CA/Incident Dashboard
From MozillaWiki
< CA
Contents
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-01-05T03:13:44Z |
| E-Tugra: CA Certificate Missing from Audit Reports | 1716843 | ASSIGNED | Davut Tokgöz | [ca-compliance] Next update 2022-01-20 | 2022-01-11T16:38:11Z |
| eMudhra emSign CA: Invalid OrganizationalUnitName | 1745015 | ASSIGNED | Vijay Kumar | [ca-compliance] | 2021-12-13T13:52:46Z |
| Entrust: CRLs and OCSP responses not issued as specified in the CPS | 1737057 | ASSIGNED | Bruce Morton | [ca-compliance] | 2021-11-05T17:16:40Z |
| FNMT: Invalid localityName | 1744722 | ASSIGNED | alain | [ca-compliance] Next update 2022-02-28 | 2022-01-12T15:23:24Z |
| GlobalSign: EV certificates with serialNumber Government Entity and businessCategory Private Organization | 1744518 | ASSIGNED | Paul Brown | [ca-compliance] | 2022-01-15T03:39:42Z |
| GlobalSign: Incorrect OCSP Delegated Responder Certificate | 1649937 | ASSIGNED | douglas.beattie | [ca-compliance] Next Update 2022-01-31 | 2022-01-12T17:30:59Z |
| GoDaddy: Failure to Revoke Subscriber Certificates within 24 hours | 1742657 | ASSIGNED | Brittany Randall | [ca-compliance] Next update 2022-02-11 | 2022-01-08T02:00:03Z |
| IdenTrust: Issuance of OV SSL Certificate with doc vetting older than 398 days | 1744627 | ASSIGNED | IdenTrust | [ca-compliance] Next update 2022-01-17 | 2021-12-30T23:08:15Z |
| IdenTrust: Mis-Issued EV Certificates | 1734917 | ASSIGNED | IdenTrust | [ca-compliance] Next update 2022-01-22 | 2022-01-11T17:04:54Z |
| IdenTrust: OCSP Signer Certificate Missing No-Check Extension | 1749089 | ASSIGNED | IdenTrust | [ca-compliance] | 2022-01-10T16:23:26Z |
| Izenpe: CRL and ARL exceed validity period value by one second | 1738421 | ASSIGNED | David | [ca-compliance] | 2021-11-03T15:17:42Z |
| KIR S.A.: Invalid organizationName | 1705647 | ASSIGNED | Piotr Grabowski | [ca-compliance] Next update 2022-01-22 | 2022-01-11T17:21:19Z |
| Microsec: Misissuance of one OV certificate with Key Usage KeyEncipherment | 1728384 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] | 2022-01-11T13:14:00Z |
| Microsoft PKI Services: Malformed ICAs (missing certificate policy extensions) | 1711147 | ASSIGNED | John Mason | [ca-compliance] Next update 2022-01-17 | 2022-01-07T18:57:48Z |
| Netlock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit | 1680378 | ASSIGNED | Anna Bányai | [ca-compliance] | 2021-11-10T17:45:15Z |
| PKIoverheid: (KPN) Incorrect Subject OrganizationName | 1746421 | ASSIGNED | David Weissenberg | [ca-compliance] | 2022-01-10T09:53:03Z |
| Sectigo: Mojibake in certificate Subject fields | 1724458 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2022-02-15 | 2022-01-14T17:25:15Z |
| Sectigo: OCSP responses directly signed using root certificates without KU=digitalSignature | 1741777 | ASSIGNED | Rob Stradling | [ca-compliance] Next update 2022-02-02 | 2022-01-14T15:30:03Z |
| Sectigo: Subject field with unvalidated information included in certificates | 1736064 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2022-02-07 | 2022-01-10T18:28:04Z |
| SecureTrust: Invalid localityName | 1720723 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2022-01-18 | 2022-01-11T17:11:25Z |
| SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels | 1724520 | ASSIGNED | Chris Kemmerer | [ca-compliance] Next update 2022-01-17 | 2022-01-10T16:19:33Z |
| SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information | 1722089 | ASSIGNED | Chris Kemmerer | [ca-compliance] Next update 2022-01-17 | 2022-01-10T16:18:29Z |
| Telia CA: Invalid email contact address was used for few domains | 1736020 | ASSIGNED | pekka.lahtiharju | [ca-compliance] | 2021-10-29T13:23:45Z |
| Telia CA: Issued three precertificates with non-NIST EC curve | 1738207 | ASSIGNED | pekka.lahtiharju | [ca-compliance] | 2021-12-21T08:17:22Z |
| TWCA: [Policy OID not set to indicate the assurance level to the issued certs] | 1738778 | ASSIGNED | Hao-Chun Li | [ca-compliance] | 2022-01-11T17:04:00Z |
| UniTrust: Improper DER results in failure to comply with RFC 5280 - Encoded sequence component with default value | 1735908 | ASSIGNED | chenxiaotong | [ca-compliance] | 2021-10-25T08:28:46Z |
27 Total; 27 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-01-05T03:13:44Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Amazon Trust Services - Delayed Revocation of Subordinate CA | 1743943 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] [delayed-revocation-ca] Next update 2022-01-31 | 2022-01-13T01:43:29Z |
| Camerfirma: Delayed revocations of certificates issued by old CAs with an RSA modulus size of 2047 bits | 1692535 | ASSIGNED | Ana Lopes | [ca-compliance] [delayed-revocation-leaf] Next update 2022-01-18 | 2022-01-11T17:19:42Z |
| Entrust: Late Revocation for SSL Certificates issued with Un-verified IP Addresses | 1748634 | ASSIGNED | Bruce Morton | [ca-compliance] [delayed-revocation-leaf] | 2022-01-10T15:36:32Z |
| KIR S.A.: Delayed revocations of certificates | 1709872 | ASSIGNED | Piotr Grabowski | [ca-compliance] [delayed-revocation-leaf] Next update 2022-01-22 | 2022-01-11T17:16:37Z |
| SECOM: Delayed Revocation of non-technically constrained FUJIFILM Certificates | 1707229 | ASSIGNED | Hisashi Kamo | [ca-compliance] [delayed-revocation-leaf] Next update 2022-01-17 | 2022-01-11T17:15:13Z |
| Telia CA: Delayed revocation of 5 EE certificates in connection to id=1736020 | 1737808 | ASSIGNED | pekka.lahtiharju | [ca-compliance] [delayed-revocation-leaf] | 2021-10-29T13:15:28Z |
6 Total; 6 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
