CA/Incident Dashboard
From MozillaWiki
< CA
Contents
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1463975 | GRCA: Misissued certificates: Invalid commonName, commonName not in SAN | ASSIGNED | National Development Council | [ca-compliance] CKA_NSS_SERVER_DISTRUST_AFTER | 2020-05-26T18:09:40Z |
| 1496616 | Consorci AOC: Qualified audit statements | ASSIGNED | Francesc Ferrer | [ca-compliance] CKA_NSS_SERVER_DISTRUST_AFTER | 2020-05-22T10:08:58Z |
| 1532436 | Chunghwa Telecom: Test certificate with unregistered domain name | ASSIGNED | Li-Chun CHEN | [ca-compliance] | 2020-06-03T09:16:49Z |
| 1532559 | CFCA: Wrong SerialNumber encoding | ASSIGNED | Jonathan Sun | [ca-compliance] | 2020-06-02T06:22:32Z |
| 1551372 | Telia: "Some-State" in stateOrProvinceName | ASSIGNED | pekka.lahtiharju | [ca-compliance] | 2020-05-25T06:44:52Z |
| 1559765 | Izenpe: Multiple invalid EV certificates issued | ASSIGNED | Oscar Garcia | [ca-compliance] - Next Update - 1-June 2020 | 2020-05-28T07:09:30Z |
| 1563579 | Sectigo: Failure to provide timely incident reports | ASSIGNED | Robin Alden | [ca-compliance] | 2020-06-02T15:13:51Z |
| 1565270 | Telia: Qualified BR Audit Statement | ASSIGNED | pekka.lahtiharju | [ca-compliance] - Next Update - 8-June 2020 | 2020-06-05T10:18:48Z |
| 1575022 | Sectigo: EV SSL Certificates with incorrect subject details. | ASSIGNED | Robin Alden | [ca-compliance] - Next Update - 15-June 2020 | 2020-06-03T01:46:39Z |
| 1575880 | GlobalSign: SSL Certificates with US country code and invalid State/Prov | ASSIGNED | douglas.beattie | [ca-compliance] - Next Update 30-June 2020 | 2020-06-01T17:39:23Z |
| 1576013 | DigiCert: JOI Issue | ASSIGNED | Jeremy Rowley | [ca-compliance] | 2020-05-27T18:42:26Z |
| 1578505 | LuxTrust: Outdated audit statement for intermediate cert | ASSIGNED | ca | [ca-compliance] - Overdue Audit for intermediate cert | 2020-05-25T16:53:03Z |
| 1586795 | NetLock: Issuance of intermediates after 2019-01-01 that do not comply with Mozilla Policy | ASSIGNED | Varga Viktor | [ca-compliance] | 2020-06-03T21:59:24Z |
| 1588001 | Apple OCSP responders return responses with incorrect issuer | ASSIGNED | certification_authority | [ca-compliance] - Next Update - 30-June 2020 | 2020-05-20T21:42:06Z |
| 1590810 | Sectigo: EV SSL Certificates with incorrect businessCategory | ASSIGNED | Robin Alden | [ca-compliance] - Next Update - 1-June 2020 | 2020-06-03T14:49:34Z |
| 1593776 | Sectigo: invalid subject:organizationalUnitName on DV certificates | ASSIGNED | Robin Alden | [ca-compliance] - Next Update - 15-June 2020 | 2020-05-22T18:52:18Z |
| 1597947 | Sectigo: CCADB failed ALV - Network Solutions Certificate Authority | ASSIGNED | Robin Alden | [ca-compliance] | 2020-06-02T21:40:37Z |
| 1597948 | Sectigo: CCADB failed ALV - D-TRUST CA 2-1 2015 | ASSIGNED | Robin Alden | [ca-compliance] | 2020-06-02T21:36:19Z |
| 1597950 | Sectigo: CCADB failed ALV - Ensured Root CA | ASSIGNED | Robin Alden | [ca-compliance] | 2020-06-03T08:49:08Z |
| 1605804 | GoDaddy: Domain Validation Reuse Issue | ASSIGNED | Joanna | [ca-compliance] - Next Update - 1-June 2020 | 2020-05-26T15:09:18Z |
| 1610303 | D-TRUST: Issuance of non-conformant SSL certificate | ASSIGNED | Enrico Entschew | [ca-compliance] - Next Update - 15-June 2020 | 2020-05-22T17:17:32Z |
| 1613334 | SwissSign: Misissuance with mispellings in Location for a number of Certificates | ASSIGNED | Mike Guenther | [ca-compliance] | 2020-06-05T15:12:51Z |
| 1614448 | GRCA: Audit Letter Validation failures on intermediate certificates | ASSIGNED | National Development Council | [ca-compliance] - Next Update - 1-June 2020 | 2020-05-26T16:30:09Z |
| 1619047 | Let's Encrypt: CAA Rechecking bug | ASSIGNED | Jacob Hoffman-Andrews | [ca-compliance] Next Update - 28-April 2020 | 2020-05-28T20:23:40Z |
| 1619359 | Sectigo: Failure to provide a preliminary report within 24 hours | ASSIGNED | Robin Alden | [ca-compliance] | 2020-06-03T03:22:50Z |
| 1622505 | GlobalSign: OCSP Status HTTP 530 | ASSIGNED | Arvid Vermote | [ca-compliance] Next Update - 15-June 2020 | 2020-05-17T20:10:51Z |
| 1622539 | Microsec: Issuance of 2 IVCP precertificates without givenName, surName, localityName fields | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] Next Update - 20 May, 2020 | 2020-05-26T12:35:26Z |
| 1623356 | GlobalSign: Misissuance of QWAC Certificates | ASSIGNED | douglas.beattie | [ca-compliance] - Next Update - 15-June 2020 | 2020-05-22T20:12:33Z |
| 1623384 | Camerfirma: Invalid authorityKeyIdentifier - recurrent incident | ASSIGNED | Ana Lopes | [ca-compliance] | 2020-05-22T12:12:26Z |
| 1624527 | DigiCert: Issuance of Cert with Compromised Key | ASSIGNED | Jeremy Rowley | [ca-compliance] Next Update - 1-June 2020 | 2020-06-02T21:26:14Z |
| 1625498 | Google Trust Services: Tracking bug for possible audit delays (audit due 2020-12) | ASSIGNED | kluge | [ca-compliance] [audit-delay] [covid-19] Next Update - 1 July, 2020 | 2020-03-30T11:03:45Z |
| 1625767 | Microsec: Audit Letter Validation Failures | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] - Next Update - 1-June 2020 | 2020-06-05T12:20:25Z |
| 1626355 | Atos: Tracking bug for possible audit delays | ASSIGNED | michael.schwieters | [ca-compliance][audit-delay][covid-19] Next Update 2020-05-04 | 2020-06-02T13:42:25Z |
| 1628292 | Buypass: Failure to revoke PSD2 QWACs within mandated 5 days | ASSIGNED | Mads Henriksveen | [ca-compliance] | 2020-05-26T14:53:14Z |
| 1630870 | GlobalSign: Certificate issued with RSASSA-PSS public key | ASSIGNED | Paul Brown | [ca-compliance] Next update - 30-June, 2020 | 2020-06-04T15:54:22Z |
| 1632632 | Buypass: Illegal Business Category in a PSD2 QWAC | ASSIGNED | Mads Henriksveen | [ca-compliance] | 2020-05-26T18:54:01Z |
| 1634795 | Google Trust Services: Incorrect revocation data temporarily served for GTS Y3 & Y4 | ASSIGNED | Andy Warner | [ca-compliance] | 2020-06-01T17:16:19Z |
| 1635096 | Entrust: Printable String Constraint Failure | ASSIGNED | Bruce Morton | [ca-compliance] | 2020-05-29T18:28:49Z |
| 1635279 | Identrust: Incorrect Subject Details for HydrantId | ASSIGNED | IdenTrust | [ca-compliance] - Next Update - 1-October 2020 | 2020-06-01T17:17:45Z |
| 1636140 | SwissSign: duplicate serial number | ASSIGNED | Mike Guenther | [ca-compliance] | 2020-06-02T15:36:13Z |
| 1636141 | SwissSign: failure to provide a preliminary report within 24 hours | ASSIGNED | Mike Guenther | [ca-compliance] | 2020-06-02T13:29:01Z |
| 1636544 | IdenTrust: OCSP Outage | ASSIGNED | IdenTrust | [ca-compliance] Next Update - 30-July 2020 | 2020-05-30T00:00:12Z |
| 1637093 | Multicert: AIA CA Issuer field pointing to PEM encoded cert | ASSIGNED | ca.forum | [ca-compliance] | 2020-06-03T15:02:40Z |
| 1639032 | DigiCert: "Internet Widgits Pty Ltd" in organizationalUnitName | ASSIGNED | Brenda Bernal | [ca-compliance] | 2020-05-31T21:41:31Z |
| 1639502 | Asseco DS / Certum: Incorrect OCSP response encoding | ASSIGNED | Wojciech Trapczyński | [ca-compliance] | 2020-05-28T13:41:08Z |
| 1639794 | Let's Encrypt: Failure to revoke key-compromised certificate within 24 hours | ASSIGNED | Jacob Hoffman-Andrews | [ca-compliance] | 2020-06-06T10:29:19Z |
| 1639798 | GoDaddy: Failure to revoke key-compromised certificates within 24 hours | ASSIGNED | Joanna | [ca-compliance] | 2020-06-06T10:24:22Z |
| 1639799 | Globalsign: Failure to revoke key-compromised certificate within 24 hours | ASSIGNED | Arvid Vermote | [ca-compliance] Next Update - 12-June 2020 | 2020-06-02T16:29:22Z |
| 1639801 | Digicert: Failure to revoke key-compromised certificates within 24 hours | ASSIGNED | Brenda Bernal | [ca-compliance] | 2020-06-03T15:50:18Z |
| 1639802 | Digicert: Failure to revoke key-compromised certificate | ASSIGNED | Brenda Bernal | [ca-compliance] | 2020-06-03T15:50:49Z |
| 1639804 | Sectigo: Failure to revoke key-compromised certificate within 24 hours | ASSIGNED | Robin Alden | [ca-compliance] | 2020-06-03T18:39:35Z |
| 1639805 | Sectigo: Failure to revoke key-compromised certificates | ASSIGNED | Robin Alden | [ca-compliance] | 2020-06-01T22:43:08Z |
| 1640310 | GoDaddy: Failure to revoke certificate with compromised key within 24 hours | ASSIGNED | Daniela Hood | [ca-compliance] | 2020-06-06T14:47:28Z |
| 1640805 | Digicert: delayed publication of revocation information | ASSIGNED | Jeremy Rowley | [ca-compliance] | 2020-06-02T22:38:29Z |
54 Total; 54 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1625498 | Google Trust Services: Tracking bug for possible audit delays (audit due 2020-12) | ASSIGNED | kluge | [ca-compliance] [audit-delay] [covid-19] Next Update - 1 July, 2020 | 2020-03-30T11:03:45Z |
| 1626355 | Atos: Tracking bug for possible audit delays | ASSIGNED | michael.schwieters | [ca-compliance][audit-delay][covid-19] Next Update 2020-05-04 | 2020-06-02T13:42:25Z |
2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1575530 | Camerfirma: Govern d'Andorra audits | ASSIGNED | Juan Angel Martin | [ca-compliance] [delayed-revocation-ca] | 2020-05-25T17:12:01Z |
| 1581597 | QuoVadis: Unconstrained CAs missing audits | ASSIGNED | Stephen Davidson | [ca-compliance] [delayed-revocation-ca] [covid-19] | 2020-05-29T17:10:07Z |
| 1591005 | GlobalSign: ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report | ASSIGNED | Arvid Vermote | [ca-compliance] [delayed-revocation-ca] | 2020-06-03T08:45:52Z |
| 1598807 | IdenTrust: Undisclosed Unrevoked ICAs | ASSIGNED | IdenTrust | [ca-compliance] [delayed-revocation-ca] [covid-19] - Next Update - 30-June 2020 | 2020-05-29T19:16:36Z |
| 1599916 | QuoVadis: Unconstrained CAs revocation | ASSIGNED | Stephen Davidson | [ca-compliance] [delayed-revocation-ca] Next Update - 31-March 2020 | 2020-05-28T16:36:52Z |
| 1610767 | WISeKey: Failure to meet revocation deadline | ASSIGNED | Pedro Fuentes | [ca-compliance] [delayed-revocation-leaf] Next Update - 23-January 2020 | 2020-05-25T06:54:54Z |
| 1613406 | SwissSign: Delayed revocation for mispellings in Location for a number of Certificates | ASSIGNED | Mike Guenther | [ca-compliance] [delayed-revocation-leaf] | 2020-06-07T00:21:48Z |
| 1620561 | Sectigo: Non-revocation of certificates with subject:organizationalUnitName in DV certificates | ASSIGNED | Robin Alden | [ca-compliance] [delayed-revocation-leaf] | 2020-06-03T17:29:12Z |
| 1624504 | QuoVadis: Failure to revoke certificates with compromised private keys | ASSIGNED | Stephen Davidson | [ca-compliance] [delayed-revocation-leaf] - Next update 15-June 2020 | 2020-05-22T19:00:29Z |
| 1635840 | Sectigo: Failure to properly respond to a report of subscriber key compromise | ASSIGNED | Robin Alden | [ca-compliance] [delayed-revocation-leaf] | 2020-06-02T21:24:44Z |
| 1636339 | Entrust: Failure to revoke a certificate | ASSIGNED | Bruce Morton | [ca-compliance] [delayed-revocation-leaf] | 2020-06-01T08:30:56Z |
11 Total; 11 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
