CA/Incident Dashboard: Difference between revisions
m (Added column last_change_time) |
m (Added introductory list) |
| (27 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
= Open CA Bugs in Bugzilla = | = Open CA Bugs in Bugzilla = | ||
There are three separate lists of open compliance bugs below: | |||
== Open Incident | * Compliance bugs (not including audit delays or leaf revocation delays) | ||
* Audit Delays | |||
* Leaf Revocation Delays | |||
== Open CA Compliance Bugs == | |||
A CA compliance bug relates to a concern about a CA's certificates failing to comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] and/or a [https://cabforum.org/ CA/Browser Forum] requirement, and is determined to not be an [https://www.mozilla.org/en-US/security/#For_Developers imminent security concern]. A CA's response to a CA compliance bug includes providing an [[CA/Responding_To_An_Incident#Incident_Report|Incident Report]] in the bug. | |||
Anyone may create a CA Compliance bug as follows: | |||
* https://bugzilla.mozilla.org/enter_bug.cgi?product=CA+Program&component=CA+Certificate+Compliance&version=other | |||
* Whiteboard = [ca-compliance] | |||
** If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19] | |||
<bugzilla> | <bugzilla> | ||
{ | { | ||
"component":"CA Certificate | "component":"CA Certificate Compliance", | ||
"status":["UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED"], | "status":["UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED"], | ||
" | "f1": "OP", | ||
" | "j1": "AND", | ||
"include_fields": "id | "f2": "status_whiteboard", | ||
"o2": "allwordssubstr", | |||
"v2": "ca-compliance", | |||
"f3": "status_whiteboard", | |||
"o3": "nowordssubstr", | |||
"v3": "leaf-revocation-delay", | |||
"f4": "status_whiteboard", | |||
"o4": "nowordssubstr", | |||
"v4": "audit-delay", | |||
"include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time, creation_time", | |||
"order": "short_desc ASC" | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
== | == Audit Delays == | ||
The | The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla [[CA/Audit_Statements|when they are due]]. Such bugs should be reported as [[CA/Bug_Triage#Compliance_Problems_and_Incidents|CA compliance issues]], with the following whiteboard tags as described [https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay here]. | ||
*Whiteboard = [ca-compliance][audit-delay] | |||
*For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19] | |||
<bugzilla> | <bugzilla> | ||
{ | { | ||
"component":"CA Certificate | "component":"CA Certificate Compliance", | ||
"status":["UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED"], | "status":["UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED"], | ||
" | "f1": "OP", | ||
" | "j1": "AND", | ||
"include_fields": "id | "f2": "status_whiteboard", | ||
"o2": "allwordssubstr", | |||
"v2": "ca-compliance", | |||
"f3": "status_whiteboard", | |||
"o3": "allwordssubstr", | |||
"v3": "audit-delay", | |||
"include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time, creation_time", | |||
"order": "short_desc ASC" | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
== | == Revocation Delays == | ||
The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in [[CA/Responding_To_An_Incident#Revocation]], Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an [[CA/Responding_To_An_Incident#Incident_Report|Incident Report]]. | |||
Such bugs should be reported as [[CA/Bug_Triage#Compliance_Problems_and_Incidents|CA compliance issues]], and will be categorized appropriately during triage. | |||
<bugzilla> | <bugzilla> | ||
{ | { | ||
"component":"CA Certificate | "component":"CA Certificate Compliance", | ||
"status":["UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED"], | "status":["UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED"], | ||
" | "f1": "OP", | ||
" | "j1": "AND", | ||
"include_fields": "id | "f2": "status_whiteboard", | ||
"o2": "allwordssubstr", | |||
"v2": "ca-compliance", | |||
"f3": "status_whiteboard", | |||
"o3": "allwordssubstr", | |||
"v3": "leaf-revocation-delay", | |||
"include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time, creation_time", | |||
"order": "short_desc ASC" | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
= Closed CA Bugs = | |||
== Closed CA Compliance Bugs == | |||
A historical view of past CA compliance bugs may be found here: | |||
* https://wiki.mozilla.org/CA/Closed_Incidents | |||
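Review bot: the third query does not cover one of the two tags its own section text names. The Revocation Delays paragraph says bugs are tagged with [ca-revocation-delay] or [leaf-revocation-delay], but that query filters only on "v3": "leaf-revocation-delay", and the first query's exclusions ("o3"/"o4": "nowordssubstr") cover only leaf-revocation-delay and audit-delay. A bug tagged only [ca-revocation-delay] would therefore be listed under Open CA Compliance Bugs and not under Revocation Delays. Suggest either matching both tags in the third query and excluding both in the first, or narrowing the paragraph to the leaf tag. Related naming point: the new introductory list calls the third list "Leaf Revocation Delays" while its heading is "== Revocation Delays =="; pick one. Minor: each query opens a group with "f1": "OP" and no closing "CP" entry is visible; adding it would make the grouping explicit.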
Latest revision as of 20:44, 1 October 2024
Open CA Bugs in Bugzilla
There are three separate lists of open compliance bugs below:
- Compliance bugs (not including audit delays or leaf revocation delays)
- Audit Delays
- Leaf Revocation Delays
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=CA+Program&component=CA+Certificate+Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| Agencia Notarial de Certificacion (ANCERT): Missing Contact Information in CCADB | 2015562 | UNCONFIRMED | | [ca-compliance] [disclosure-failure] | 2026-03-24T06:57:52Z | 2026-02-09T18:36:46Z |
| Asseco DS / Certum: CRL URLs disclosed in CCADB do not exactly match the CRL URLs in certificates | 2007105 | ASSIGNED | Kateryna Aleksieieva | [close on 2026-03-30] [ca-compliance] [disclosure-failure] | 2026-03-23T14:49:12Z | 2025-12-19T13:32:26Z |
| Asseco DS / Certum: Finding in Routine WebTrust Audit – S/MIME certificates issued with mailbox validation older than 30 days | 2021685 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] Next update 2026-04-20 | 2026-03-27T17:07:43Z | 2026-03-07T10:05:43Z |
| Buypass: Findings in 2025 ETSI Audit - Audit Incident Report #1 - Compliance auditing on support processes | 2005194 | ASSIGNED | Mads Henriksveen | [ca-compliance] [audit-finding] Next update 2026-04-08 | 2026-03-16T14:40:11Z | 2025-12-10T13:20:20Z |
| Buypass: Findings in 2025 ETSI Audit - Audit Incident Report #2 - Supply chain policy | 2005196 | ASSIGNED | Mads Henriksveen | [ca-compliance] [audit-finding] Next update 2026-04-08 | 2026-03-16T14:39:39Z | 2025-12-10T13:22:48Z |
| Byte Computer: Missing Contact Information in CCADB | 2015563 | ASSIGNED | Spyros Kollias | [ca-compliance] [disclosure-failure] | 2026-03-19T01:24:18Z | 2026-02-09T18:36:51Z |
| Carillon Information Security: Missing Contact Information in CCADB | 2015564 | ASSIGNED | Lyne Brosseau | [ca-compliance] [disclosure-failure] | 2026-03-19T01:06:25Z | 2026-02-09T18:37:02Z |
| Certicamara: Missing Contact Information in CCADB | 2015565 | ASSIGNED | Direccion TICS | [ca-compliance] [disclosure-failure] | 2026-03-19T01:24:29Z | 2026-02-09T18:37:08Z |
| certSIGN: certificates with delayed SCT signature | 2016672 | ASSIGNED | Gabriel PETCU | [close on 2026-03-30] [ca-compliance] [ov-misissuance] | 2026-03-23T14:56:11Z | 2026-02-13T11:01:07Z |
| certSIGN: delay in updating a Bugzilla ticket | 2025318 | ASSIGNED | Gabriel PETCU | [ca-compliance] [policy-failure] | 2026-03-23T15:03:58Z | 2026-03-23T13:55:28Z |
| Chunghwa Telecom: Test Website certificate not revoked | 2025231 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [policy-failure] | 2026-03-23T15:01:06Z | 2026-03-23T03:23:44Z |
| D-Trust: CRL HTTP Media Type | 2012511 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [crl-failure] | 2026-03-27T17:02:37Z | 2026-01-26T16:16:11Z |
| D-Trust: CRL URL Disclosure | 2007116 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [disclosure-failure] | 2026-03-27T07:38:54Z | 2025-12-19T14:22:17Z |
| D-Trust: Expired certificate provided on the CA TLS test website for demonstration of valid certificates | 2009149 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [policy-failure] | 2026-03-27T08:39:41Z | 2026-01-08T12:14:02Z |
| D-Trust: TLS Precertificates Exceeding the Maximum Validity Period Allowed by the TLS Baseline Requirements | 2023458 | ASSIGNED | Enrico Entschew | [ca-compliance] [__-misissuance] | 2026-03-27T13:19:40Z | 2026-03-15T21:03:13Z |
| DigiCert: CAA processing during network disruption | 2017185 | ASSIGNED | DigiCert | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] | 2026-03-26T21:31:59Z | 2026-02-16T19:53:36Z |
| Echoworx: Missing Contact Information in CCADB | 2015566 | ASSIGNED | Echoworx | [ca-compliance] [disclosure-failure] | 2026-02-10T21:19:01Z | 2026-02-09T18:37:14Z |
| Financijska agencija (Fina): Mis-issued certificates | 1986968 | ASSIGNED | miroslav.perincic | [ca-compliance] [dv-misissuance] | 2026-03-24T16:07:17Z | 2025-09-04T16:47:06Z |
| Firmaprofesional: Delayed initial incident reporting for Bug 2016475 (72-hour preliminary and 14-day full report timing) | 2025536 | ASSIGNED | ext-antoni.camon | [ca-compliance] [policy-failure] | 2026-03-25T02:56:30Z | 2026-03-23T17:41:52Z |
| Firmaprofesional: Delayed preliminary response under BR 4.9.5 (Bug #2009941) | 2016066 | ASSIGNED | ext-antoni.camon | [close on 2026-03-30] [ca-compliance] [policy-failure] | 2026-03-23T14:50:28Z | 2026-02-11T10:36:54Z |
| Firmaprofesional: Delayed revocation disclosure of TLS Subordinate CA certificate Secure Web 2024 in CCADB | 2016475 | ASSIGNED | ext-antoni.camon | [ca-compliance] [disclosure-failure] | 2026-03-23T17:54:35Z | 2026-02-12T16:15:17Z |
| Firmaprofesional: Delayed weekly updates and responses on open incident reports | 2025538 | UNCONFIRMED | ext-antoni.camon | [ca-compliance] [policy-failure] | 2026-03-25T02:57:05Z | 2026-03-23T17:46:59Z |
| Firmaprofesional: Misissuance of TLS Subordinate CA "AC Firmaprofesional - Secure Web 2024" | 2009941 | ASSIGNED | ext-antoni.camon | [ca-compliance] [ca-misissuance] | 2026-03-23T17:57:33Z | 2026-01-13T10:59:12Z |
| GoDaddy: CRL Disclosure in CCADB Mismatch with Issued Certificates | 2007216 | ASSIGNED | Steven Deitte | [ca-compliance] [disclosure failure] Next update 2026-04-03 | 2026-03-16T15:11:07Z | 2025-12-20T00:13:07Z |
| GoDaddy: Partitioned CRL files missing Issuing Distribution Point | 2007217 | ASSIGNED | Steven Deitte | [ca-compliance] [disclosure failure] | 2026-03-27T18:12:31Z | 2025-12-20T00:15:11Z |
| Google Trust Services: Outdated BR version in some validation records | 2017747 | ASSIGNED | Google Trust Services | [ca-compliance] [policy-failure] Next update 2026-03-31 | 2026-03-04T16:11:59Z | 2026-02-18T21:48:20Z |
| Government of Saudi Arabia, NIC (SDAIA): Missing Contact Information in CCADB | 2015567 | ASSIGNED | Ammar | [ca-compliance] [disclosure-failure] | 2026-03-26T10:46:34Z | 2026-02-09T18:37:18Z |
| HARICA: Incorrect nCAId in PSD2 QCStatement for QWACs | 2017845 | ASSIGNED | HARICA | [ca-compliance] Next update 2026-04-24 | 2026-03-27T17:04:32Z | 2026-02-19T12:11:13Z |
| IdenTrust: Cross-signed root certificate mis-issuance | 2014609 | ASSIGNED | IdenTrust | [ca-compliance] [ca-misissuance] | 2026-03-24T22:44:03Z | 2026-02-05T00:30:24Z |
| IdenTrust: Delay in updating a Bug 2014609 - Next update | 2025595 | ASSIGNED | IdenTrust | [ca-compliance] [policy-failure] | 2026-03-25T02:57:41Z | 2026-03-23T21:52:21Z |
| IdenTrust: Delay in updating a Bug 2016585 - Action item | 2025598 | ASSIGNED | IdenTrust | [ca-compliance] [policy-failure] | 2026-03-25T02:58:58Z | 2026-03-23T22:03:01Z |
| IdenTrust: Delay in updating a Bug 2016585 - Next update | 2025597 | ASSIGNED | IdenTrust | [ca-compliance] [policy-failure] | 2026-03-25T02:58:32Z | 2026-03-23T21:58:39Z |
| IdenTrust: Delay in updating a Bugzilla ticket Bug 2014610 - Next update | 2025596 | ASSIGNED | IdenTrust | [ca-compliance] [policy-failure] | 2026-03-25T02:58:04Z | 2026-03-23T21:55:59Z |
| IdenTrust: Full Incident Report for Bug 2014609 was not published within 14 days of discovering the issue | 2025913 | ASSIGNED | IdenTrust | [ca-compliance] [policy-failure] | 2026-03-25T02:59:28Z | 2026-03-24T17:14:57Z |
| IdenTrust: Full Incident Report for bug 2014610 was not published within 14 days of discovering the issue | 2025914 | ASSIGNED | IdenTrust | [ca-compliance] [policy-failure] | 2026-03-25T02:59:55Z | 2026-03-24T17:18:17Z |
| IdenTrust: Full Incident Report for bug 2016585 was not published within 14 days of discovering the issue | 2025917 | ASSIGNED | IdenTrust | [ca-compliance] [policy-failure] | 2026-03-25T03:00:23Z | 2026-03-24T17:24:01Z |
| IdenTrust: Gap between audit periods | 2016267 | ASSIGNED | IdenTrust | [ca-compliance] [audit-failure] | 2026-03-25T21:30:15Z | 2026-02-11T22:48:59Z |
| Identrust: Root CrossSign, of dedicated Roots, missing EKU | 2026351 | ASSIGNED | IdenTrust | [ca-compliance] | 2026-03-26T19:01:51Z | 2026-03-25T20:46:40Z |
| IdenTrust: Root OCSP Signer certificate mis-issuance | 2014610 | ASSIGNED | IdenTrust | [ca-compliance] [uncategorized] | 2026-03-24T22:47:22Z | 2026-02-05T00:38:27Z |
| IdenTrust: Test Certificates from cross-signed roots not disclosed in CT Logs | 2016585 | ASSIGNED | IdenTrust | [ca-compliance] [uncategorized] | 2026-03-24T22:51:43Z | 2026-02-12T23:13:02Z |
| IdenTrust: Unauthorized OCSP responses for cross-signed roots | 2014590 | ASSIGNED | IdenTrust | [ca-compliance] [ocsp-failure] | 2026-03-25T21:29:35Z | 2026-02-04T22:52:56Z |
| iTrusChina: Failure to Provide Regular Incident Update | 2025248 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [policy-failure] | 2026-03-25T07:56:55Z | 2026-03-23T08:05:43Z |
| iTrusChina: Failure to Respond to Feb 2026 Chrome Root Program Survey | 2020899 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [disclosure-failure] | 2026-03-23T07:37:16Z | 2026-03-04T07:18:19Z |
| iTrusChina: Finding in Routine WebTrust Audit - Domain validation records without the TLS BR version | 2013805 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [audit-finding] | 2026-03-23T08:37:54Z | 2026-02-02T02:51:31Z |
| Microsoft PKI Services: Failure to report Bugzilla 2026452 within 72 hrs | 2026453 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2026-03-26T19:02:50Z | 2026-03-26T02:12:06Z |
| Microsoft PKI Services: Failure to update action item status within 3 days | 2021175 | ASSIGNED | Microsoft PKI Services | [close on 2026-04-02] [ca-compliance] [policy-failure] | 2026-03-27T02:58:32Z | 2026-03-05T00:48:22Z |
| Microsoft PKI Services: Policy document bug | 1962829 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2026-03-24T01:50:58Z | 2025-04-26T02:10:29Z |
| Microsoft PKI Services: Failure to publish Full Incident Report for Bugzilla 2021175 within 14 days | 2026452 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2026-03-26T19:02:21Z | 2026-03-26T02:05:32Z |
| Microsoft PKI Services: OCSP Non-Compliance | 1999850 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [ocsp-failure] Next update 2026-04-24 | 2026-02-19T17:29:22Z | 2025-11-13T01:29:14Z |
| Netlock: CA in AIA in PEM format | 2004699 | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-23T22:44:30Z | 2025-12-08T13:50:23Z |
| NETLOCK: did not file a preliminary incident report or respond to a third-party report within the 72-hour timeframe | 2013400 | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-26T20:42:38Z | 2026-01-29T20:56:39Z |
| NETLOCK: Full Incident Report was not published within 14 days of notification | 2007948 | ASSIGNED | Roland | [ca-compliance] [disclosure failure] | 2026-03-23T20:13:25Z | 2025-12-29T20:30:46Z |
| NETLOCK: Missing Related Incidents section in the bug report | 2013395 | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-26T20:43:49Z | 2026-01-29T20:50:07Z |
| NETLOCK: Unavailability of the document repository | 2021559 | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-26T20:54:03Z | 2026-03-06T12:10:43Z |
| Netlock: unspecifed revocation code (0) in CRL | 2011314 | ASSIGNED | Roland | [ca-compliance] [crl-failure] | 2026-03-23T22:44:32Z | 2026-01-19T21:40:56Z |
| NISZ Nemzeti Infokommunikacios Szolgaltato: Missing Contact Information in CCADB | 2015568 | UNCONFIRMED | | [ca-compliance] [disclosure-failure] | 2026-03-24T06:58:47Z | 2026-02-09T18:37:24Z |
| PKIoverheid: TSP Cleverbase Findings in 2025 ETSI Audit - Incident Report #1 – Incorrect issuer CA listed in CPS | 1985816 | ASSIGNED | Policy Authority PKIoverheid | [ca-compliance] [audit-finding] Next update 2026-04-14 | 2026-01-27T15:16:50Z | 2025-08-28T15:39:28Z |
| PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #3 – Internal Audit | 1983263 | ASSIGNED | Policy Authority PKIoverheid | [ca-compliance] [audit-finding] | 2026-03-09T14:44:12Z | 2025-08-15T14:05:23Z |
| PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #7 – Change Management | 1983267 | ASSIGNED | Policy Authority PKIoverheid | [close on 2026-03-30] [ca-compliance] [audit-finding] | 2026-03-23T16:10:29Z | 2025-08-15T14:09:40Z |
| PostSignum: Length Subject organizationName | 2021239 | ASSIGNED | CA PostSignum | [ca-compliance] [ov-misissuance] | 2026-03-27T13:07:48Z | 2026-03-05T08:52:41Z |
| SECOM: Incorrect CCADB Non-Audit Document References for FUJIFILM Fnet CA - C | 2023563 | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [disclosure-failure] | 2026-03-23T06:17:44Z | 2026-03-16T12:50:25Z |
| SECOM: Non conformant SCT Encoding Due to SCT Modification by Cybertrust Japan (CTJ) | 2007070 | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [close on 2026-03-30] [ca-compliance] [ov-misissuance] | 2026-03-23T14:58:04Z | 2025-12-19T08:01:55Z |
| SECOM: Repository service disruption affecting subordinate CAs (CTJ) | 2017840 | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [policy-failure] | 2026-03-26T05:37:05Z | 2026-02-19T11:49:12Z |
| Sectigo: Package patching gap within Certificate Systems | 2019995 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [uncategorized] Next update 2026-04-10 | 2026-03-17T18:15:05Z | 2026-02-27T17:52:48Z |
| SHECA: CRL of root CA not published within 24 hours | 2015383 | ASSIGNED | SHECA | [ca-compliance] [crl-failure] | 2026-03-25T08:54:50Z | 2026-02-09T07:14:45Z |
| SHECA: Failure to keep weekly updates under bugs | 2025259 | ASSIGNED | SHECA | [ca-compliance] [policy-failure] | 2026-03-24T02:05:35Z | 2026-03-23T09:49:06Z |
| SHECA: Test Website certificate expired | 2025135 | ASSIGNED | SHECA | [ca-compliance] [policy-failure] | 2026-03-27T10:21:46Z | 2026-03-22T03:10:44Z |
| SHECA: TLS certificate key generation online | 1993357 | ASSIGNED | SHECA | [ca-compliance] [dv-misissuance] [ov-misissuance] | 2026-03-27T10:23:34Z | 2025-10-08T19:46:26Z |
| Siemens: Outdated CP/CPS records disclosed in CCADB | 2026484 | ASSIGNED | Fabian Meister | [ca-compliance] [disclosure-failure] | 2026-03-26T19:00:35Z | 2026-03-26T07:21:06Z |
| Swiss BIT (FOITT): Missing Contact Information in CCADB | 2015569 | ASSIGNED | Steph | [ca-compliance] [disclosure-failure] | 2026-03-19T01:24:22Z | 2026-02-09T18:37:29Z |
| SwissSign: recommendation on backup testing | 1990272 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:09Z | 2025-09-23T17:06:29Z |
| SwissSign: recommendation on BIA/BCP review | 1990263 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:27Z | 2025-09-23T16:53:15Z |
| SwissSign: recommendation on BIA/BCP test coverage | 1990266 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:38Z | 2025-09-23T16:55:40Z |
| SwissSign: recommendation on CA-specific risk assessment | 1990277 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:51Z | 2025-09-23T17:08:41Z |
| SwissSign: recommendation on document release dual control | 1990269 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:48Z | 2025-09-23T17:03:05Z |
| SwissSign: recommendation on evaluation of cloud service providers | 1990276 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:39Z | 2025-09-23T17:08:11Z |
| SwissSign: recommendation on firewall review | 1990271 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:54Z | 2025-09-23T17:05:31Z |
| SwissSign: recommendation on linting software updates | 1990282 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-11-03T08:50:16Z | 2025-09-23T17:12:55Z |
| SwissSign: recommendation on log review process | 1990285 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:54:20Z | 2025-09-23T17:14:00Z |
| SwissSign: recommendation on publication process for CA related data | 1990275 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:27Z | 2025-09-23T17:07:40Z |
| SwissSign: recommendation on review of key pair generation implementation | 1990284 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:53:56Z | 2025-09-23T17:13:29Z |
| SwissSign: recommendation on risk assessment | 1990254 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:50:25Z | 2025-09-23T16:08:48Z |
| SwissSign: recommendation on self-assessment tool | 1990281 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:53:00Z | 2025-09-23T17:12:19Z |
| SwissSign: recommendation on synchronization of staging and production environments | 1990274 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:18Z | 2025-09-23T17:07:10Z |
| Telia: S/MIME Misissuance - incorrect subject information for Multipurpose sponsor-validated-profile | 2012101 | ASSIGNED | Antti Backman | [ca-compliance] [smime-misissuance] Next update 2026-03-31 | 2026-03-17T17:41:38Z | 2026-01-23T12:25:35Z |
85 Total; 85 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| D-Trust: Delayed publication of audit attestation letters in the CCADB | 2011430 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [audit-delay] | 2026-03-27T07:39:44Z | 2026-01-20T14:51:29Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| [meta] Delayed Revocation | 1911183 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2025-06-10T20:05:50Z | 2024-08-01T20:05:04Z |
| Asseco DS / Certum: Delayed revocation of S/MIME certificates issued with mailbox validation older than 30 days | 2023190 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [leaf-revocation-delay] | 2026-03-27T16:01:52Z | 2026-03-13T14:37:17Z |
| Firmaprofesional: Delayed revocation of TLS certificates affected by bug #2009941 | 2011855 | ASSIGNED | ext-antoni.camon | [ca-compliance] [leaf-revocation-delay] [ca-revocation-delay] | 2026-03-23T18:16:59Z | 2026-01-22T12:13:47Z |
| Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829 | 1965612 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [leaf-revocation-delay] | 2026-03-26T09:47:20Z | 2025-05-10T01:34:01Z |
| SHECA: Delayed revocation of TLS certificates affected by bug #1993357 | 1994051 | ASSIGNED | SHECA | [ca-compliance] [leaf-revocation-delay] | 2026-03-27T10:23:58Z | 2025-10-13T18:23:58Z |
5 Total; 5 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here:
- https://wiki.mozilla.org/CA/Closed_Incidents