CA/Incident Dashboard
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
Actalis: CRL distribution point with ldap scheme | 1906690 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-09-03T15:59:27Z | 2024-07-08T15:44:42Z |
Actalis: Use of CRLReason Code in Certificate Revocation | 1914419 | ASSIGNED | Marco Menonna | [ca-compliance] [crl-failure] | 2024-09-12T14:47:35Z | 2024-08-22T15:13:31Z |
Asseco DS / Certum: CRL non-conformance with the TLS BRs | 1888689 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [crl-failure] [external] Next update 2024-10-01 | 2024-09-19T18:21:57Z | 2024-03-29T17:37:14Z |
Asseco DS / Certum: Organization Identifier and Country field discrepancies | 1917571 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] | 2024-09-20T14:39:52Z | 2024-09-09T11:32:46Z |
Asseco DS / Certum: S/MIME certificates with error in subjectAlternativeName | 1879845 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [smime-misissuance] Next update 2024-10-01 | 2024-09-19T18:20:21Z | 2024-02-12T13:22:11Z |
CFCA: certificate basicConstraints extension not marked as critical | 1886135 | ASSIGNED | Gao Fei | [ca-compliance] [ov-misissuance] | 2024-09-18T21:19:46Z | 2024-03-19T10:57:32Z |
CFCA: Failure to respond to a CPR in a complete and/or timely manner | 1888881 | ASSIGNED | Gao Fei | [ca-compliance] [policy-failure] | 2024-09-12T18:01:32Z | 2024-04-01T07:17:16Z |
Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired | 1904038 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [policy-failure] | 2024-09-06T11:14:46Z | 2024-06-21T12:48:21Z |
Chunghwa Telecom: TLS Certificates Contains two LocalityName Values in SubjectDN by GTLSCA | 1916392 | ASSIGNED | Leo Fang | [ca-compliance] [ov-misissuance] | 2024-09-20T02:08:28Z | 2024-09-03T10:00:29Z |
Chunghwa Telecom:Delayed Annual Audit Report 2024 | 1917224 | ASSIGNED | Li-Chun CHEN | [ca-compliance] [audit-delay] | 2024-09-10T09:55:32Z | 2024-09-06T12:29:32Z |
CommScope: Certificates not logged in CT logs as stated in CP/CPS | 1910512 | ASSIGNED | Nicol So | [ca-compliance] [policy-failure] | 2024-09-20T17:04:15Z | 2024-07-30T00:10:18Z |
CommScope: Incomplete Incident Report | 1904402 | ASSIGNED | Nicol So | [ca-compliance] [policy-failure] | 2024-09-18T19:31:54Z | 2024-06-24T18:20:49Z |
D-Trust: Issuance of an EV certificate containing a mixup of the Subject's postalCode and localityName | 1896190 | ASSIGNED | Enrico Entschew | [ca-compliance] [ev-misissuance] Next update 2024-10-21 | 2024-09-06T15:32:07Z | 2024-05-10T19:14:04Z |
D-Trust: Non-compliance of issued root and intermediate S/MIME certificates | 1918427 | ASSIGNED | Enrico Entschew | [ca-compliance] [uncategorized] | 2024-09-23T05:58:24Z | 2024-09-12T14:14:23Z |
DigiCert: Random value in CNAME without underscore prefix | 1910322 | ASSIGNED | Jeremy Rowley | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] | 2024-09-20T18:04:21Z | 2024-07-29T02:17:59Z |
DigiCert: Typo in TLS Org Name | 1910258 | ASSIGNED | Martin Sullivan | [ca-compliance] [ov-misissuance] | 2024-09-20T18:12:06Z | 2024-07-27T20:48:42Z |
DigiCert: Unclear Disclosure of CAA Issuer Domain Names | 1914911 | ASSIGNED | Tim Hollebeek | [ca-compliance] [policy-failure] [external] | 2024-09-18T20:46:18Z | 2024-08-26T13:21:22Z |
emSign PKI Services : OCSP Responder Time Inconsistency | 1917459 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [ocsp-failure] | 2024-09-09T15:49:06Z | 2024-09-08T09:06:01Z |
Entrust: Action Items from June 2024 Report | 1901270 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] Next update 2024-10-31 | 2024-09-09T18:18:47Z | 2024-06-07T16:50:41Z |
Entrust: Business Entity not permitted in CPS | 1918380 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2024-09-19T15:44:39Z | 2024-09-12T12:19:49Z |
Entrust: Not updating CPR Problem Reporting Mechanism fields in CCADB | 1894111 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] Next update 2024-10-31 | 2024-08-30T16:10:46Z | 2024-04-29T21:37:24Z |
Entrust: S/MIME certificates lacking OU verification | 1914065 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-09-30 | 2024-08-30T16:05:20Z | 2024-08-20T21:35:45Z |
Entrust: S/MIME mailbox address case mismatch between subject and subjectAltName | 1906470 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-31 | 2024-08-30T16:21:07Z | 2024-07-05T18:24:44Z |
Entrust: S/MIME mailbox address not in subjectAltName | 1906467 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-31 | 2024-08-30T16:14:58Z | 2024-07-05T18:16:34Z |
Entrust: S/MIME OrgID Country not matching C field | 1914999 | ASSIGNED | Bruce Morton | [ca-compliance] [smime-misissuance] Next update 2024-10-01 | 2024-09-06T15:42:41Z | 2024-08-26T17:57:09Z |
GDCA: Issuance of SSL/TLS certificates with Non-critical Basic Constraints | 1888060 | ASSIGNED | capoc | [ca-compliance] [ov-misissuance] | 2024-09-20T01:31:38Z | 2024-03-27T06:15:29Z |
GlobalSign: Caching headers inaccurate for subset of CRLs | 1919304 | ASSIGNED | Christophe Bonjean | [ca-compliance] [crl-failure] | 2024-09-18T19:34:52Z | 2024-09-17T14:16:40Z |
GlobalSign: Incorrect whois information for TLD | 1917896 | ASSIGNED | Christophe Bonjean | [ca-compliance] [uncategorized] | 2024-09-20T03:43:45Z | 2024-09-10T17:05:08Z |
GoDaddy : CAA checks did not properly handle issuewild tag allowing FQDN SANs to be added to wildcard certs | 1904748 | ASSIGNED | [:nickname] Star | [ca-compliance] [ov-misissuance] [dv-misissuance] | 2024-09-20T21:18:19Z | 2024-06-26T02:12:50Z |
GoDaddy : CAA checks passed when records contained incorrect variants of godaddy.com or starfieldtech.com | 1904749 | ASSIGNED | [:nickname] Star | [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance] | 2024-09-20T21:17:59Z | 2024-06-26T02:14:20Z |
GoDaddy: Edge Case for Data Reuse Outside of Timeframes | 1909948 | ASSIGNED | [:nickname] Star | [ca-compliance] [dv-misissuance] | 2024-08-05T16:25:38Z | 2024-07-25T17:47:50Z |
GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued | 1905419 | ASSIGNED | [:nickname] Star | [ca-compliance] [ocsp-failure] | 2024-08-23T18:01:43Z | 2024-06-28T19:25:10Z |
IdenTrust: Expired CRLs | 1914067 | ASSIGNED | IdenTrust | [ca-compliance] [crl-failure] | 2024-09-03T21:48:11Z | 2024-08-20T21:50:05Z |
IdenTrust: TLS Certificates with outdated certificate profile | 1919162 | ASSIGNED | IdenTrust | [ca-compliance] [ov-misissuance] | 2024-09-18T20:07:48Z | 2024-09-16T22:13:02Z |
IdenTrust: Unauthorized OCSP response on a Timestamp certificate | 1905446 | ASSIGNED | IdenTrust | [ca-compliance] [ocsp-failure] Next update 2024-10-15 | 2024-08-30T22:20:28Z | 2024-06-28T22:11:23Z |
Izenpe: Failure to Submit Annual CCADB Self-Assessment | 1883493 | ASSIGNED | David | [ca-compliance] [disclosure-failure] [external] | 2024-08-26T16:07:19Z | 2024-03-04T20:36:07Z |
NETLOCK: CPR was not responded to in 24 hours | 1905509 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] | 2024-09-05T17:30:54Z | 2024-06-29T19:45:26Z |
NETLOCK: Findings in 2024 Audit - initial report | 1917046 | ASSIGNED | Nikolett | [ca-compliance] [audit-finding] | 2024-09-19T17:02:25Z | 2024-09-05T17:25:24Z |
NETLOCK: Intermediate CA Certificate not disclosed to CCADB | 1904041 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [disclosure-failure] | 2024-08-30T16:07:55Z | 2024-06-21T13:01:09Z |
PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | 1911335 | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2024-08-29T14:36:38Z | 2024-08-02T15:40:40Z |
QuoVadis: Findings in 2024 ETSI Audit of QuoVadis Qualified Web ICA G2 | 1918467 | ASSIGNED | Stephen Davidson | [ca-compliance] [audit-finding] | 2024-09-20T20:46:54Z | 2024-09-12T16:22:31Z |
Sectigo: HTML encoded characters in subject attribute values | 1912225 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ov-misissuance] | 2024-09-18T19:51:12Z | 2024-08-08T09:16:17Z |
Sectigo: Missing data in cabfOrganizationIdentifier | 1915883 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [ev-misissuance] | 2024-09-19T15:18:32Z | 2024-08-30T15:11:31Z |
Sectigo: S/MIME OV Mis-issuance | 1917405 | ASSIGNED | Martijn Katerbarg | [ca-compliance] [smime-misissuance] [external] | 2024-09-17T22:34:08Z | 2024-09-07T09:34:22Z |
SHECA: CRLReason code usage error | 1914365 | ASSIGNED | Alvin.Wang | [ca-compliance] [crl-failure] | 2024-08-27T05:59:45Z | 2024-08-22T11:43:31Z |
SwissSign: LDAP URL still in CRL distribution point (CDP) | 1916489 | ASSIGNED | Sandy Balzer | [ca-compliance] [crl-failure] | 2024-09-19T15:00:02Z | 2024-09-03T16:00:28Z |
SwissSign: S/MIME LCP not-permitted key usage | 1914023 | ASSIGNED | Sandy Balzer | [ca-compliance] [smime-misissuance] Next update 2024-10-15 | 2024-09-18T19:24:37Z | 2024-08-20T18:42:01Z |
Telekom Security: CRL-Entries with wrong CRL Reason Codes | 1914383 | ASSIGNED | Arnold Essing | [ca-compliance] [crl-failure] | 2024-09-16T07:39:25Z | 2024-08-22T12:56:33Z |
48 Total; 48 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
---|---|---|---|---|---|---|
Chunghwa Telecom:Delayed Annual Audit Report 2024 | 1917224 | ASSIGNED | Li-Chun CHEN | [ca-compliance] [audit-delay] | 2024-09-10T09:55:32Z | 2024-09-06T12:29:32Z |
PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | 1911335 | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2024-08-29T14:36:38Z | 2024-08-02T15:40:40Z |
2 Total; 2 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
No results.
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: