CA/Incident Dashboard

From MozillaWiki

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1563579 Sectigo: Failure to provide timely incident reports ASSIGNED Rob Stradling [ca-compliance] 2021-01-25T21:38:31Z
1565270 Telia: Qualified BR Audit Statement ASSIGNED pekka.lahtiharju [ca-compliance] Next Update 2021-01-15 2021-01-15T13:30:20Z
1575880 GlobalSign: SSL Certificates with US country code and invalid State/Prov ASSIGNED douglas.beattie [ca-compliance] - Next Update 2021-01-15 2021-01-22T18:00:31Z
1632632 Buypass: Illegal Business Category in a PSD2 QWAC ASSIGNED Mads Henriksveen [ca-compliance] Next update 2021-01-15 2021-01-15T14:51:44Z
1645686 Sectigo: Lack of input validation in stateOrProvinceName ASSIGNED Rich Smith [ca-compliance] 2021-01-25T17:32:09Z
1645832 GoDaddy: Expired CRLs ASSIGNED Daniela Hood [ca-compliance] Next Update - 2021-01-01 2020-12-03T21:18:57Z
1647468 D-TRUST: Wrong key usage (Key Encipherment) ASSIGNED Enrico Entschew [ca-compliance] 2020-10-02T13:58:22Z
1648717 Sectigo: Failure to provide a preliminary report within 24 hours. ASSIGNED Rich Smith [ca-compliance] 2021-01-21T18:43:17Z
1649726 Firmaprofesional: 2020 Audit Report Finding 4 out of 4 ASSIGNED Maria Jose Prieto [ca-compliance] 2021-01-25T08:52:31Z
1649937 GlobalSign: Incorrect OCSP Delegated Responder Certificate ASSIGNED douglas.beattie [ca-compliance] 2021-01-25T08:26:31Z
1649938 QuoVadis: Incorrect OCSP Delegated Responder Certificate ASSIGNED Stephen Davidson [ca-compliance] Next Update 2021-01-07 2021-01-22T21:27:30Z
1649951 DigiCert: Incorrect OCSP Delegated Responder Certificate ASSIGNED Martin Sullivan [ca-compliance] 2021-01-19T20:57:32Z
1649964 PKIoverheid: Incorrect OCSP Delegated Responder Certificate ASSIGNED Jorik van 't Hof [ca-compliance] Next Update 2021-01-25 2021-01-05T13:15:00Z
1650845 Sectigo: Certificate Problem Report response issues ASSIGNED Nick France [ca-compliance] Updates in Bug #1648717 2020-08-27T03:53:17Z
1651611 Telekom Security: Finding in 2020 ETSI-Audit regarding weekly review of changes to configurations ASSIGNED Arnold Essing [ca-compliance] 2021-01-22T18:46:11Z
1652581 Google Trust Services digitalSignature KeyUsage not set ASSIGNED Andy Warner [ca-compliance] 2021-01-11T23:24:01Z
1655698 Telekom Security: CRL also contained unrevoked certificates ASSIGNED Arnold Essing [ca-compliance] 2021-01-18T00:10:27Z
1658792 Entrust: Invalid data in State/Province Field ASSIGNED Dathan Demone [ca-compliance] Next Update 2021-04-01 2021-01-22T17:55:20Z
1662807 GoDaddy: Certificates issued with validity periods greater than 398-days ASSIGNED Joanna [ca-compliance] Next Update 2021-01-11 2021-01-16T03:37:29Z
1663080 IdenTrust Issuance of certificates greater than 398 days ASSIGNED IdenTrust [ca-compliance] 2021-01-06T22:39:57Z
1663953 TunTrust : OCSP unreachable ASSIGNED Agence Nationale de Certification Electronique [ca-compliance] 2021-01-05T18:35:02Z
1664328 GlobalSign: SHA-256 hash algorithm used with ECC P-384 key ASSIGNED Arvid Vermote [ca-compliance] Next Update 15-Jan-2021 2021-01-11T11:20:52Z
1667430 Camerfirma: Invalid stateOrProvinceName field ASSIGNED Ana Lopes [ca-compliance] 2021-01-20T18:20:40Z
1667690 Entrust: Failure to provide a preliminary report within 24 hours. ASSIGNED Dathan Demone [ca-compliance] 2021-01-22T17:51:12Z
1667744 Dhimyotis/Certigna: Certificates issued with validity periods greater than 398-days ASSIGNED Josselin Allemandou [ca-compliance] 2021-01-08T11:54:26Z
1667799 SecureTrust: Failure to provide a preliminary report within 24 hours. ASSIGNED Andrea Holland [ca-compliance] 2021-01-22T18:43:55Z
1667842 SecureTrust: Inaccurate value in stateOrProvinceName ASSIGNED Andrea Holland [ca-compliance] 2020-12-24T21:07:42Z
1667944 GlobalSign: Empty SingleExtension in OCSP responses ASSIGNED Paul Brown [ca-compliance] 2021-01-19T15:13:08Z
1667986 Asseco DS / Certum: Invalid stateOrProvinceName field ASSIGNED Aleksandra Kurosz [ca-compliance] 2021-01-12T13:26:39Z
1668007 GlobalSign: Invalid stateOrProvinceName value ASSIGNED Arvid Vermote [ca-compliance] 2021-01-22T18:16:09Z
1669518 PKIoverheid: Overdue audit statements for intermediate certificates ASSIGNED Jorik van 't Hof [ca-compliance] 2021-01-20T12:48:02Z
1669594 Identrust: Issuance of Subordinate CA’s Without EKU ASSIGNED IdenTrust [ca-compliance] 2021-01-22T19:48:09Z
1670337 Microsoft PKI Services: Certificate Mis-Issuance, DNSNames must have a valid TLD ASSIGNED John Mason [ca-compliance] 2021-01-20T01:25:07Z
1670894 SwissSign: Invalid stateOrProvinceName field ASSIGNED Mike Guenther [ca-compliance] 2021-01-25T13:48:49Z
1671037 SecureTrust: CPS section 6.1.1.1 number 3 non-compliance event ASSIGNED Andrea Holland [ca-compliance] 2020-12-18T22:06:22Z
1671113 SwissSign: Failure to provide a preliminary report within 24 hours. ASSIGNED Mike Guenther [ca-compliance] 2021-01-22T18:37:27Z
1672029 Camerfirma: Failure to abide by Section 8 of Mozilla Policy: Unauthorized, improperly disclosed Subordinate CA ASSIGNED Ana Lopes [ca-compliance] 2021-01-22T09:41:51Z
1672409 Camerfirma: suspicious certificate for com.com ASSIGNED Ana Lopes [ca-compliance] 2021-01-22T13:20:32Z
1674561 Microsoft: DV certificate issued with OV fields ASSIGNED Dustin Hollenback [ca-compliance] 2021-01-22T23:37:19Z
1674886 certSIGN misissued an OV SSL certificate with no organizationName and localityName, instead of a DV SSL as requested by client REOPENED Gabriel PETCU [ca-compliance] 2021-01-06T17:35:21Z
1675314 Telekom Security: Wrong jurisdiction entries in certificates ASSIGNED Arnold Essing [ca-compliance] 2021-01-14T15:04:44Z
1676352 Microsec e-Szigno: Validity validity period greater than 398 days ASSIGNED dr. Sándor SZŐKE [ca-compliance] 2021-01-18T18:04:37Z
1676367 NetLock: Issuance of >398-day precertificates after 2020-09-01 ASSIGNED Varga Viktor [ca-compliance] 2021-01-08T13:20:26Z
1676440 Netlock: Cumulative report connected to EV verification ASSIGNED Varga Viktor [ca-compliance] 2021-01-22T18:23:59Z
1677234 Apple: OCSP availability 2020-11-12 ASSIGNED certification_authority [ca-compliance] Next Update 2021-01-31 2021-01-20T02:52:54Z
1677239 IdenTrust Service Degradation ASSIGNED IdenTrust [ca-compliance] 2021-01-07T22:14:34Z
1677737 SwissSign: duplicate serial number ASSIGNED Mike Guenther [ca-compliance] 2021-01-25T13:44:20Z
1678183 Google Trust Services - Invalid ASN.1 encoding of singleExtensions in OCSP responses ASSIGNED Andy Warner [ca-compliance] 2021-01-25T11:35:34Z
1678410 IdenTrust: Invalid OCSP Response Held in Cache ASSIGNED IdenTrust [ca-compliance] 2021-01-05T22:09:06Z
1680083 Camerfirma: certificate with an incorrect OrganizationName ASSIGNED Eusebio Herrera [ca-compliance] 2021-01-20T11:31:39Z
1680378 Netlock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit ASSIGNED Varga Viktor [ca-compliance] 2021-01-08T11:06:38Z
1682270 D-TRUST: Private Key Disclosed by Customer as Part of CSR ASSIGNED Enrico Entschew [ca-compliance] 2020-12-14T22:37:08Z
1684112 Let's Encrypt: Failure to audit log subscriber certificate OCSP updates ASSIGNED Andrew Gabbitas [ca-compliance] 2020-12-29T22:36:47Z
1684442 DigiCert: SHA-1 intermediate issued after 2016-01-01 ASSIGNED Jeremy Rowley [ca-compliance] 2021-01-22T04:30:53Z
1685370 Entrust: Incorrect Business Category Value Discovered in an EV SSL Certificate ASSIGNED Dathan Demone [ca-compliance] 2021-01-21T17:22:45Z
1685557 Camerfirma: Certificates without CABForum OV Reserved Policy Identifier ASSIGNED Ana Lopes [ca-compliance] 2021-01-20T20:08:56Z
1686524 Camerfirma: Certificate issued with 3-year lifespan, unknown policy ASSIGNED Eusebio Herrera [ca-compliance] 2021-01-20T18:44:29Z
1687139 E-Tugra: commonName not in SAN ASSIGNED Davut Tokgöz [ca-compliance] 2021-01-20T05:30:27Z
1687330 E-Tugra: Intermittent OCSP response with status 'Unknown' ASSIGNED Davut Tokgöz [ca-compliance] 2021-01-19T16:06:27Z
1687513 E-Tugra: Delayed Response of Revocation Request ASSIGNED Davut Tokgöz [ca-compliance] 2021-01-19T17:58:23Z
1688215 Camerfirma: CP/CPS of Intesa Sanpaolo Sub-CA is Non-Compliant ASSIGNED Ana Lopes [ca-compliance] 2021-01-25T17:09:05Z
1688382 CamerFirma: No disclosure of verification sources ASSIGNED Ana Lopes [ca-compliance] 2021-01-23T19:42:16Z

62 Total; 62 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1591005 GlobalSign: ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report ASSIGNED Arvid Vermote [ca-compliance] [delayed-revocation-ca] Next Update 2021-01-15 2021-01-12T10:58:22Z
1620561 Sectigo: Non-revocation of certificates with subject:organizationalUnitName in DV certificates ASSIGNED Nick France [ca-compliance] [delayed-revocation-leaf] Next update 2021-01-05 2021-01-22T18:09:39Z
1651447 GlobalSign: Failure to revoke noncompliant ICA within 7 days ASSIGNED Arvid Vermote [ca-compliance] [delayed-revocation-ca] 2021-01-12T13:19:27Z
1651461 DigiCert: Failure to revoke within 7 days: OCSP EKU issue ASSIGNED Brenda Bernal [ca-compliance] [delayed-revocation-ca] 2021-01-19T20:57:14Z
1651553 QuoVadis: Failure to revoke within 7 days: OCSP EKU issue ASSIGNED Stephen Davidson [ca-compliance] [delayed-revocation-ca] Next update 2021-01-22 2021-01-22T21:31:38Z
1651637 Firmaprofesional: Failure to revoke ICAs within 7 days: OCSP EKU ASSIGNED Maria Jose Prieto [ca-compliance] [delayed-revocation-ca] Next update 2021-01-04 2020-12-28T14:56:08Z
1652604 PKIoverheid: Failure to revoke within 7 days: OCSP EKU issue ASSIGNED Jorik van 't Hof [ca-compliance] [delayed-revocation-ca] Next update 2020-12-01 2021-01-08T10:53:07Z
1652610 SECOM: Delayed Revocation of CA Certificate with OCSP EKU Issue ASSIGNED Hisashi Kamo [ca-compliance] [delayed-revocation-ca] 2021-01-04T08:09:19Z
1668331 Camerfirma: Delayed revocations related to Invalid stateOrProvinceName field ASSIGNED Juan Angel Martin [ca-compliance] [delayed-revocation-leaf] 2021-01-22T18:30:03Z
1668523 Asseco DS/Certum: Failure to revoke within 5 days ASSIGNED Aleksandra Kurosz [ca-compliance] [delayed-revocation-leaf] Next update 2021-01-15 2021-01-22T18:40:04Z
1670861 Actalis: delayed revocation related to inaccurate value in stateOrProvinceName ASSIGNED Adriano Santoni [ca-compliance] [delayed-revocation-leaf] 2021-01-22T17:58:53Z
1674082 Dhimyotis/Certigna: Certificates issued with validity periods greater than 398-days ASSIGNED r.delval [ca-compliance] [delayed-revocation-leaf] 2021-01-11T10:52:22Z
1686966 Camerfirma: Delayed revocations related to certificates without CABForum OV Reserved Policy Identifier ASSIGNED Ana Lopes [ca-compliance] [delayed-revocation-leaf] 2021-01-22T15:06:04Z
1687608 E-Tugra: The failure to revoke a certificate ASSIGNED Davut Tokgöz [ca-compliance] [delayed-revocation-leaf] 2021-01-20T16:35:02Z

14 Total; 14 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: