mozilla / www.ccadb.org

Website about the Mozilla-run Common CA Database

Expectations for intermediate certs with same Subject+SPKI where only one is technically constrained #32

Open WilsonKathleen opened 5 years ago

WilsonKathleen commented 5 years ago

Determine and document what is expected when not all of the intermediate certs with the same Subject+SPKI are technically constrained. e.g. is it OK for these to be inconsistent as per: https://crt.sh/mozilla-disclosures#disclosedwithinconsistentaudit

For example:

https://crt.sh/?id=1612093347 -- technically constrained, so no audit statements

https://crt.sh/?id=319549067 -- not technically constrained, so audit statements required

Subject + SPKI SHA256 | 98F39514BA28174E9B3D46C7997E27F759FACFD96C26E3A38834BC9B6BDA27F7

robstradling commented 5 years ago

I've just updated https://crt.sh/mozilla-disclosures so that it no longer considers technically-constrained intermediates in its "inconsistent audit" and "inconsistent CP/CPS" checks (see https://github.com/crtsh/certwatch_db/commit/a5c58e5ddbbd66fdcc8f83a6c99d507a78a44af0).

If the discussion on this PR reaches a different conclusion, I'll update the crt.sh checks accordingly.
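The effect of the check change described in the comment above, as an added example that is not crt.sh's or CCADB's own code. The record fields, group keys and audit file names are constructed for illustration, and the `technically_constrained` flag is assumed to be already determined for each certificate.

```python
from collections import defaultdict

# Constructed sample disclosure records (not real CCADB or crt.sh data).
# "key" stands in for the Subject + SPKI SHA-256 that groups intermediates.
RECORDS = [
    {"key": "GROUP-A", "cert": "a1", "technically_constrained": True,  "audit": None},
    {"key": "GROUP-A", "cert": "a2", "technically_constrained": False, "audit": "audit-2019.pdf"},
    {"key": "GROUP-B", "cert": "b1", "technically_constrained": False, "audit": "audit-2019.pdf"},
    {"key": "GROUP-B", "cert": "b2", "technically_constrained": False, "audit": "audit-2018.pdf"},
    {"key": "GROUP-C", "cert": "c1", "technically_constrained": True,  "audit": None},
    {"key": "GROUP-C", "cert": "c2", "technically_constrained": True,  "audit": None},
]


def inconsistent_audit_groups(records, skip_constrained=True):
    """Return {key: {audit value: [cert ids]}} for groups whose members disagree.

    skip_constrained=True models the updated check: technically constrained
    intermediates are left out before audit disclosures are compared.
    skip_constrained=False models the earlier behaviour, where a constrained
    intermediate with no audit statement makes its whole group look inconsistent.
    """
    groups = defaultdict(lambda: defaultdict(list))
    for rec in records:
        if skip_constrained and rec["technically_constrained"]:
            continue
        groups[rec["key"]][rec["audit"]].append(rec["cert"])
    # A group is inconsistent when more than one distinct audit value remains.
    return {k: dict(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for mode in (False, True):
        flagged = inconsistent_audit_groups(RECORDS, skip_constrained=mode)
        print(f"skip_constrained={mode}: flagged groups {sorted(flagged)}")
```

GROUP-A mirrors the pair of certificates in the issue: it is flagged only when constrained intermediates are included in the comparison, while GROUP-B, where two unconstrained intermediates disagree, is flagged either way.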