How can you verify the certificate of the server when it's signed by the certificate you want to fetch; or check that it hasn't been revoked when what you're connecting to is its own CRL/OCSP? What about the risk of infinite loops?
Cross-signatures, or multi-signatures, perhaps; or going opportunistic and simply not minding on that occasion?
Nope, for now they just use HTTP, and pin what they need to, to the fingerprint.
They should, however, specify an SHA-256 fingerprint. SHA-1 doesn't really cut it anymore. But that's what Mozilla currently require, so that's what Amazon provided. https://wiki.mozilla.org/CA:Information_checklist
As far as the certificate goes, I'm guessing there are many, many checks as to the authenticity of the key before it ships.
Plus, they'd have to use a cert from another CA, since theirs are not trusted yet. That's not elegant in a process that is used to start CAs.
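The fingerprint pinning discussed in this thread (fetch the certificate over plain HTTP, then trust it only if it matches a fingerprint obtained out of band) can be sketched as follows. This is an added example, not code from any commenter or from Amazon or Mozilla; the function names, the `PinError` class and the sample bytes are assumptions made for illustration, and the sample "certificate" is constructed placeholder data rather than a real root.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

class PinError(Exception):
    """The downloaded bytes must not be trusted."""

def to_der(blob: bytes) -> bytes:
    """Accept PEM or raw DER and return the DER bytes the fingerprint covers."""
    m = PEM_RE.search(blob.decode("latin-1"))
    if not m:
        return blob  # no PEM armour found: treat the input as DER already
    b64 = "".join(m.group(1).split())
    return base64.b64decode(b64, validate=True)

def parse_pin(pin: str) -> bytes:
    """Parse 'AA:BB:..' or 'aabb..' and insist on a 32-byte SHA-256 digest."""
    raw = bytes.fromhex(re.sub(r"[:\s]", "", pin))
    if len(raw) == 20:
        raise PinError("pin is SHA-1 length; use a SHA-256 fingerprint")
    if len(raw) != 32:
        raise PinError("pin is not a SHA-256 digest")
    return raw

def verify_pinned(blob: bytes, pin: str) -> bytes:
    """Return the DER certificate only if its SHA-256 matches the pin."""
    der = to_der(blob)
    if not hmac.compare_digest(hashlib.sha256(der).digest(), parse_pin(pin)):
        raise PinError("fingerprint mismatch; discard the download")
    return der

# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
# In practice the pin arrives out of band; here it is derived from the sample.
_HEX = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
SAMPLE_PIN = ":".join(_HEX[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    print(len(verify_pinned(SAMPLE_PEM, SAMPLE_PIN)), "bytes verified")
```

The fingerprint is computed over the DER encoding, so the PEM and DER forms of the same certificate verify against the same pin.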