Hi Suchan,
My information was limited to the CA Certificate Compliance component in
Bugzilla.
Here are the csv files showing bugs reviewed.
Ben
On Wed, Mar 4, 2026 at 5:59 PM Suchan Seo <[email protected]> wrote:
> P.S. I think key-related bugs would be classed under CA Security
> Vulnerability
> <https://bugzilla.mozilla.org/buglist.cgi?product=CA%20Program&component=CA%20Security%20Vulnerability&resolution=--->,
> not in CA Certificate Compliance
> <https://bugzilla.mozilla.org/buglist.cgi?product=CA%20Program&component=CA%20Certificate%20Compliance&resolution=--->:
> I can't see any bugs in that product, but I don't think an outsider would have
> permission to see those bugs.
> Was it actually empty, or are those bugs not read by the AI?
>
> On Thursday, March 5, 2026 at 3:58:28 AM UTC+9, Ben Wilson wrote:
>
>> All,
>>
>> *TL;DR:* A review of 141 CA incident reports (76 open, 65 resolved) from
>> January and February 2026 shows that most issues were not caused by
>> cryptographic weakness or reckless behavior. Instead, they clustered around
>> two structural themes:
>>
>> 1. weaknesses in how compliance and disclosure information is prepared
>>    and published, and
>> 2. incomplete translation of policy requirements into automated issuance
>>    controls.
>>
>> In short, the ecosystem is experiencing fewer “manual error” problems and
>> more “automation design” problems — particularly at the points where
>> operational systems connect to transparency and reporting mechanisms.
>> -----------------------
>>
>> Recently, I reviewed both open (76) and resolved (65) Bugzilla reports of
>> CA incidents from January and February 2026. Using AI-assisted analysis (I
>> also relied on AI to help draft this post), I examined whiteboard labels
>> and comment threads to identify deeper root causes. At the surface level,
>> whiteboard labels describe what happened — for example, “audit-finding,”
>> “policy-failure,” “misissuance,” or “disclosure-failure.” While useful for
>> organizing incidents, these labels do not necessarily explain where a CA’s
>> control systems actually failed.
>>
>> Examining the narratives beneath the labels reveals two structural
>> patterns that have recently become more prominent.
>>
>> Publication Accuracy and Disclosure Controls
>>
>> The most significant cluster of root causes involved weaknesses in
>> compliance publication and reporting controls. In practical terms, this
>> means that processes responsible for preparing, validating, and publishing
>> compliance-related information did not consistently enforce correctness
>> before that information was exposed publicly.
>>
>> This included issues related to CCADB record entry, metadata disclosure
>> fields, URL synchronization between certificates and disclosed records, CRL
>> and OCSP publication artifacts, and disclosure timing workflows.
>>
>> A recurring theme was a mismatch between operational systems and how
>> information was disclosed. Certificates and disclosure metadata were not
>> always aligned. URLs embedded in certificates did not match those disclosed
>> in CCADB. CRLs were updated operationally but encoded incorrectly. Required
>> reporting fields were sometimes not validated before submission.
>>
>> These were not simply clerical oversights. Rather, they reflect gaps in
>> automation and validation at the point where internal CA systems interface
>> with transparency and reporting systems. In many cases, systems allowed
>> incorrect or incomplete compliance data to be published because there was
>> no automated validation step enforcing alignment before exposure. This
>> highlights *the importance of implementing automated consistency checks
>> between operational systems and published compliance data*.
>>
>> Disclosure timing failures — such as missing 72-hour reporting windows —
>> represent one subset of this broader theme. While some incidents did
>> involve procedural gaps or delayed escalation, many others involved data
>> consistency, publication accuracy, or insufficient validation coverage.
>> Disclosure timing should therefore be understood as part of a larger issue:
>> publication-layer control maturity. Strengthening this area may involve
>> *embedding disclosure timing and escalation triggers directly into incident
>> management workflows*.
>>
>> Overall, addressing this class of issues may involve *implementing
>> automated consistency checks, improving metadata validation prior to CCADB
>> submission, and strengthening synchronization between issuance systems and
>> disclosure records*.
>>
>> Failed Implementation of Policy into Issuance Processes
>>
>> Misissuance incidents also revealed a consistent pattern. Most were not
>> caused by cryptographic weakness or key compromise. Instead, they were
>> linked to missing pre-issuance validation checks, defects in data mapping
>> and distinguished name construction, or inconsistencies between automated
>> and manual issuance paths.
>>
>> This suggests that the dominant issue was not failure of the signing
>> engine itself, but incomplete translation of policy requirements into
>> enforceable validation logic. The rule existed in documentation, but it was
>> not fully encoded in the control system.
>>
>> A similar pattern appeared in incidents involving Certificate
>> Transparency. CT-related issues were often not failures of transparency
>> policy, but weaknesses in how those requirements were implemented in
>> automated workflows. Some involved incomplete enforcement of Signed
>> Certificate Timestamp requirements. Others exposed weaknesses at the
>> integration boundary between CA systems and external CT log infrastructure.
>>
>> Misissuance incidents tended to expose gaps within internal validation
>> logic. CT-related incidents more often highlighted challenges in reliably
>> enforcing obligations that depend on external systems. Both, however, point
>> to automation design maturity rather than fundamental policy breakdown.
>>
>> Tooling and Validation Coverage
>>
>> Tooling also played a role. In several cases, linting tools were present
>> and operational but did not detect semantic violations of Baseline
>> Requirements or edge-case conditions. This suggests incomplete validation
>> coverage and underscores the importance of *more comprehensive testing
>> of issuance systems*.
>>
>> The presence of automated tooling created a reasonable expectation of
>> compliance assurance. However, where rule coverage was incomplete or
>> boundary-condition testing was insufficient, non-conformant artifacts were
>> able to pass undetected.
>>
>> Automation and Control Maturity
>>
>> Taken together, the dataset suggests a shift in the nature of challenges
>> within the Web PKI ecosystem. As issuance processes become more automated
>> and standardized, traditional manual procedural errors appear less
>> dominant. Instead, failure modes are increasingly associated with
>> automation complexity, integration boundaries, reporting synchronization,
>> and publication-layer validation.
>>
>> In effect, the ecosystem appears to be moving from “manual error risk” to
>> “automation design risk.” This shift is not inherently problematic, but it
>> does require *increased maturity in engineering discipline,
>> policy-to-code traceability, validation coverage, integration design, and
>> change management*.
>>
>> One of the key insights from this exercise is the distinction between
>> symptom and structural cause. Whiteboard labels describe what happened.
>> Hierarchical root cause analysis reveals where the control boundary was
>> insufficiently designed or enforced. Many incidents that appear unrelated
>> at the surface level converge on the same structural weakness: insufficient
>> enforcement of correctness at the points where operational systems connect
>> to transparency and reporting systems.
>>
>> Recognizing this convergence enables more focused improvement. Instead of
>> addressing each incident category separately, *attention should shift
>> toward strengthening publication validation, improving synchronization
>> between certificate content and disclosed metadata, enhancing
>> policy-to-control mapping, expanding validation coverage, and embedding
>> clearer automation around disclosure timing and escalation triggers*.
>>
>> In summary, the findings do not indicate widespread cryptographic failure
>> or reckless operational behavior. Instead, they highlight areas where
>> automation and compliance publication mechanisms require strengthening —
>> particularly at the points where operational systems interface with
>> transparency and reporting obligations.
>>
>> Ben Wilson
>> Mozilla CA Program Manager
>>
>
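
The quoted post recommends automated consistency checks between the URLs embedded in certificates and the records disclosed in CCADB. The sketch below is an added example, not part of the thread and not Mozilla or CCADB tooling: it assumes the CRL Distribution Point URLs have already been extracted from certificates as strings, and the record layout, function names and `example.test` URLs are all constructed. It goes slightly beyond a pass/fail comparison by explaining each near-miss.

```python
from urllib.parse import urlsplit

# Constructed sample: per issuing CA, the CRLDP URLs found in issued
# certificates and the CRL URLs disclosed for that CA. Not real data.
SAMPLE_RECORDS = [
    {"ca": "Example Issuing CA 1",
     "cert_crldp": ["http://crl.example.test/ca1.crl"],
     "disclosed": ["http://crl.example.test/ca1.crl"]},
    {"ca": "Example Issuing CA 2",
     "cert_crldp": ["http://crl.example.test/ca2.crl"],
     "disclosed": ["https://crl.example.test/ca2.crl"]},
    {"ca": "Example Issuing CA 3",
     "cert_crldp": ["http://crl.example.test/CA3/part1.crl",
                    "http://crl.example.test/CA3/part2.crl"],
     "disclosed": ["http://crl.example.test/ca3/part1.crl"]},
]


def loose_key(url):
    """Loose form of a URL, used only to explain a mismatch.

    It is never used to accept a URL: acceptance is exact string equality.
    """
    parts = urlsplit(url.strip())
    return (parts.netloc.lower(), parts.path.rstrip("/").lower(), parts.query)


def explain_mismatch(cert_url, disclosed_urls):
    """Return None if cert_url is disclosed exactly, else a reason string."""
    if cert_url in disclosed_urls:
        return None
    for disclosed in disclosed_urls:
        if disclosed.strip() == cert_url.strip():
            return "whitespace"
        if loose_key(disclosed) != loose_key(cert_url):
            continue  # unrelated URL, keep looking for a near-miss
        c, d = urlsplit(cert_url.strip()), urlsplit(disclosed.strip())
        if c.scheme != d.scheme:
            return "scheme"
        if (c.netloc == d.netloc and c.path != d.path
                and c.path.rstrip("/") == d.path.rstrip("/")):
            return "trailing-slash"
        return "case"
    return "not-disclosed"


def audit(records):
    """Return (ca, cert_url, reason) for every certificate URL not disclosed exactly."""
    findings = []
    for record in records:
        for url in record["cert_crldp"]:
            reason = explain_mismatch(url, record["disclosed"])
            if reason is not None:
                findings.append((record["ca"], url, reason))
    return findings


def release_allowed(records):
    """Gate for a publication step: allow only when there are no findings."""
    return not audit(records)


if __name__ == "__main__":
    for ca, url, reason in audit(SAMPLE_RECORDS):
        print(f"{ca}: {url} -> {reason}")
    print("release allowed:", release_allowed(SAMPLE_RECORDS))
```
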
"Bug ID","Priority","Type","Summary","Status","Whiteboard","Opened","Updated","Number of Comments"
2015562," --","task","Agencia Notarial de Certificacion (ANCERT): Missing Contact Information in CCADB","UNCONFIRMED","[ca-compliance] [disclosure-failure]","2026-02-09 10:36:46","2026-02-10 10:04:14",2
2015568," --","task","NISZ Nemzeti Infokommunikacios Szolgaltato: Missing Contact Information in CCADB","UNCONFIRMED","[ca-compliance] [disclosure-failure]","2026-02-09 10:37:24","2026-02-10 10:05:35",2
2009525," --","task","Amazon Trust Services: Additional CRL Characteristics Desired in CP/CPS","ASSIGNED","[close on 2026-03-06] [ca-compliance] [policy-failure]","2026-01-09 15:48:27","2026-02-27 11:26:20",17
2007116," --","task","D-Trust: CRL URL Disclosure","ASSIGNED","[ca-compliance] [disclosure-failure]","2025-12-19 06:22:17","2026-03-02 04:25:00",19
2009149," --","task","D-Trust: Expired certificate provided on the CA TLS test website for demonstration of valid certificates","ASSIGNED","[ca-compliance] [policy-failure]","2026-01-08 04:14:02","2026-02-27 10:29:03",10
2011430," --","task","D-Trust: Delayed publication of audit attestation letters in the CCADB","ASSIGNED","[ca-compliance] [audit-delay]","2026-01-20 06:51:29","2026-03-02 04:23:59",17
2012511," --","task","D-Trust: CRL HTTP Media Type","ASSIGNED","[ca-compliance] [crl-failure]","2026-01-26 08:16:11","2026-02-27 10:26:18",7
2012101," --","task","Telia: S/MIME Misissuance - incorrect subject information for Multipurpose sponsor-validated-profile","ASSIGNED","[ca-compliance] [smime-misissuance] Next update 2026-03-17","2026-01-23 04:25:35","2026-03-02 10:51:56",9
2015567," --","task","Government of Saudi Arabia, NIC (SDAIA): Missing Contact Information in CCADB","ASSIGNED","[ca-compliance] [disclosure-failure]","2026-02-09 10:37:18","2026-02-18 01:03:16",5
1911183," --","task","[meta] Delayed Revocation","ASSIGNED","[ca-compliance] [meta] [leaf-revocation-delay]","2024-08-01 13:05:04","2025-06-10 13:05:50",4
2011713," --","task","TrustAsia: ACME Authorization Reuse Non-Compliance","ASSIGNED","[ca-compliance] [dv-misissuance] Next update 2026-03-05","2026-01-21 09:12:29","2026-02-11 07:26:51",9
2011865," --","task","TrustAsia: SSL DV Mis-issuance against CP/CPS (IPAddress)","ASSIGNED","[ca-compliance] [dv-misissuance] Next update 2026-03-05","2026-01-22 04:50:09","2026-02-11 07:27:25",7
2007070," --","task","SECOM: Non conformant SCT Encoding Due to SCT Modification by Cybertrust Japan (CTJ)","ASSIGNED","[ca-compliance] [ov-misissuance]","2025-12-19 00:01:55","2026-02-26 01:37:40",19
2017840," --","task","SECOM: Repository service disruption affecting subordinate CAs (CTJ)","ASSIGNED","[ca-compliance] ","2026-02-19 03:49:12","2026-03-01 15:54:46",3
1962829," --","task","Microsoft PKI Services: Policy document bug","ASSIGNED","[ca-compliance] [policy-failure]","2025-04-25 19:10:29","2026-02-27 15:19:03",62
1965612," --","task","Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829","ASSIGNED","[ca-compliance] [leaf-revocation-delay]","2025-05-09 18:34:01","2026-03-03 08:40:06",190
1999850," --","task","Microsoft PKI Services: OCSP Non-Compliance","ASSIGNED","[ca-compliance] [ocsp-failure] Next update 2026-04-24","2025-11-12 17:29:14","2026-02-19 09:29:22",9
2015186," --","task","DigiCert: Subject Serial Numbers for Non-Commercial Entities","ASSIGNED","[ca-compliance] [ev-misissuance]","2026-02-06 14:18:45","2026-02-26 10:58:14",5
2017185," --","task","DigiCert: CAA processing during network disruption","ASSIGNED","[ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance]","2026-02-16 11:53:36","2026-03-02 23:39:40",7
2015566," --","task","Echoworx: Missing Contact Information in CCADB","ASSIGNED","[ca-compliance] [disclosure-failure]","2026-02-09 10:37:14","2026-02-10 13:19:01",6
2009941," --","task","Firmaprofesional: Misissuance of TLS Subordinate CA ""AC Firmaprofesional - Secure Web 2024""","ASSIGNED","[ca-compliance] [ca-misissuance]","2026-01-13 02:59:12","2026-02-27 05:09:14",15
2011855," --","task","Firmaprofesional: Delayed revocation of TLS certificates affected by bug #2009941","ASSIGNED","[ca-compliance] [leaf-revocation-delay] [ca-revocation-delay] Next update 2026-02-27","2026-01-22 04:13:47","2026-02-27 05:10:42",8
2016066," --","task","Firmaprofesional: Delayed preliminary response under BR 4.9.5 (Bug #2009941)","ASSIGNED","[ca-compliance] [policy-failure]","2026-02-11 02:36:54","2026-03-02 04:16:53",4
2016475," --","task","Firmaprofesional: Delayed revocation disclosure of TLS Subordinate CA certificate Secure Web 2024 in CCADB","ASSIGNED","[ca-compliance] [disclosure-failure]","2026-02-12 08:15:17","2026-02-25 12:29:21",3
2012157," --","task","Actalis: Issuance of certificate using keys previously reported as compromised","ASSIGNED"," [close on 2026-03-06] [ca-compliance] [dv-misissuance]","2026-01-23 08:30:42","2026-02-27 11:31:47",8
2016672," --","task","certSIGN: certificates with delayed SCT signature","ASSIGNED","[ca-compliance] [ov-misissuance]","2026-02-13 03:01:07","2026-02-27 10:50:34",5
2017747," --","task","Google Trust Services: Outdated BR version in some validation records","ASSIGNED","[ca-compliance] [policy-failure] Next update 2026-03-03","2026-02-18 13:48:20","2026-02-27 09:52:40",2
2004699," --","task","Netlock: CA in AIA in PEM format","ASSIGNED","[ca-compliance] [policy-failure]","2025-12-08 05:50:23","2026-03-02 11:17:02",22
2007948," --","task","NETLOCK: Full Incident Report was not published within 14 days of notification","ASSIGNED","[ca-compliance] [disclosure failure]","2025-12-29 12:30:46","2026-03-02 11:18:12",13
2011314," --","task","Netlock: unspecifed revocation code (0) in CRL","ASSIGNED","[ca-compliance] [crl-failure]","2026-01-19 13:40:56","2026-03-02 11:19:15",14
2013395," --","task","NETLOCK: Missing Related Incidents section in the bug report","ASSIGNED","[ca-compliance] [policy-failure]","2026-01-29 12:50:07","2026-02-26 11:18:03",5
2013400," --","task","NETLOCK: did not file a preliminary incident report or respond to a third-party report within the 72-hour timeframe","ASSIGNED","[ca-compliance] [policy-failure]","2026-01-29 12:56:39","2026-02-26 11:19:33",6
2007105," --","task","Asseco DS / Certum: CRL URLs disclosed in CCADB do not exactly match the CRL URLs in certificates","ASSIGNED","[ca-compliance] [disclosure-failure] Next update 2026-03-31","2025-12-19 05:32:26","2026-01-16 10:32:55",5
2015564," --","task","Carillon Information Security: Missing Contact Information in CCADB","ASSIGNED","[ca-compliance] [disclosure-failure]","2026-02-09 10:37:02","2026-03-03 05:31:37",7
2005194," --","task","Buypass: Findings in 2025 ETSI Audit - Audit Incident Report #1 - Compliance auditing on support processes","ASSIGNED","[ca-compliance] [audit-finding]","2025-12-10 05:20:20","2026-03-02 06:40:52",9
2005196," --","task","Buypass: Findings in 2025 ETSI Audit - Audit Incident Report #2 - Supply chain policy","ASSIGNED","[ca-compliance] [audit-finding]","2025-12-10 05:22:48","2026-03-02 06:41:02",11
2010885," --","task","Sectigo: Inaccuracy of CCADB-Disclosed URL for eIDAS CP/CPS","ASSIGNED","[close on 2026-03-04] [ca-compliance] [disclosure-failure]","2026-01-16 08:07:58","2026-02-25 18:21:25",5
2019995," --","task","Sectigo: Package patching gap within Certificate Systems","ASSIGNED","[ca-compliance] [uncategorized]","2026-02-27 09:52:48","2026-02-27 10:24:34",1
1986968," --","task","Financijska agencija (Fina): Mis-issued certificates","ASSIGNED","[ca-compliance] [dv-misissuance]","2025-09-04 09:47:06","2026-02-19 08:20:59",36
1983263," --","task","PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #3 – Internal Audit","ASSIGNED","[ca-compliance] [audit-finding]","2025-08-15 07:05:23","2026-02-24 02:16:43",14
1983267," --","task","PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #7 – Change Management","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-03-20","2025-08-15 07:09:40","2026-01-27 07:16:07",16
1985816," --","task","PKIoverheid: TSP Cleverbase Findings in 2025 ETSI Audit - Incident Report #1 – Incorrect issuer CA listed in CPS","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-14","2025-08-28 08:39:28","2026-01-27 07:16:50",8
2017845," --","task","HARICA: Incorrect nCAId in PSD2 QCStatement for QWACs","ASSIGNED","[ca-compliance]","2026-02-19 04:11:13","2026-02-27 04:29:18",2
2014590," --","task","IdenTrust: Unauthorized OCSP responses for cross-signed roots","ASSIGNED","[ca-compliance] [ocsp-failure]","2026-02-04 14:52:56","2026-02-17 16:58:16",4
2014609," --","task","IdenTrust: Cross-signed root certificate mis-issuance","ASSIGNED","[ca-compliance] [ca-misissuance]","2026-02-04 16:30:24","2026-02-20 15:22:44",4
2014610," --","task","IdenTrust: Root OCSP Signer certificate mis-issuance","ASSIGNED","[ca-compliance] [uncategorized]","2026-02-04 16:38:27","2026-02-20 15:06:39",4
2016267," --","task","IdenTrust: Gap between audit periods","ASSIGNED","[ca-compliance] [audit-failure]","2026-02-11 14:48:59","2026-02-25 16:20:55",2
2016585," --","task","IdenTrust: Test Certificates from cross-signed roots not disclosed in CT Logs","ASSIGNED","[ca-compliance] [uncategorized]","2026-02-12 15:13:02","2026-02-26 07:30:29",4
1990254," --","task","SwissSign: recommendation on risk assessment","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 09:08:48","2025-10-28 05:50:25",6
1990263," --","task","SwissSign: recommendation on BIA/BCP review","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 09:53:15","2025-10-28 05:51:27",4
1990266," --","task","SwissSign: recommendation on BIA/BCP test coverage","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 09:55:40","2025-10-28 05:51:38",4
1990269," --","task","SwissSign: recommendation on document release dual control","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 10:03:05","2025-10-28 05:51:48",4
1990271," --","task","SwissSign: recommendation on firewall review","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 10:05:31","2025-10-28 05:51:54",4
1990272," --","task","SwissSign: recommendation on backup testing","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 10:06:29","2025-10-28 05:52:09",4
1990274," --","task","SwissSign: recommendation on synchronization of staging and production environments","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 10:07:10","2025-10-28 05:52:18",4
1990275," --","task","SwissSign: recommendation on publication process for CA related data","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 10:07:40","2025-10-28 05:52:27",4
1990276," --","task","SwissSign: recommendation on evaluation of cloud service providers","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 10:08:11","2025-10-28 05:52:39",4
1990277," --","task","SwissSign: recommendation on CA-specific risk assessment","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 10:08:41","2025-10-28 05:52:51",4
1990281," --","task","SwissSign: recommendation on self-assessment tool","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 10:12:19","2025-10-28 05:53:00",4
1990282," --","task","SwissSign: recommendation on linting software updates","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 10:12:55","2025-11-03 00:50:16",11
1990284," --","task","SwissSign: recommendation on review of key pair generation implementation","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 10:13:29","2025-10-28 05:53:56",4
1990285," --","task","SwissSign: recommendation on log review process","ASSIGNED","[ca-compliance] [audit-finding] Next update 2026-04-30","2025-09-23 10:14:00","2025-10-28 05:54:20",4
2007216," --","task","GoDaddy: CRL Disclosure in CCADB Mismatch with Issued Certificates","ASSIGNED","[ca-compliance] [disclosure failure]","2025-12-19 16:13:07","2026-03-01 11:38:49",11
2007217," --","task","GoDaddy: Partitioned CRL files missing Issuing Distribution Point","ASSIGNED","[ca-compliance] [disclosure failure] Next update 2026-03-20","2025-12-19 16:15:11","2026-03-02 10:50:54",11
2015563," --","task","Byte Computer: Missing Contact Information in CCADB","ASSIGNED","[ca-compliance] [disclosure-failure]","2026-02-09 10:36:51","2026-02-10 10:07:31",2
2006333," --","task","CFCA: EV Certificates misissued with incorrect businessCategory","ASSIGNED","[close on 2026-03-10] [ca-compliance] [ev-misissuance]","2025-12-16 04:59:00","2026-03-03 06:49:03",25
2011238," --","task","Telekom Security / DFN: CRL of “DFN-Verein Certification Authority 2” contains empty revoked certificate list","ASSIGNED","[ca-compliance] [crl-failure] Next update 2026-04-30","2026-01-19 07:10:05","2026-02-27 00:06:45",8
2015569," --","task","Swiss BIT (FOITT): Missing Contact Information in CCADB","ASSIGNED","[ca-compliance] [disclosure-failure]","2026-02-09 10:37:29","2026-02-10 10:08:09",2
2005939," --","task","Microsec: CT Logging mistakes","ASSIGNED","[ca-compliance] [uncategorized]","2025-12-14 06:45:10","2026-03-01 05:58:58",14
2015565," --","task","Certicamara: Missing Contact Information in CCADB","ASSIGNED","[ca-compliance] [disclosure-failure]","2026-02-09 10:37:08","2026-02-10 10:08:45",2
2012274," --","task","Chunghwa Telecom: Issuance of certificate using keys previously reported as compromised","ASSIGNED","[close on 2026-03-07] [ca-compliance] [ov-misissuance]","2026-01-24 02:43:56","2026-02-28 14:22:26",14
2013805," --","task","iTrusChina: Finding in Routine WebTrust Audit - Domain validation records without the TLS BR version","ASSIGNED","[ca-compliance] [audit-finding]","2026-02-01 18:51:31","2026-02-28 00:00:57",5
2016722," --","task","PostSignum: Mis-issued certificate","ASSIGNED","[ca-compliance] [ov-misissuance]","2026-02-13 06:49:09","2026-02-27 10:49:23",13
1993357," --","task","SHECA: TLS certificate key generation online","ASSIGNED","[ca-compliance] [dv-misissuance] [ov-misissuance] Next update 2026-02-28","2025-10-08 12:46:26","2026-02-28 09:14:54",33
1994051," --","task","SHECA: Delayed revocation of TLS certificates affected by bug #1993357","ASSIGNED","[ca-compliance] [leaf-revocation-delay] Next update 2026-02-28","2025-10-13 11:23:58","2026-02-28 09:15:12",41
2015383," --","task","SHECA: CRL of root CA not published within 24 hours","ASSIGNED","[ca-compliance] [crl-failure]","2026-02-08 23:14:45","2026-02-27 18:59:41",5
"Bug ID","Priority","Type","Summary","Status","Whiteboard","Opened","Updated","Number of Comments"
2012326," --","task","FNMT: Issuance of certificate using keys previously reported as compromised","RESOLVED","[ca-compliance] [ev-misissuance]","2026-01-25 02:34:37","2026-02-27 10:26:19",10
2014833," --","task","FNMT: Delayed response to CPR sender related bug 2012326","RESOLVED","[ca-compliance] [policy-failure]","2026-02-05 10:14:55","2026-03-02 12:33:27",4
2010600," --","task","D-Trust: CRLs of CAs issuing CA certificates exceed the maximum validity period","RESOLVED","[ca-compliance] [crl-failure]","2026-01-15 07:25:29","2026-02-27 10:25:48",12
2012934," --","task","Telia: Inccorrect CRL URL on a Root CA record in CCADB","RESOLVED","[ca-compliance] [disclosure-failure]","2026-01-27 22:13:14","2026-02-25 18:21:56",6
2007072," --","task","TrustAsia: CRL disclosure address incorrectly using HTTPS scheme in CCADB","RESOLVED","[ca-compliance] [disclosure-failure]","2025-12-19 00:16:36","2026-01-25 21:26:31",7
2004654," --","task","SECOM: Invalid stateOrProvinceName","RESOLVED","[ca-compliance] [ov-misissuance]","2025-12-08 02:09:35","2026-02-12 09:13:31",15
1979475," --","task","Microsoft PKI Services: End Entity Certificate Mis-issuance against CPS (BasicConstraints)","RESOLVED","[ca-compliance] [policy-failure] [ov-misissuance]","2025-07-25 17:21:43","2026-01-20 07:57:54",33
2007221," --","task","Microsoft PKI Services: Improper Disclosure of CRL","RESOLVED","[ca-compliance] [disclosure failure]","2025-12-19 16:39:37","2026-03-02 12:32:59",16
2008847," --","task","Microsoft PKI Services: Sample Site Certificates expired","RESOLVED","[ca-compliance] [policy-failure]","2026-01-06 14:37:42","2026-02-16 19:28:05",10
2009539," --","task","Microsoft PKI Services: Improper Disclosure of CRLs – IDP – Existing CAs","RESOLVED","[ca-compliance] [disclosure-failure]","2026-01-09 17:09:51","2026-02-16 19:27:38",9
2009541," --","task","Microsoft PKI Services: Failure to report within 72 hrs - Sample Site Certs Expired","RESOLVED","[ca-compliance] [policy-failure]","2026-01-09 17:10:57","2026-02-11 07:13:54",6
2009542," --","task","Microsoft PKI Services: Improper Disclosure of CRLs – IDP – New CAs","RESOLVED","[ca-compliance] [disclosure-failure]","2026-01-09 17:13:09","2026-02-16 19:27:11",9
2009543," --","task","Microsoft PKI Services: Improper Disclosure of CRLs – Does Not Match CA Subject","RESOLVED","[ca-compliance] [disclosure-failure]","2026-01-09 17:14:19","2026-02-09 12:17:47",7
2009545," --","task","Microsoft PKI Services: Improper Disclosure of CRLs – Protocol Scheme","RESOLVED","[ca-compliance] [disclosure-failure]","2026-01-09 17:15:03","2026-02-11 07:17:08",8
2007098," --","task","GlobalSign: misalignment of CRL URL in CCADB with issued certificates","RESOLVED","[ca-compliance] [disclosure-failure]","2025-12-19 05:00:22","2026-02-12 09:13:04",8
2004521," --","task","TWCA: CA Certificate not published in DER Encoded Format","RESOLVED","[ca-compliance] [policy-failure]","2025-12-05 22:30:14","2026-01-13 14:22:39",10
2007219," --","task","DigiCert: Some certificates issued with CRLDPs that don't exactly match CCADB disclosures","RESOLVED","[ca-compliance] [disclosure failure]","2025-12-19 16:36:17","2026-02-16 19:25:48",7
2009491," --","task","DigiCert: Several non-functioning AIA URLs","RESOLVED","[ca-compliance] [policy-failure]","2026-01-09 13:29:04","2026-02-16 19:26:33",12
2004698," --","task","NAVER Cloud Trust Services: Failure to respond to CPR within 24 hours","RESOLVED","[ca-compliance] [policy-failure] [external]","2025-12-08 05:49:22","2026-01-15 08:35:09",7
2004733," --","task","NAVER Cloud Trust Services: CA Certificate not published in DER Encoded Format","RESOLVED","[ca-compliance] [policy-failure]","2025-12-08 08:04:05","2026-01-15 08:34:38",7
2006711," --","task","NAVER Cloud Trust Services: Encoding non-conformity in SCT extensions","RESOLVED","[ca-compliance] [uncategorized]","2025-12-17 10:26:21","2026-02-11 07:18:03",11
2004704," --","task","Certigna: Failure to respond to CPR within 24 hours","RESOLVED","[ca-compliance] [policy-failure] [external]","2025-12-08 06:16:42","2026-02-27 10:34:28",14
2004732," --","task","Certigna: AIA CA issuer field pointing to PEM encoded cert","RESOLVED","[ca-compliance] [policy-failure]","2025-12-08 07:59:46","2026-01-05 07:20:24",14
2007238," --","task","Certigna: CRL URL Disclosure","RESOLVED","[ca-compliance] [disclosure failure]","2025-12-20 03:13:03","2026-01-12 08:32:45",4
2007132," --","task","Disig: Certificates with invalid embedded SCT signature","RESOLVED","[ca-compliance] [uncategorized]","2025-12-19 08:20:44","2026-02-11 07:19:06",15
2008972," --","task","Disig: Delayed Full Incident Report","RESOLVED","[ca-compliance] [policy-failure]","2026-01-07 08:04:47","2026-01-27 17:23:33",4
2001327," --","task","NETLOCK: Missing CDP Disclosure in CCADB","RESOLVED","[ca-compliance] [disclosure-failure]","2025-11-20 05:48:14","2026-01-05 07:21:00",12
2007297," --","task","eMudhra emSign PKI Services: CRL URL Mismatch Between CCADB Disclosure and Issued Certificates","RESOLVED","[ca-compliance] [disclosure failure]","2025-12-21 04:56:39","2026-02-23 12:53:52",13
2007066," --","task","Disig: Missing CA Disig R2I2 Certification Service Full CRL URLs in CCADB","RESOLVED","[ca-compliance] [disclosure-failure]","2025-12-18 23:40:20","2026-01-20 07:57:24",10
1983269," --","task","PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #9 – Lifecycle Management","RESOLVED","[ca-compliance] [audit-finding]","2025-08-15 07:11:31","2026-01-27 17:24:16",15
1983270," --","task","PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #10 – Firewall Rules and Review","RESOLVED","[ca-compliance] [audit-finding]","2025-08-15 07:12:58","2026-01-13 14:20:49",10
1983271," --","task","PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #11 – Anti-Malware Software","RESOLVED","[ca-compliance] [audit-finding]","2025-08-15 07:14:13","2026-01-28 01:00:41",13
2008021," --","task","PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #1 – Document Management","RESOLVED","[ca-compliance] [audit-finding]","2025-12-30 07:16:26","2026-02-09 12:16:29",6
2008023," --","task","PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #2 – Supply Chain Management","RESOLVED","[ca-compliance] [audit-finding]","2025-12-30 07:17:55","2026-02-19 09:13:11",9
2008024," --","task","PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #3 – Asset Management","RESOLVED","[ca-compliance] [audit-finding]","2025-12-30 07:19:04","2026-02-09 12:16:52",6
2008025," --","task","PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #4 – Incident Management","RESOLVED","[ca-compliance] [audit-finding]","2025-12-30 07:19:59","2026-02-09 12:17:15",6
2008026," --","task","PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #5 – Risk Management","RESOLVED","[ca-compliance] [audit-finding]","2025-12-30 07:22:03","2026-02-09 12:15:05",6
2008027," --","task","PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #6 – Access Control Management","RESOLVED","[ca-compliance] [audit-finding]","2025-12-30 07:22:47","2026-02-09 12:15:29",6
2008028," --","task","PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #7 – Change Management","RESOLVED","[ca-compliance] [audit-finding]","2025-12-30 07:23:57","2026-02-19 09:12:48",10
2008029," --","task","PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #8 – Human Resources Management","RESOLVED","[ca-compliance] [audit-finding]","2025-12-30 07:24:58","2026-02-09 12:16:05",6
1991558," --","task","IdenTrust: TLS self audit testing below 3%","RESOLVED","[ca-compliance] [policy-failure]","2025-09-29 16:04:25","2026-01-15 08:35:46",14
2004492," --","task","IdenTrust: CA Certificate not published in DER Encoded Format","RESOLVED","[ca-compliance] [policy-failure]","2025-12-05 15:02:09","2026-02-05 08:33:32",8
2006483," --","task","IdenTrust: CT Logging Mistakes","RESOLVED","[ca-compliance] [uncategorized]","2025-12-16 14:19:57","2026-01-20 07:58:26",7
2002402," --","task","GoDaddy: Missing R1 Intermediate Full CRL URLs in CCADB","RESOLVED","[ca-compliance] [disclosure-failure]","2025-11-25 13:22:15","2026-01-13 14:22:05",9
2004845," --","task","GoDaddy: CA Certificates Published in PEM format","RESOLVED","[ca-compliance] [policy-failure]","2025-12-08 17:00:32","2026-02-11 07:17:34",10
2005399," --","task","CFCA: DV OCA caIssuers Returns PEM Encoded Certificate (RFC 5280 Section 4.2.2.1 Violation)","RESOLVED","[ca-compliance] [policy-failure]","2025-12-10 18:49:24","2026-02-18 07:45:40",15
2009134," --","task","CFCA: reporting delayed when handling incident bug #2005399","RESOLVED","[ca-compliance] [policy-failure] [disclosure-failure]","2026-01-08 01:43:59","2026-02-18 07:47:01",12
2010525," --","task","CFCA: reporting delayed when handling incident bug #2006333","RESOLVED","[ca-compliance] [policy-failure]","2026-01-15 01:40:46","2026-02-18 07:46:26",8
2004668," --","task","Telekom Security: Root-CA certificates published in PEM encoded format","RESOLVED","[ca-compliance] [policy-failure]","2025-12-08 02:56:05","2026-01-20 07:56:46",10
2013576," --","task","Microsec: ""DV valid"" test website certificate issued under incorrect root","RESOLVED","[ca-compliance] [policy-failure]","2026-01-30 08:02:10","2026-02-27 10:25:22",6
2005567," --","task","Chunghwa Telecom: CA Certificates Published in PEM format","RESOLVED","[ca-compliance] [policy-failure]","2025-12-11 09:01:10","2026-02-03 07:41:55",16
2005762," --","task","Chunghwa Telecom: Failure to respond to CPR within 24 hours","RESOLVED","[ca-compliance] [policy-failure]","2025-12-12 07:10:14","2026-02-05 08:32:58",9
2008260," --","task","Chunghwa Telecom: Delayed audit disclosure for GTLSCA","RESOLVED","[ca-compliance] [audit-delay]","2025-12-31 11:54:11","2026-02-19 09:11:21",17
2008782," --","task","Chunghwa Telecom: Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #1 - mass certificate revocation plan","RESOLVED","[ca-compliance] [audit-finding] ","2026-01-06 11:17:11","2026-02-18 07:44:40",7
2008788," --","task","Chunghwa Telecom: Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #2 - Domain validation records without the TLS BR version","RESOLVED","[ca-compliance] [audit-finding] ","2026-01-06 11:38:32","2026-02-11 07:15:44",10
2008799," --","task","Chunghwa Telecom: Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #3 - Missing vulnerability scan","RESOLVED","[ca-compliance] [audit-finding] ","2026-01-06 12:03:18","2026-02-19 09:13:33",7
2008803," --","task","Chunghwa Telecom: Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #4 - Missing evaluation for third parties","RESOLVED","[ca-compliance] [audit-finding] ","2026-01-06 12:18:56","2026-02-12 09:12:26",8
2009043," --","task","Chunghwa Telecom: Delayed disclosure to Bug 2008782 GTLSCA Audit Incident Report #1 - mass certificate revocation plan","RESOLVED","[ca-compliance] [policy-failure] [disclosure-failure]","2026-01-07 13:37:32","2026-02-19 09:00:14",7
2009045," --","task","Chunghwa Telecom: Delayed disclosure to Bug 2008788 GTLSCA Audit Incident Report #2 - Domain validation records without the TLS BR version","RESOLVED","[ca-compliance] [policy-failure] [disclosure-failure]","2026-01-07 13:41:18","2026-02-19 08:59:06",10
2009046," --","task","Chunghwa Telecom: Delayed disclosure to Bug 2008799 GTLSCA Audit Incident Report #3 - Missing vulnerability scan","RESOLVED","[ca-compliance] [policy-failure] [disclosure-failure]","2026-01-07 13:46:03","2026-02-19 08:58:41",8
2009048," --","task","Chunghwa Telecom: Delayed disclosure to Bug 2008803 GTLSCA Audit Incident Report #4 - Missing evaluation for third parties","RESOLVED","[ca-compliance] [policy-failure] [disclosure-failure]","2026-01-07 13:49:17","2026-02-19 08:57:25",7
1992540," --","task","VikingCloud: Unplanned Access Event","RESOLVED",,"2025-10-03 18:16:41","2026-02-18 07:42:41",10
2012629," --","task","VikingCloud: CP/CPS and SecureTrust Root transition intermediate timing issue","RESOLVED","[ca-compliance] [policy-failure]","2026-01-26 16:22:25","2026-02-19 08:58:00",4
2005149," --","task","SHECA: CA Certificate not published in DER Encoded Format","RESOLVED","[ca-compliance] [policy-failure]","2025-12-10 00:19:34","2026-01-27 17:22:56",11
2007089," --","task","SHECA: subordinate certificates have not published the complete CRL address in CCADB","RESOLVED","[ca-compliance] [disclosure-failure]","2025-12-19 03:06:11","2026-02-16 19:29:30",9