CA/Incident Dashboard

From MozillaWiki
Revision as of 19:36, 24 May 2021 by Rsleevi (talk | contribs) (Sort by summary (assigned-to CA) and modification time)

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

Full Query
Summary | ID | Status | Assigned to | Whiteboard | Last change time
[meta] Delayed Revocation | 1911183 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2024-09-03T16:06:09Z
Actalis: CRL distribution point with ldap scheme | 1906690 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-09-03T15:59:27Z
Actalis: Use of CRLReason Code in Certificate Revocation | 1914419 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-09-12T14:47:35Z
Asseco DS / Certum: CRL non-conformance with the TLS BRs | 1888689 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [crl-failure] [external] Next update 2024-10-01 | 2024-09-19T18:21:57Z
Asseco DS / Certum: Organization Identifier and Country field discrepancies | 1917571 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] | 2024-09-20T14:39:52Z
Asseco DS / Certum: S/MIME certificates with error in subjectAlternativeName | 1879845 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] Next update 2024-10-01 | 2024-09-19T18:20:21Z
Buypass: Delayed revocation of TLS certificates | 1872738 | ASSIGNED | Mads Henriksveen | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-15 | 2024-09-18T21:22:58Z
CFCA: certificate basicConstraints extension not marked as critical | 1886135 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] | 2024-09-18T21:19:46Z
CFCA: Delayed revocation of TLS certificates(basicConstraints extension not marked as critical) | 1888882 | ASSIGNED | Gao Fei | [ca-compliance] [leaf-revocation-delay] | 2024-09-18T21:16:15Z
CFCA: Failure to respond to a CPR in a complete and/or timely manner | 1888881 | ASSIGNED | Gao Fei | [ca-compliance] [policy-failure] | 2024-09-12T18:01:32Z
Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired | 1904038 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [policy-failure] | 2024-09-23T11:22:43Z
Chunghwa Telecom: Delayed Revocation Due to GTLSCA EKU Misissuance | 1892419 | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] | 2024-09-06T11:14:45Z
Chunghwa Telecom: Delayed Revocation with Controversial Extension (2.5.29.9, SubjectDirectoryAttributes) | 1903066 | ASSIGNED | Leo Fang | [ca-compliance] [leaf-revocation-delay] | 2024-09-06T11:14:46Z
Chunghwa Telecom: TLS Certificates Contains two LocalityName Values in SubjectDN by GTLSCA | 1916392 | ASSIGNED | Leo Fang | [ca-compliance] [ov-misissuance] | 2024-09-20T02:08:28Z
Chunghwa Telecom:Delayed Annual Audit Report 2024 | 1917224 | ASSIGNED | Li-Chun CHEN | [ca-compliance] [audit-delay] | 2024-09-10T09:55:32Z
CommScope: Certificates not logged in CT logs as stated in CP/CPS | 1910512 | ASSIGNED | Nicol So | [ca-compliance] [policy-failure] | 2024-09-20T17:04:15Z
CommScope: Incomplete Incident Report | 1904402 | ASSIGNED | Nicol So | [ca-compliance] [policy-failure] | 2024-09-18T19:31:54Z
D-Trust: Issuance of an EV certificate containing a mixup of the Subject's postalCode and localityName | 1896190 | ASSIGNED | Enrico Entschew | [ca-compliance] [ev-misissuance] Next update 2024-10-21 | 2024-09-06T15:32:07Z
D-Trust: Non-compliance of issued root and intermediate S/MIME certificates | 1918427 | ASSIGNED | Enrico Entschew | [ca-compliance] [uncategorized] | 2024-09-23T05:58:24Z
Digicert: Delayed Revocation for bug 1894560 | 1896053 | ASSIGNED | Tim Hollebeek | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-09T15:38:42Z
DigiCert: Delayed revocation of 1910322 | 1910805 | ASSIGNED | Tim Hollebeek | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-23T06:41:28Z
DigiCert: Random value in CNAME without underscore prefix | 1910322 | ASSIGNED | Jeremy Rowley | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] | 2024-09-20T18:04:21Z
DigiCert: Typo in TLS Org Name | 1910258 | ASSIGNED | Martin Sullivan | [ca-compliance] [ov-misissuance] | 2024-09-20T18:12:06Z
DigiCert: Unclear Disclosure of CAA Issuer Domain Names | 1914911 | ASSIGNED | Tim Hollebeek | [ca-compliance] [policy-failure] [external] | 2024-09-18T20:46:18Z
emSign PKI Services : OCSP Responder Time Inconsistency | 1917459 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [ocsp-failure] | 2024-09-09T15:49:06Z
emSign PKI Services: Delayed Revocation of SSL/TLS Certificates | 1916478 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [leaf-revocation-delay] | 2024-09-07T15:39:46Z
Entrust: Action Items from June 2024 Report | 1901270 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] Next update 2024-10-31 | 2024-09-09T18:18:47Z
Entrust: Business Entity not permitted in CPS | 1918380 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-09-19T15:44:39Z
Entrust: Delayed Revocation for S/MIME certificates | 1910237 | ASSIGNED | Bruce Morton | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-31 | 2024-08-30T16:14:29Z
Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates | 1898848 | ASSIGNED | ngook.kong | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-30 | 2024-08-30T16:01:01Z
Entrust: Delayed revocation of EV TLS certificates with missing cPSuri | 1886532 | ASSIGNED | Paul van Brouwershaven | [ca-compliance] [leaf-revocation-delay] Next update 2024-09-30 | 2024-08-13T17:18:47Z
Entrust: Failure to revoke EV TLS certificates issued before CPS update | 1890685 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] [leaf-revocation-delay] Next update 2024-09-30 | 2024-08-30T16:01:31Z
Entrust: Not updating CPR Problem Reporting Mechanism fields in CCADB | 1894111 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] Next update 2024-10-31 | 2024-08-30T16:10:46Z
Entrust: S/MIME certificates lacking OU verification | 1914065 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-09-30 | 2024-08-30T16:05:20Z
Entrust: S/MIME mailbox address case mismatch between subject and subjectAltName | 1906470 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-31 | 2024-08-30T16:21:07Z
Entrust: S/MIME mailbox address not in subjectAltName | 1906467 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-31 | 2024-08-30T16:14:58Z
Entrust: S/MIME OrgID Country not matching C field | 1914999 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-01 | 2024-09-06T15:42:41Z
GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints | 1889062 | ASSIGNED | capoc | [ca-compliance] [leaf-revocation-delay] | 2024-09-20T01:32:41Z
GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints | 1888060 | ASSIGNED | capoc | [ca-compliance] [ov-misissuance] | 2024-09-20T01:31:38Z
GlobalSign: Caching headers inaccurate for subset of CRLs | 1919304 | ASSIGNED | Christophe Bonjean | [ca-compliance] [crl-failure] | 2024-09-18T19:34:52Z
GlobalSign: Incorrect whois information for TLD | 1917896 | ASSIGNED | Christophe Bonjean | [ca-compliance] [uncategorized] | 2024-09-20T03:43:45Z
GoDaddy : CAA checks did not properly handle issuewild tag allowing FQDN SANs to be added to wildcard certs | 1904748 | ASSIGNED | [:nickname] Star | [ca-compliance] [ov-misissuance] [dv-misissuance] | 2024-09-20T21:18:19Z
GoDaddy : CAA checks passed when records contained incorrect variants of godaddy.com or starfieldtech.com | 1904749 | ASSIGNED | [:nickname] Star | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] | 2024-09-20T21:17:59Z
GoDaddy: Edge Case for Data Reuse Outside of Timeframes | 1909948 | ASSIGNED | [:nickname] Star | [ca-compliance] [dv-misissuance] | 2024-08-05T16:25:38Z
GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued | 1905419 | ASSIGNED | [:nickname] Star | [ca-compliance] [ocsp-failure] | 2024-08-23T18:01:43Z
Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical | 1887888 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-08-01T20:05:04Z
Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem | 1886665 | ASSIGNED | Man Ho | [ca-compliance] [leaf-revocation-delay] | 2024-08-01T20:05:04Z
IdenTrust: Expired CRLs | 1914067 | ASSIGNED | IdenTrust | [ca-compliance] [crl-failure] | 2024-09-03T21:48:11Z
IdenTrust: TLS Certificates with outdated certificate profile | 1919162 | ASSIGNED | IdenTrust | [ca-compliance] [ov-misissuance] | 2024-09-18T20:07:48Z
IdenTrust: Unauthorized OCSP response on a Timestamp certificate | 1905446 | ASSIGNED | IdenTrust | [ca-compliance] [ocsp-failure] Next update 2024-10-15 | 2024-08-30T22:20:28Z
Izenpe: Failure to Submit Annual CCADB Self-Assessment | 1883493 | ASSIGNED | David | [ca-compliance] [disclosure-failure] [external] | 2024-08-26T16:07:19Z
Microsec: Delayed revocation of the misissued certificates | 1887110 | ASSIGNED | dr. Sándor SZŐKE | [ca-compliance] [leaf-revocation-delay] | 2024-08-31T20:11:28Z
NETLOCK: CPR was not responded to in 24 hours | 1905509 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] | 2024-09-05T17:30:54Z
NETLOCK: Findings in 2024 Audit - initial report | 1917046 | ASSIGNED | Nikolett | [ca-compliance] [audit-finding] | 2024-09-19T17:02:25Z
NETLOCK: Intermediate CA Certificate not disclosed to CCADB | 1904041 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [disclosure-failure] | 2024-08-30T16:07:55Z
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation | 1891331 | ASSIGNED | Tamás Horváth | [ca-compliance] [leaf-revocation-delay] | 2024-08-01T20:05:04Z
PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | 1911335 | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2024-08-29T14:36:38Z
QuoVadis: Findings in 2024 ETSI Audit of QuoVadis Qualified Web ICA G2 | 1918467 | ASSIGNED | Stephen Davidson | [ca-compliance] [audit-finding] | 2024-09-20T20:46:54Z
Sectigo: HTML encoded characters in subject attribute values | 1912225 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ov-misissuance] | 2024-09-18T19:51:12Z
Sectigo: Missing data in cabfOrganizationIdentifier | 1915883 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ev-misissuance] | 2024-09-19T15:18:32Z
Sectigo: S/MIME OV Mis-issuance | 1917405 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [smime-misissuance] [external] | 2024-09-17T22:34:08Z
SHECA: CRLReason code usage error | 1914365 | ASSIGNED | Alvin.Wang | [ca-compliance] [crl-failure] | 2024-08-27T05:59:45Z
SwissSign: LDAP URL still in CRL distribution point (CDP) | 1916489 | ASSIGNED | Sandy Balzer | [ca-compliance] [crl-failure] | 2024-09-19T15:00:02Z
SwissSign: S/MIME LCP not-permitted key usage | 1914023 | ASSIGNED | Sandy Balzer | [ca-compliance] [smime-misissuance] Next update 2024-10-15 | 2024-09-18T19:24:37Z
Telekom Security: CRL-Entries with wrong CRL Reason Codes | 1914383 | ASSIGNED | Arnold Essing | [ca-compliance] [crl-failure] | 2024-09-23T10:02:52Z
Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical | 1877388 | ASSIGNED | Arnold Essing | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-13T16:16:36Z
Telia: Delayed revocation of seven (7) certificates related to incident 1896108 | 1896553 | ASSIGNED | Antti Backman | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-16T05:07:58Z
TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order | 1884568 | ASSIGNED | Hao-Chun Li | [ca-compliance] [leaf-revocation-delay] Next update 2024-10-01 | 2024-09-09T15:32:53Z
TWCA: Revocation delay for TLS certificates with non-critical basicConstraints | 1886110 | ASSIGNED | chtsai | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] | 2024-09-18T21:21:54Z
VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | 1885568 | ASSIGNED | Andrea Holland | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2024-10-23 | 2024-08-16T18:58:11Z

70 Total; 70 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Full Query
Summary | ID | Status | Assigned to | Whiteboard | Last change time
Chunghwa Telecom:Delayed Annual Audit Report 2024 | 1917224 | ASSIGNED | Li-Chun CHEN | [ca-compliance] [audit-delay] | 2024-09-10T09:55:32Z
PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | 1911335 | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2024-08-29T14:36:38Z

2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: