CA/Incident Dashboard: Difference between revisions
< CA
Jump to navigation
Jump to search
(→Revocation Delays: Clarifications) |
(Added [covid-19] whiteboard tag) |
||
| Line 7: | Line 7: | ||
* https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other | * https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other | ||
* Whiteboard = [ca-compliance] | * Whiteboard = [ca-compliance] | ||
** If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19] | |||
<bugzilla> | <bugzilla> | ||
Revision as of 20:51, 20 March 2020
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| ID | Summary | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| 1911183 | [meta] Delayed Revocation | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2025-06-10T20:05:50Z |
| 1962829 | Microsoft PKI Services: Policy document bug | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2026-03-14T04:04:13Z |
| 1965612 | Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [leaf-revocation-delay] | 2026-03-16T21:36:51Z |
| 1983263 | PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #3 – Internal Audit | ASSIGNED | Policy Authority PKIoverheid | [ca-compliance] [audit-finding] | 2026-03-09T14:44:12Z |
| 1983267 | PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #7 – Change Management | ASSIGNED | Policy Authority PKIoverheid | [ca-compliance] [audit-finding] Next update 2026-03-20 | 2026-03-09T14:45:09Z |
| 1985816 | PKIoverheid: TSP Cleverbase Findings in 2025 ETSI Audit - Incident Report #1 – Incorrect issuer CA listed in CPS | ASSIGNED | Policy Authority PKIoverheid | [ca-compliance] [audit-finding] Next update 2026-04-14 | 2026-01-27T15:16:50Z |
| 1986968 | Financijska agencija (Fina): Mis-issued certificates | ASSIGNED | miroslav.perincic | [ca-compliance] [dv-misissuance] | 2026-02-19T16:20:59Z |
| 1990254 | SwissSign: recommendation on risk assessment | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:50:25Z |
| 1990263 | SwissSign: recommendation on BIA/BCP review | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:27Z |
| 1990266 | SwissSign: recommendation on BIA/BCP test coverage | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:38Z |
| 1990269 | SwissSign: recommendation on document release dual control | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:48Z |
| 1990271 | SwissSign: recommendation on firewall review | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:54Z |
| 1990272 | SwissSign: recommendation on backup testing | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:09Z |
| 1990274 | SwissSign: recommendation on synchronization of staging and production environments | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:18Z |
| 1990275 | SwissSign: recommendation on publication process for CA related data | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:27Z |
| 1990276 | SwissSign: recommendation on evaluation of cloud service providers | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:39Z |
| 1990277 | SwissSign: recommendation on CA-specific risk assessment | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:51Z |
| 1990281 | SwissSign: recommendation on self-assessment tool | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:53:00Z |
| 1990282 | SwissSign: recommendation on linting software updates | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-11-03T08:50:16Z |
| 1990284 | SwissSign: recommendation on review of key pair generation implementation | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:53:56Z |
| 1990285 | SwissSign: recommendation on log review process | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:54:20Z |
| 1993357 | SHECA: TLS certificate key generation online | ASSIGNED | SHECA | [ca-compliance] [dv-misissuance] [ov-misissuance] | 2026-03-13T14:23:41Z |
| 1994051 | SHECA: Delayed revocation of TLS certificates affected by bug #1993357 | ASSIGNED | SHECA | [ca-compliance] [leaf-revocation-delay] | 2026-03-13T14:23:22Z |
| 1999850 | Microsoft PKI Services: OCSP Non-Compliance | ASSIGNED | Microsoft PKI Services | [ca-compliance] [ocsp-failure] Next update 2026-04-24 | 2026-02-19T17:29:22Z |
| 2004699 | Netlock: CA in AIA in PEM format | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-16T20:31:37Z |
| 2005194 | Buypass: Findings in 2025 ETSI Audit - Audit Incident Report #1 - Compliance auditing on support processes | ASSIGNED | Mads Henriksveen | [ca-compliance] [audit-finding] Next update 2026-04-08 | 2026-03-16T14:40:11Z |
| 2005196 | Buypass: Findings in 2025 ETSI Audit - Audit Incident Report #2 - Supply chain policy | ASSIGNED | Mads Henriksveen | [ca-compliance] [audit-finding] Next update 2026-04-08 | 2026-03-16T14:39:39Z |
| 2007070 | SECOM: Non conformant SCT Encoding Due to SCT Modification by Cybertrust Japan (CTJ) | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [ov-misissuance] | 2026-03-16T08:40:23Z |
| 2007105 | Asseco DS / Certum: CRL URLs disclosed in CCADB do not exactly match the CRL URLs in certificates | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [disclosure-failure] Next update 2026-03-31 | 2026-03-16T13:51:33Z |
| 2007116 | D-Trust: CRL URL Disclosure | ASSIGNED | Ana Laura Martorano | [ca-compliance] [disclosure-failure] | 2026-03-13T12:29:16Z |
| 2007216 | GoDaddy: CRL Disclosure in CCADB Mismatch with Issued Certificates | ASSIGNED | Steven Deitte | [ca-compliance] [disclosure failure] Next update 2026-04-03 | 2026-03-16T15:11:07Z |
| 2007217 | GoDaddy: Partitioned CRL files missing Issuing Distribution Point | ASSIGNED | Steven Deitte | [ca-compliance] [disclosure failure] Next update 2026-03-20 | 2026-03-02T18:50:54Z |
| 2007948 | NETLOCK: Full Incident Report was not published within 14 days of notification | ASSIGNED | Roland | [ca-compliance] [disclosure failure] | 2026-03-16T20:33:01Z |
| 2009149 | D-Trust: Expired certificate provided on the CA TLS test website for demonstration of valid certificates | ASSIGNED | Ana Laura Martorano | [ca-compliance] [policy-failure] | 2026-03-13T12:28:39Z |
| 2009941 | Firmaprofesional: Misissuance of TLS Subordinate CA "AC Firmaprofesional - Secure Web 2024" | ASSIGNED | ext-antoni.camon | [ca-compliance] [ca-misissuance] | 2026-03-13T12:24:31Z |
| 2011238 | Telekom Security / DFN: CRL of “DFN-Verein Certification Authority 2“ contains empty revoked certificate list | ASSIGNED | Stefan Kirch | [close on 2026-03-17] [ca-compliance] [crl-failure] | 2026-03-10T15:18:22Z |
| 2011314 | Netlock: unspecifed revocation code (0) in CRL | ASSIGNED | Roland | [ca-compliance] [crl-failure] | 2026-03-16T20:34:16Z |
| 2011430 | D-Trust: Delayed publication of audit attestation letters in the CCADB | ASSIGNED | Ana Laura Martorano | [ca-compliance] [audit-delay] | 2026-03-06T08:10:02Z |
| 2011713 | TrustAsia: ACME Authorization Reuse Non-Compliance | ASSIGNED | TrustAsia | [close on 2026-03-17] [ca-compliance] [dv-misissuance] | 2026-03-10T14:57:37Z |
| 2011855 | Firmaprofesional: Delayed revocation of TLS certificates affected by bug #2009941 | ASSIGNED | ext-antoni.camon | [ca-compliance] [leaf-revocation-delay] [ca-revocation-delay] | 2026-03-11T16:49:05Z |
| 2011865 | TrustAsia: SSL DV Mis-issuance against CP/CPS (IPAddress) | ASSIGNED | TrustAsia | [close on 2026-03-17] [ca-compliance] [dv-misissuance] | 2026-03-10T14:56:33Z |
| 2012101 | Telia: S/MIME Misissuance - incorrect subject information for Multipurpose sponsor-validated-profile | ASSIGNED | Antti Backman | [ca-compliance] [smime-misissuance] Next update 2026-03-17 | 2026-03-17T05:39:47Z |
| 2012511 | D-Trust: CRL HTTP Media Type | ASSIGNED | Ana Laura Martorano | [ca-compliance] [crl-failure] | 2026-03-13T12:29:39Z |
| 2013395 | NETLOCK: Missing Related Incidents section in the bug report | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-12T20:02:39Z |
| 2013400 | NETLOCK: did not file a preliminary incident report or respond to a third-party report within the 72-hour timeframe | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-12T20:18:29Z |
| 2013805 | iTrusChina: Finding in Routine WebTrust Audit - Domain validation records without the TLS BR version | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [audit-finding] | 2026-03-09T09:56:37Z |
| 2014590 | IdenTrust: Unauthorized OCSP responses for cross-signed roots | ASSIGNED | IdenTrust | [ca-compliance] [ocsp-failure] | 2026-03-12T16:55:17Z |
| 2014609 | IdenTrust: Cross-signed root certificate mis-issuance | ASSIGNED | IdenTrust | [ca-compliance] [ca-misissuance] | 2026-02-20T23:22:44Z |
| 2014610 | IdenTrust: Root OCSP Signer certificate mis-issuance | ASSIGNED | IdenTrust | [ca-compliance] [uncategorized] | 2026-02-20T23:06:39Z |
| 2015186 | DigiCert: Subject Serial Numbers for Non-Commercial Entities | ASSIGNED | DigiCert | [close on 2026-03-18] [ca-compliance] [ev-misissuance] | 2026-03-16T13:07:39Z |
| 2015383 | SHECA: CRL of root CA not published within 24 hours | ASSIGNED | SHECA | [ca-compliance] [crl-failure] | 2026-03-17T14:20:21Z |
| 2015562 | Agencia Notarial de Certificacion (ANCERT): Missing Contact Information in CCADB | UNCONFIRMED | [ca-compliance] [disclosure-failure] | 2026-02-10T18:04:14Z | |
| 2015563 | Byte Computer: Missing Contact Information in CCADB | ASSIGNED | Spyros Kollias | [ca-compliance] [disclosure-failure] | 2026-02-10T18:07:31Z |
| 2015564 | Carillon Information Security: Missing Contact Information in CCADB | ASSIGNED | Lyne Brosseau | [ca-compliance] [disclosure-failure] | 2026-03-04T12:40:30Z |
| 2015565 | Certicamara: Missing Contact Information in CCADB | ASSIGNED | Direccion TICS | [ca-compliance] [disclosure-failure] | 2026-02-10T18:08:45Z |
| 2015566 | Echoworx: Missing Contact Information in CCADB | ASSIGNED | Echoworx | [ca-compliance] [disclosure-failure] | 2026-02-10T21:19:01Z |
| 2015567 | Government of Saudi Arabia, NIC (SDAIA): Missing Contact Information in CCADB | ASSIGNED | Ammar | [ca-compliance] [disclosure-failure] | 2026-02-18T09:03:16Z |
| 2015568 | NISZ Nemzeti Infokommunikacios Szolgaltato: Missing Contact Information in CCADB | UNCONFIRMED | [ca-compliance] [disclosure-failure] | 2026-02-10T18:05:35Z | |
| 2015569 | Swiss BIT (FOITT): Missing Contact Information in CCADB | ASSIGNED | Steph | [ca-compliance] [disclosure-failure] | 2026-02-10T18:08:09Z |
| 2016066 | Firmaprofesional: Delayed preliminary response under BR 4.9.5 (Bug #2009941) | ASSIGNED | ext-antoni.camon | [ca-compliance] [policy-failure] | 2026-03-13T12:16:20Z |
| 2016267 | IdenTrust: Gap between audit periods | ASSIGNED | IdenTrust | [ca-compliance] [audit-failure] | 2026-03-13T22:49:16Z |
| 2016475 | Firmaprofesional: Delayed revocation disclosure of TLS Subordinate CA certificate Secure Web 2024 in CCADB | ASSIGNED | ext-antoni.camon | [ca-compliance] [disclosure-failure] | 2026-03-06T14:35:18Z |
| 2016585 | IdenTrust: Test Certificates from cross-signed roots not disclosed in CT Logs | ASSIGNED | IdenTrust | [ca-compliance] [uncategorized] | 2026-02-26T15:30:29Z |
| 2016672 | certSIGN: certificates with delayed SCT signature | ASSIGNED | Gabriel PETCU | [ca-compliance] [ov-misissuance] | 2026-03-09T12:49:18Z |
| 2016722 | PostSignum: Mis-issued certificate | ASSIGNED | CA PostSignum | [close on 2026-03-17] [ca-compliance] [ov-misissuance] | 2026-03-16T17:43:16Z |
| 2017185 | DigiCert: CAA processing during network disruption | ASSIGNED | DigiCert | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] | 2026-03-16T17:54:36Z |
| 2017747 | Google Trust Services: Outdated BR version in some validation records | ASSIGNED | Google Trust Services | [ca-compliance] [policy-failure] Next update 2026-03-31 | 2026-03-04T16:11:59Z |
| 2017840 | SECOM: Repository service disruption affecting subordinate CAs (CTJ) | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [policy-failure] | 2026-03-12T05:31:49Z |
| 2017845 | HARICA: Incorrect nCAId in PSD2 QCStatement for QWACs | ASSIGNED | HARICA | [ca-compliance] Next update 2026-03-27 | 2026-03-05T17:47:13Z |
| 2019995 | Sectigo: Package patching gap within Certificate Systems | ASSIGNED | Martijn Katerbarg | [ca-compliance] [uncategorized] | 2026-03-17T15:38:13Z |
| 2020899 | iTrusChina: Failure to Respond to Feb 2026 Chrome Root Program Survey | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [disclosure-failure] | 2026-03-16T08:40:27Z |
| 2021175 | Microsoft PKI Services: Failure to update action item status within 3 days | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2026-03-05T17:52:26Z |
| 2021239 | PostSignum: Length Subject organizationName | ASSIGNED | CA PostSignum | [ca-compliance] [ov-misissuance] | 2026-03-05T17:53:54Z |
| 2021550 | SECOM: 2025 S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ) | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [ca-misissuance] [disclosure-failure] [audit-finding] [ca-revocation-delay] | 2026-03-16T11:04:02Z |
| 2021559 | NETLOCK: Unavailability of the document repository | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-12T21:02:42Z |
| 2021685 | Asseco DS / Certum: Finding in Routine WebTrust Audit – S/MIME certificates issued with mailbox validation older than 30 days | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] | 2026-03-13T14:38:20Z |
| 2023190 | Asseco DS / Certum: Delayed revocation of S/MIME certificates issued with mailbox validation older than 30 days | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [leaf-revocation-delay] | 2026-03-13T15:27:47Z |
| 2023458 | D-Trust: TLS Precertificates Exceeding the Maximum Validity Period Allowed by the TLS Baseline Requirements | ASSIGNED | Enrico Entschew | [ca-compliance] [__-misissuance] | 2026-03-17T12:13:02Z |
| 2023563 | SECOM: Incorrect CCADB Non-Audit Document References for FUJIFILM Fnet CA - C | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [disclosure-failure] | 2026-03-16T14:35:17Z |
79 Total; 79 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
No results.
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: