On Tue, Jun 3, 2014 at 5:14 AM, Rob Stradling <rob.stradling at comodo.com> wrote:
> How does the attacker obtain the legitimate customer's CSR?

A CSR isn't generally considered secret, right? I wouldn't think to protect it.

Cheers

AGL