CA/Incident Dashboard
< CA
Jump to navigation
Jump to search
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or a CA/Browser Forum requirement, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| Asseco DS / Certum: DNS service outage | 1958645 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [uncategorized] | 2025-05-27T01:32:13Z | 2025-04-05T18:16:25Z |
| Certainly: Sample Websites Unavailable | 1968836 | ASSIGNED | Daniel Jeffery | [ca-compliance] [policy-failure] | 2025-05-29T16:28:03Z | 2025-05-28T03:00:33Z |
| Certigna: Multiple Reserved Certificate Policy Identifiers in CA certificates | 1963663 | ASSIGNED | Josselin Allemandou | [ca-compliance] [ca-misissuance] | 2025-05-19T11:35:00Z | 2025-04-30T17:56:45Z |
| certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #1 – Improve clarity in CPS | 1965804 | ASSIGNED | Gabriel PETCU | [ca-compliance] [audit-finding] | 2025-05-19T08:06:05Z | 2025-05-12T12:23:05Z |
| certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #2 – Add test certificates in CPS | 1965805 | ASSIGNED | Gabriel PETCU | [ca-compliance] [audit-finding] | 2025-05-29T10:46:33Z | 2025-05-12T12:24:36Z |
| certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #3 – Missing certSIGN OID on Terms and Conditions | 1965806 | ASSIGNED | Gabriel PETCU | [ca-compliance] [audit-finding] | 2025-05-19T08:59:08Z | 2025-05-12T12:25:45Z |
| certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #4 – Expired cert with bad order of attributes | 1965807 | ASSIGNED | Gabriel PETCU | [ca-compliance] [audit-finding] | 2025-05-19T14:16:04Z | 2025-05-12T12:27:16Z |
| certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #5 – Conflicting info in CPS | 1965808 | ASSIGNED | Gabriel PETCU | [ca-compliance] [audit-finding] | 2025-05-19T09:37:06Z | 2025-05-12T12:28:22Z |
| CFCA: Failed to respond a Certificate Problem Report within 24 hours which violates Section 4.9.5 of the TLS BRs | 1959733 | ASSIGNED | Michael | [ca-compliance] [policy-failure] Next update 2025-06-30 | 2025-05-25T18:34:57Z | 2025-04-10T15:25:50Z |
| DigiCert: Incorrect CP listed in CCADB | 1925106 | ASSIGNED | DigiCert | [ca-compliance] [disclosure-failure] Next update 2025-07-01 | 2025-05-29T20:18:54Z | 2024-10-16T19:56:28Z |
| DigiCert: Outdated CPS for 13 Roots in CCADB | 1945536 | REOPENED | DigiCert | [close on 2025-05-30] [ca-compliance] [policy-failure] [disclosure-failure] | 2025-05-30T19:19:50Z | 2025-02-03T15:51:59Z |
| DigiCert: Persistent failure to answer questions in a timely manner | 1957499 | ASSIGNED | DigiCert | [ca-compliance] [disclosure-failure] [external] | 2025-05-28T21:16:53Z | 2025-03-31T20:22:02Z |
| eMudhra: Delayed Publication of Issuing CA Certificates In CCADB | 1965559 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [disclosure-failure] | 2025-05-26T09:19:39Z | 2025-05-09T19:28:54Z |
| Entrust: Incomplete privileged access removal within 24 hours | 1968246 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2025-05-23T15:59:13Z | 2025-05-23T13:51:09Z |
| Entrust: Missing or Inconsistent Disclosure of S/MIME BR Audits | 1952635 | ASSIGNED | Bruce Morton | [ca-compliance] [audit-failure] Next update 2025-06-02 | 2025-05-27T17:36:45Z | 2025-03-08T12:20:57Z |
| FNMT: CP/CPS, Revocation Requests Mechanism, Certificate Problem Report, CRL and OCSP disruption | 1963778 | ASSIGNED | Amaya Espinosa | [ca-compliance] [policy-failure] | 2025-05-15T11:55:11Z | 2025-05-01T08:21:00Z |
| FNMT: Delayed Disclosure of Updated Policy Documents in the CCADB | 1967951 | ASSIGNED | Amaya Espinosa | [ca-compliance] [disclosure-failure] | 2025-05-22T14:47:09Z | 2025-05-22T11:20:29Z |
| GoDaddy: CA Certificates with HTTPS URL in AIA Field | 1963456 | ASSIGNED | Steven Deitte | [ca-compliance] [ca-misissuance] | 2025-05-28T22:55:25Z | 2025-04-29T19:55:47Z |
| GoDaddy: Certificates with invalid embedded SCT signatures | 1969296 | ASSIGNED | Steven Deitte | [ca-compliance] [dv-misissuance] | 2025-05-29T19:14:18Z | 2025-05-29T16:25:22Z |
| Google Trust Services: Inconsistent MPCAA secondary perspective logging | 1959867 | ASSIGNED | Google Trust Services | [ca-compliance] [policy-failure] | 2025-05-29T15:05:14Z | 2025-04-11T02:33:17Z |
| HARICA: One of the two Certificate Problem Report email aliases not working | 1963629 | ASSIGNED | Dimitris Zacharopoulos | [ca-compliance] [policy-failure] Next update 2025-06-27 | 2025-05-23T16:05:46Z | 2025-04-30T15:32:28Z |
| IZENPE: Outdated CPS for Izenpe Root | 1948600 | ASSIGNED | David | [ca-compliance] [disclosure-failure] | 2025-05-30T12:34:54Z | 2025-02-17T09:31:12Z |
| KIR: Failed to respond a Certificate Problem Report within 24 hours | 1967929 | ASSIGNED | Piotr Grabowski | [ca-compliance] [policy-failure] | 2025-05-29T15:54:34Z | 2025-05-22T09:33:58Z |
| KIR: Intermediate CA - SZAFIR Trusted CA3 - revocation status not changed in CCADB | 1966006 | ASSIGNED | Waldemar Brzozowski | [ca-compliance] [disclosure-failure] | 2025-05-21T21:56:55Z | 2025-05-13T07:03:11Z |
| Lawtrust: The S/MIME CA’s policy identifiers did not align with the CA/Browser Forum Requirements. | 1959721 | ASSIGNED | Marcile De Waal | [ca-compliance] [policy-failure] | 2025-05-15T13:03:23Z | 2025-04-10T14:23:00Z |
| Let's Encrypt: Failure to Document Analysis of Detected Vulnerabilities | 1955721 | ASSIGNED | Phil Porada | [ca-compliance] [policy-failure] | 2025-05-19T17:27:29Z | 2025-03-21T23:26:17Z |
| Let's Encrypt: Issuance for Invalid Internationalized Domain Name | 1966515 | ASSIGNED | Aaron Gable | [close on 2025-06-03] [ca-compliance] [uncategorized] | 2025-05-28T17:32:29Z | 2025-05-14T21:05:11Z |
| Microsoft PKI Services: Policy document bug | 1962829 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2025-05-31T00:32:55Z | 2025-04-26T02:10:29Z |
| Microsoft PKI Services: Subscriber certificate change made that was not compliant with CPS | 1962830 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2025-05-31T00:37:51Z | 2025-04-26T02:17:58Z |
| NETLOCK: CA/Browser Forum TLS BR Non-compliance | 1962426 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] | 2025-05-30T14:28:00Z | 2025-04-24T15:03:58Z |
| NETLOCK: CRL not published in DER Encoded Format | 1938167 | ASSIGNED | Nikolett | [ca-compliance] [crl-failure] | 2025-05-30T07:56:19Z | 2024-12-18T17:58:22Z |
| Netlock: Failure to Provide Weekly Updates | 1957474 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [external] | 2025-05-30T14:20:14Z | 2025-03-31T17:49:46Z |
| NETLOCK: Intermediate CA Certificate not disclosed to CCADB | 1904041 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [disclosure-failure] | 2025-05-30T15:33:05Z | 2024-06-21T13:01:09Z |
| SECOM: S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ) | 1950574 | ASSIGNED | ONO Fumiaki | [ca-compliance] [audit-finding] Next update 2025-09-01 | 2025-02-28T15:35:46Z | 2025-02-26T09:11:03Z |
| SHECA: OCSP service response error | 1964866 | ASSIGNED | Alvin.Wang | [ca-compliance] [ocsp-failure] | 2025-05-29T14:36:17Z | 2025-05-07T02:14:16Z |
| SSL.com: "unknown" OCSP response for issued certificates | 1957140 | ASSIGNED | SSL.com | [ca-compliance] [ocsp-failure] Next update 2025-06-12 | 2025-05-29T22:02:12Z | 2025-03-28T19:39:09Z |
| SSL.com: DCV bypass and issue fake certificates for any MX hostname | 1961406 | ASSIGNED | Rebecca Kelley | [ca-compliance] [dv-misissuance] [external] | 2025-05-23T16:43:40Z | 2025-04-18T18:42:35Z |
| SSL.com: Expired certificate for a “Valid” Test Website | 1962809 | ASSIGNED | Rebecca Kelley | [ca-compliance] [policy-failure] Next update 2025-06-06 | 2025-05-22T16:01:34Z | 2025-04-25T21:31:19Z |
| SSL.com: Issuance of certificates using keys previously reported as compromised | 1927532 | ASSIGNED | Rebecca Kelley | [ca-compliance] [dv-misissuance] Next update 2025-06-13 | 2025-05-30T19:26:48Z | 2024-10-28T18:17:59Z |
| SwissSign: OCSP outage | 1965828 | ASSIGNED | Roman Fischer | [ca-compliance] [ocsp-failure] | 2025-05-30T05:45:44Z | 2025-05-12T14:01:24Z |
| SwissSign: S/MIME certificates deviate from CPR | 1929189 | ASSIGNED | Mike Guenther | [ca-compliance] [smime-misissuance] Next update 2025-06-17 | 2025-05-28T17:24:27Z | 2024-11-05T08:25:05Z |
| Telia: S/MIME Misissuance incorrect AIA id-ca-caIssuer http:URI | 1965459 | ASSIGNED | Antti Backman | [ca-compliance] [smime-misissuance] | 2025-05-30T05:05:11Z | 2025-05-09T11:36:40Z |
| Telia: TLS incorrect AIA caIssuer URI and incorrect CDP | 1969036 | ASSIGNED | Antti Backman | [ca-compliance] [ov-misissuance] | 2025-05-29T16:29:06Z | 2025-05-28T18:45:08Z |
| Telia: TLS OV certificate with subject countryName and localityName mismatch | 1940957 | ASSIGNED | Antti Backman | [ca-compliance] [ov-misissuance] Next update 2025-06-13 | 2025-05-23T16:15:36Z | 2025-01-10T13:37:15Z |
| VikingCloud: Missing CRL in CCADB | 1964167 | ASSIGNED | VikingCloud CA | [ca-compliance] [disclosure-failure] | 2025-05-29T21:59:14Z | 2025-05-02T20:51:25Z |
45 Total; 45 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | 1911335 | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2025-05-16T18:48:14Z | 2024-08-02T15:40:40Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [ca-revocation-delay] or [leaf-revocation-delay] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
| Summary | ID | Status | Assigned to | Whiteboard | Last change time | Creation time |
|---|---|---|---|---|---|---|
| [meta] Delayed Revocation | 1911183 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2024-11-20T16:01:15Z | 2024-08-01T20:05:04Z |
| Chunghwa telecom: delayed revocation for bug 1951415 | 1959278 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [leaf-revocation-delay] | 2025-05-27T10:05:56Z | 2025-04-08T21:44:19Z |
| D-Trust: Missed Revocation of TLS certificates affected by Bugzilla 1884714 | 1924385 | ASSIGNED | Enrico Entschew | [ca-compliance] [leaf-revocation-delay] Next update 2025-06-01 | 2025-04-01T22:11:38Z | 2024-10-13T17:26:55Z |
| DigiCert: Delayed revocation of 1910322 | 1910805 | ASSIGNED | DigiCert | [ca-compliance] [leaf-revocation-delay] Next update 2025-05-30 | 2025-05-28T21:16:18Z | 2024-07-31T00:45:12Z |
| Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829 | 1965612 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [leaf-revocation-delay] | 2025-05-31T02:59:31Z | 2025-05-10T01:34:01Z |
| NETLOCK: Bug 1891331 replacement - delayed revocation - | 1947691 | ASSIGNED | Nikolett | [ca-compliance] [leaf-revocation-delay] | 2025-05-30T11:31:33Z | 2025-02-12T09:43:02Z |
| VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | 1885568 | ASSIGNED | VikingCloud CA | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] | 2025-05-22T20:30:28Z | 2024-03-15T16:20:17Z |
7 Total; 7 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: