RFC Errata
RFC 8484, "DNS Queries over HTTPS (DoH)", October 2018
Source of RFC: doh (art)
Errata ID: 6708
Status: Reported
Type: Editorial
Publication Format(s): TEXT
Reported By: Martin Thomson
Date Reported: 2021-10-14
Section 10 says:
The use of Online Certificate Status Protocol (OCSP) [RFC6960] servers or Authority Information Access (AIA) for Certificate Revocation List (CRL) fetching (see Section 4.2.2.1 of [RFC5280]) are examples of how this deadlock can happen.
It should say:
The use of Online Certificate Status Protocol (OCSP) [RFC6960] servers, Certificate Revocation List (CRL) distribution points (see Section 4.2.1.13 of [RFC5280]), or Authority Information Access (AIA) to retrieve issuer certificates (see Section 4.2.2.1 of [RFC5280]) are examples of how this deadlock can happen.
Notes:
The OCSP part is fine, but the AIA piece is wrong.
For context, there are three different ways (to my knowledge) that a client might make outbound connections in order to validate or build a certification path.
1. CRL - clients fetch CRLs from the designated location. This rarely happens any more as it is grossly inefficient, but it does still happen in some usages.
2. OCSP - clients query OCSP for the status of a certificate.
3. AIA chasing - this is where the TLS handshake doesn't include the full set of certificates required to validate the end-entity certificate, but the certificate includes a URL for that certificate.
AIA itself is a multi-purpose field. It can include multiple elements, one of which is the identity of an OCSP responder (the same one used in (2) above) and the other is the one used in (3). It does not include CRL distribution points, as the text implies.
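As an added illustration of the three fetch mechanisms the note distinguishes (this is example code written for this page, not part of the erratum, of RFC 8484, or of any DoH implementation), the following Go program builds a constructed self-signed certificate carrying a CRL distribution point plus an AIA extension with both an OCSP responder and a caIssuers URL, then shows that the standard-library parser surfaces the two AIA elements separately from the CRL distribution point. All hostnames and URLs are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// ValidationFetches groups the URLs a client may contact while validating cert; for a DoH server's certificate each one is a potential bootstrap deadlock.
func ValidationFetches(cert *x509.Certificate) map[string][]string {
	return map[string][]string{
		// CRL distribution points live in their own extension (RFC 5280 4.2.1.13), not in AIA.
		"crl": cert.CRLDistributionPoints,
		// Both of the following come from the single AIA extension (RFC 5280 4.2.2.1).
		"ocsp":      cert.OCSPServer,
		"caIssuers": cert.IssuingCertificateURL,
	}
}

// ConstructedCert builds a self-signed sample certificate (constructed for this example, not a real DoH server's) carrying all three kinds of URL.
func ConstructedCert() (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour),
		CRLDistributionPoints: []string{"http://crl.example/doh.crl"},
		OCSPServer:            []string{"http://ocsp.example/"},
		IssuingCertificateURL: []string{"http://ca.example/issuer.cer"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := ConstructedCert()
	if err != nil {
		panic(err)
	}
	fmt.Println(ValidationFetches(cert))
}
```

A DoH client that resolves names only through the server whose certificate it is validating cannot reach any of these three URLs until validation completes, which is the deadlock Section 10 describes.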