca-compliance] Next Update - 20 May, 2020 2020-05-26T12:35:26Z
1623356 GlobalSign: Misissuance of QWAC Certificates ASSIGNED douglas.beattie [ca-compliance] - Next Update - 15-June 2020 2020-05-22T20:12:33Z
1623384 Camerfirma: Invalid authorityKeyIdentifier - recurrent incident ASSIGNED Ana Lopes [ca-compliance] 2020-05-22T12:12:26Z
1624527 DigiCert: Issuance of Cert with Compromised Key ASSIGNED Jeremy Rowley [ca-compliance] Next Update - 1-June 2020 2020-06-02T21:26:14Z
1625498 Google Trust Services: Tracking bug for possible audit delays (audit due 2020-12) ASSIGNED kluge [ca-compliance] [audit-delay] [covid-19] Next Update - 1 July, 2020 2020-03-30T11:03:45Z
1625767 Microsec: Audit Letter Validation Failures ASSIGNED dr. Sándor SZŐKE [ca-compliance] - Next Update - 1-June 2020 2020-06-05T12:20:25Z
1626355 Atos: Tracking bug for possible audit delays ASSIGNED michael.schwieters [ca-compliance][audit-delay][covid-19] Next Update 2020-05-04 2020-06-02T13:42:25Z
1628292 Buypass: Failure to revoke PSD2 QWACs within mandated 5 days ASSIGNED Mads Henriksveen [ca-compliance] 2020-05-26T14:53:14Z
1630870 GlobalSign: Certificate issued with RSASSA-PSS public key ASSIGNED Paul Brown [ca-compliance] Next update - 30-June, 2020 2020-06-04T15:54:22Z
1632632 Buypass: Illegal Business Category in a PSD2 QWAC ASSIGNED Mads Henriksveen [ca-compliance] 2020-05-26T18:54:01Z
1634795 Google Trust Services: Incorrect revocation data temporarily served for GTS Y3 & Y4 ASSIGNED Andy Warner [ca-compliance] 2020-06-01T17:16:19Z
1635096 Entrust: Printable String Constraint Failure ASSIGNED Bruce Morton [ca-compliance] 2020-05-29T18:28:49Z
1635279 Identrust: Incorrect Subject Details for HydrantId ASSIGNED IdenTrust [ca-compliance] - Next Update - 1-October 2020 2020-06-01T17:17:45Z
1636140 SwissSign: duplicate serial number ASSIGNED Mike Guenther [ca-compliance] 2020-06-02T15:36:13Z
1636141 SwissSign: failure to provide a preliminary report within 24 hours ASSIGNED Mike Guenther [ca-compliance] 2020-06-02T13:29:01Z
1636544 IdenTrust: OCSP Outage ASSIGNED IdenTrust [ca-compliance] Next Update - 30-July 2020 2020-05-30T00:00:12Z
1637093 Multicert: AIA CA Issuer field pointing to PEM encoded cert ASSIGNED ca.forum [ca-compliance] 2020-06-03T15:02:40Z
1639032 DigiCert: "Internet Widgits Pty Ltd" in organizationalUnitName ASSIGNED Brenda Bernal [ca-compliance] 2020-05-31T21:41:31Z
1639502 Asseco DS / Certum: Incorrect OCSP response encoding ASSIGNED Wojciech Trapczyński [ca-compliance] 2020-05-28T13:41:08Z
1639794 Let's Encrypt: Failure to revoke key-compromised certificate within 24 hours ASSIGNED Jacob Hoffman-Andrews [ca-compliance] 2020-06-06T10:29:19Z
1639798 GoDaddy: Failure to revoke key-compromised certificates within 24 hours ASSIGNED Joanna [ca-compliance] 2020-06-06T10:24:22Z
1639799 Globalsign: Failure to revoke key-compromised certificate within 24 hours ASSIGNED Arvid Vermote [ca-compliance] Next Update - 12-June 2020 2020-06-02T16:29:22Z
1639801 Digicert: Failure to revoke key-compromised certificates within 24 hours ASSIGNED Brenda Bernal [ca-compliance] 2020-06-03T15:50:18Z
1639802 Digicert: Failure to revoke key-compromised certificate ASSIGNED Brenda Bernal [ca-compliance] 2020-06-03T15:50:49Z
1639804 Sectigo: Failure to revoke key-compromised certificate within 24 hours ASSIGNED Robin Alden [ca-compliance] 2020-06-03T18:39:35Z
1639805 Sectigo: Failure to revoke key-compromised certificates ASSIGNED Robin Alden [ca-compliance] 2020-06-01T22:43:08Z
1640310 GoDaddy: Failure to revoke certificate with compromised key within 24 hours ASSIGNED Daniela Hood [ca-compliance] 2020-06-06T14:47:28Z
1640805 Digicert: delayed publication of revocation information ASSIGNED Jeremy Rowley [ca-compliance] 2020-06-02T22:38:29Z

54 Total; 54 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

ID Summary Status Assigned to Whiteboard Last change time
1625498 Google Trust Services: Tracking bug for possible audit delays (audit due 2020-12) ASSIGNED kluge [ca-compliance] [audit-delay] [covid-19] Next Update - 1 July, 2020 2020-03-30T11:03:45Z
1626355 Atos: Tracking bug for possible audit delays ASSIGNED michael.schwieters [ca-compliance][audit-delay][covid-19] Next Update 2020-05-04 2020-06-02T13:42:25Z

2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements; any such situation should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

ID Summary Status Assigned to Whiteboard Last change time
1575530 Camerfirma: Govern d'Andorra audits ASSIGNED Juan Angel Martin [ca-compliance] [delayed-revocation-ca] 2020-05-25T17:12:01Z
1581597 QuoVadis: Unconstrained CAs missing audits ASSIGNED Stephen Davidson [ca-compliance] [delayed-revocation-ca] [covid-19] 2020-05-29T17:10:07Z
1591005 GlobalSign: ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report ASSIGNED Arvid Vermote [ca-compliance] [delayed-revocation-ca] 2020-06-03T08:45:52Z
1598807 IdenTrust: Undisclosed Unrevoked ICAs ASSIGNED IdenTrust [ca-compliance] [delayed-revocation-ca] [covid-19] - Next Update - 30-June 2020 2020-05-29T19:16:36Z
1599916 QuoVadis: Unconstrained CAs revocation ASSIGNED Stephen Davidson [ca-compliance] [delayed-revocation-ca] Next Update - 31-March 2020 2020-05-28T16:36:52Z
1610767 WISeKey: Failure to meet revocation deadline ASSIGNED Pedro Fuentes [ca-compliance] [delayed-revocation-leaf] Next Update - 23-January 2020 2020-05-25T06:54:54Z
1613406 SwissSign: Delayed revocation for mispellings in Location for a number of Certificates ASSIGNED Mike Guenther [ca-compliance] [delayed-revocation-leaf] 2020-06-07T00:21:48Z
1620561 Sectigo: Non-revocation of certificates with subject:organizationalUnitName in DV certificates ASSIGNED Robin Alden [ca-compliance] [delayed-revocation-leaf] 2020-06-03T17:29:12Z
1624504 QuoVadis: Failure to revoke certificates with compromised private keys ASSIGNED Stephen Davidson [ca-compliance] [delayed-revocation-leaf] - Next update 15-June 2020 2020-05-22T19:00:29Z
1635840 Sectigo: Failure to properly respond to a report of subscriber key compromise ASSIGNED Robin Alden [ca-compliance] [delayed-revocation-leaf] 2020-06-02T21:24:44Z
1636339 Entrust: Failure to revoke a certificate ASSIGNED Bruce Morton [ca-compliance] [delayed-revocation-leaf] 2020-06-01T08:30:56Z

11 Total; 11 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: