When boulder-observer is configured to probe a CRL URL, it says that probing failed if it fails to read a response, or if it failed to parse the CRL. However, it is possible for the wrong CRL to be served by that URL, which is just as bad of an error (and compliance violation).
It would be good for the prober to confirm that the URL from which it fetched the CRL appears in the CRL's issuingDistributionPoint extension.
When boulder-observer is configured to probe a CRL URL, it says that probing failed if it fails to read a response, or if it failed to parse the CRL. However, it is possible for the wrong CRL to be served by that URL, which is just as bad of an error (and compliance violation).
It would be good for the prober to confirm that the URL from which it fetched the CRL appears in the CRL's
issuingDistributionPoint
extension.