Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]

Full Query

ID	Summary	Status	Assigned to	Whiteboard	Last change time
1532436	Chunghwa Telecom: Test certificate with unregistered domain name	ASSIGNED	Li-Chun CHEN	[ca-compliance]	2020-10-05T17:07:55Z
1559765	Izenpe: Multiple invalid EV certificates issued	ASSIGNED	Oscar Garcia	[ca-compliance] - Next Update - 9-October 2020	2020-08-04T07:07:21Z
1563579	Sectigo: Failure to provide timely incident reports	ASSIGNED	Rob Stradling	[ca-compliance]	2020-10-15T14:12:57Z
1565270	Telia: Qualified BR Audit Statement	ASSIGNED	pekka.lahtiharju	[ca-compliance] - Next Update - 1-November 2020	2020-10-12T14:52:04Z
1575880	GlobalSign: SSL Certificates with US country code and invalid State/Prov	ASSIGNED	douglas.beattie	[ca-compliance] - Next Update 1-Oct-2020	2020-09-15T16:25:35Z
1576013	DigiCert: JOI Issue	ASSIGNED	Jeremy Rowley	[ca-compliance] Next Update - 1-Oct-2020	2020-10-19T16:49:40Z
1586795	NetLock: Issuance of intermediates after 2019-01-01 that do not comply with Mozilla Policy	ASSIGNED	Varga Viktor	[ca-compliance]	2020-09-11T15:24:14Z
1597947	Sectigo: CCADB failed ALV - Network Solutions Certificate Authority	ASSIGNED	Rob Stradling	[ca-compliance]	2020-10-21T10:41:28Z
1626355	Atos: Tracking bug for possible audit delays	ASSIGNED	michael.schwieters	[ca-compliance][audit-delay][covid-19] Next Update 1-Oct-2020	2020-09-28T12:32:47Z
1632632	Buypass: Illegal Business Category in a PSD2 QWAC	ASSIGNED	Mads Henriksveen	[ca-compliance] Next update 1-Oct-2020	2020-10-08T16:56:07Z
1639801	Digicert: Failure to revoke key-compromised certificates within 24 hours	ASSIGNED	Brenda Bernal	[ca-compliance]	2020-10-16T18:22:24Z
1640310	GoDaddy: Failure to revoke certificate with compromised key within 24 hours	ASSIGNED	Daniela Hood	[ca-compliance]	2020-10-05T21:16:43Z
1645686	Sectigo: Lack of input validation in stateOrProvinceName	ASSIGNED	Rich Smith	[ca-compliance]	2020-10-21T00:56:07Z
1645832	GoDaddy: Expired CRLs	ASSIGNED	Daniela Hood	[ca-compliance] Next Update - 2020-11-30	2020-09-16T19:47:11Z
1647468	D-TRUST: Wrong key usage (Key Encipherment)	ASSIGNED	Enrico Entschew	[ca-compliance]	2020-10-02T13:58:22Z
1648593	Sectigo: Potential audit report delay	ASSIGNED	Nick France	[ca-compliance] [audit-delay]	2020-10-21T10:40:26Z
1648717	Sectigo: Failure to provide a preliminary report within 24 hours.	ASSIGNED	Rich Smith	[ca-compliance]	2020-10-21T12:57:11Z
1648997	Actalis: inaccurate value in stateOrProvinceName	ASSIGNED	Adriano Santoni	[ca-compliance] - Next Update - 1-October 2020	2020-10-13T06:59:05Z
1649277	DigiCert: Failure to provide a preliminary report within 24 hours.	ASSIGNED	Brenda Bernal	[ca-compliance] Next Update 1-October-2020	2020-10-22T18:22:46Z
1649679	Firmaprofesional: 2020 Audit Report Finding 2 out of 4	ASSIGNED	Maria Jose Prieto	[ca-compliance]	2020-09-14T16:07:42Z
1649726	Firmaprofesional: 2020 Audit Report Finding 4 out of 4	ASSIGNED	Maria Jose Prieto	[ca-compliance]	2020-10-08T13:23:31Z
1649880	QuoVadis: Failure to provide a preliminary report within 24 hours.	ASSIGNED	Stephen Davidson	[ca-compliance] Next Update 1-October 2020	2020-10-14T22:48:06Z
1649937	GlobalSign: Incorrect OCSP Delegated Responder Certificate	ASSIGNED	douglas.beattie	[ca-compliance] Next Update 15-Oct 2020	2020-10-20T12:23:35Z
1649938	QuoVadis: Incorrect OCSP Delegated Responder Certificate	ASSIGNED	Stephen Davidson	[ca-compliance]	2020-10-20T19:13:38Z
1649945	HARICA: Incorrect OCSP Delegated Responder Certificate	ASSIGNED	Dimitris Zacharopoulos	[ca-compliance] Next update 2-Nov-2020	2020-10-21T20:50:48Z
1649951	DigiCert: Incorrect OCSP Delegated Responder Certificate	ASSIGNED	Martin Sullivan	[ca-compliance]	2020-10-22T20:04:52Z
1649964	PKIoverheid: Incorrect OCSP Delegated Responder Certificate	ASSIGNED	Jorik van 't Hof	[ca-compliance] Next Update 30-September-2020	2020-10-12T14:50:54Z
1650845	Sectigo: Certificate Problem Report response issues	ASSIGNED	Nick France	[ca-compliance] Updates in Bug #1648717	2020-08-27T03:53:17Z
1651026	Izenpe: certificate issued to internal domain	ASSIGNED	Oscar Garcia	[ca-compliance] Next Update 1-October-2020	2020-10-14T04:58:11Z
1651132	T-Systems / DFN-PKI: 42 certificates with RSA modulus size in bits not divisable by 8	ASSIGNED	Jürgen Brauckmann	[ca-compliance] - Next Update - 2-Oct-2020	2020-10-12T14:51:26Z
1651611	Telekom Security: Finding in 2020 ETSI-Audit regarding weekly review of changes to configurations	ASSIGNED	Arnold Essing	[ca-compliance]	2020-10-21T20:48:14Z
1652581	Google Trust Services digitalSignature KeyUsage not set	ASSIGNED	Andy Warner	[ca-compliance]	2020-10-05T19:46:01Z
1653284	Izenpe: incorrect value in stateOrProvinceName	ASSIGNED	Oscar Garcia	[ca-compliance] Next Update 1-October-2020	2020-10-01T13:25:21Z
1653680	IdenTrust: OCSP Responder missing id-pkix-ocsp-nocheck	ASSIGNED	IdenTrust	[ca-compliance]	2020-09-09T22:38:28Z
1654896	GlobalSign: Certificates with RSA keys where modulus is not divisible by 8	ASSIGNED	Arvid Vermote	[ca-compliance]	2020-09-09T22:49:52Z
1654967	DigiCert: Malformed ICA	ASSIGNED	Martin Sullivan	[ca-compliance]	2020-10-15T16:37:02Z
1655698	Telekom Security: CRL also contained unrevoked certificates	ASSIGNED	Arnold Essing	[ca-compliance]	2020-10-14T17:11:05Z
1658437	Let's Encrypt intent to issue root and intermediate certificates with organizationName and CABF DV OID	ASSIGNED	Josh Aas	[ca-compliance]	2020-08-17T17:16:04Z
1658792	Entrust: Invalid data in State/Province Field	ASSIGNED	Dathan Demone	[ca-compliance]	2020-10-21T15:51:21Z
1659426	E-Tugra: audit delay because of an environmental disaster/pandemic	ASSIGNED	Davut Tokgöz	[ca-compliance][audit-delay][covid-19]	2020-09-28T12:57:31Z
1662807	GoDaddy: Certificates issued with validity periods greater than 398-days	ASSIGNED	Joanna	[ca-compliance]	2020-10-16T18:29:31Z
1663080	IdenTrust Issuance of certificates greater than 398 days	ASSIGNED	IdenTrust	[ca-compliance]	2020-10-08T14:25:31Z
1663953	TunTrust : OCSP unreachable	ASSIGNED	Agence Nationale de Certification Electronique	[ca-compliance]	2020-10-08T16:11:18Z
1664328	GlobalSign: SHA-256 hash algorithm used with ECC P-384 key	ASSIGNED	Arvid Vermote	[ca-compliance]	2020-09-28T19:49:01Z
1666872	SSL.com: Insufficient validation evidence for the localityName attribute of an OV certificate	ASSIGNED	Chris Kemmerer	[ca-compliance]	2020-10-09T16:21:57Z
1667430	Camerfirma: Invalid stateOrProvinceName field	ASSIGNED	Ana Lopes	[ca-compliance]	2020-10-19T17:25:50Z
1667448	Entrust: Incorrect keyUsage for ECC certificate	ASSIGNED	Bruce Morton	[ca-compliance]	2020-10-08T21:47:07Z
1667518	QuoVadis: Incorrect keyUsage for ECC certificate	ASSIGNED	Stephen Davidson	[ca-compliance]	2020-10-12T23:21:33Z
1667684	Asseco DS / Certum: Failure to provide a preliminary report within 24 hours.	ASSIGNED	Wojciech Trapczyński	[ca-compliance]	2020-10-08T12:31:32Z
1667690	Entrust: Failure to provide a preliminary report within 24 hours.	ASSIGNED	Dathan Demone	[ca-compliance]	2020-10-08T17:28:20Z
1667744	Dhimyotis/Certigna: Certificates issued with validity periods greater than 398-days	ASSIGNED	Josselin Allemandou	[ca-compliance]	2020-09-30T07:46:38Z
1667799	SecureTrust: Failure to provide a preliminary report within 24 hours.	ASSIGNED	Andrea Holland	[ca-compliance]	2020-10-17T23:39:50Z
1667842	SecureTrust: Inaccurate value in stateOrProvinceName	ASSIGNED	Andrea Holland	[ca-compliance]	2020-10-21T20:56:25Z
1667844	Google Trust Services: Certificates not disclosed in CCADB	ASSIGNED	Ryan Hurst	[ca-compliance]	2020-10-05T19:09:17Z
1667944	GlobalSign: Empty SingleExtension in OCSP responses	ASSIGNED	Paul Brown	[ca-compliance]	2020-09-29T15:10:26Z
1667986	Asseco DS / Certum: Invalid stateOrProvinceName field	ASSIGNED	Aleksandra Kurosz	[ca-compliance]	2020-10-16T13:02:00Z
1668005	GlobalSign: Failure to provide a preliminary report within 24 hours	ASSIGNED	Arvid Vermote	[ca-compliance]	2020-10-02T18:18:45Z
1668007	GlobalSign: Invalid stateOrProvinceName value	ASSIGNED	Arvid Vermote	[ca-compliance]	2020-10-07T13:50:22Z
1669518	PKIoverheid: Overdue audit statements for intermediate certificates	ASSIGNED	Jorik van 't Hof	[ca-compliance]	2020-10-06T16:00:27Z
1669594	Identrust: Issuance of Subordinate CA’s Without EKU	ASSIGNED	IdenTrust	[ca-compliance]	2020-10-17T00:28:29Z
1669618	Apple: Empty SingleExtension in OCSP responses	ASSIGNED	certification_authority	[ca-compliance]	2020-10-17T00:17:31Z
1670337	Microsoft PKI Services: Certificate Mis-Issuance, DNSNames must have a valid TLD	ASSIGNED	John Mason	[ca-compliance]	2020-10-21T17:03:43Z
1670458	Disig: Failure to provide a preliminary report within 24 hours.	ASSIGNED	Peter Miskovic	[ca-compliance]	2020-10-21T08:37:07Z
1670894	SwissSign: Invalid stateOrProvinceName field	ASSIGNED	Mike Guenther	[ca-compliance]	2020-10-19T16:58:43Z
1671037	SecureTrust: CPS section 6.1.1.1 number 3 non-compliance event	ASSIGNED	Andrea Holland	[ca-compliance]	2020-10-14T21:33:36Z
1671113	SwissSign: Failure to provide a preliminary report within 24 hours.	ASSIGNED	Mike Guenther	[ca-compliance]	2020-10-19T17:06:09Z
1671410	IdenTrust / ISRG: Inconsistent Disclosure of Externally-Operated Intermediate	ASSIGNED	IdenTrust	[ca-compliance]	2020-10-19T22:55:32Z
1672029	Camerfirma: Failure to abide by Section 8 of Mozilla Policy: Unauthorized, improperly disclosed Subordinate CA	ASSIGNED	Ana Lopes	[ca-compliance]	2020-10-21T19:01:27Z
1672208	DFN-PKI: Finding in 2020 ETSI audit	ASSIGNED	Jürgen Brauckmann	[ca-compliance]	2020-10-21T01:54:48Z
1672409	Camerfirma: suspicious certificate for com.com	ASSIGNED	Ana Lopes	[ca-compliance]	2020-10-21T15:42:55Z
1672562	Camerfirma: Incorrect disclosure of Intesa Sanpaolo sub-CA	ASSIGNED	Ana Lopes	[ca-compliance]	2020-10-22T09:43:51Z

71 Total; 71 Open (100%); 0 Resolved (0%); 0 Verified (0%);

Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

Whiteboard = [ca-compliance][audit-delay]
For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]

Full Query

ID	Summary	Status	Assigned to	Whiteboard	Last change time
1626355	Atos: Tracking bug for possible audit delays	ASSIGNED	michael.schwieters	[ca-compliance][audit-delay][covid-19] Next Update 1-Oct-2020	2020-09-28T12:32:47Z
1648593	Sectigo: Potential audit report delay	ASSIGNED	Nick France	[ca-compliance] [audit-delay]	2020-10-21T10:40:26Z
1659426	E-Tugra: audit delay because of an environmental disaster/pandemic	ASSIGNED	Davut Tokgöz	[ca-compliance][audit-delay][covid-19]	2020-09-28T12:57:31Z

3 Total; 3 Open (100%); 0 Resolved (0%); 0 Verified (0%);

Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

Full Query

ID	Summary	Status	Assigned to	Whiteboard	Last change time
1591005	GlobalSign: ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report	ASSIGNED	Arvid Vermote	[ca-compliance] [delayed-revocation-ca] Next Update 1-Oct-2020	2020-09-30T08:59:43Z
1620561	Sectigo: Non-revocation of certificates with subject:organizationalUnitName in DV certificates	ASSIGNED	Nick France	[ca-compliance] [delayed-revocation-leaf]	2020-10-19T20:29:10Z
1628292	Buypass: Failure to revoke PSD2 QWACs within mandated 5 days	ASSIGNED	Mads Henriksveen	[ca-compliance] [delayed-revocation-leaf]	2020-09-28T12:20:21Z
1647099	Camerfirma: Delayed revocations related to Invalid authorityKeyIdentifier - recurrent incident	ASSIGNED	Ana Lopes	[ca-compliance] [delayed-revocation-leaf] [covid-19]	2020-10-14T19:23:23Z
1651447	GlobalSign: Failure to revoke noncompliant ICA within 7 days	ASSIGNED	Arvid Vermote	[ca-compliance] [delayed-revocation-ca]	2020-10-12T14:48:51Z
1651461	DigiCert: Failure to revoke within 7 days: OCSP EKU issue	ASSIGNED	Brenda Bernal	[ca-compliance] [delayed-revocation-ca]	2020-10-22T20:04:17Z
1651465	HARICA: Delayed revocation for non-BR-compliant CA Certificates within 7 days	ASSIGNED	Dimitris Zacharopoulos	[ca-compliance] [delayed-revocation-ca] Next update 5-Oct-2020	2020-10-19T18:45:36Z
1651481	Entrust: Late Revocation due to SHA-256 hash algorithm	ASSIGNED	Bruce Morton	[ca-compliance] [delayed-revocation-leaf]	2020-10-05T21:05:20Z
1651487	Telekom Security: Delayed Revocations of Sub-CA certificates	ASSIGNED	Arnold Essing	[ca-compliance] [delayed-revocation-ca] Next update 2-Oct-2020	2020-10-19T10:25:54Z
1651553	QuoVadis: Failure to revoke within 7 days: OCSP EKU issue	ASSIGNED	Stephen Davidson	[ca-compliance] [delayed-revocation-ca] Next update 1-Oct-2020	2020-10-20T19:14:48Z
1651632	Microsec: Failure to revoke noncompliant ICA within 7 days	ASSIGNED	dr. Sándor SZŐKE	[ca-compliance] [delayed-revocation-ca] Next update 15-Oct-2020	2020-10-18T11:02:09Z
1651637	Firmaprofesional: Failure to revoke ICAs within 7 days: OCSP EKU	ASSIGNED	Maria Jose Prieto	[ca-compliance] [delayed-revocation-ca]	2020-10-15T15:05:38Z
1651651	Actalis: Failure to revoke within 7 days: OCSP EKU issue	ASSIGNED	Adriano Santoni	[ca-compliance] [delayed-revocation-ca] Next Update - 1-Oct-2020	2020-10-12T23:07:31Z
1651730	WISeKey: Failure to revoke ICA Certificates within 7 days (OCSP EKU)	ASSIGNED	Pedro Fuentes	[ca-compliance] [delayed-revocation-ca] Next Update - 1-Oct-2020	2020-10-03T18:21:52Z
1652603	Camerfirma: Failure to revoke within 7 days: OCSP EKU issue	ASSIGNED	Eusebio Herrera	[ca-compliance] [delayed-revocation-ca]	2020-10-02T12:31:02Z
1652604	PKIoverheid: Failure to revoke within 7 days: OCSP EKU issue	ASSIGNED	Jorik van 't Hof	[ca-compliance] [delayed-revocation-ca] Next update 30-Sept-2020	2020-10-09T07:33:51Z
1652610	SECOM: Delayed Revocation of CA Certificate with OCSP EKU Issue	ASSIGNED	Hisashi Kamo	[ca-compliance] [delayed-revocation-ca]	2020-10-12T19:31:36Z
1656487	Izenpe: Failure to revoke within 5 days	ASSIGNED	Oscar Garcia	[ca-compliance][delayed-revocation-leaf]	2020-09-29T14:30:29Z
1656882	Netlock - Failure to revoke noncompliant ICA within 7 days	ASSIGNED	Varga Viktor	[ca-compliance] [delayed-revocation-ca]	2020-10-05T21:11:47Z
1665763	Sectigo: Failure to revoke within 5 days	ASSIGNED	Rich Smith	[ca-compliance] [delayed-revocation-leaf]	2020-10-15T14:47:26Z
1668331	Camerfirma: Delayed revocations related to Invalid stateOrProvinceName field	ASSIGNED	Juan Angel Martin	[ca-compliance] [delayed-revocation-leaf]	2020-10-20T09:01:55Z
1668523	Asseco DS/Certum: Failure to revoke within 5 days	ASSIGNED	Aleksandra Kurosz	[ca-compliance] [delayed-revocation-leaf]	2020-10-17T00:13:31Z
1670861	Actalis: delayed revocation related to inaccurate value in stateOrProvinceName	ASSIGNED	Adriano Santoni	[ca-compliance] [delayed-revocation-leaf]	2020-10-16T20:36:14Z

23 Total; 23 Open (100%); 0 Resolved (0%); 0 Verified (0%);

Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here:

https://wiki.mozilla.org/CA/Closed_Incidents

CA/Incident Dashboard

Contents

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

Audit Delays

Revocation Delays

Closed CA Bugs

Closed CA Compliance Bugs

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

How to Contribute

MozillaWiki

Around Mozilla

Tools