CA/Incident Dashboard: Difference between revisions
< CA
Jump to navigation
Jump to search
(Fixed typo in wiki markdown) |
(Sort by summary (assigned-to CA) and modification time) |
||
| Line 23: | Line 23: | ||
"o4": "nowordssubstr", | "o4": "nowordssubstr", | ||
"v4": "audit-delay", | "v4": "audit-delay", | ||
"include_fields": | "include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time", | ||
"order": "short_desc ASC, delta_ts ASC" | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
| Line 44: | Line 45: | ||
"o3": "allwordssubstr", | "o3": "allwordssubstr", | ||
"v3": "audit-delay", | "v3": "audit-delay", | ||
"include_fields": | "include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time", | ||
"order": "short_desc ASC, delta_ts DESC" | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
| Line 65: | Line 67: | ||
"o3": "allwordssubstr", | "o3": "allwordssubstr", | ||
"v3": "delayed-revocation", | "v3": "delayed-revocation", | ||
"include_fields": "summary, id, status, assigned_to, whiteboard, last_change_time", | |||
"order": "short_desc ASC, delta_ts ASC" | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
Revision as of 19:36, 24 May 2021
Open CA Bugs in Bugzilla
Open CA Compliance Bugs
A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to CA compliance bug includes providing an Incident Report in the bug.
Anyone may create a CA Compliance bug as follows:
- https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&version=other
- Whiteboard = [ca-compliance]
- If the issue is due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| [meta] Delayed Revocation | 1911183 | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2024-11-20T16:01:15Z |
| Asseco DS / Certum: DNS service outage | 1958645 | ASSIGNED | Kateryna Aleksieieva | [ca-compliance] [uncategorized] | 2025-05-27T01:32:13Z |
| Certainly: Sample Websites Unavailable | 1968836 | ASSIGNED | Daniel Jeffery | [ca-compliance] [policy-failure] | 2025-05-29T16:28:03Z |
| Certigna: Multiple Reserved Certificate Policy Identifiers in CA certificates | 1963663 | ASSIGNED | Josselin Allemandou | [ca-compliance] [ca-misissuance] | 2025-05-19T11:35:00Z |
| certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #1 – Improve clarity in CPS | 1965804 | ASSIGNED | Gabriel PETCU | [ca-compliance] [audit-finding] | 2025-05-19T08:06:05Z |
| certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #2 – Add test certificates in CPS | 1965805 | ASSIGNED | Gabriel PETCU | [ca-compliance] [audit-finding] | 2025-05-29T10:46:33Z |
| certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #3 – Missing certSIGN OID on Terms and Conditions | 1965806 | ASSIGNED | Gabriel PETCU | [ca-compliance] [audit-finding] | 2025-05-19T08:59:08Z |
| certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #4 – Expired cert with bad order of attributes | 1965807 | ASSIGNED | Gabriel PETCU | [ca-compliance] [audit-finding] | 2025-05-19T14:16:04Z |
| certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #5 – Conflicting info in CPS | 1965808 | ASSIGNED | Gabriel PETCU | [ca-compliance] [audit-finding] | 2025-05-19T09:37:06Z |
| CFCA: Failed to respond a Certificate Problem Report within 24 hours which violates Section 4.9.5 of the TLS BRs | 1959733 | ASSIGNED | Michael | [ca-compliance] [policy-failure] Next update 2025-06-30 | 2025-05-25T18:34:57Z |
| Chunghwa telecom: delayed revocation for bug 1951415 | 1959278 | ASSIGNED | Tsung-Min Kuo | [ca-compliance] [leaf-revocation-delay] | 2025-05-27T10:05:56Z |
| D-Trust: Missed Revocation of TLS certificates affected by Bugzilla 1884714 | 1924385 | ASSIGNED | Enrico Entschew | [ca-compliance] [leaf-revocation-delay] Next update 2025-06-01 | 2025-05-31T21:53:31Z |
| DigiCert: Delayed revocation of 1910322 | 1910805 | ASSIGNED | DigiCert | [ca-compliance] [leaf-revocation-delay] Next update 2025-05-30 | 2025-05-28T21:16:18Z |
| DigiCert: Incorrect CP listed in CCADB | 1925106 | ASSIGNED | DigiCert | [ca-compliance] [disclosure-failure] Next update 2025-07-01 | 2025-05-29T20:18:54Z |
| DigiCert: Outdated CPS for 13 Roots in CCADB | 1945536 | REOPENED | DigiCert | [close on 2025-05-30] [ca-compliance] [policy-failure] [disclosure-failure] | 2025-05-30T19:19:50Z |
| DigiCert: Persistent failure to answer questions in a timely manner | 1957499 | ASSIGNED | DigiCert | [ca-compliance] [disclosure-failure] [external] | 2025-05-28T21:16:53Z |
| eMudhra: Delayed Publication of Issuing CA Certificates In CCADB | 1965559 | ASSIGNED | Naveen Kumar ML | [ca-compliance] [disclosure-failure] | 2025-05-26T09:19:39Z |
| Entrust: Incomplete privileged access removal within 24 hours | 1968246 | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2025-05-23T15:59:13Z |
| Entrust: Missing or Inconsistent Disclosure of S/MIME BR Audits | 1952635 | ASSIGNED | Bruce Morton | [ca-compliance] [audit-failure] Next update 2025-06-02 | 2025-05-27T17:36:45Z |
| FNMT: CP/CPS, Revocation Requests Mechanism, Certificate Problem Report, CRL and OCSP disruption | 1963778 | ASSIGNED | Amaya Espinosa | [ca-compliance] [policy-failure] | 2025-05-15T11:55:11Z |
| FNMT: Delayed Disclosure of Updated Policy Documents in the CCADB | 1967951 | ASSIGNED | Amaya Espinosa | [ca-compliance] [disclosure-failure] | 2025-05-22T14:47:09Z |
| GoDaddy: CA Certificates with HTTPS URL in AIA Field | 1963456 | ASSIGNED | Steven Deitte | [ca-compliance] [ca-misissuance] | 2025-05-28T22:55:25Z |
| GoDaddy: Certificates with invalid embedded SCT signatures | 1969296 | ASSIGNED | Steven Deitte | [ca-compliance] [dv-misissuance] | 2025-06-01T16:00:36Z |
| Google Trust Services: Inconsistent MPCAA secondary perspective logging | 1959867 | ASSIGNED | Google Trust Services | [ca-compliance] [policy-failure] | 2025-05-29T15:05:14Z |
| HARICA: One of the two Certificate Problem Report email aliases not working | 1963629 | ASSIGNED | Dimitris Zacharopoulos | [ca-compliance] [policy-failure] Next update 2025-06-27 | 2025-05-23T16:05:46Z |
| IZENPE: Outdated CPS for Izenpe Root | 1948600 | ASSIGNED | David | [ca-compliance] [disclosure-failure] | 2025-05-30T12:34:54Z |
| KIR: Failed to respond a Certificate Problem Report within 24 hours | 1967929 | ASSIGNED | Piotr Grabowski | [ca-compliance] [policy-failure] | 2025-05-29T15:54:34Z |
| KIR: Intermediate CA - SZAFIR Trusted CA3 - revocation status not changed in CCADB | 1966006 | ASSIGNED | Waldemar Brzozowski | [ca-compliance] [disclosure-failure] | 2025-05-21T21:56:55Z |
| Lawtrust: The S/MIME CA’s policy identifiers did not align with the CA/Browser Forum Requirements. | 1959721 | ASSIGNED | Marcile De Waal | [ca-compliance] [policy-failure] | 2025-05-15T13:03:23Z |
| Let's Encrypt: Failure to Document Analysis of Detected Vulnerabilities | 1955721 | ASSIGNED | Phil Porada | [ca-compliance] [policy-failure] | 2025-05-19T17:27:29Z |
| Let's Encrypt: Issuance for Invalid Internationalized Domain Name | 1966515 | ASSIGNED | Aaron Gable | [close on 2025-06-03] [ca-compliance] [uncategorized] | 2025-05-28T17:32:29Z |
| Microsoft PKI Services: Policy document bug | 1962829 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2025-05-31T00:32:55Z |
| Microsoft PKI Services: Subscriber certificate change made that was not compliant with CPS | 1962830 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] | 2025-05-31T00:37:51Z |
| Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829 | 1965612 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [leaf-revocation-delay] | 2025-05-31T02:59:31Z |
| NETLOCK: Bug 1891331 replacement - delayed revocation - | 1947691 | ASSIGNED | Nikolett | [ca-compliance] [leaf-revocation-delay] | 2025-05-30T11:31:33Z |
| NETLOCK: CA/Browser Forum TLS BR Non-compliance | 1962426 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] | 2025-05-30T14:28:00Z |
| NETLOCK: CRL not published in DER Encoded Format | 1938167 | ASSIGNED | Nikolett | [ca-compliance] [crl-failure] | 2025-05-30T07:56:19Z |
| Netlock: Failure to Provide Weekly Updates | 1957474 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [external] | 2025-05-30T14:20:14Z |
| NETLOCK: Intermediate CA Certificate not disclosed to CCADB | 1904041 | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [disclosure-failure] | 2025-05-30T15:33:05Z |
| PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | 1911335 | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2025-05-16T18:48:14Z |
| SECOM: S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ) | 1950574 | ASSIGNED | ONO Fumiaki | [ca-compliance] [audit-finding] Next update 2025-09-01 | 2025-02-28T15:35:46Z |
| SHECA: OCSP service response error | 1964866 | ASSIGNED | Alvin.Wang | [ca-compliance] [ocsp-failure] | 2025-05-29T14:36:17Z |
| SSL.com: "unknown" OCSP response for issued certificates | 1957140 | ASSIGNED | SSL.com | [ca-compliance] [ocsp-failure] Next update 2025-06-12 | 2025-05-29T22:02:12Z |
| SSL.com: DCV bypass and issue fake certificates for any MX hostname | 1961406 | ASSIGNED | Rebecca Kelley | [ca-compliance] [dv-misissuance] [external] | 2025-05-23T16:43:40Z |
| SSL.com: Expired certificate for a “Valid” Test Website | 1962809 | ASSIGNED | Rebecca Kelley | [ca-compliance] [policy-failure] Next update 2025-06-06 | 2025-05-22T16:01:34Z |
| SSL.com: Issuance of certificates using keys previously reported as compromised | 1927532 | ASSIGNED | Rebecca Kelley | [ca-compliance] [dv-misissuance] Next update 2025-06-13 | 2025-05-30T19:26:48Z |
| SwissSign: OCSP outage | 1965828 | ASSIGNED | Roman Fischer | [ca-compliance] [ocsp-failure] | 2025-05-30T05:45:44Z |
| SwissSign: S/MIME certificates deviate from CPR | 1929189 | ASSIGNED | Mike Guenther | [ca-compliance] [smime-misissuance] Next update 2025-06-17 | 2025-05-28T17:24:27Z |
| Telia: S/MIME Misissuance incorrect AIA id-ca-caIssuer http:URI | 1965459 | ASSIGNED | Antti Backman | [ca-compliance] [smime-misissuance] | 2025-05-30T05:05:11Z |
| Telia: TLS incorrect AIA caIssuer URI and incorrect CDP | 1969036 | ASSIGNED | Antti Backman | [ca-compliance] [ov-misissuance] | 2025-05-29T16:29:06Z |
| Telia: TLS OV certificate with subject countryName and localityName mismatch | 1940957 | ASSIGNED | Antti Backman | [ca-compliance] [ov-misissuance] Next update 2025-06-13 | 2025-05-23T16:15:36Z |
| VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | 1885568 | ASSIGNED | VikingCloud CA | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] | 2025-05-22T20:30:28Z |
| VikingCloud: Missing CRL in CCADB | 1964167 | ASSIGNED | VikingCloud CA | [ca-compliance] [disclosure-failure] | 2025-05-29T21:59:14Z |
53 Total; 53 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Audit Delays
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.
- Whiteboard = [ca-compliance][audit-delay]
- For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
| Summary | ID | Status | Assigned to | Whiteboard | Last change time |
|---|---|---|---|---|---|
| PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | 1911335 | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2025-05-16T18:48:14Z |
1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);
Revocation Delays
The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.
Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.
No results.
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
Closed CA Bugs
Closed CA Compliance Bugs
A historical view of past CA compliance bugs may be found here: