CA/Incident Dashboard: Difference between revisions
< CA
Jump to navigation
Jump to search
(Sort by summary (assigned-to CA) and modification time) |
m (→Open CA Compliance Bugs: Minor edit) |
||
| (8 intermediate revisions by 2 users not shown) | |||
| Line 2: | Line 2: | ||
== Open CA Compliance Bugs == | == Open CA Compliance Bugs == | ||
A CA compliance bug relates to a concern about a CA's certificates failing to comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] and/or | A CA compliance bug relates to a concern about a CA's certificates failing to comply with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] and/or a [https://cabforum.org/ CA/Browser Forum] requirement, and is determined to not be an [https://www.mozilla.org/en-US/security/#For_Developers imminent security concern]. A CA's response to a CA compliance bug includes providing an [[CA/Responding_To_An_Incident#Incident_Report|Incident Report]] in the bug. | ||
Anyone may create a CA Compliance bug as follows: | Anyone may create a CA Compliance bug as follows: | ||
| Line 20: | Line 20: | ||
"f3": "status_whiteboard", | "f3": "status_whiteboard", | ||
"o3": "nowordssubstr", | "o3": "nowordssubstr", | ||
"v3": " | "v3": "leaf-revocation-delay", | ||
"f4": "status_whiteboard", | |||
"o4": "nowordssubstr", | "o4": "nowordssubstr", | ||
"v4": "audit-delay", | "v4": "audit-delay", | ||
"include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time", | "include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time, creation_time", | ||
"order": "short_desc | "order": "short_desc ASC" | ||
} | } | ||
</bugzilla> | </bugzilla> | ||
| Line 45: | Line 46: | ||
"o3": "allwordssubstr", | "o3": "allwordssubstr", | ||
"v3": "audit-delay", | "v3": "audit-delay", | ||
"include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time", | "include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time, creation_time", | ||
"order": "short_desc ASC | "order": "short_desc ASC" | ||
} | } | ||
</bugzilla> | </bugzilla> | ||
== Revocation Delays == | == Revocation Delays == | ||
The compliance bug's whiteboard field is tagged with [ | The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in [[CA/Responding_To_An_Incident#Revocation]], Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an [[CA/Responding_To_An_Incident#Incident_Report|Incident Report]]. | ||
Such bugs should be reported as [[CA/Bug_Triage#Compliance_Problems_and_Incidents|CA compliance issues]], and will be categorized appropriately during triage. | Such bugs should be reported as [[CA/Bug_Triage#Compliance_Problems_and_Incidents|CA compliance issues]], and will be categorized appropriately during triage. | ||
| Line 66: | Line 67: | ||
"f3": "status_whiteboard", | "f3": "status_whiteboard", | ||
"o3": "allwordssubstr", | "o3": "allwordssubstr", | ||
"v3": " | "v3": "leaf-revocation-delay", | ||
"include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time", | "include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time, creation_time", | ||
"order": "short_desc | "order": "short_desc ASC" | ||
} | } | ||
</bugzilla> | </bugzilla> | ||
= Closed CA Bugs = | = Closed CA Bugs = | ||
Latest revision as of 22:48, 2 February 2024
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| Actalis: CRL distribution point with ldap scheme | 1906690 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-09-03T15:59:27Z | 2024-07-08T15:44:42Z |
| Actalis: Use of CRLReason Code in Certificate Revocation | 1914419 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-09-12T14:47:35Z | 2024-08-22T15:13:31Z |
| Asseco DS / Certum: CRL non-conformance with the TLS BRs | 1888689 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [crl-failure] [external] Next update 2024-10-01 | 2024-09-19T18:21:57Z | 2024-03-29T17:37:14Z |
| Asseco DS / Certum: Organization Identifier and Country field discrepancies | 1917571 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] | 2024-09-20T14:39:52Z | 2024-09-09T11:32:46Z |
| Asseco DS / Certum: S/MIME certificates with error in subjectAlternativeName | 1879845 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] Next update 2024-10-01 | 2024-09-19T18:20:21Z | 2024-02-12T13:22:11Z |
| CFCA: certificate basicConstraints extension not marked as critical | 1886135 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] | 2024-09-18T21:19:46Z | 2024-03-19T10:57:32Z |
| CFCA: Failure to respond to a CPR in a complete and/or timely manner | 1888881 | ASSIGNED | Gao Fei | [ca-compliance] [policy-failure] | 2024-09-12T18:01:32Z | 2024-04-01T07:17:16Z |
| Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired | 1904038 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [policy-failure] | 2024-09-06T11:14:46Z | 2024-06-21T12:48:21Z |
| Chunghwa Telecom: TLS Certificates Contains two LocalityName Values in SubjectDN by GTLSCA | 1916392 | ASSIGNED | Leo Fang | [ca-compliance] [ov-misissuance] | 2024-09-20T02:08:28Z | 2024-09-03T10:00:29Z |
| CommScope: Certificates not logged in CT logs as stated in CP/CPS | 1910512 | ASSIGNED | Nicol So | [ca-compliance] [policy-failure] | 2024-09-20T17:04:15Z | 2024-07-30T00:10:18Z |
| CommScope: Incomplete Incident Report | 1904402 | ASSIGNED | Nicol So | [ca-compliance] [policy-failure] | 2024-09-18T19:31:54Z | 2024-06-24T18:20:49Z |
| D-Trust: Issuance of an EV certificate containing a mixup of the Subject's postalCode and localityName | 1896190 | ASSIGNED | Enrico Entschew | [ca-compliance] [ev-misissuance] Next update 2024-10-21 | 2024-09-06T15:32:07Z | 2024-05-10T19:14:04Z |
| D-Trust: Non-compliance of issued root and intermediate S/MIME certificates | 1918427 | ASSIGNED | Enrico Entschew | [ca-compliance] [uncategorized] | 2024-09-23T05:58:24Z | 2024-09-12T14:14:23Z |
| DigiCert: Random value in CNAME without underscore prefix | 1910322 | ASSIGNED | Jeremy Rowley | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] | 2024-09-20T18:04:21Z | 2024-07-29T02:17:59Z |
| DigiCert: Typo in TLS Org Name | 1910258 | ASSIGNED | Martin Sullivan | [ca-compliance] [ov-misissuance] | 2024-09-20T18:12:06Z | 2024-07-27T20:48:42Z |
| DigiCert: Unclear Disclosure of CAA Issuer Domain Names | 1914911 | ASSIGNED | Tim Hollebeek | [ca-compliance] [policy-failure] [external] | 2024-09-18T20:46:18Z | 2024-08-26T13:21:22Z |
| emSign PKI Services : OCSP Responder Time Inconsistency | 1917459 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [ocsp-failure] | 2024-09-09T15:49:06Z | 2024-09-08T09:06:01Z |
| Entrust: Action Items from June 2024 Report | 1901270 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] Next update 2024-10-31 | 2024-09-09T18:18:47Z | 2024-06-07T16:50:41Z |
| Entrust: Business Entity not permitted in CPS | 1918380 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-09-19T15:44:39Z | 2024-09-12T12:19:49Z |
| Entrust: Not updating CPR Problem Reporting Mechanism fields in CCADB | 1894111 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] Next update 2024-10-31 | 2024-08-30T16:10:46Z | 2024-04-29T21:37:24Z |
| Entrust: S/MIME certificates lacking OU verification | 1914065 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-09-30 | 2024-08-30T16:05:20Z | 2024-08-20T21:35:45Z |
| Entrust: S/MIME mailbox address case mismatch between subject and subjectAltName | 1906470 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-31 | 2024-08-30T16:21:07Z | 2024-07-05T18:24:44Z |
| Entrust: S/MIME mailbox address not in subjectAltName | 1906467 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-31 | 2024-08-30T16:14:58Z | 2024-07-05T18:16:34Z |
| Entrust: S/MIME OrgID Country not matching C field | 1914999 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-01 | 2024-09-06T15:42:41Z | 2024-08-26T17:57:09Z |
| GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints | 1888060 | ASSIGNED | capoc | [ca-compliance] [ov-misissuance] | 2024-09-20T01:31:38Z | 2024-03-27T06:15:29Z |
| GlobalSign: Caching headers inaccurate for subset of CRLs | 1919304 | ASSIGNED | Christophe Bonjean | [ca-compliance] [crl-failure] | 2024-09-18T19:34:52Z | 2024-09-17T14:16:40Z |
| GlobalSign: Incorrect whois information for TLD | 1917896 | ASSIGNED | Christophe Bonjean | [ca-compliance] [uncategorized] | 2024-09-20T03:43:45Z | 2024-09-10T17:05:08Z |
| GoDaddy : CAA checks did not properly handle issuewild tag allowing FQDN SANs to be added to wildcard certs | 1904748 | ASSIGNED | [:nickname] Star | [ca-compliance] [ov-misissuance] [dv-misissuance] | 2024-09-20T21:18:19Z | 2024-06-26T02:12:50Z |
| GoDaddy : CAA checks passed when records contained incorrect variants of godaddy.com or starfieldtech.com | 1904749 | ASSIGNED | [:nickname] Star | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] | 2024-09-20T21:17:59Z | 2024-06-26T02:14:20Z |
| GoDaddy: Edge Case for Data Reuse Outside of Timeframes | 1909948 | ASSIGNED | [:nickname] Star | [ca-compliance] [dv-misissuance] | 2024-08-05T16:25:38Z | 2024-07-25T17:47:50Z |
| GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued | 1905419 | ASSIGNED | [:nickname] Star | [ca-compliance] [ocsp-failure] | 2024-08-23T18:01:43Z | 2024-06-28T19:25:10Z |
| IdenTrust: Expired CRLs | 1914067 | ASSIGNED | IdenTrust | [ca-compliance] [crl-failure] | 2024-09-03T21:48:11Z | 2024-08-20T21:50:05Z |
| IdenTrust: TLS Certificates with outdated certificate profile | 1919162 | ASSIGNED | IdenTrust | [ca-compliance] [ov-misissuance] | 2024-09-18T20:07:48Z | 2024-09-16T22:13:02Z |
| IdenTrust: Unauthorized OCSP response on a Timestamp certificate | 1905446 | ASSIGNED | IdenTrust | [ca-compliance] [ocsp-failure] Next update 2024-10-15 | 2024-08-30T22:20:28Z | 2024-06-28T22:11:23Z |
| Izenpe: Failure to Submit Annual CCADB Self-Assessment | 1883493 | ASSIGNED | David | [ca-compliance] [disclosure-failure] [external] | 2024-08-26T16:07:19Z | 2024-03-04T20:36:07Z |
| NETLOCK: CPR was not responded to in 24 hours | 1905509 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] | 2024-09-05T17:30:54Z | 2024-06-29T19:45:26Z |
| NETLOCK: Findings in 2024 Audit - initial report | 1917046 | ASSIGNED | Nikolett | [ca-compliance] [audit-finding] | 2024-09-19T17:02:25Z | 2024-09-05T17:25:24Z |
| NETLOCK: Intermediate CA Certificate not disclosed to CCADB | 1904041 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [disclosure-failure] | 2024-08-30T16:07:55Z | 2024-06-21T13:01:09Z |
| QuoVadis: Findings in 2024 ETSI Audit of QuoVadis Qualified Web ICA G2 | 1918467 | ASSIGNED | Stephen Davidson | [ca-compliance] [audit-finding] | 2024-09-20T20:46:54Z | 2024-09-12T16:22:31Z |
| Sectigo: HTML encoded characters in subject attribute values | 1912225 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ov-misissuance] | 2024-09-18T19:51:12Z | 2024-08-08T09:16:17Z |
| Sectigo: Missing data in cabfOrganizationIdentifier | 1915883 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ev-misissuance] | 2024-09-19T15:18:32Z | 2024-08-30T15:11:31Z |
| Sectigo: S/MIME OV Mis-issuance | 1917405 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [smime-misissuance] [external] | 2024-09-17T22:34:08Z | 2024-09-07T09:34:22Z |
| SHECA: CRLReason code usage error | 1914365 | ASSIGNED | Alvin.Wang | [ca-compliance] [crl-failure] | 2024-08-27T05:59:45Z | 2024-08-22T11:43:31Z |
| SwissSign: LDAP URL still in CRL distribution point (CDP) | 1916489 | ASSIGNED | Sandy Balzer | [ca-compliance] [crl-failure] | 2024-09-19T15:00:02Z | 2024-09-03T16:00:28Z |
| SwissSign: S/MIME LCP not-permitted key usage | 1914023 | ASSIGNED | Sandy Balzer | [ca-compliance] [smime-misissuance] Next update 2024-10-15 | 2024-09-18T19:24:37Z | 2024-08-20T18:42:01Z |
| Telekom Security: CRL-Entries with wrong CRL Reason Codes | 1914383 | ASSIGNED | Arnold Essing | [ca-compliance] [crl-failure] | 2024-09-16T07:39:25Z | 2024-08-22T12:56:33Z |
46 Total; 46 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| Chunghwa Telecom:Delayed Annual Audit Report 2024 | 1917224 | ASSIGNED | Li-Chun CHEN | [ca-compliance] [audit-delay] | 2024-09-10T09:55:32Z | 2024-09-06T12:29:32Z |
| PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | 1911335 | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2024-08-29T14:36:38Z | 2024-08-02T15:40:40Z |
2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| [meta] Delayed Revocation | 1911183 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2024-09-03T16:06:09Z | 2024-08-01T20:05:04Z |
| Buypass: Delayed revocation of TLS certificates | 1872738 | ASSIGNED | Mads Henriksveen | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-15 | 2024-09-18T21:22:58Z | 2024-01-02T19:18:17Z |
| CFCA: Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) | 1888882 | ASSIGNED | Gao Fei | [ca-compliance] [leaf-revocation-delay] | 2024-09-18T21:16:15Z | 2024-04-01T07:19:09Z |
| Chunghwa Telecom: Delayed Revocation Due to GTLSCA EKU Misissuance | 1892419 | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] | 2024-09-06T11:14:45Z | 2024-04-19T10:55:40Z |
| Chunghwa Telecom: Delayed Revocation with Controversial Extension (2.5.29.9, SubjectDirectoryAttributes) | 1903066 | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] | 2024-09-06T11:14:46Z | 2024-06-17T14:31:08Z |
| Digicert: Delayed Revocation for bug 1894560 | 1896053 | ASSIGNED | Tim Hollebeek | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-09T15:38:42Z | 2024-05-10T05:00:07Z |
| DigiCert: Delayed revocation of 1910322 | 1910805 | ASSIGNED | Tim Hollebeek | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-23T06:41:28Z | 2024-07-31T00:45:12Z |
| emSign PKI Services: Delayed Revocation of SSL/TLS Certificates | 1916478 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [leaf-revocation-delay] | 2024-09-07T15:39:46Z | 2024-09-03T15:24:26Z |
| Entrust: Delayed Revocation for S/MIME certificates | 1910237 | ASSIGNED | Bruce Morton | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-31 | 2024-08-30T16:14:29Z | 2024-07-27T15:07:49Z |
| Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates | 1898848 | ASSIGNED | ngook.kong | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-30 | 2024-08-30T16:01:01Z | 2024-05-25T03:48:12Z |
| Entrust: Delayed revocation of EV TLS certificates with missing cPSuri | 1886532 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-30 | 2024-08-13T17:18:47Z | 2024-03-20T17:22:26Z |
| Entrust: Failure to revoke EV TLS certificates issued before CPS update | 1890685 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] [leaf-revocation-delay] Next update 2024-09-30 | 2024-08-30T16:01:31Z | 2024-04-09T23:40:57Z |
| GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints | 1889062 | ASSIGNED | capoc | [ca-compliance] [leaf-revocation-delay] | 2024-09-20T01:32:41Z | 2024-04-02T09:18:52Z |
| Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical | 1887888 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-08-01T20:05:04Z | 2024-03-26T14:39:37Z |
| Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem | 1886665 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-08-01T20:05:04Z | 2024-03-21T04:30:30Z |
| Microsec: Delayed revocation of the misissued certificates | 1887110 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [leaf-revocation-delay] | 2024-08-31T20:11:28Z | 2024-03-22T18:00:56Z |
| NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation | 1891331 | ASSIGNED | Tamás Horváth | [ca-compliance] [leaf-revocation-delay] | 2024-08-01T20:05:04Z | 2024-04-13T22:07:56Z |
| Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical | 1877388 | ASSIGNED | Arnold Essing | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-13T16:16:36Z | 2024-01-30T07:52:58Z |
| Telia: Delayed revocation of seven (7) certificates related to incident 1896108 | 1896553 | ASSIGNED | Antti Backman | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-16T05:07:58Z | 2024-05-14T04:48:55Z |
| TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order | 1884568 | ASSIGNED | Hao-Chun Li | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-09T15:32:53Z | 2024-03-10T12:44:57Z |
| TWCA: Revocation delay for TLS certificates with non-critical basicConstraints | 1886110 | ASSIGNED | chtsai | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] | 2024-09-18T21:21:54Z | 2024-03-19T07:42:18Z |
| VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | 1885568 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2024-10-23 | 2024-08-16T18:58:11Z | 2024-03-15T16:20:17Z |
22 Total; 22 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: