CA/Incident Dashboard: Difference between revisions

From MozillaWiki
(Added [covid-19] whiteboard tag)
(Separated audit delays into their own section)
Line 21: Line 21:
         "o3": "nowordssubstr",
         "o3": "nowordssubstr",
         "v3": "delayed-revocation",
         "v3": "delayed-revocation",
        "o4": "nowordssubstr",
        "v4": "audit-delay",
        "include_fields": ["id", "summary", "status", "assigned_to", "whiteboard", "last_change_time"]
    }
</bugzilla>
== Audit Delays ==
The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla [[CA/Audit_Statements|when they are due]]. Such bugs should be reported as [[CA/Bug_Triage#Compliance_Problems_and_Incidents|CA compliance issues]], with the following whiteboard tags as described [[herehttps://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay|here]].
*Whiteboard = [ca-compliance][audit-delay]
*For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
<bugzilla>
    {
        "component":"CA Certificate Compliance",
        "status":["UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED"],
        "f1": "OP",
        "j1": "AND",
        "f2": "status_whiteboard",
        "o2": "allwordssubstr",
        "v2": "ca-compliance",
        "f3": "status_whiteboard",
        "o3": "allwordssubstr",
        "v3": "audit-delay",
         "include_fields": ["id", "summary", "status", "assigned_to", "whiteboard", "last_change_time"]
         "include_fields": ["id", "summary", "status", "assigned_to", "whiteboard", "last_change_time"]
     }
     }
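Review bot: the link added at the end of the Audit Delays paragraph is malformed. [[herehttps://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay|here]] has a stray "here" fused onto the URL and places an external URL inside internal-link brackets, so it will not resolve. Suggest [[CA/Audit_Statements#Audit_Delay|here]], matching the other two links in that sentence. Separately, the exclusion added to the existing query supplies "o4": "nowordssubstr" and "v4": "audit-delay", but no "f4" line appears in this hunk. Unless "f4": "status_whiteboard" already exists elsewhere in that query, the criterion names no field and [audit-delay] bugs will still show up in the general compliance list instead of only in the new section.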
Line 45: Line 68:
     }
     }
</bugzilla>
</bugzilla>


= Closed CA Bugs =
= Closed CA Bugs =

Revision as of 00:46, 28 March 2020

Open CA Bugs in Bugzilla

Open CA Compliance Bugs

A CA compliance bug relates to a concern about a CA's certificates failing to comply with Mozilla's CA Certificate Policy and/or the CA/Browser Forum's Baseline Requirements, and is determined to not be an imminent security concern. A CA's response to a CA compliance bug includes providing an Incident Report in the bug.

Anyone may create a CA Compliance bug as follows:

ID | Summary | Status | Assigned to | Whiteboard | Last change time
1885568 | VikingCloud: Delayed revocation of TLS certificates in connection to bug #1883779 | ASSIGNED | VikingCloud CA | [ca-compliance] [ov-misissuance] [leaf-revocation-delay] Next update 2025-07-15 | 2025-06-03T17:09:45Z
1904041 | NETLOCK: Intermediate CA Certificate not disclosed to CCADB | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] [disclosure-failure] | 2025-06-21T19:57:54Z
1911183 | [meta] Delayed Revocation | ASSIGNED | Ben Wilson | [ca-compliance] [meta] [leaf-revocation-delay] | 2025-06-10T20:05:50Z
1911335 | PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2025-06-04T20:38:46Z
1924385 | D-Trust: Missed Revocation of TLS certificates affected by Bugzilla 1884714 | ASSIGNED | Enrico Entschew | [ca-compliance] [leaf-revocation-delay] Next update 2025-06-30 | 2025-06-02T14:31:56Z
1925106 | DigiCert: Incorrect CP listed in CCADB | ASSIGNED | DigiCert | [ca-compliance] [disclosure-failure] Next update 2025-07-01 | 2025-06-20T16:39:54Z
1927532 | SSL.com: Issuance of certificates using keys previously reported as compromised | ASSIGNED | Rebecca Kelley | [ca-compliance] [dv-misissuance] Next update 2025-06-25 | 2025-06-14T19:06:36Z
1929189 | SwissSign: S/MIME certificates deviate from CPR | ASSIGNED | Mike Guenther | [ca-compliance] [smime-misissuance] | 2025-06-18T15:16:41Z
1947691 | NETLOCK: Bug 1891331 replacement - delayed revocation - | ASSIGNED | Nikolett | [ca-compliance] [leaf-revocation-delay] | 2025-06-18T15:25:48Z
1948600 | IZENPE: Outdated CPS for Izenpe Root | ASSIGNED | David | [ca-compliance] [disclosure-failure] | 2025-06-12T09:58:04Z
1950574 | SECOM: S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ) | ASSIGNED | ONO Fumiaki | [ca-compliance] [audit-finding] Next update 2025-09-01 | 2025-02-28T15:35:46Z
1952635 | Entrust: Missing or Inconsistent Disclosure of S/MIME BR Audits | ASSIGNED | Bruce Morton | [close on 2025-06-17] [ca-compliance] [audit-failure] | 2025-06-18T15:21:19Z
1957140 | SSL.com: "unknown" OCSP response for issued certificates | ASSIGNED | SSL.com | [ca-compliance] [ocsp-failure] Next update 2025-06-26 | 2025-06-18T15:22:17Z
1957499 | DigiCert: Persistent failure to answer questions in a timely manner | ASSIGNED | DigiCert | [ca-compliance] [disclosure-failure] [external] | 2025-06-21T20:45:32Z
1959733 | CFCA: Failed to respond a Certificate Problem Report within 24 hours which violates Section 4.9.5 of the TLS BRs | ASSIGNED | Michael | [ca-compliance] [policy-failure] Next update 2025-06-30 | 2025-05-25T18:34:57Z
1961406 | SSL.com: DCV bypass and issue fake certificates for any MX hostname | ASSIGNED | Rebecca Kelley | [ca-compliance] [dv-misissuance] [external] | 2025-06-18T15:51:48Z
1962426 | NETLOCK: CA/Browser Forum TLS BR Non-compliance | ASSIGNED | Nikolett | [ca-compliance] [policy-failure] | 2025-06-20T13:07:42Z
1962809 | SSL.com: Expired certificate for a “Valid” Test Website | ASSIGNED | Rebecca Kelley | [ca-compliance] [policy-failure] Next update 2025-07-03 | 2025-06-21T19:57:16Z
1962829 | Microsoft PKI Services: Policy document bug | ASSIGNED | Microsoft PKI Services | [ca-compliance] [policy-failure] Next update 2025-06-27 | 2025-06-20T21:41:25Z
1963456 | GoDaddy: CA Certificates with HTTPS URL in AIA Field | ASSIGNED | Steven Deitte | [ca-compliance] [ca-misissuance] | 2025-06-16T12:23:10Z
1963629 | HARICA: One of the two Certificate Problem Report email aliases not working | ASSIGNED | Dimitris Zacharopoulos | [ca-compliance] [policy-failure] Next update 2025-06-27 | 2025-06-19T16:56:53Z
1963778 | FNMT: CP/CPS, Revocation Requests Mechanism, Certificate Problem Report, CRL and OCSP disruption | ASSIGNED | Amaya Espinosa | [ca-compliance] [policy-failure] | 2025-06-19T21:50:29Z
1964866 | SHECA: OCSP service response error | ASSIGNED | SHECA | [ca-compliance] [ocsp-failure] | 2025-06-05T01:43:26Z
1965459 | Telia: S/MIME Misissuance incorrect AIA id-ca-caIssuer http:URI | ASSIGNED | Antti Backman | [ca-compliance] [smime-misissuance] | 2025-06-19T05:06:28Z
1965559 | eMudhra: Delayed Publication of Issuing CA Certificates In CCADB | ASSIGNED | Naveen Kumar ML | [ca-compliance] [disclosure-failure] | 2025-06-16T04:51:53Z
1965612 | Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829 | ASSIGNED | Microsoft PKI Services | [ca-compliance] [leaf-revocation-delay] | 2025-06-20T23:38:17Z
1965828 | SwissSign: OCSP outage | ASSIGNED | Roman Fischer | [ca-compliance] [ocsp-failure] Next update 2025-07-18 | 2025-06-20T17:33:24Z
1966006 | KIR: Intermediate CA - SZAFIR Trusted CA3 - revocation status not changed in CCADB | ASSIGNED | Waldemar Brzozowski | [ca-compliance] [disclosure-failure] | 2025-06-16T15:11:41Z
1967929 | KIR: Failed to respond a Certificate Problem Report within 24 hours | ASSIGNED | Piotr Grabowski | [ca-compliance] [policy-failure] | 2025-06-19T14:28:44Z
1967951 | FNMT: Delayed Disclosure of Updated Policy Documents in the CCADB | ASSIGNED | Amaya Espinosa | [ca-compliance] [disclosure-failure] | 2025-06-16T15:12:58Z
1968246 | Entrust: Incomplete privileged access removal within 24 hours | ASSIGNED | Bruce Morton | [ca-compliance] [policy-failure] | 2025-06-17T14:46:17Z
1968836 | Certainly: Sample Websites Unavailable | ASSIGNED | Daniel Jeffery | [ca-compliance] [policy-failure] | 2025-06-16T22:53:30Z
1969036 | Telia: TLS incorrect AIA caIssuer URI and incorrect CDP | ASSIGNED | Antti Backman | [ca-compliance] [ov-misissuance] Next update 2025-06-27 | 2025-06-14T19:34:33Z
1969296 | GoDaddy: Certificates with invalid embedded SCT signatures | ASSIGNED | Steven Deitte | [ca-compliance] [dv-misissuance] | 2025-06-19T17:38:32Z
1969842 | ANF AC: Finding #1 ETSI Audit - Missing log retention period in Terms and Conditions v1.9 | ASSIGNED | Pablo Díaz | [ca-compliance] [audit-finding] | 2025-06-03T14:50:47Z
1970259 | GoDaddy: Precertificates incorrectly logged to DigiCert SCT Logs | ASSIGNED | Steven Deitte | [ca-compliance] [uncategorized] | 2025-06-19T19:38:09Z
1970559 | ANF AC: Finding #3 ETSI Audit - Improve documental explanation revocation request >24h on CPS | ASSIGNED | Pablo Díaz | [ca-compliance] [audit-finding] | 2025-06-05T15:35:39Z
1970565 | ANF AC: Finding #2 ETSI Audit - Information security policy not updated on the website | ASSIGNED | Yulier Nuñez | [ca-compliance] [audit-finding] | 2025-06-05T15:34:42Z
1970567 | ANF AC: Finding #4 ETSI Audit - Missing one Revocation circumstance on CPS | ASSIGNED | Yulier Nuñez | [ca-compliance] [audit-finding] | 2025-06-05T15:33:58Z
1970727 | eMudhra: Failure to respond to a Problem Report within 24 hours | ASSIGNED | Naveen Kumar ML | [ca-compliance] [policy-failure] | 2025-06-16T09:15:27Z
1970728 | eMudhra: Invalid CRL signatures | ASSIGNED | Naveen Kumar ML | [ca-compliance] [crl-failure] [external] | 2025-06-20T17:30:30Z
1970968 | Microsoft PKI Services: Incorrect Revocation Reason Code | ASSIGNED | Microsoft PKI Services | [ca-compliance] [crl-failure] | 2025-06-20T21:53:49Z
1972158 | Sectigo: Lack of documentation for vulnerability NVD rating adjustment | ASSIGNED | Martijn Katerbarg | [ca-compliance] [policy-failure] | 2025-06-15T22:42:20Z
1972547 | Sectigo: Lack of technical controls for multiparty control access to Secure Zone | ASSIGNED | Martijn Katerbarg | [ca-compliance] [policy-failure] | 2025-06-17T14:48:00Z
1972745 | Let's Encrypt: Deployed Unreviewed Boulder Code | ASSIGNED | Jacob Hoffman-Andrews | [ca-compliance] [policy-failure] | 2025-06-19T16:26:14Z
1972887 | A-Trust: TLS non-compliance detected during linter implementation | ASSIGNED | Ramin Sabet | [ca-compliance] [ov-misissuance] | 2025-06-21T15:34:59Z
1973027 | Certigna: Finding #1 ETSI Audit – French translation missing from S/MIME CP/CPS | ASSIGNED | Josselin Allemandou | [ca-compliance] [audit-finding] | 2025-06-19T20:58:38Z
1973032 | Certigna: Finding #2 ETSI Audit - Risks regarding the certification of device not described | ASSIGNED | Josselin Allemandou | [ca-compliance] [audit-finding] | 2025-06-19T20:59:15Z
1973034 | Certigna: Finding #3 ETSI Audit – Event log protection beyond seven years shall be improved | ASSIGNED | Josselin Allemandou | [ca-compliance] [audit-finding] | 2025-06-19T20:59:43Z
1973236 | ANF AC: Delayed Disclosure of Updated Policy Documents in CCADB | ASSIGNED | Pablo Díaz | [ca-compliance] [disclosure-failure] | 2025-06-20T17:24:24Z
1973238 | Actalis: incorrect CP/S Last Update date in CCADB | ASSIGNED | Adriano Santoni | [ca-compliance] [disclosure-failure] | 2025-06-20T17:22:04Z
1973341 | eMudhra emSign PKI Services :Policy Document Inconsistency | ASSIGNED | Naveen Kumar ML | [ca-compliance] [uncategorized] | 2025-06-21T19:50:05Z

52 Total; 52 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Audit Delays

The compliance bug's whiteboard field is tagged with [audit-delay] whenever a CA is unable to deliver audit statements to Mozilla when they are due. Such bugs should be reported as CA compliance issues, with the following whiteboard tags as described here.

  • Whiteboard = [ca-compliance][audit-delay]
  • For audit delays due to mandated restrictions regarding COVID-19, use Whiteboard = [ca-compliance][audit-delay][covid-19]
ID | Summary | Status | Assigned to | Whiteboard | Last change time
1911335 | PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA | ASSIGNED | Jochem van den Berge | [ca-compliance] [audit-delay] | 2025-06-04T20:38:46Z

1 Total; 1 Open (100%); 0 Resolved (0%); 0 Verified (0%);


Revocation Delays

The compliance bug's whiteboard field is tagged with [delayed-revocation-ca] or [delayed-revocation-leaf] whenever a CA fails to abide by Mozilla's requirement to revoke certificates in a timely fashion. As discussed in CA/Responding_To_An_Incident#Revocation, Mozilla recognizes that there may be *exceptional* situations that cause a CA to not abide by the Baseline Requirements, which should be accompanied by an Incident Report.

Such bugs should be reported as CA compliance issues, and will be categorized appropriately during triage.

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);


Closed CA Bugs

Closed CA Compliance Bugs

A historical view of past CA compliance bugs may be found here: