CA/Incident Dashboard
Contents
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Apple: EV TLS pre-certificates issued without EKU extension | 1777757 | ASSIGNED | certification_authority | [ca-compliance] Next update 2022-09-30 | 2022-09-30T22:18:36Z |
| Certigna: Certificate issued with validity period greater than 398-days | 1774418 | ASSIGNED | Josselin Allemandou | [ca-compliance] | 2022-09-26T08:00:45Z |
| CFCA: not report new root certificate timely | 1784820 | ASSIGNED | bixinlong | [ca-compliance] | 2022-09-29T12:31:25Z |
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-08-15T02:01:50Z |
| CFCA: The wrong status of OCSP | 1778035 | ASSIGNED | bixinlong | [ca-compliance] Next update 2022-10-15 | 2022-09-30T12:39:17Z |
| DFN-PKI: OCSP/CRL inconsistencies | 1786313 | ASSIGNED | Jürgen Brauckmann | [ca-compliance] Next update 2022-09-24 | 2022-09-23T07:51:59Z |
| Entrust: TLS Certificate issued with an incorrect state or province | 1792231 | ASSIGNED | Bruce Morton | [ca-compliance] | 2022-09-23T17:29:03Z |
| IdenTrust Expired CRLs | 1792111 | ASSIGNED | IdenTrust | [ca-compliance] | 2022-09-30T00:09:29Z |
| Let’s Encrypt: Certificates issued to Elliptic Curve Debian Weak Keys | 1789521 | ASSIGNED | Andrew Gabbitas | [ca-compliance] | 2022-09-19T18:13:00Z |
| NAVER Cloud: DV certificate issued with no subject alternative name extension | 1785865 | ASSIGNED | Han Yong, Park | [ca-compliance] | 2022-09-24T01:12:01Z |
| Sectigo: Misspelled city name in localityName field | 1782356 | ASSIGNED | Tim Callan | [ca-compliance] Next update 2022-09-30 | 2022-09-28T19:13:03Z |
| SecureTrust: 2 certificates with non-DER encoded keyUsage extension | 1776764 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2022-10-03 | 2022-08-09T15:07:45Z |
| SecureTrust: Incorrect OCSP response | 1765800 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2022-09-28 | 2022-09-30T12:17:28Z |
| SecureTrust: Invalid localityName | 1720723 | ASSIGNED | Andrea Holland | [ca-compliance] Next update 2022-09-28 | 2022-09-29T14:34:06Z |
| SSL.com: Issuance of 1 EV TLS certificate using a Registration/Incorporation Agency not included in our approved public list. | 1790693 | ASSIGNED | Chris Kemmerer | [ca-compliance] | 2022-09-30T21:18:48Z |
| SwissSign: Missed deadline of publication of 6 CPs and 1 CP/CPS | 1784881 | ASSIGNED | Mike Guenther | [ca-compliance] | 2022-09-22T12:14:28Z |
| UniTrust: EV certificate with wildcard domain in common name and SAN | 1787537 | ASSIGNED | chenxiaotong | [ca-compliance] | 2022-09-26T16:14:50Z |
| UniTrust: Improper DER results in failure to comply with RFC 5280 - Encoded sequence component with default value | 1735908 | ASSIGNED | chenxiaotong | [ca-compliance] Next update 2022-10-15 | 2022-08-31T03:11:33Z |
18 Total; 18 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| CFCA: Overdue Audit Statements 2021 | 1741497 | ASSIGNED | Oliver Bi | [ca-compliance] [audit-delay] | 2022-08-15T02:01:50Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| Amazon Trust Services: Delayed Revocation of Subordinate CA | 1743943 | ASSIGNED | Trevoli (Amazon Trust Services) | [ca-compliance] [delayed-revocation-ca] Next update 2022-10-01 | 2022-09-30T19:42:05Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
