How does the CA get the registrar's public key in a way that cannot be spoofed or hacked like you say DNS and HTTP verification can? If your thread model already includes hacking a CA's network infrastructure, getting them to accept the wrong key as valid doesn't seem any more difficult than the others.