CA/Incident Dashboard

From MozillaWiki
< CA
Jump to: navigation, search

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
ACCV: Certificates issued with cRLIssuer in CDP extension 1884532 ASSIGNED Jose Amador [ca-compliance] [ov-misissuance] 2024-05-07T06:01:02Z 2024-03-09T18:14:05Z
ACCV: Certificates issued with Policy qualifiers other than id-qt-cps 1889567 ASSIGNED Jose Amador [ca-compliance] [ev-misissuance] 2024-05-06T07:05:58Z 2024-04-04T07:53:32Z
ACCV: Delayed response to CPR 1886785 ASSIGNED Jose Amador [ca-compliance] [policy-failure] 2024-05-07T11:38:17Z 2024-03-21T15:13:02Z
AGCE: Non-Compliant VPN Certificate Issuance 1882256 ASSIGNED ance.certification.info [ca-compliance] [ov-misissuance] 2024-07-02T14:37:29Z 2024-02-27T10:44:42Z
Asseco DS / Certum: CRL non-conformance with the TLS BRs 1888689 ASSIGNED Kateryna Aleksieieva [ca-compliance] [crl-failure] [external] Next update 2024-10-01 2024-05-09T20:57:15Z 2024-03-29T17:37:14Z
Asseco DS / Certum: Cross-certificate not included in 2024 S/MIME Audit statement 1904494 ASSIGNED Kateryna Aleksieieva [ca-compliance] [audit-failure] 2024-06-27T07:51:24Z 2024-06-25T07:05:47Z
Asseco DS / Certum: S/MIME certificates with error in subjectAlternativeName 1879845 REOPENED Kateryna Aleksieieva [ca-compliance] [smime-misissuance] Next update 2024-10-01 2024-06-27T18:02:12Z 2024-02-12T13:22:11Z
Buypass: Using an external DNS Resolver for DNS lookups 1872371 ASSIGNED Mads Henriksveen [ca-compliance] [ov-misissuance] Next update 2024-07-15 2024-06-26T14:54:36Z 2023-12-29T16:02:59Z
Certigna: ARL without reasoncode for recent revoked CA certificates 1900654 ASSIGNED Josselin Allemandou [ca-compliance] [crl-failure] [external] 2024-06-21T16:07:00Z 2024-06-04T16:32:05Z
Certigna: TLS certificates with Basic constraint non-critical 1883416 ASSIGNED Josselin Allemandou [ca-compliance] [ov-misissuance] 2024-04-10T15:30:22Z 2024-03-04T16:36:15Z
certSIGN: Findings in 2024 ETSI Audit - Audit Incident Report 1897134 ASSIGNED Gabriel PETCU [ca-compliance] [audit-finding] 2024-05-20T03:47:59Z 2024-05-16T12:21:22Z
CFCA: certificate basicConstraints extension not marked as critical 1886135 ASSIGNED Gao Fei [ca-compliance] [ov-misissuance] 2024-07-01T01:45:28Z 2024-03-19T10:57:32Z
CFCA: Failure to respond to a CPR in a complete and/or timely manner 1888881 ASSIGNED Gao Fei [ca-compliance] [policy-failure] 2024-06-30T20:21:59Z 2024-04-01T07:17:16Z
Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired 1904038 ASSIGNED Tsung-Min Kuo [ca-compliance] [policy-failure] 2024-06-24T12:07:22Z 2024-06-21T12:48:21Z
Chunghwa Telecom: Controversial Values within Extension (2.5.29.9, subjectDirectoryAttributes) 1899466 ASSIGNED Leo Fang [ca-compliance] [ov-misissuance] 2024-06-29T13:19:49Z 2024-05-29T04:13:45Z
Chunghwa Telecom: Wrong Extended Key Usage setting by GTLSCA 1887096 ASSIGNED Tsung-Min Kuo [ca-compliance] [ov-misissuance] 2024-05-29T04:16:27Z 2024-03-22T17:25:13Z
CommScope: Certificates were issued in which third-party web-based tools were used during validation. 1901578 ASSIGNED Nicol So [ca-compliance] [dv-misissuance] 2024-07-01T22:48:09Z 2024-06-10T17:24:44Z
D-Trust: Issuance of 15 certificates with incorrect subject attribute order 1891225 ASSIGNED Leyla Sahin [ca-compliance] [ev-misissuance] Next update 2024-07-01 2024-06-28T14:59:47Z 2024-04-12T13:48:03Z
