CA/Incident Dashboard

From MozillaWiki

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query

| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Apple: EV TLS pre-certificates issued without EKU extension | 1777757 | ASSIGNED | certification_authority | [ca-compliance] Next update 2022-09-30 | 2022-09-30T22:18:36Z |
| Certigna: Certificate issued with validity period greater than 398-days | 1774418 | ASSIGNED | Josselin Allemandou | [ca-compliance] | 2022-09-26T08:00:45Z |
| CFCA: not report new root certificate timely | 1784820 | ASSIGNED | bixinlong | [ca-compliance] | 2022-09-29T12:31:25Z |
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-08-15T02:01:50Z |
| CFCA: The wrong status of OCSP | 1778035 | ASSIGNED | bixinlong | [ca-compliance] Next update 2022-10-15 | 2022-09-30T12:39:17Z |
| DFN-PKI: OCSP/CRL inconsistencies | 1786313 | ASSIGNED | Jürgen Brauckmann | [ca-compliance] Next update 2022-09-24 | 2022-09-23T07:51:59Z |
| Entrust: TLS Certificate issued with an incorrect state or province | 1792231 | ASSIGNED | Bruce Morton | [ca-compliance] | 2022-09-23T17:29:03Z |
| IdenTrust Expired CRLs | 1792111 | ASSIGNED | IdenTrust | [ca-compliance] | 2022-09-30T00:09:29Z |
| Let’s Encrypt: Certificates issued to Elliptic Curve Debian Weak Keys | 1789521 | ASSIGNED | Andrew Gabbitas | [ca-compliance] | 2022-09-19T18:13:00Z |
| NAVER Cloud: DV certificate issued with no subject alternative name extension | 1785865 | ASSIGNED | Han Yong, Park | [ca-compliance] | 2022-09-24T01:12:01Z |
| Sectigo: Misspelled city name in localityName field | 1782356 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2022-09-30 | 2022-09-28T19:13:03Z |
| SecureTrust: 2 certificates with non-DER encoded keyUsage extension | 1776764 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2022-10-03 | 2022-08-09T15:07:45Z |
| SecureTrust: Incorrect OCSP response | 1765800 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2022-09-28 | 2022-09-30T12:17:28Z |
| SecureTrust: Invalid localityName | 1720723 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2022-09-28 | 2022-09-29T14:34:06Z |
| SSL.com: Issuance of 1 EV TLS certificate using a Registration/Incorporation Agency not included in our approved public list. | 1790693 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2022-09-30T21:18:48Z |
| SwissSign: Missed deadline of publication of 6 CPs and 1 CP/CPS | 1784881 | ASSIGNED | Mike Guenther | [ca-compliance] | 2022-09-22T12:14:28Z |
| UniTrust: EV certificate with wildcard domain in common name and SAN | 1787537 | ASSIGNED | chenxiaotong | [ca-compliance] | 2022-09-26T16:14:50Z |
| UniTrust: Improper DER results in failure to comply with RFC 5280 - Encoded sequence component with default value | 1735908 | ASSIGNED | chenxiaotong | [ca-compliance] Next update 2022-10-15 | 2022-08-31T03:11:33Z |

18 Total; 18 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

Full Query

| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-08-15T02:01:50Z |

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query

| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Amazon Trust Services: Delayed Revocation of Subordinate CA | 1743943 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] [delayed-revocation-ca] Next update 2022-10-01 | 2022-09-30T19:42:05Z |

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: