Author Topic: Validating that a CSR is legit  (Read 7537 times)
smithsa
« on: May 14, 2008, 09:42:59 PM »

We all know that when a CA receives a CSR, they must verify that the CSR really came from the rightful owners of the domain named in the CSR. But is that really what happens in practice? Does the CA verify that THIS CSR came from the owner, or A CSR came from the owner?

What I mean by this is that the CA will typically contact the Technical Contact (TC) and ask "I received a CSR for this domain, did you send it?". From my experience (or maybe I'm forgetting), there isn't any attempt to have the TC verify that what the CA is acting on is really the CSR that he sent. In other words, if a fraudster knows that a company is going to send a CSR to a certain CA, he could send one also. Depending on how careful the CA and TC are, the CA may end up signing the fraudster's request by mistake.

Should we be concerned by this? It seems that the only attacks I can imagine by doing this are kind of contrived. Still, is there any way to check that what the CA is signing is what the TC really sent?
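One way to bind the confirmation to a specific request, as an added example that is not part of the original post and does not describe any CA's actual procedure: the technical contact computes a SHA-256 fingerprint over the DER bytes of the CSR they sent and reads it back during the verification call, and the CA compares it with the fingerprint of the CSR it is about to sign. The function names and the sample bytes are assumptions made for illustration; the sample bytes are constructed stand-ins, not parseable CSRs.

```python
import base64
import hashlib
import re

# Both PEM labels are in use for PKCS#10 requests.
_PEM_RE = re.compile(
    r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.+?)"
    r"-----END (NEW )?CERTIFICATE REQUEST-----", re.S)

def csr_der(pem: str) -> bytes:
    """Return the DER bytes inside a PEM CSR, ignoring wrapping and line endings."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)

def csr_fingerprint(pem: str) -> str:
    """SHA-256 over the DER request, as colon-separated hex for reading aloud."""
    digest = hashlib.sha256(csr_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_csr(fp_from_contact: str, pem_at_ca: str) -> bool:
    """CA-side check: does the fingerprint the contact reported match the CSR on file?"""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return norm(fp_from_contact) == norm(csr_fingerprint(pem_at_ca))

def to_pem(der: bytes, width: int = 64, eol: str = "\n") -> str:
    """Helper for the demo: wrap bytes as a PEM CSR with a given line width and EOL."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE REQUEST-----", *lines,
                     "-----END CERTIFICATE REQUEST-----", ""])

# Constructed stand-ins for DER bytes (not real CSRs): same domain, different key.
OWNER_DER = b"constructed-request:CN=www.example.com;key=owner" * 4
OTHER_DER = b"constructed-request:CN=www.example.com;key=other" * 4

if __name__ == "__main__":
    fp = csr_fingerprint(to_pem(OWNER_DER))             # computed by the contact
    print(same_csr(fp, to_pem(OWNER_DER, 76, "\r\n")))  # re-wrapped copy at the CA
    print(same_csr(fp, to_pem(OTHER_DER)))              # different request, same domain
```

The fingerprint survives re-wrapping and line-ending changes in transit because it is taken over the decoded DER, while a second request naming the same domain with a different key produces a different value.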