D-Trust: Issuance of an EV certificate containing a mixup of the Subject's postalCode and localityName 1896190 ASSIGNED Enrico Entschew [ca-compliance] [ev-misissuance] Next update 2024-08-15 2024-05-24T00:20:21Z 2024-05-10T19:14:04Z
D-Trust: LDAP-URL in Subscriber Certificate Authority Information Access field 1884714 ASSIGNED Enrico Entschew [ca-compliance] [ov-misissuance] 2024-06-28T15:02:04Z 2024-03-11T16:29:07Z
DigiCert: Incorrect case in Business Category 1894560 ASSIGNED Martin Sullivan [ca-compliance] [ev-misissuance] 2024-06-27T20:53:57Z 2024-05-01T22:04:07Z
Disig: TLS certificate with basicConstraints not marked as critical 1888104 ASSIGNED Jozef Nigut [ca-compliance] [ov-misissuance] 2024-06-27T12:05:50Z 2024-03-27T10:37:26Z
e-commerce monitoring GmbH: CRLs with mismatched issuer 1888371 ASSIGNED Daniel Zens [ca-compliance] [crl-failure] [external] 2024-06-14T15:45:14Z 2024-03-28T10:58:07Z
e-commerce monitoring gmbh: failure to follow incident report requirements 1893546 ASSIGNED Daniel Zens [ca-compliance] [policy-failure] [external] 2024-06-14T15:45:23Z 2024-04-25T21:59:49Z
e-commerce monitoring gmbh: failure to maintain links to historic CP/CPS versions 1897457 ASSIGNED Daniel Zens [ca-compliance] [policy-failure] 2024-06-14T15:45:35Z 2024-05-17T13:42:49Z
e-commerce monitoring gmbh: precertificate validity does not match leaf certificate 1883711 ASSIGNED Daniel Zens [ca-compliance] [ov-misissuance] 2024-06-14T15:45:04Z 2024-03-05T17:00:37Z
Entrust: Action Items from June 2024 Report 1901270 ASSIGNED Ben Wilson [ca-compliance] [meta] 2024-07-01T19:57:47Z 2024-06-07T16:50:41Z
Entrust: CPR was not responded to in 24 hours 1885754 ASSIGNED Paul van Brouwershaven [ca-compliance] [external] [policy-failure] Next update 2024-07-31 2024-06-27T20:41:40Z 2024-03-16T22:14:29Z
Entrust: CPS typographical (text placement) error 1890896 ASSIGNED Bruce Morton [ca-compliance] [policy-failure] 2024-06-28T23:25:14Z 2024-04-11T00:45:36Z
Entrust: Delay in Updating CPS 1887753 ASSIGNED Bruce Morton [ca-compliance] [policy-failure] [ev-misissuance] Next update 2024-06-17 2024-07-01T20:01:50Z 2024-03-25T20:45:35Z
Entrust: Delayed reporting of Jurisdiction issue in some EV TLS & Code Signing certificates 1898847 ASSIGNED ngook.kong [ca-compliance] [policy-failure] Next update 2024-07-31 2024-06-28T23:55:27Z 2024-05-25T03:37:00Z
Entrust: EV Certificate missing Issuer’s EV Policy OID 1888714 ASSIGNED Bruce Morton [ca-compliance] [ev-misissuance] Next update 2024-07-05 2024-06-29T00:02:52Z 2024-03-29T21:05:02Z
Entrust: EV TLS Certificate cPSuri missing 1883843 ASSIGNED Paul van Brouwershaven [ca-compliance] [ev-misissuance] 2024-07-01T19:59:21Z 2024-03-06T08:35:58Z
Entrust: Failed to provide a preliminary incident report according to TLS BR 4.9.5 1890123 ASSIGNED Paul van Brouwershaven [ca-compliance] [policy-failure] 2024-07-01T19:58:13Z 2024-04-06T13:24:25Z
Entrust: Jurisdiction issue in some EV TLS & Code Signing certificates 1897630 ASSIGNED ngook.kong [ca-compliance] [ev-misissuance] 2024-06-29T02:51:14Z 2024-05-19T02:42:21Z
Entrust: Not updating CPR Problem Reporting Mechanism fields in CCADB 1894111 ASSIGNED Bruce Morton [ca-compliance] [policy-failure] 2024-06-30T20:23:27Z 2024-04-29T21:37:24Z
Entrust: OCSP response signed with SHA-1 1879602 ASSIGNED Bruce Morton [ca-compliance] [ocsp-failure] 2024-06-22T18:12:51Z 2024-02-09T18:13:00Z
Firmaprofesional: Policy Qualifiers other than id-qt-cps present for certificate 1889420 ASSIGNED ext-antoni.camon [ca-compliance] [ov-misissuance] 2024-06-25T10:15:03Z 2024-04-03T15:46:27Z
FNMT: Certificates issued included Policy qualifiers other than id-qt-cps 1875942 ASSIGNED Amaya Espinosa [ca-compliance] [ov-misissuance] [ev-misissuance] 2024-02-24T15:58:01Z 2024-01-22T23:10:58Z
GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints 1888060 ASSIGNED capoc [ca-compliance] [ov-misissuance] 2024-07-02T01:28:32Z 2024-03-27T06:15:29Z
GoDaddy : CAA checks did not properly handle issuewild tag allowing FQDN SANs to be added to wildcard certs 1904748 ASSIGNED [:nickname] Star [ca-compliance] 2024-07-01T10:54:26Z 2024-06-26T02:12:50Z
GoDaddy : CAA checks passed when records contained incorrect variants of godaddy.com or starfieldtech.com 1904749 ASSIGNED [:nickname] Star [ca-compliance] 2024-07-01T12:36:46Z 2024-06-26T02:14:20Z
GoDaddy: CPR was not responded to in 24 hours 1902868 ASSIGNED Johnny [ca-compliance] [policy-failure] 2024-06-27T19:18:11Z 2024-06-15T20:49:32Z
GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued 1905419 ASSIGNED Johnny [ca-compliance] [ocsp-failure] 2024-07-02T19:57:45Z 2024-06-28T19:25:10Z
Google Trust Services: SXG certificates issued without correctly checking CAA restrictions 1902670 ASSIGNED Google Trust Services [ca-compliance] [uncategorized] 2024-06-28T21:14:00Z 2024-06-14T14:27:02Z
Hongkong Post: Delayed response to CPR 1886722 ASSIGNED Man Ho [ca-compliance] [policy-failure] 2024-05-02T03:30:59Z 2024-03-21T11:36:56Z
Hongkong Post: TLS certificates with basicConstraints not marked as critical 1887008 ASSIGNED Man Ho [ca-compliance] [ov-misissuance] 2024-06-30T04:18:29Z 2024-03-22T13:11:35Z
Hongkong Post: TLS certificates with Certificate Policies extension that does not assert http scheme 1886406 ASSIGNED Man Ho [ca-compliance] [ov-misissuance] 2024-06-30T04:17:54Z 2024-03-20T11:23:23Z
IdenTrust: TLS ICA with User Notice in Policy Qualifier 1897569 ASSIGNED IdenTrust [ca-compliance] [ca-misissuance] 2024-06-13T22:08:54Z 2024-05-17T23:59:46Z
IdenTrust: Unauthorized OCSP response on a Timestamp certificate 1905446 ASSIGNED IdenTrust [ca-compliance] [ocsp-failure] 2024-07-01T14:19:20Z 2024-06-28T22:11:23Z
IdenTrust: unintended creation of a Root CA certificate 1895006 ASSIGNED IdenTrust [ca-compliance] [ca-misissuance] Next update 31-July-2024 2024-07-01T17:20:24Z 2024-05-03T20:19:30Z
Izenpe: Failure to Submit Annual CCADB Self-Assessment 1883493 ASSIGNED David [ca-compliance] [disclosure-failure] [external] 2024-03-21T09:50:35Z 2024-03-04T20:36:07Z
Microsec: Disallowed subject attribute field in DV certificate 1889699 ASSIGNED dr. Sándor SZŐKE [ca-compliance] [dv-misissuance] 2024-04-30T15:21:01Z 2024-04-04T17:01:58Z
Microsec: Late response to a CPR 1886998 ASSIGNED dr. Sándor SZŐKE [ca-compliance] [policy-failure] 2024-06-30T20:24:17Z 2024-03-22T12:22:34Z
Microsec: Misissuance an EV TLS certificate without CPSuri 1886257 ASSIGNED dr. Sándor SZŐKE [ca-compliance] [ev-misissuance] 2024-04-30T15:26:38Z 2024-03-19T18:23:18Z
NETLOCK: CPR was not responded to in 24 hours 1905509 ASSIGNED Tamás Horváth [ca-compliance] [policy-failure] 2024-07-01T14:14:30Z 2024-06-29T19:45:26Z
NETLOCK: Intermediate CA Certificate not disclosed to CCADB 1904041 ASSIGNED dr. Nagy Nikolett [ca-compliance] [policy-failure] [disclosure-failure] 2024-07-02T13:51:23Z 2024-06-21T13:01:09Z
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates 1889570 ASSIGNED Tamás Horváth [ca-compliance] [ev-misissuance] 2024-06-18T11:59:40Z 2024-04-04T08:18:19Z
SECOM: Certificates Issued with lower case value in subject:countryName 1896596 ASSIGNED ONO Fumiaki [ca-compliance] [ov-misissuance] 2024-07-01T10:29:32Z 2024-05-14T09:50:14Z
SECOM: Difference in upper and lower case between CN field and SAN 1897346 ASSIGNED ONO Fumiaki [ca-compliance] [dv-misissuance] 2024-07-01T02:17:38Z 2024-05-17T02:36:40Z
Sectigo: QWAC certificates issued with incorrect subject:organizationIdentifier attribute value 1902748 ASSIGNED Martijn Katerbarg [ca-compliance] [ev-misissuance] 2024-06-26T13:56:29Z 2024-06-14T20:30:02Z
Sectigo: Trusted Role Access provided prior to completion of onboarding process 1902310 ASSIGNED Martijn Katerbarg [ca-compliance] [policy-failure] 2024-06-26T12:48:43Z 2024-06-13T14:52:55Z
SHECA: EV certificate subject RDN order is incorrect 1902592 ASSIGNED jasmine.tang [ca-compliance] [ev-misissuance] 2024-06-27T11:55:03Z 2024-06-14T06:18:45Z
SHECA: The certificate's cpsURI is empty 1902947 ASSIGNED Alvin.Wang [ca-compliance] [ev-misissuance] 2024-06-22T13:06:25Z 2024-06-17T02:51:24Z
Siemens: meaningless characters in personal name fields 1902042 ASSIGNED Thorsten Bergmann [ca-compliance] [smime-misissuance] 2024-06-28T19:55:00Z 2024-06-12T15:50:28Z
SwissSign: MPKI step-up process sets wrong JoI Locality 1894054 ASSIGNED Sandy Balzer [ca-compliance] [ev-misissuance] 2024-06-28T16:22:29Z 2024-04-29T17:00:59Z
Telia: Certificates Issued with lower case value in subject:countryName 1896108 ASSIGNED Antti Backman [ca-compliance] [ov-misissuance] Next update 2024-07-05 2024-07-01T05:54:29Z 2024-05-10T13:39:06Z
TunTrust: CRL and OCSP unavailable 1895312 ASSIGNED TunTrust [ca-compliance] [crl-failure] [ocsp-failure] 2024-05-21T14:48:48Z 2024-05-06T17:10:11Z
TWCA: TLS certificates with non-critical basicConstraints 1885132 ASSIGNED Hao-Chun Li [ca-compliance] [ov-misissuance] [ev-misissuance] 2024-06-28T16:38:21Z 2024-03-13T13:09:19Z
TWCA: TLS EV certificates with invalid subject attribute order 1883620 ASSIGNED Hao-Chun Li [ca-compliance] [ev-misissuance] Next update 2024-06-30 2024-06-28T16:35:51Z 2024-03-05T12:28:02Z
WISeKey: OCSP responding "Unauthorized" for a TLS certificate 1903823 ASSIGNED Pedro Fuentes [ca-compliance] [ocsp-failure] 2024-06-28T17:41:40Z 2024-06-20T15:26:51Z

71 Total; 71 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
Summary ID Status Assigned to Whiteboard Last change time Creation time
Buypass: Delayed revocation of TLS certificates 1872738 REOPENED Mads Henriksveen [ca-compliance] [leaf-revocation-delay] Next update 2024-09-15 2024-06-17T18:53:33Z 2024-01-02T19:18:17Z
CFCA: Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) 1888882 ASSIGNED Gao Fei [ca-compliance] [leaf-revocation-delay] 2024-07-03T00:03:09Z 2024-04-01T07:19:09Z
Chunghwa Telecom: Delayed Revocation Due to GTLSCA EKU Misissuance 1892419 ASSIGNED Leo Fang [ca-compliance] [leaf-revocation-delay] 2024-05-22T02:30:47Z 2024-04-19T10:55:40Z
Chunghwa Telecom: Delayed Revocation with Controversial Extension (2.5.29.9, SubjectDirectoryAttributes) 1903066 ASSIGNED Leo Fang [ca-compliance] [leaf-revocation-delay] 2024-07-02T20:38:57Z 2024-06-17T14:31:08Z
Digicert: Delayed Revocation for bug 1894560 1896053 ASSIGNED Jeremy Rowley [ca-compliance] [leaf-revocation-delay] 2024-07-01T07:07:48Z 2024-05-10T05:00:07Z
e-commerce monitoring GmbH: Delayed revocation 1862004 ASSIGNED Daniel Zens [ca-compliance] [leaf-revocation-delay] [external] 2024-06-14T15:44:42Z 2023-10-30T15:06:09Z
Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates 1898848 ASSIGNED ngook.kong [ca-compliance] [leaf-revocation-delay] 2024-06-30T23:19:26Z 2024-05-25T03:48:12Z
Entrust: Delayed revocation of clientAuth TLS Certificates without serverAuth EKU 1887705 ASSIGNED Paul van Brouwershaven [ca-compliance] [leaf-revocation-delay] 2024-07-01T14:22:50Z 2024-03-25T16:44:53Z
Entrust: Delayed revocation of EV TLS certificates with missing cPSuri 1886532 ASSIGNED Paul van Brouwershaven [ca-compliance] [leaf-revocation-delay] 2024-07-01T17:31:44Z 2024-03-20T17:22:26Z
Entrust: Failure to revoke EV TLS certificates issued before CPS update 1890685 ASSIGNED Bruce Morton [ca-compliance] [policy-failure] [leaf-revocation-delay] 2024-07-01T21:04:10Z 2024-04-09T23:40:57Z
Entrust: Failure to revoke OV TLS - CPS typographical (text placement) error 1890898 ASSIGNED Bruce Morton [ca-compliance] [policy-failure] [leaf-revocation-delay] Next update 2024-06-17 2024-07-02T15:25:38Z 2024-04-11T00:52:33Z
GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints 1889062 ASSIGNED capoc [ca-compliance] [leaf-revocation-delay] 2024-06-26T09:49:57Z 2024-04-02T09:18:52Z
Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical 1887888 ASSIGNED Man Ho [ca-compliance] [leaf-revocation-delay] 2024-06-30T04:14:19Z 2024-03-26T14:39:37Z
Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem 1886665 ASSIGNED Man Ho [ca-compliance] [leaf-revocation-delay] 2024-06-30T03:59:18Z 2024-03-21T04:30:30Z
Microsec: Delayed revocation of the misissued certificates 1887110 ASSIGNED dr. Sándor SZŐKE [ca-compliance] [leaf-revocation-delay] 2024-06-22T18:14:03Z 2024-03-22T18:00:56Z
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation 1891331 ASSIGNED Tamás Horváth [ca-compliance] [leaf-revocation-delay] 2024-07-02T13:48:48Z 2024-04-13T22:07:56Z
Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical 1877388 ASSIGNED Arnold Essing [ca-compliance] [leaf-revocation-delay] 2024-06-28T20:38:35Z 2024-01-30T07:52:58Z
Telia: Delayed revocation of seven (7) certificates related to incident 1896108 1896553 ASSIGNED Antti Backman [ca-compliance] [leaf-revocation-delay] Next update 2024-08-05 2024-06-28T05:32:51Z 2024-05-14T04:48:55Z
TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order 1884568 ASSIGNED Hao-Chun Li [ca-compliance] [leaf-revocation-delay] Next update 2024-08-30 2024-06-28T16:38:53Z 2024-03-10T12:44:57Z
TWCA: Revocation delay for TLS certificates with non-critical basicConstraints 1886110 ASSIGNED chtsai [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2024-08-30 2024-06-28T16:39:37Z 2024-03-19T07:42:18Z
VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 1885568 ASSIGNED Andrea Holland [ca-compliance] [ov-misissuance] [leaf-revocation-delay] 2024-06-26 2024-06-28T15:26:47Z 2024-03-15T16:20:17Z

21 Total; 21 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: