CA/Incident Dashboard
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
ID | Summary | Status | Assigned to | Whiteboard | Last change time |
---|---|---|---|---|---|
1872738 | Buypass: Delayed revocation of TLS certificates | ASSIGNED | Mads Henriksveen | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-15 | 2024-09-18T21:22:58Z |
1877388 | Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical | ASSIGNED | Arnold Essing | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-13T16:16:36Z |
1879845 | Asseco DS / Certum: S/MIME certificates with error in subjectAlternativeName | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] Next update 2024-10-01 | 2024-09-19T18:20:21Z |
1883493 | Izenpe: Failure to Submit Annual CCADB Self-Assessment | ASSIGNED | David | [ca-compliance] [disclosure-failure] [external] | 2024-08-26T16:07:19Z |
1884568 | TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order | ASSIGNED | Hao-Chun Li | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-09T15:32:53Z |
1885568 | VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2024-10-23 | 2024-08-16T18:58:11Z |
1886110 | TWCA: Revocation delay for TLS certificates with non-critical basicConstraints | ASSIGNED | chtsai | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] | 2024-09-18T21:21:54Z |
1886135 | CFCA: certificate basicConstraints extension not marked as critical | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] | 2024-09-18T21:19:46Z |
1886532 | Entrust: Delayed revocation of EV TLS certificates with missing cPSuri | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-30 | 2024-08-13T17:18:47Z |
1886665 | Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-08-01T20:05:04Z |
1887110 | Microsec: Delayed revocation of the misissued certificates | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [leaf-revocation-delay] | 2024-08-31T20:11:28Z |
1887888 | Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-08-01T20:05:04Z |
1888060 | GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints | ASSIGNED | capoc | [ca-compliance] [ov-misissuance] | 2024-09-20T01:31:38Z |
1888689 | Asseco DS / Certum: CRL non-conformance with the TLS BRs | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [crl-failure] [external] Next update 2024-10-01 | 2024-09-19T18:21:57Z |
1888881 | CFCA: Failure to respond to a CPR in a complete and/or timely manner | ASSIGNED | Gao Fei | [ca-compliance] [policy-failure] | 2024-09-12T18:01:32Z |
1888882 | CFCA: Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) | ASSIGNED | Gao Fei | [ca-compliance] [leaf-revocation-delay] | 2024-09-18T21:16:15Z |
1889062 | GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints | ASSIGNED | capoc | [ca-compliance] [leaf-revocation-delay] | 2024-09-20T01:32:41Z |
1890685 | Entrust: Failure to revoke EV TLS certificates issued before CPS update | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] [leaf-revocation-delay] Next update 2024-09-30 | 2024-08-30T16:01:31Z |
1891331 | NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation | ASSIGNED | Tamás Horváth | [ca-compliance] [leaf-revocation-delay] | 2024-08-01T20:05:04Z |
1892419 | Chunghwa Telecom: Delayed Revocation Due to GTLSCA EKU Misissuance | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] | 2024-09-06T11:14:45Z |
1894111 | Entrust: Not updating CPR Problem Reporting Mechanism fields in CCADB | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] Next update 2024-10-31 | 2024-08-30T16:10:46Z |
1896053 | Digicert: Delayed Revocation for bug 1894560 | ASSIGNED | Tim Hollebeek | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-09T15:38:42Z |
1896190 | D-Trust: Issuance of an EV certificate containing a mixup of the Subject's postalCode and localityName | ASSIGNED | Enrico Entschew | [ca-compliance] [ev-misissuance] Next update 2024-10-21 | 2024-09-06T15:32:07Z |
1896553 | Telia: Delayed revocation of seven (7) certificates related to incident 1896108 | ASSIGNED | Antti Backman | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-16T05:07:58Z |
1898848 | Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates | ASSIGNED | ngook.kong | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-30 | 2024-08-30T16:01:01Z |
1901270 | Entrust: Action Items from June 2024 Report | ASSIGNED | Ben Wilson | [ca-compliance] [meta] Next update 2024-10-31 | 2024-09-09T18:18:47Z |
1903066 | Chunghwa Telecom: Delayed Revocation with Controversial Extension (2.5.29.9, SubjectDirectoryAttributes) | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] | 2024-09-06T11:14:46Z |
1904038 | Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [policy-failure] | 2024-09-06T11:14:46Z |
1904041 | NETLOCK: Intermediate CA Certificate not disclosed to CCADB | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [disclosure-failure] | 2024-08-30T16:07:55Z |
1904402 | CommScope: Incomplete Incident Report | ASSIGNED | Nicol So | [ca-compliance] [policy-failure] | 2024-09-18T19:31:54Z |
1904748 | GoDaddy : CAA checks did not properly handle issuewild tag allowing FQDN SANs to be added to wildcard certs | ASSIGNED | [:nickname] Star | [ca-compliance] [ov-misissuance] [dv-misissuance] | 2024-09-20T21:18:19Z |
1904749 | GoDaddy : CAA checks passed when records contained incorrect variants of godaddy.com or starfieldtech.com | ASSIGNED | [:nickname] Star | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] | 2024-09-20T21:17:59Z |
1905419 | GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued | ASSIGNED | [:nickname] Star | [ca-compliance] [ocsp-failure] | 2024-08-23T18:01:43Z |
1905446 | IdenTrust: Unauthorized OCSP response on a Timestamp certificate | ASSIGNED | IdenTrust | [ca-compliance] [ocsp-failure] Next update 2024-10-15 | 2024-08-30T22:20:28Z |
1905509 | NETLOCK: CPR was not responded to in 24 hours | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] | 2024-09-05T17:30:54Z |
1906467 | Entrust: S/MIME mailbox address not in subjectAltName | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-31 | 2024-08-30T16:14:58Z |
1906470 | Entrust: S/MIME mailbox address case mismatch between subject and subjectAltName | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-31 | 2024-08-30T16:21:07Z |
1906690 | Actalis: CRL distribution point with ldap scheme | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-09-03T15:59:27Z |
1909948 | GoDaddy: Edge Case for Data Reuse Outside of Timeframes | ASSIGNED | [:nickname] Star | [ca-compliance] [dv-misissuance] | 2024-08-05T16:25:38Z |
1910237 | Entrust: Delayed Revocation for S/MIME certificates | ASSIGNED | Bruce Morton | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-31 | 2024-08-30T16:14:29Z |
1910258 | DigiCert: Typo in TLS Org Name | ASSIGNED | Martin Sullivan | [ca-compliance] [ov-misissuance] | 2024-09-20T18:12:06Z |
1910322 | DigiCert: Random value in CNAME without underscore prefix | ASSIGNED | Jeremy Rowley | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] | 2024-09-20T18:04:21Z |
1910512 | CommScope: Certificates not logged in CT logs as stated in CP/CPS | ASSIGNED | Nicol So | [ca-compliance] [policy-failure] | 2024-09-20T17:04:15Z |
1910805 | DigiCert: Delayed revocation of 1910322 | ASSIGNED | Tim Hollebeek | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-23T06:41:28Z |
1911183 | [meta] Delayed Revocation | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2024-09-03T16:06:09Z |
1911335 | PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2024-08-29T14:36:38Z |
1912225 | Sectigo: HTML encoded characters in subject attribute values | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ov-misissuance] | 2024-09-18T19:51:12Z |
1914023 | SwissSign: S/MIME LCP not-permitted key usage | ASSIGNED | Sandy Balzer | [ca-compliance] [smime-misissuance] Next update 2024-10-15 | 2024-09-18T19:24:37Z |
1914065 | Entrust: S/MIME certificates lacking OU verification | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-09-30 | 2024-08-30T16:05:20Z |
1914067 | IdenTrust: Expired CRLs | ASSIGNED | IdenTrust | [ca-compliance] [crl-failure] | 2024-09-03T21:48:11Z |
1914365 | SHECA: CRLReason code usage error | ASSIGNED | Alvin.Wang | [ca-compliance] [crl-failure] | 2024-08-27T05:59:45Z |
1914383 | Telekom Security: CRL-Entries with wrong CRL Reason Codes | ASSIGNED | Arnold Essing | [ca-compliance] [crl-failure] | 2024-09-23T10:02:52Z |
1914419 | Actalis: Use of CRLReason Code in Certificate Revocation | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-09-12T14:47:35Z |
1914911 | DigiCert: Unclear Disclosure of CAA Issuer Domain Names | ASSIGNED | Tim Hollebeek | [ca-compliance] [policy-failure] [external] | 2024-09-18T20:46:18Z |
1914999 | Entrust: S/MIME OrgID Country not matching C field | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-01 | 2024-09-06T15:42:41Z |
1915883 | Sectigo: Missing data in cabfOrganizationIdentifier | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ev-misissuance] | 2024-09-19T15:18:32Z |
1916392 | Chunghwa Telecom: TLS Certificates Contains two LocalityName Values in SubjectDN by GTLSCA | ASSIGNED | Leo Fang | [ca-compliance] [ov-misissuance] | 2024-09-20T02:08:28Z |
1916478 | emSign PKI Services: Delayed Revocation of SSL/TLS Certificates | ASSIGNED | Naveen Kumar ML | [ca-compliance] [leaf-revocation-delay] | 2024-09-07T15:39:46Z |
1916489 | SwissSign: LDAP URL still in CRL distribution point (CDP) | ASSIGNED | Sandy Balzer | [ca-compliance] [crl-failure] | 2024-09-19T15:00:02Z |
1917046 | NETLOCK: Findings in 2024 Audit - initial report | ASSIGNED | Nikolett | [ca-compliance] [audit-finding] | 2024-09-19T17:02:25Z |
1917224 | Chunghwa Telecom:Delayed Annual Audit Report 2024 | ASSIGNED | Li-Chun CHEN | [ca-compliance] [audit-delay] | 2024-09-10T09:55:32Z |
1917405 | Sectigo: S/MIME OV Mis-issuance | ASSIGNED | Martijn Katerbarg | [ca-compliance] [smime-misissuance] [external] | 2024-09-17T22:34:08Z |
1917459 | emSign PKI Services : OCSP Responder Time Inconsistency | ASSIGNED | Naveen Kumar ML | [ca-compliance] [ocsp-failure] | 2024-09-09T15:49:06Z |
1917571 | Asseco DS / Certum: Organization Identifier and Country field discrepancies | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] | 2024-09-20T14:39:52Z |
1917896 | GlobalSign: Incorrect whois information for TLD | ASSIGNED | Christophe Bonjean | [ca-compliance] [uncategorized] | 2024-09-20T03:43:45Z |
1918380 | Entrust: Business Entity not permitted in CPS | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-09-19T15:44:39Z |
1918427 | D-Trust: Non-compliance of issued root and intermediate S/MIME certificates | ASSIGNED | Enrico Entschew | [ca-compliance] [uncategorized] | 2024-09-23T05:58:24Z |
1918467 | QuoVadis: Findings in 2024 ETSI Audit of QuoVadis Qualified Web ICA G2 | ASSIGNED | Stephen Davidson | [ca-compliance] [audit-finding] | 2024-09-20T20:46:54Z |
1919162 | IdenTrust: TLS Certificates with outdated certificate profile | ASSIGNED | IdenTrust | [ca-compliance] [ov-misissuance] | 2024-09-18T20:07:48Z |
1919304 | GlobalSign: Caching headers inaccurate for subset of CRLs | ASSIGNED | Christophe Bonjean | [ca-compliance] [crl-failure] | 2024-09-18T19:34:52Z |
70 Total; 70 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
No results.
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: