Clients still need to perform some verification of oblivious DoH servers,
such as the TLS certificate check described in {{DDR}}. This certificate
check can be done when looking up the configuration on the gateway
as described in {{config-fetch}}, which can either be done directly,
or via the relay or another proxy to avoid exposing client IP addresses.
Since the oblivious gateway that is discovered dynamically uses a well-known
URI on the same host as the target, as described in {{config-fetch}}, the
certificate evaluation for the connection to the well-known gateway URI also
covers the name of the target DoH server.
This feels underspecified to me. Is the requirement to verify that the target DoH server and its advertised gateway are operated by the same entity, or something else?