CA/Incident Dashboard: Difference between revisions
< CA
Jump to navigation
Jump to search
(Fixed typo in wiki markdown) |
(Sort by summary (assigned-to CA) and modification time) |
||
| Line 23: | Line 23: | ||
"o4": "nowordssubstr", | "o4": "nowordssubstr", | ||
"v4": "audit-delay", | "v4": "audit-delay", | ||
"include_fields": | "include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time", | ||
"order": "short_desc ASC, delta_ts ASC" | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
| Line 44: | Line 45: | ||
"o3": "allwordssubstr", | "o3": "allwordssubstr", | ||
"v3": "audit-delay", | "v3": "audit-delay", | ||
"include_fields": | "include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time", | ||
"order": "short_desc ASC, delta_ts DESC" | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
| Line 65: | Line 67: | ||
"o3": "allwordssubstr", | "o3": "allwordssubstr", | ||
"v3": "delayed-revocation", | "v3": "delayed-revocation", | ||
"include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time", | |||
"order": "short_desc ASC, delta_ts ASC" | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
Revision as of 19:36, 24 May 2021
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| [meta] Delayed Revocation | 1911183 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2025-06-10T20:05:50Z |
| Agencia Notarial de Certificacion (ANCERT): Missing Contact Information in CCADB | 2015562 | UNCONFIRMED | [ca-compliance] [disclosure-failure] | 2026-03-19T01:24:11Z | |
| Asseco DS / Certum: CRL URLs disclosed in CCADB do not exactly match the CRL URLs in certificates | 2007105 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [disclosure-failure] Next update 2026-03-31 | 2026-03-16T13:51:33Z |
| Asseco DS / Certum: Delayed revocation of S/MIME certificates issued with mailbox validation older than 30 days | 2023190 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [leaf-revocation-delay] | 2026-03-13T15:27:47Z |
| Asseco DS / Certum: Finding in Routine WebTrust Audit – S/MIME certificates issued with mailbox validation older than 30 days | 2021685 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] | 2026-03-20T16:46:02Z |
| Buypass: Findings in 2025 ETSI Audit - Audit Incident Report #1 - Compliance auditing on support processes | 2005194 | ASSIGNED | Mads Henriksveen | [ca-compliance] [audit-finding] Next update 2026-04-08 | 2026-03-16T14:40:11Z |
| Buypass: Findings in 2025 ETSI Audit - Audit Incident Report #2 - Supply chain policy | 2005196 | ASSIGNED | Mads Henriksveen | [ca-compliance] [audit-finding] Next update 2026-04-08 | 2026-03-16T14:39:39Z |
| Byte Computer: Missing Contact Information in CCADB | 2015563 | ASSIGNED | Spyros Kollias | [ca-compliance] [disclosure-failure] | 2026-03-19T01:24:18Z |
| Carillon Information Security: Missing Contact Information in CCADB | 2015564 | ASSIGNED | Lyne Brosseau | [ca-compliance] [disclosure-failure] | 2026-03-19T01:06:25Z |
| Certicamara: Missing Contact Information in CCADB | 2015565 | ASSIGNED | Direccion TICS | [ca-compliance] [disclosure-failure] | 2026-03-19T01:24:29Z |
| certSIGN: certificates with delayed SCT signature | 2016672 | ASSIGNED | Gabriel PETCU | [ca-compliance] [ov-misissuance] | 2026-03-22T01:25:02Z |
| D-Trust: CRL HTTP Media Type | 2012511 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [crl-failure] | 2026-03-20T13:28:26Z |
| D-Trust: CRL URL Disclosure | 2007116 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [disclosure-failure] | 2026-03-20T13:27:33Z |
| D-Trust: Delayed publication of audit attestation letters in the CCADB | 2011430 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [audit-delay] | 2026-03-20T13:28:09Z |
| D-Trust: Expired certificate provided on the CA TLS test website for demonstration of valid certificates | 2009149 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [policy-failure] | 2026-03-20T13:27:51Z |
| D-Trust: TLS Precertificates Exceeding the Maximum Validity Period Allowed by the TLS Baseline Requirements | 2023458 | ASSIGNED | Enrico Entschew | [ca-compliance] [__-misissuance] | 2026-03-18T09:13:37Z |
| DigiCert: CAA processing during network disruption | 2017185 | ASSIGNED | DigiCert | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] | 2026-03-20T12:00:28Z |
| DigiCert: Subject Serial Numbers for Non-Commercial Entities | 2015186 | ASSIGNED | DigiCert | [ca-compliance] [ev-misissuance] | 2026-03-19T10:21:49Z |
| Echoworx: Missing Contact Information in CCADB | 2015566 | ASSIGNED | Echoworx | [ca-compliance] [disclosure-failure] | 2026-02-10T21:19:01Z |
| Financijska agencija (Fina): Mis-issued certificates | 1986968 | ASSIGNED | miroslav.perincic | [ca-compliance] [dv-misissuance] | 2026-03-22T01:24:51Z |
| Firmaprofesional: Delayed preliminary response under BR 4.9.5 (Bug #2009941) | 2016066 | ASSIGNED | ext-antoni.camon | [ca-compliance] [policy-failure] | 2026-03-22T01:25:06Z |
| Firmaprofesional: Delayed revocation disclosure of TLS Subordinate CA certificate Secure Web 2024 in CCADB | 2016475 | ASSIGNED | ext-antoni.camon | [ca-compliance] [disclosure-failure] | 2026-03-22T01:24:58Z |
| Firmaprofesional: Delayed revocation of TLS certificates affected by bug #2009941 | 2011855 | ASSIGNED | ext-antoni.camon | [ca-compliance] [leaf-revocation-delay] [ca-revocation-delay] | 2026-03-22T01:25:03Z |
| Firmaprofesional: Misissuance of TLS Subordinate CA "AC Firmaprofesional - Secure Web 2024" | 2009941 | ASSIGNED | ext-antoni.camon | [ca-compliance] [ca-misissuance] | 2026-03-22T01:25:08Z |
| GoDaddy: CRL Disclosure in CCADB Mismatch with Issued Certificates | 2007216 | ASSIGNED | Steven Deitte | [ca-compliance] [disclosure failure] Next update 2026-04-03 | 2026-03-16T15:11:07Z |
| GoDaddy: Partitioned CRL files missing Issuing Distribution Point | 2007217 | ASSIGNED | Steven Deitte | [ca-compliance] [disclosure failure] Next update 2026-03-20 | 2026-03-20T19:30:56Z |
| Google Trust Services: Outdated BR version in some validation records | 2017747 | ASSIGNED | Google Trust Services | [ca-compliance] [policy-failure] Next update 2026-03-31 | 2026-03-04T16:11:59Z |
| Government of Saudi Arabia, NIC (SDAIA): Missing Contact Information in CCADB | 2015567 | ASSIGNED | Ammar | [ca-compliance] [disclosure-failure] | 2026-03-20T09:36:21Z |
| HARICA: Incorrect nCAId in PSD2 QCStatement for QWACs | 2017845 | ASSIGNED | HARICA | [ca-compliance] Next update 2026-03-27 | 2026-03-20T16:52:56Z |
| IdenTrust: Cross-signed root certificate mis-issuance | 2014609 | ASSIGNED | IdenTrust | [ca-compliance] [ca-misissuance] | 2026-03-22T01:24:55Z |
| IdenTrust: Gap between audit periods | 2016267 | ASSIGNED | IdenTrust | [ca-compliance] [audit-failure] | 2026-03-19T21:26:16Z |
| IdenTrust: Root OCSP Signer certificate mis-issuance | 2014610 | ASSIGNED | IdenTrust | [ca-compliance] [uncategorized] | 2026-03-22T01:24:53Z |
| IdenTrust: Test Certificates from cross-signed roots not disclosed in CT Logs | 2016585 | ASSIGNED | IdenTrust | [ca-compliance] [uncategorized] | 2026-03-22T01:24:57Z |
| IdenTrust: Unauthorized OCSP responses for cross-signed roots | 2014590 | ASSIGNED | IdenTrust | [ca-compliance] [ocsp-failure] | 2026-03-19T21:46:12Z |
| iTrusChina: Failure to Respond to Feb 2026 Chrome Root Program Survey | 2020899 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [disclosure-failure] | 2026-03-16T08:40:27Z |
| iTrusChina: Finding in Routine WebTrust Audit - Domain validation records without the TLS BR version | 2013805 | ASSIGNED | iTrusChina Co.,Ltd. | [ca-compliance] [audit-finding] | 2026-03-22T01:25:00Z |
| Microsoft PKI Services: Failure to update action item status within 3 days | 2021175 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2026-03-20T22:16:02Z |
| Microsoft PKI Services: Policy document bug | 1962829 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2026-03-20T22:17:30Z |
| Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829 | 1965612 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [leaf-revocation-delay] | 2026-03-20T22:15:26Z |
| Microsoft PKI Services: OCSP Non-Compliance | 1999850 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [ocsp-failure] Next update 2026-04-24 | 2026-02-19T17:29:22Z |
| Netlock: CA in AIA in PEM format | 2004699 | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-16T20:31:37Z |
| NETLOCK: did not file a preliminary incident report or respond to a third-party report within the 72-hour timeframe | 2013400 | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-19T20:54:49Z |
| NETLOCK: Full Incident Report was not published within 14 days of notification | 2007948 | ASSIGNED | Roland | [ca-compliance] [disclosure failure] | 2026-03-16T20:33:01Z |
| NETLOCK: Missing Related Incidents section in the bug report | 2013395 | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-19T20:52:22Z |
| NETLOCK: Unavailability of the document repository | 2021559 | ASSIGNED | Roland | [ca-compliance] [policy-failure] | 2026-03-20T07:33:54Z |
| Netlock: unspecifed revocation code (0) in CRL | 2011314 | ASSIGNED | Roland | [ca-compliance] [crl-failure] | 2026-03-16T20:34:16Z |
| NISZ Nemzeti Infokommunikacios Szolgaltato: Missing Contact Information in CCADB | 2015568 | UNCONFIRMED | [ca-compliance] [disclosure-failure] | 2026-03-19T01:24:15Z | |
| PKIoverheid: TSP Cleverbase Findings in 2025 ETSI Audit - Incident Report #1 – Incorrect issuer CA listed in CPS | 1985816 | ASSIGNED | Policy Authority PKIoverheid | [ca-compliance] [audit-finding] Next update 2026-04-14 | 2026-01-27T15:16:50Z |
| PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #3 – Internal Audit | 1983263 | ASSIGNED | Policy Authority PKIoverheid | [ca-compliance] [audit-finding] | 2026-03-09T14:44:12Z |
| PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #7 – Change Management | 1983267 | ASSIGNED | Policy Authority PKIoverheid | [ca-compliance] [audit-finding] Next update 2026-03-20 | 2026-03-09T14:45:09Z |
| PostSignum: Length Subject organizationName | 2021239 | ASSIGNED | CA PostSignum | [ca-compliance] [ov-misissuance] | 2026-03-19T15:47:14Z |
| SECOM: 2025 S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ) | 2021550 | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [close on 2026-03-26] [ca-compliance] [ca-misissuance] [disclosure-failure] [audit-finding] [ca-revocation-delay] | 2026-03-19T14:21:14Z |
| SECOM: Incorrect CCADB Non-Audit Document References for FUJIFILM Fnet CA - C | 2023563 | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [disclosure-failure] | 2026-03-16T14:35:17Z |
| SECOM: Non conformant SCT Encoding Due to SCT Modification by Cybertrust Japan (CTJ) | 2007070 | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [ov-misissuance] | 2026-03-16T08:40:23Z |
| SECOM: Repository service disruption affecting subordinate CAs (CTJ) | 2017840 | ASSIGNED | SECOM Trust Systems - ONO Fumiaki | [ca-compliance] [policy-failure] | 2026-03-19T06:59:05Z |
| Sectigo: Package patching gap within Certificate Systems | 2019995 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [uncategorized] Next update 2026-04-10 | 2026-03-17T18:15:05Z |
| SHECA: CRL of root CA not published within 24 hours | 2015383 | ASSIGNED | SHECA | [ca-compliance] [crl-failure] | 2026-03-17T14:20:21Z |
| SHECA: Delayed revocation of TLS certificates affected by bug #1993357 | 1994051 | ASSIGNED | SHECA | [ca-compliance] [leaf-revocation-delay] | 2026-03-22T02:11:57Z |
| SHECA: TLS certificate key generation online | 1993357 | ASSIGNED | SHECA | [ca-compliance] [dv-misissuance] [ov-misissuance] | 2026-03-22T02:11:11Z |
| Swiss BIT (FOITT): Missing Contact Information in CCADB | 2015569 | ASSIGNED | Steph | [ca-compliance] [disclosure-failure] | 2026-03-19T01:24:22Z |
| SwissSign: recommendation on backup testing | 1990272 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:09Z |
| SwissSign: recommendation on BIA/BCP review | 1990263 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:27Z |
| SwissSign: recommendation on BIA/BCP test coverage | 1990266 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:38Z |
| SwissSign: recommendation on CA-specific risk assessment | 1990277 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:51Z |
| SwissSign: recommendation on document release dual control | 1990269 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:48Z |
| SwissSign: recommendation on evaluation of cloud service providers | 1990276 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:39Z |
| SwissSign: recommendation on firewall review | 1990271 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:51:54Z |
| SwissSign: recommendation on linting software updates | 1990282 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-11-03T08:50:16Z |
| SwissSign: recommendation on log review process | 1990285 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:54:20Z |
| SwissSign: recommendation on publication process for CA related data | 1990275 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:27Z |
| SwissSign: recommendation on review of key pair generation implementation | 1990284 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:53:56Z |
| SwissSign: recommendation on risk assessment | 1990254 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:50:25Z |
| SwissSign: recommendation on self-assessment tool | 1990281 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:53:00Z |
| SwissSign: recommendation on synchronization of staging and production environments | 1990274 | ASSIGNED | Sandy Balzer | [ca-compliance] [audit-finding] Next update 2026-04-30 | 2025-10-28T12:52:18Z |
| Telia: S/MIME Misissuance - incorrect subject information for Multipurpose sponsor-validated-profile | 2012101 | ASSIGNED | Antti Backman | [ca-compliance] [smime-misissuance] Next update 2026-03-31 | 2026-03-17T17:41:38Z |
75 Total; 75 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| D-Trust: Delayed publication of audit attestation letters in the CCADB | 2011430 | ASSIGNED | Ana Laura Martorano | [ca-compliance] [audit-delay] | 2026-03-20T13:28:09Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
No results.
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: