CA/Incident Dashboard
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined not to be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time |
---|---|---|---|---|---|
Actalis: Certificates issued with validity period greater than 398 days | 1826713 | ASSIGNED | Adriano Santoni | [ca-compliance] [ov-misissuance] | 2023-05-18T10:48:24Z |
Actalis: pre-certificates with “certificateHold” as the revocation reason | 1824319 | ASSIGNED | Adriano Santoni | [ca-compliance] [crl-failure] | 2023-04-11T08:17:00Z |
Amazon Trust Services: Delayed Revocation of Subordinate CA | 1743943 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] [ca-revocation-delay] | 2023-05-30T17:17:55Z |
Asseco DS / Certum: Cross-Signed non-EV-audited root with an EV-enabled root | 1815355 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] [ca-misissuance] | 2023-04-27T16:17:31Z |
Asseco DS / Certum: Delayed revocation of SHECA cross certificate | 1825734 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] [ca-revocation-delay] Next update 2023-04-28 | 2023-05-19T21:00:56Z |
Asseco DS / Certum: Delayed revocation of SSL.COM cross certificate | 1826363 | ASSIGNED | Aleksandra Kurosz | [ca-compliance] [ca-revocation-delay] | 2023-05-19T20:58:57Z |
Asseco DS / Certum: Subordinate certificates with sequential serial number | 1832093 | ASSIGNED | Wojciech Trapczyński | [ca-compliance] [ca-misissuance] | 2023-05-30T17:36:56Z |
certSIGN: Findings in 2023 ETSI Audit for certSIGN ROOT CA G2 - Audit Incident Report | 1833667 | ASSIGNED | Gabriel PETCU | [ca-compliance] [audit-finding] | 2023-05-17T16:32:48Z |
CFCA: Certificate with wrong crlDistributionPoints | 1809382 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] [ev-misissuance] Next update 2023-05-10 | 2023-05-09T01:20:54Z |
CFCA: Delayed reporting of intermediate CA certificate | 1784820 | ASSIGNED | Gao Fei | [ca-compliance] [disclosure-failure] | 2023-04-21T09:03:04Z |
CFCA: EV certificate with wrong PostalCode&Street | 1802845 | ASSIGNED | Gao Fei | [ca-compliance] [ev-misissuance] | 2023-04-13T07:25:58Z |
CFCA: ICA without EKU | 1793053 | ASSIGNED | Gao Fei | [ca-compliance] [ca-misissuance] Next update 2023-03-30 | 2023-04-07T13:48:15Z |
CFCA: The delay in revocation of ICA | 1793059 | ASSIGNED | Gao Fei | [ca-compliance] [ca-revocation-delay] | 2023-04-28T19:37:44Z |
Cybertrust Japan: CRL signature algorithm encoding error | 1827490 | ASSIGNED | masahiro.shikutani | [ca-compliance] [crl-failure] | 2023-05-30T17:41:13Z |
DigiCert: 4 CRL's not responding | 1820269 | ASSIGNED | Martin Sullivan | [ca-compliance] [crl-failure] Next update 2023-05-01 | 2023-05-01T22:49:11Z |
e-commerce monitoring gmbh: certificate issued with two pre-certificates | 1830536 | ASSIGNED | Daniel Zens | [ca-compliance] | 2023-05-05T15:37:07Z |
e-commerce monitoring GmbH: SCT in precertificate | 1815534 | ASSIGNED | Daniel Zens | [ca-compliance] [ov-misissuance] | 2023-04-28T14:22:13Z |
E-Tugra: Incident Report (Security Issues) | 1801345 | ASSIGNED | Ahmed | [ca-compliance] [uncategorized] | 2023-05-30T17:49:01Z |
Firmaprofesional: 2023 - documentary inconsistency | 1832342 | ASSIGNED | Maria Jose Prieto | [ca-compliance] | 2023-05-11T07:29:54Z |
FNMT: CRL problems displayed during the monitoring | 1828717 | ASSIGNED | Amaya Espinosa | [ca-compliance] [crl-failure] | 2023-05-10T07:37:19Z |
IdenTrust Certificate in error flagged by OCSP Watch | 1831004 | ASSIGNED | IdenTrust | [ca-compliance] [ocsp-failure] | 2023-05-12T21:16:52Z |
Netlock: Disclosed CRL is expired | 1819105 | ASSIGNED | Tamás Horváth | [ca-compliance] [crl-failure] | 2023-05-19T20:13:14Z |
NETLOCK: Pre-certificates revoked with certificateHold reason | 1830823 | ASSIGNED | Tamás Horváth | [ca-compliance] | 2023-05-17T14:08:45Z |
NETLOCK: SSL certificates with OU field | 1820174 | ASSIGNED | Tamás Horváth | [ca-compliance] [ov-misissuance] | 2023-05-17T13:17:02Z |
NETLOCK: SSL certificates with OU field - revocation delay | 1822809 | ASSIGNED | Tamás Horváth | [ca-compliance] [leaf-revocation-delay] | 2023-05-17T13:28:34Z |
Sectigo: Certificate issuance delayed for more than 398 days after DCV was completed | 1829746 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ev-misissuance] | 2023-05-30T17:33:37Z |
Sectigo: Late revocation for incomplete Subject organizationName | 1818073 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [leaf-revocation-delay] Next update 2023-05-31 | 2023-03-31T19:26:43Z |
Sectigo: Late termination of privileged access to Certificate Systems | 1830088 | ASSIGNED | Martijn Katerbarg | [ca-compliance] | 2023-05-24T14:57:32Z |
SHECA: organizationName problems in OV and EV TLS certificates | 1815527 | ASSIGNED | chenxiaotong | [ca-compliance] [ov-misissuance][ev-misissuance] | 2023-04-10T04:53:43Z |
SSL.com: Delayed revocation of certificate with weak key | 1800753 | ASSIGNED | Thomas Zermeno | [ca-compliance] [leaf-revocation-delay] | 2023-04-13T14:18:25Z |
SSL.com: e-Tugra Security Issues | 1832570 | ASSIGNED | Thomas Zermeno | [ca-compliance] [uncategorized] | 2023-05-26T20:21:41Z |
Telekom Security: Improper use of a domain validation method | 1825780 | ASSIGNED | Arnold Essing | [ca-compliance] Next update 2023-04-21 | 2023-05-25T13:57:58Z |
Telia: Misissued certificate - wrong OrganizationName value "Hair 8 Brains" | 1828105 | ASSIGNED | pekka.lahtiharju | [ca-compliance] [ov-misissuance] | 2023-05-16T13:32:54Z |
UniTrust: EV certificate with wrong Registry Country Name | 1798626 | ASSIGNED | chenxiaotong | [ca-compliance] [ev-misissuance] | 2023-04-13T03:13:44Z |
UniTrust: Improper DER results in failure to comply with RFC 5280 - Encoded sequence component with default value | 1735908 | ASSIGNED | chenxiaotong | [ca-compliance] [ca-misissuance] | 2023-04-25T08:08:39Z |
VikingCloud: Incorrect organizationName | 1826235 | ASSIGNED | Janet Hines | [ca-compliance] [ov-misissuance] | 2023-04-21T18:09:22Z |
36 Total; 36 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
No results.
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
No results.
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: