I don't think CRLs usually are, under current infrastructure anyway.
How can you verify the certificate of the server when it's signed by the certificate you want to fetch; or check that it hasn't been revoked when what you're connecting to is its own CRL/OCSP? What about the risk of infinite loops?
Cross-signatures, or multi-signatures, perhaps; or going opportunistic and simply not minding on that occasion?
Nope, for now they just use HTTP, and pin what they need to, to the fingerprint.
They should, however, specify an SHA-256 fingerprint. SHA-1 doesn't really cut it anymore. But that's what Mozilla currently require, so that's what Amazon provided. https://wiki.mozilla.org/CA:Information_checklist
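The thread's point is that a root certificate fetched over plain HTTP is only as trustworthy as the fingerprint it is pinned to, and that the pin should be a SHA-256 digest rather than the SHA-1 value Mozilla's checklist asks for. The following is an added example, not code from the thread, from Mozilla or from Amazon: it computes the fingerprint of a certificate's DER bytes, normalises the colon-separated hex form used in CA information pages, refuses a 40-hex-character SHA-1 pin outright, and compares the SHA-256 pin in constant time. The certificate bytes are a constructed stand-in; the pin format and the function names are assumptions of this example.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the DER encoding of a downloaded CA certificate.
# It is NOT a real certificate; a real fingerprint is the hash of the full DER bytes.
FAKE_CA_DER = b"\x30\x82\x01\x0a" + b"constructed DER stand-in for a CA certificate" * 4


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Return the colon-separated upper-case hex fingerprint of DER bytes.

    "sha1" is allowed here only for display (e.g. comparing against a
    checklist entry); pinning on a SHA-1 value is rejected below.
    """
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_pin(pin: str) -> str:
    """Strip colons, spaces and case so 'ab:cd' and 'ABCD' compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", pin).upper()


def pin_algorithm(hex_pin: str) -> str:
    """Infer the digest from the pin length and refuse weak ones.

    40 hex chars = 160-bit SHA-1 (rejected), 64 hex chars = 256-bit SHA-256.
    """
    n = len(hex_pin)
    if n == 40:
        raise ValueError("SHA-1 pin rejected: a 160-bit digest with known "
                         "collision attacks is not a safe anchor for a root")
    if n == 64:
        return "sha256"
    raise ValueError(f"unrecognised pin length {n}; expected a SHA-256 hex digest")


def verify_pinned(der: bytes, pinned: str) -> bool:
    """True iff the SHA-256 fingerprint of `der` matches the pinned value.

    Raises ValueError for a SHA-1 or malformed pin (a configuration error,
    distinct from a plain mismatch). Comparison is constant-time.
    """
    expected = normalize_pin(pinned)
    algorithm = pin_algorithm(expected)
    actual = hashlib.new(algorithm, der).hexdigest().upper()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Hypothetical workflow: fetch the root over HTTP, then pin before trusting it.
    pin = fingerprint(FAKE_CA_DER)            # what the operator should publish
    print("SHA-256 pin:", pin)
    print("matches:", verify_pinned(FAKE_CA_DER, pin))
    print("tampered:", verify_pinned(FAKE_CA_DER + b"\x00", pin))
    try:
        verify_pinned(FAKE_CA_DER, fingerprint(FAKE_CA_DER, "sha1"))
    except ValueError as exc:
        print("rejected:", exc)
```

Inferring the algorithm from the pin length keeps a single pin string in the configuration; the trade-off is that a pin of an unexpected length is treated as an error rather than silently ignored, which is the behaviour you want when a root of trust is involved.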