Multi-Perspective Issuance Corroboration (MPIC) is a security enhancement for digital certificate issuance. It requires certificate authorities (CAs) to perform domain validation and Certificate Authority Authorization (CAA) checks from multiple, geographically and topologically distinct network locations rather than just one.
This approach is designed to mitigate the risk of sophisticated attacks—particularly Border Gateway Protocol (BGP) hijacking—that can manipulate traditional single-location validation methods.
If you are an IT professional, you should care about MPIC because it directly impacts the security and trustworthiness of digital certificates used for securing websites, email, and other online services that your IT infrastructure relies on.
MPIC makes it significantly harder for attackers to exploit network vulnerabilities—such as BGP or DNS hijacking—to fraudulently obtain certificates for domains they do not control. MPIC helps prevent man-in-the-middle attacks, data breaches, and loss of trust in your organization’s digital presence.
As MPIC becomes an industry requirement, IT teams will need to ensure their infrastructure and processes are compatible with these new validation standards to maintain compliance and avoid service disruptions.
MPIC protects your organization’s digital assets, strengthens your security posture, and keeps you in line with evolving industry best practices.
Research and real-world incidents have shown that attackers can exploit weaknesses in the internet’s routing infrastructure (BGP) to redirect validation traffic, potentially causing CAs to issue certificates to unauthorized parties.
This threat is also known as BGP hijacking, prefix hijacking, route hijacking or IP hijacking. It is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables using the Border Gateway Protocol (BGP).
72% of domains were vulnerable to BGP subprefix hijacks, enabling attackers to reroute validation traffic and deceive Certificate Authorities (CAs) into issuing fraudulent certificates.
70% of domains were susceptible to same-prefix attacks, allowing adversaries to impersonate legitimate networks.
All top five CAs were found vulnerable to BGP-based certificate fraud prior to mitigation efforts, as demonstrated in ethical hacking experiments.
BGP hijacking incidents occur with notable frequency and remain a persistent threat to global internet security. Recent data provides a clear picture of how often these events take place:
These statistics indicate that BGP hijacking is not a rare occurrence: incidents happen on a daily basis, affecting a wide range of organizations, including major companies like MasterCard, Amazon, and Google, as well as national telecom operators. The true number may be even higher, as some events go undetected or unreported.
MPIC is being standardized by the CA/Browser Forum (CABF) and is becoming a requirement for publicly trusted certificate issuance, including TLS and soon, S/MIME certificates.
Major CAs like Let’s Encrypt and Google Trust Services have already implemented forms of MPIC, and enforcement across the industry is expected by September 2025.
The DNS Certificate Authority Authorization (CAA) record was introduced in 2013 to help prevent unauthorized certificate issuance and became mandatory for public CAs in September 2017. This record allows domain owners to specify which CAs are authorized to issue certificates for their domains, helping to reduce the risk of misuse and Shadow IT.
If no CAA record exists for a domain, any public Certificate Authority may issue certificates for that domain following standard domain validation as prescribed by the CA/Browser Forum.
However, if a CAA record is present, only those Certificate Authorities explicitly listed in the record are authorized to issue certificates for the domain, adding an important layer of control and security.
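The CAA decision described above, as an added example that is not KeyTalk's or any CA's code: it parses CAA records in zone-file form and decides whether a given CA domain may issue. The no-record and listed-CA rules follow the text; the handling of `issuewild`, the critical flag and `; key=value` parameters goes beyond the page and follows RFC 8659.

```python
import re
from dataclasses import dataclass

# Zone-file form: <flags> <tag> "<value>", e.g. 0 issue "digicert.com"
CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa(text: str) -> CAA:
    """Parse one CAA record; raises ValueError on malformed input."""
    m = CAA_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {text!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3))


def ca_may_issue(records, ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if `ca_domain` is authorized by the CAA RRset `records`."""
    recs = [parse_caa(r) for r in records]
    if not recs:
        return True  # no CAA record: any public CA may issue after normal DCV
    # RFC 8659: a critical (0x80) record with an unknown tag must block issuance.
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in recs):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in recs):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    relevant = [r for r in recs if r.tag == tag]
    if not relevant:
        return True  # e.g. only an iodef record: CAA does not restrict issuance
    for r in relevant:
        # Drop "; key=value" parameters, keep the issuer domain name only.
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer == ca_domain.lower():
            return True
    return False  # also covers issue ";", which names no CA at all
```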
Summary Table: MPIC vs. Traditional Validation

| Feature | Traditional Validation | MPIC Validation |
| --- | --- | --- |
| Validation Location | Single network point | Multiple, globally distributed points |
| Attack Resistance | Vulnerable to local BGP/DNS hijacks | Resistant to localized attacks |
| Industry Requirement | Optional/legacy | Becoming mandatory (CABF Ballot SC-067) |
| Certificate Issuance | Proceeds on single check | Requires corroboration from all perspectives |
Multi-Perspective Issuance Corroboration (MPIC) is a framework designed to enhance the validity and integrity of the domain validation and CAA results on which certificate issuance depends. The primary functionalities of MPIC revolve around three core areas.
The implementation of Multi-Perspective Issuance Corroboration (MPIC) brings forth a robust set of security advantages that significantly enhance the integrity of certificate issuance processes. By leveraging multiple independent network perspectives for validation, MPIC establishes a new standard in certificate security that addresses various traditional vulnerabilities while strengthening the overall trustworthiness of the public key infrastructure.
Additional security benefits:
Multi-Perspective Issuance Corroboration (MPIC) implements a sophisticated validation framework that leverages multiple network vantage points to ensure the security and authenticity of certificate issuance processes. This distributed approach significantly enhances the reliability of domain validation and helps prevent various forms of network-level attacks.
Here’s a detailed breakdown of how MPIC operates:
1. Distributed Validation Checks
2. Corroboration of Results
3. Network Perspective Requirements
4. Validation Process Requirements
5. Error Handling and Reporting
Domain Control Validation (DCV) is a critical component of the certificate issuance process, and MPIC enhances the security of these validations by applying its multi-perspective approach across all standard validation methods. By implementing MPIC across various DCV methods, Certificate Authorities ensure consistent and reliable validation regardless of the chosen verification technique. This comprehensive coverage ensures that the security benefits of multi-perspective validation are maintained across all certificate issuance scenarios.
DNS-based domain validation commonly involves placing a specific validation string within a DNS TXT record. Alternatively, a DNS CNAME record may be used to redirect validation checks to a trusted web server controlled by the certificate requester, enabling flexible and secure validation workflows.
MPIC applies to all major DCV methods, including:
These are all commonly used validation methods that are subject to MPIC requirements. Each of these methods benefits from the additional security layer that multi-perspective validation provides.
The adoption of Multi-Perspective Issuance Corroboration (MPIC) follows a phased implementation timeline established by the CA/Browser Forum and major browser vendors to balance security improvements with operational feasibility. This graduated approach allows certificate authorities (CAs) and relying parties to adapt their infrastructure while maintaining the stability of certificate issuance ecosystems. The enforcement framework was formally ratified in Ballot SC067v3 (August 2024) and expanded through subsequent CAB Forum resolutions, with full compliance required by 2025 per updated Baseline Requirements.
Reporting Phase (January 2024 – March 2025):
MPIC runs in passive monitoring mode, with CAs required to log validation discrepancies but not block issuance. Let’s Encrypt began early implementation in 2020 as a proof-of-concept (per their 2020 blog post).
Enforcement Phase (March 31, 2025 – Ongoing):
After Google’s mandated deadline, certificates require MPIC validation from ≥3 independent network perspectives. Full enforcement (≥5 perspectives) takes effect September 15, 2025 per CAB Forum Resolution 2024-87.
Grace Period Provisions:
CAs may issue non-compliant certificates for ≤5% of total volume until June 2026 to accommodate legacy systems, as noted in Sectigo’s TLS CPS v6.1.0 documentation.
The ACME protocol, used by agents such as Certbot and WinACME to automate certificate issuance, always consults the DNS CAA record before requesting certificates. This applies regardless of whether the target Certificate Authority is public or private.
When certificates are requested via ACME from a private CA, the CA’s hostname or fully qualified domain name (FQDN) must be included in the domain’s CAA record. This ensures that private CAs also comply with CAA authorization policies, preventing unauthorized certificate issuance.
This section outlines the critical timelines for compliance with Multi-Perspective Issuance Corroboration (MPIC) standards and the industry’s adoption strategy.
MPIC represents a significant step forward in securing digital certificate issuance against emerging network-level threats.
Technical Requirements
Impact on Organizations
Future Developments
Key Takeaway: MPIC is not just a technical upgrade but a systemic shift in certificate security, requiring proactive adaptation from IT teams to maintain compliance and thwart increasingly sophisticated network-level attacks.
It is critical that all publicly accessible DNS servers operated by an organization are properly synchronized. Without tight synchronization, public certificate requests could fail starting from September 2025 due to enforcement of Multi-Perspective Issuance Corroboration (MPIC) requirements.
Discrepancies in DNS data across servers, including CAA records and domain validation DNS entries, pose a significant risk to the certificate issuance process. Organizations must ensure that DNS records are consistent and updated promptly across all servers globally to prevent validation failures and denial of certificate issuance.
Note that certificate management systems such as KeyTalk CKMS can request PKI X.509 certificates from major public Certificate Authorities including DigiCert and GlobalSign and therefore are subject to MPIC and DNS synchronization requirements.
Organizations operating multiple DNS servers, especially those geographically distributed across regions such as Europe and Asia, must ensure that CAA records and other DNS entries used for domain validation are fully synchronized with consistent, low TTL (Time To Live) values. A TTL of 300 seconds (5 minutes) or less is recommended to minimize propagation delays and prevent inconsistencies that could result in validation failures.
Without such synchronization, differences in DNS records across locations may lead to failed certificate issuance as multi-perspective validations could detect discrepancies and halt the process.
For example, a DNS record for “domain.com” should be identical in all regions where DNS servers operate, such as Europe and Asia, to ensure consistent validation results during multi-perspective checks.
If DNS records are inconsistent or not synchronized across these multiple servers, the likelihood of public Certificate Authorities rejecting certificate issuance requests increases significantly.
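To show what a multi-perspective check sees when one DNS server is out of sync, here is an added example that is not KeyTalk's or any CA's code. It takes constructed per-perspective lookup results (the `_acme-challenge` TXT RRset and the CAA RRset, names and values invented for the sample), requires a minimum number of perspectives, and reports every perspective that does not corroborate; the number of tolerated non-corroborating perspectives is a parameter, defaulting to the page's rule that all must agree.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """What one network perspective saw for the domain (constructed sample data)."""
    perspective: str
    txt: frozenset   # values of the domain's _acme-challenge TXT RRset
    caa: frozenset   # the domain's CAA RRset as zone-file strings
    error: str = ""  # non-empty when the lookup itself failed (timeout, SERVFAIL)


def corroborate(expected_txt, observations, min_perspectives=3, max_noncorroborating=0):
    """Return (allowed, reasons); reasons names each perspective that disagreed and why."""
    if len(observations) < min_perspectives:
        return False, [f"only {len(observations)} perspectives, {min_perspectives} required"]
    # Majority CAA RRset across perspectives: a single stale server will disagree with it.
    counts = Counter(o.caa for o in observations if not o.error)
    majority_caa = counts.most_common(1)[0][0] if counts else frozenset()
    reasons = []
    for o in observations:
        if o.error:
            reasons.append(f"{o.perspective}: lookup failed ({o.error})")
        elif expected_txt not in o.txt:
            reasons.append(f"{o.perspective}: DCV token absent, saw {sorted(o.txt)}")
        elif o.caa != majority_caa:
            reasons.append(f"{o.perspective}: CAA RRset differs from majority")
    return len(reasons) <= max_noncorroborating, reasons


# Constructed sample: three perspectives; the Asia-side server still serves stale data
# (old validation token, CAA record not yet updated), i.e. a DNS synchronization gap.
TOKEN = "v=acme-dcv-EXAMPLE-TOKEN"
CAA_CURRENT = frozenset(['0 issue "digicert.com"', '0 issue "globalsign.com"'])
SAMPLE = [
    Observation("eu-west", frozenset([TOKEN]), CAA_CURRENT),
    Observation("us-east", frozenset([TOKEN]), CAA_CURRENT),
    Observation("asia-east", frozenset(["v=acme-dcv-OLD-TOKEN"]),
                frozenset(['0 issue "digicert.com"'])),
]

if __name__ == "__main__":
    allowed, why = corroborate(TOKEN, SAMPLE)
    print("issuance allowed" if allowed else "issuance blocked", *why, sep="\n  ")
```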
In this blog post we gave an in-depth overview of Multi-Perspective Issuance Corroboration (MPIC), a forthcoming standard for digital certificate issuance designed to enhance security against sophisticated network-level attacks such as BGP hijacking.
The main key points are:
Conclusion: MPIC represents a fundamental shift in digital certificate security. IT teams and organizations must proactively adapt their systems to integrate MPIC standards, ensuring robust protection against emerging security threats and aligning with industry best practices.
Do you want to know more on how KeyTalk can help your organization with MPIC? Please contact us and we’ll discuss the challenges and possible solutions.
The KeyTalk Team