CA/Incident Dashboard


Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Certainly: Serving Expired OCSP Responses | 1771238 | ASSIGNED | Wayne Thayer | [ca-compliance] | 2022-05-26T16:18:55Z |
| certSIGN: Incorrect data in stateOrProvinceName | 1763173 | ASSIGNED | Gabriel PETCU | [ca-compliance] | 2022-05-26T14:10:50Z |
| certSIGN: Subscriber precertificate without Certificate Policies | 1762707 | ASSIGNED | Valentin Necoara | [ca-compliance] | 2022-05-26T16:36:40Z |
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-01-05T03:13:44Z |
| D-Trust: Wrong key usage (Key Agreement) | 1756122 | ASSIGNED | Enrico Entschew | [ca-compliance] | 2022-05-06T14:45:06Z |
| eMudhra emSign CA: Invalid AIA Extension Value | 1763700 | ASSIGNED | Vijay Kumar | [ca-compliance] | 2022-05-02T11:03:01Z |
| eMudhra emSign CA: Invalid OrganizationalUnitName | 1745015 | ASSIGNED | Vijay Kumar | [ca-compliance] | 2022-05-02T11:06:37Z |
| Entrust: TLS Certificate issued with a key that is impacted by the Close Primes vulnerability | 1766525 | ASSIGNED | Bruce Morton | [ca-compliance] | 2022-05-16T19:04:53Z |
| Firmaprofesional: 2022 - SSL certificates issued with wrong Organization ID number | 1769240 | ASSIGNED | Maria Jose Prieto | [ca-compliance] | 2022-05-16T07:37:24Z |
| GoDaddy: OV Documentation Reuse | 1759959 | ASSIGNED | Brittany Randall | [ca-compliance] Next update 2022-06-30 | 2022-04-12T14:33:41Z |
| Google Trust Services: Failure to provide preliminary report within 24h | 1770510 | ASSIGNED | Cade Cairns | [ca-compliance] | 2022-05-23T15:28:21Z |
| IdenTrust: Failure to provide OCSP responses for valid ICA certificates | 1758213 | ASSIGNED | IdenTrust | [ca-compliance] | 2022-04-29T22:19:22Z |
| IdenTrust: OCSP Signer Certificate Missing No-Check Extension | 1749089 | ASSIGNED | IdenTrust | [ca-compliance] Next update 2022-02-28 | 2022-04-29T22:25:46Z |
| IdenTrust: Pre-certificates without a final certificate showing OCSP error | 1758027 | ASSIGNED | IdenTrust | [ca-compliance] | 2022-05-24T22:26:45Z |
| PKIoverheid: (KPN) Incorrect Subject OrganizationName | 1746421 | ASSIGNED | David Weissenberg | [ca-compliance] | 2022-04-04T16:26:15Z |
| SECOM: Failed an annual update of Cybertrust Japan (CTJ) CPS | 1769222 | ASSIGNED | Hisashi Kamo | [ca-compliance] | 2022-05-20T08:07:59Z |
| Sectigo: OCSP responses directly signed using root certificates without KU=digitalSignature | 1741777 | ASSIGNED | Rob Stradling | [ca-compliance] Next update 2022-06-14 | 2022-05-24T21:02:57Z |
| SecureTrust: Incorrect OCSP response | 1765800 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2022-09-01 | 2022-05-20T17:45:51Z |
| SecureTrust: Invalid localityName | 1720723 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2022-06-01 | 2022-03-11T16:11:58Z |
| SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels | 1724520 | ASSIGNED | Chris Kemmerer | [ca-compliance] Next update 2022-02-18 | 2022-02-18T20:31:04Z |
| SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information | 1722089 | ASSIGNED | Chris Kemmerer | [ca-compliance] Next update 2022-02-18 | 2022-02-18T20:27:43Z |
| SSL.com: Issuance of TLS certificates with validation methods prohibited by SC-45 | 1750631 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2022-02-18T21:42:02Z |
| SwissSign: Mis-Issuance of S/MIME certificates | 1766255 | ASSIGNED | Mike Guenther | [ca-compliance] | 2022-05-02T09:27:12Z |
| Telia CA: Issued three precertificates with non-NIST EC curve | 1738207 | ASSIGNED | pekka.lahtiharju | [ca-compliance] | 2022-01-28T14:13:40Z |
| TWCA: Policy OID not set to indicate the assurance level to the issued certs | 1738778 | ASSIGNED | Hao-Chun Li | [ca-compliance] | 2022-02-16T08:03:46Z |
| UniTrust: Improper DER results in failure to comply with RFC 5280 - Encoded sequence component with default value | 1735908 | ASSIGNED | chenxiaotong | [ca-compliance] | 2022-02-24T01:36:43Z |

26 Total; 26 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

Full Query

| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-01-05T03:13:44Z |

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Amazon Trust Services: Delayed Revocation of Subordinate CA | 1743943 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] [delayed-revocation-ca] Next update 2022-03-04 | 2022-05-20T21:56:23Z |
| SSL.com: Delayed revocation of 53 certificates affected by bug #1750631 | 1752636 | ASSIGNED | Chris Kemmerer | [ca-compliance] [delayed-revocation-leaf] | 2022-03-11T21:38:49Z |

2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: