MPIC – What is it and why should you care?

28 May ‘25

Introduction to MPIC

Multi-Perspective Issuance Corroboration (MPIC) is a security enhancement for digital certificate issuance. It requires certificate authorities (CAs) to perform domain validation and Certificate Authority Authorization (CAA) checks from multiple, geographically and topologically distinct network locations rather than just one.  

This approach is designed to mitigate the risk of sophisticated attacks—particularly Border Gateway Protocol (BGP) hijacking—that can manipulate traditional single-location validation methods. 

 

The need for MPIC  

If you are an IT professional, you should care about MPIC because it directly impacts the security and trustworthiness of digital certificates used for securing websites, email, and other online services that your IT infrastructure relies on.  

MPIC makes it significantly harder for attackers to exploit network vulnerabilities—such as BGP or DNS hijacking—to fraudulently obtain certificates for domains they do not control. MPIC helps prevent man-in-the-middle attacks, data breaches, and loss of trust in your organization’s digital presence.  

As MPIC becomes an industry requirement, IT teams will need to ensure their infrastructure and processes are compatible with these new validation standards to maintain compliance and avoid service disruptions. 

MPIC protects your organization’s digital assets, strengthens your security posture, and keeps you aligned with evolving industry best practices.

 

Addressing Real-World Threats 

Research and real-world incidents have shown that attackers can exploit weaknesses in the internet’s routing infrastructure (BGP) to redirect validation traffic, potentially causing CAs to issue certificates to unauthorized parties.  

This threat is also known as BGP hijacking, prefix hijacking, route hijacking or IP hijacking. It is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables using the Border Gateway Protocol (BGP). An attacker who can attract the CA’s validation traffic for even a few minutes can answer the HTTP or DNS challenge in the victim’s place.

The figures below come from academic measurements of the pre-MPIC ecosystem; the best-known study is the 2018 USENIX Security paper “Bamboozling Certificate Authorities with BGP” (Birge-Lee et al., Princeton), which demonstrated the attack against real CAs in a controlled, ethical setting:

72% of domains were vulnerable to BGP sub-prefix hijacks, enabling attackers to reroute validation traffic and deceive Certificate Authorities (CAs) into issuing fraudulent certificates.

70% of domains were susceptible to same-prefix attacks, allowing adversaries to impersonate legitimate networks.

All top five CAs were found vulnerable to BGP-based certificate fraud prior to mitigation efforts, as demonstrated in those ethical hacking experiments.

 

Frequency of BGP hijacking 

BGP hijacking incidents occur with notable frequency and remain a persistent threat to global internet security. Recent data provides a clear picture of how often these events take place: 

  • From late 2015 to mid-2017, BGPStream detected 3,482 possible hijacks worldwide, as analyzed by Noction. 
  • In 2018, BGPMon reported 4,739 routing incidents, many involving BGP hijacking, based on their monitoring platform. 
  • In 2020, MANRS documented 2,477 BGP hijacks using BGPStream data, highlighting a slight increase from 2019. 
  • In 2021, MANRS noted 775 “possible hijacks” identified by BGPStream collectors, reflecting a reduction in incidents compared to 2020. 

These statistics show that BGP hijacking is not a rare occurrence: incidents happen on a daily basis and have affected a wide range of organizations, including major companies such as MasterCard, Amazon, and Google, as well as national telecom operators. The true number may be higher still, as some events go undetected or unreported. Not every hijack targets certificate issuance, but every one of them is a window in which a single-vantage-point validation can be fooled.

 

Industry Standardization of MPIC

MPIC has been standardized by the CA/Browser Forum (CABF): Ballot SC-067 v3, adopted in August 2024, added it to the TLS Baseline Requirements (section 3.2.2.9), and a corresponding change extends it to S/MIME certificates.

Some CAs were ahead of the requirement: Let’s Encrypt has validated from multiple vantage points in production since February 2020, and Google Trust Services also deployed a form of MPIC before it was mandated. Across the industry, MPIC has been mandatory and blocking for publicly trusted TLS issuance since 15 March 2025, and the minimum number of remote perspectives grows in steps through December 2026 (see the enforcement timeline below).

The DNS Certificate Authority Authorization (CAA) record was introduced in 2013 to help prevent unauthorized certificate issuance and became mandatory for public CAs in September 2017. This record allows domain owners to specify which CAs are authorized to issue certificates for their domains, helping to reduce the risk of misuse and Shadow IT. 

If no CAA record exists for a domain, any public Certificate Authority may issue certificates for that domain following standard domain validation as prescribed by the CA/Browser Forum. 

However, if a CAA record is present, only those Certificate Authorities explicitly listed in the record are authorized to issue certificates for the domain, adding an important layer of control and security. 
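To make the CAA rules concrete, here is an added example (not part of the original post) of the decision a CA makes: it climbs from the requested name toward the root until it finds a CAA record set, then applies the issue/issuewild properties and the critical flag as RFC 8659 specifies. The zone data, the issuer domain names and the record values are constructed for the example.

```python
"""CAA lookup and issuance decision per RFC 8659, run against constructed zone data."""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class Caa:
    flags: int   # bit 7 (0x80) = "issuer critical"
    tag: str
    value: str

# Constructed zone data (not real DNS): name -> CAA records published at that name.
ZONE = {
    "example.com": [
        Caa(0, "issue", "letsencrypt.org"),
        Caa(0, "issuewild", ";"),                        # no CA may issue wildcards
        Caa(0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [Caa(0, "issue", "digicert.com")],
    "legacy.example.com": [Caa(0x80, "futuretag", "x")],  # critical property nobody understands
}

def zone_lookup(name):
    """Stand-in for a DNS query: CAA records at exactly this name (empty if none)."""
    return ZONE.get(name, [])

def relevant_caa(domain, lookup=zone_lookup):
    """RFC 8659 section 3: walk from the domain toward the root and return the first
    non-empty CAA RRset and the name it was found at. The root has no CAA records."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup(name)
        if rrset:
            return name, rrset
    return None, []

def ca_may_issue(domain, issuer_domain, lookup=zone_lookup):
    """Decide, as a CA identified by issuer_domain would, whether CAA permits issuing
    for domain. A leading '*.' selects the wildcard rules (issuewild, else issue)."""
    wildcard = domain.startswith("*.")
    base = domain[2:] if wildcard else domain
    _, rrset = relevant_caa(base, lookup)
    if not rrset:
        return True                      # no CAA anywhere up the tree: not restricted
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in rrset):
        return False                     # critical property we do not understand
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True                      # e.g. only an iodef record: not restricted
    # Value syntax is "<issuer-domain-name> [; param=value ...]"; ";" alone permits nobody.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in props}
    allowed.discard("")
    return issuer_domain.lower() in allowed

if __name__ == "__main__":
    for dom, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "digicert.com"),
                    ("shop.example.com", "digicert.com"), ("*.example.com", "letsencrypt.org"),
                    ("*.shop.example.com", "digicert.com"), ("legacy.example.com", "letsencrypt.org"),
                    ("other.test", "anyca.example")]:
        print(f"{ca:>16} may issue for {dom:<22}: {ca_may_issue(dom, ca)}")
```

The CA compares its own issuer domain name (the value it documents in its CPS, for example letsencrypt.org) against the issue property, so a record naming the wrong CA, or the value ";", blocks issuance even though the domain is otherwise validated. Because the walk stops at the first name that has CAA records, a record on shop.example.com is not combined with the one on example.com.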

 

Summary Table: MPIC vs. Traditional Validation

Feature               | Traditional Validation                   | MPIC Validation
----------------------|------------------------------------------|---------------------------------------------------------------------------
Validation Location   | Single network point (the CA’s own)      | Primary point plus multiple remote, globally distributed points
Attack Resistance     | Vulnerable to localized BGP/DNS hijacks  | Resistant to localized attacks; the attacker must fool nearly every vantage point
Industry Requirement  | Legacy (before 15 March 2025)            | Mandatory since 15 March 2025 (CABF Ballot SC-067 v3, BR section 3.2.2.9)
Certificate Issuance  | Proceeds on a single successful check    | Requires the primary check plus a quorum of corroborating remote perspectives

 

The 3 main functionalities of MPIC 

MPIC is not a new validation method; it is a way of performing the existing domain validation and CAA checks so that no single network path decides the outcome. Its functionality comes down to three things.

  1. Distributed Validation
    When a CA receives a request to issue a certificate, it must validate domain control and CAA records not only from its own (primary) network location but also by repeating the lookups from several independent, globally distributed remote network perspectives.
  2. Corroboration
    The results from the remote perspectives are compared with the primary result. If enough of them agree (the quorum: at most one disagreeing perspective when two to five remotes are used, at most two when six or more are used), the validation succeeds. If more perspectives disagree, for example because some of them are redirected or receive different DNS answers, the attempt fails and issuance is refused; the discrepancy is worth investigating as a possible attack.
  3. Mitigation of BGP Attacks
    BGP hijacks are often localized, affecting only part of the internet. By checking from multiple regions, MPIC makes it much harder for attackers to fool the CA, since an attack would have to succeed at the primary perspective and at nearly all remote perspectives simultaneously rather than just locally.

 

 

Security Benefits of MPIC 

MPIC removes the single point of failure in domain validation: an attacker who can manipulate the CA’s view of a domain from one network location can no longer obtain a certificate, because the same lookups are repeated from locations the attacker does not influence. That strengthens the weakest link in the public key infrastructure, the moment at which a CA decides that a requester controls a name.

Additional security benefits:

  • Enhanced Attack Detection: A remote perspective that sees a different answer than the CA’s primary perspective is direct evidence that something between the CA and the domain has been tampered with (or is misconfigured); CAs now observe this signal on every validation.
  • Improved Domain Validation Reliability: Cross-checking validation results across independent network paths makes the verdict depend on what the domain actually publishes, not on one resolver or one route.
  • Tolerance for Isolated Failures: The quorum rule allows one (or, with six or more perspectives, two) remote perspectives to fail without blocking issuance, so a single flaky network path does not produce a spurious validation failure.
  • Global Consistency Verification: A certificate is only issued when the domain’s validation data looks the same from several regions, which defeats manipulation that is confined to one region or one upstream provider.
  • Strengthened CAA Checking: CAA records are fetched from every perspective too, so an attacker cannot hide a restrictive CAA record from the CA by poisoning or rerouting a single lookup.

 

How MPIC Works 

Multi-Perspective Issuance Corroboration (MPIC) repeats the CA’s validation lookups from several network vantage points and only accepts a result that those vantage points corroborate. Because the remote lookups traverse different routes and different resolvers, an attacker must control all of them, not just the path to the CA’s data center.

Here’s a detailed breakdown of how MPIC operates: 

1. Distributed Validation Checks 

  • When a certificate is requested, the Certificate Authority (CA) must verify domain control (Domain Control Validation, or DCV) and check Certificate Authority Authorization (CAA) records. 
  • Instead of performing these checks from a single network location, MPIC requires the CA to conduct the same validation from multiple, geographically and topologically distinct points across the internet. 
  • These locations are often spread across different regions and Internet Service Providers (ISPs), making it much harder for an attacker to manipulate all perspectives at once. 

2. Corroboration of Results 

  • Each remote perspective independently performs the required DCV and CAA lookups for the same validation attempt.
  • The CA compares the remote results with its own (primary) result. For validation to succeed, the primary check must pass and a quorum of remote perspectives must corroborate it: with two to five remote perspectives at most one may fail to corroborate, with six or more at most two.
  • If more perspectives than that fail or disagree (e.g., a DNS record is missing or differs, or the CAA check forbids issuance from one vantage point), the CA will not issue the certificate.

3. Network Perspective Requirements 

  • Remote perspectives must be topologically distinct: each sits in a different Autonomous System (AS) from the others and from the CA’s primary perspective, so that no single upstream network carries all of the CA’s lookups.
  • The set of remote perspectives must span at least two Regional Internet Registry (RIR) service regions, which in practice means different continents.
  • Perspectives should be operationally segregated so that a fault or compromise in one cannot alter the results reported by another.

4. Validation Process 

  • The remote lookups belong to the same validation attempt as the primary lookup; the CA collects them within a bounded time window, and a perspective that does not answer in time simply counts as non-corroborating.
  • The CA records the outcome from every perspective for each attempt.
  • Results are not cached across validation attempts: a new attempt repeats the lookups from every perspective.
  • If the quorum is not met, the attempt fails; the applicant can fix the cause (typically a DNS record that has not propagated to every authoritative server) and start a new attempt.

5. Error Handling and Reporting 

  • Discrepancies between perspectives are recorded and analysed; a remote perspective that consistently sees a different answer is either a DNS synchronisation problem on the applicant’s side or evidence of an attack.
  • CAs monitor for patterns of non-corroboration, for example one perspective or one region failing across many unrelated domains, which points to a problem at that vantage point rather than at the applicants.
  • Failed validations are reported back to the applicant through the CA’s normal channels (for ACME clients, the error in the challenge object) so the cause can be investigated.
  • Clients should retry with back-off after a failure rather than hammering the CA, since a retry before the DNS change has propagated will fail again.
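Putting the functionalities and steps above together, here is an added example (not part of the original post or of any CA’s code) of the corroboration decision: a primary perspective plus three constructed remote perspectives, the BR 3.2.2.9 quorum rule, and the structural checks on the perspective set (distinct ASes, at least two RIR regions). The perspective names, ASNs, token and DNS answers are all constructed; the first scenario models a hijack that only affects the route from the CA’s own data center, the second a remote perspective whose lookup times out.

```python
"""MPIC corroboration with the BR 3.2.2.9 quorum rule, run on constructed observations."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Perspective:
    name: str
    asn: int      # Autonomous System the vantage point sits in
    rir: str      # RIR service region: ARIN, RIPE, APNIC, LACNIC or AFRINIC

@dataclass(frozen=True)
class Observation:
    txt: Optional[Tuple[str, ...]]   # TXT strings seen at _acme-challenge.<domain>; None = lookup failed
    caa_permits: bool                # outcome of the CAA check from the same vantage point

def allowed_non_corroborations(remote_count: int) -> int:
    """Quorum table from BR 3.2.2.9: 2-5 remote perspectives tolerate 1 non-corroboration,
    6 or more tolerate 2. Fewer than 2 remotes is not a valid MPIC configuration."""
    if remote_count < 2:
        raise ValueError("MPIC requires at least 2 remote network perspectives")
    return 1 if remote_count <= 5 else 2

def check_perspective_set(primary: Perspective, remotes: List[Perspective], minimum_remote: int) -> bool:
    """Structural checks done before any lookup: enough remotes for the current phase,
    every perspective in its own AS, and the remotes spread over >= 2 RIR regions."""
    if len(remotes) < minimum_remote:
        return False
    asns = [primary.asn] + [p.asn for p in remotes]
    if len(set(asns)) != len(asns):
        return False
    return len({p.rir for p in remotes}) >= 2

def passes(obs: Observation, token: str) -> bool:
    """A perspective 'passes' when the DCV token is present and CAA permits issuance."""
    return obs.txt is not None and token in obs.txt and obs.caa_permits

def corroborate(token: str, primary_obs: Observation,
                remote_obs: Dict[Perspective, Observation]) -> Tuple[bool, str]:
    """Issue only if the primary passes and no more remotes than the quorum allows disagree."""
    if not passes(primary_obs, token):
        return False, "primary perspective did not validate"
    non_corr = [p.name for p, o in remote_obs.items() if not passes(o, token)]
    limit = allowed_non_corroborations(len(remote_obs))
    if len(non_corr) > limit:
        return False, f"{len(non_corr)} non-corroborating perspective(s), limit {limit}: {non_corr}"
    return True, f"quorum met ({len(non_corr)} non-corroborating, limit {limit})"

# Constructed perspectives (documentation ASNs from RFC 5398) and a constructed token.
TOKEN = "constructed-token-3f9a"
PRIMARY = Perspective("ca-frankfurt", 64496, "RIPE")
REMOTES = [Perspective("us-east", 64497, "ARIN"),
           Perspective("singapore", 64498, "APNIC"),
           Perspective("sao-paulo", 64499, "LACNIC")]

def scenario_localized_hijack() -> Tuple[bool, str]:
    """Attacker announces the victim's prefix near the CA's primary site only: the primary
    sees the attacker's token, every remote still sees the legitimate zone without it."""
    primary = Observation((TOKEN,), True)
    remotes = {p: Observation(("v=spf1 -all",), True) for p in REMOTES}
    return corroborate(TOKEN, primary, remotes)

def scenario_transient_failure() -> Tuple[bool, str]:
    """Legitimate request; one remote's lookup times out, which the quorum tolerates."""
    primary = Observation((TOKEN,), True)
    remotes = {REMOTES[0]: Observation((TOKEN,), True),
               REMOTES[1]: Observation(None, True),
               REMOTES[2]: Observation((TOKEN,), True)}
    return corroborate(TOKEN, primary, remotes)

if __name__ == "__main__":
    print("perspective set valid for the Sept-2025 phase (3 remotes):",
          check_perspective_set(PRIMARY, REMOTES, 3))
    print("localized hijack  ->", scenario_localized_hijack())
    print("transient failure ->", scenario_transient_failure())
```

The hijack scenario is refused because all three remotes disagree with the primary, far above the one non-corroboration the quorum allows; the same code accepts the transient-failure scenario, which is exactly the trade-off the quorum table encodes. Raising `minimum_remote` to 4 or 5 shows how the same three-perspective set stops being acceptable in the later enforcement phases.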

 

Supported Validation Methods

Domain Control Validation (DCV) is the step at which the CA establishes that the requester controls the domain, and MPIC applies to the network lookups that every standard DCV method depends on: the HTTP fetch, the DNS query, or the DNS lookups that determine where a validation email is sent. Whichever method the requester chooses, the CA repeats its lookups from the remote perspectives and applies the quorum rule.

DNS-based domain validation commonly involves placing a specific validation string in a DNS TXT record (for ACME, at _acme-challenge.<domain>). Alternatively, that name can be a CNAME pointing at a name in another zone the requester controls, so the token can be published in a dedicated delegated zone and the automation never needs write access to the main zone; the CA follows the CNAME, and every perspective must see the same chain.

MPIC applies to all major DCV methods, including:

  • HTTP-based DCV: Agreed-Upon Change to Website v2 (a file under /.well-known/pki-validation/) and the ACME “http-01” challenge
  • DNS-based DCV: DNS Change (a TXT or CNAME record) and the ACME “dns-01” challenge
  • TLS-based DCV: the ACME “tls-alpn-01” challenge
  • Email-based DCV methods whose recipient address is derived from DNS (Email to DNS CAA Contact, Email to DNS TXT Contact, Constructed Email to Domain Contact): the DNS lookups these methods rely on are corroborated
  • CAA record checks, which are performed from every perspective alongside the DCV lookup

Each of these methods benefits from the additional security layer that multi-perspective validation provides; what changes for the requester is that the resource being checked must be reachable, with identical content, from every region the CA validates from.

 

Enforcement Timeline 

The adoption of Multi-Perspective Issuance Corroboration (MPIC) follows a phased implementation timeline established by the CA/Browser Forum to balance security improvements with operational feasibility. The requirement was ratified in Ballot SC-067 v3 (August 2024) and lives in section 3.2.2.9 of the TLS Baseline Requirements. Rather than a single cut-over, the ballot phases in both enforcement and the minimum number of remote network perspectives, so that CAs can build out vantage points without destabilising issuance; the last step lands in December 2026.

 

Reporting Phase (September 15, 2024 – March 14, 2025): 

CAs were expected to run MPIC in non-blocking mode: lookups are performed from the remote perspectives and non-corroborations are logged, but a discrepancy does not yet block issuance. Let’s Encrypt had already run multi-perspective validation in production since February 2020 (described in its blog post “Multi-Perspective Validation Improves Domain Validation Security”), years before it was required.

Enforcement Phase (March 15, 2025 – ongoing): 

MPIC is mandatory and blocking: a certificate may only be issued if the primary check passes and the quorum of remote perspectives corroborates it. The minimum number of remote perspectives then rises on a fixed schedule:

  • March 15, 2025: at least 2 remote perspectives
  • September 15, 2025: at least 3
  • March 15, 2026: at least 4
  • December 15, 2026: at least 5

Quorum: with 2 to 5 remote perspectives in use, at most 1 may fail to corroborate; with 6 or more, at most 2.

No Grace Period: 

The Baseline Requirements contain no volume-based exemption: after March 15, 2025 a publicly trusted CA must not issue a certificate whose validation failed the MPIC quorum, however small a share of its volume that represents. Legacy systems that are only reachable from some regions therefore have to be fixed on the applicant’s side; the CA cannot waive the check.

 

ACME Protocol and CAA Validation 

The ACME protocol (RFC 8555), used by clients such as Certbot and WinACME to automate certificate issuance, does not itself consult CAA: the CAA lookup is performed by the CA at validation time. For publicly trusted CAs that lookup is mandatory and, since March 2025, subject to MPIC. The ACME client only proves control of the domain by completing a challenge (http-01, dns-01 or tls-alpn-01); it has no say in whether CAA permits the issuance.

A private CA that speaks ACME is not bound by the Baseline Requirements and may ignore CAA entirely, but some private CA products honour it. Where it does, the domain’s CAA “issue” property must name the identifier that CA uses (the value is the CA’s issuer domain name, such as letsencrypt.org for Let’s Encrypt, not the hostname of the ACME endpoint), otherwise that CA will refuse to issue. A practical consequence: a restrictive CAA record added for public CAs can unexpectedly block an internal CA that also enforces CAA, so list every issuer you rely on.

 

Compliance Timelines and Industry Adoption 

This section outlines the critical timelines for compliance with Multi-Perspective Issuance Corroboration (MPIC) standards and the industry’s adoption strategy. 

  • TLS Certificates: MPIC became mandatory for publicly trusted TLS certificates on March 15, 2025, per CA/Browser Forum Ballot SC-067 v3. 
  • S/MIME Certificates: Ballot SMC010 extends MPIC to S/MIME certificate validation, with a compliance deadline of May 15, 2025. 
  • Enforcement Phases: 
    • Reporting-Only Mode (from September 15, 2024): CAs were expected to run MPIC without blocking issuance and to log non-corroborations; several CAs, Sectigo among them, used this window to test their perspectives. 
    • Blocking Mode (from March 15, 2025): issuance requires the quorum to be met with at least two remote perspectives. 
    • Scaling Up (September 15, 2025 to December 15, 2026): the minimum rises to three, then four, then five remote perspectives. 
  • By the end of 2026 every publicly trusted TLS certificate will have been validated from at least five remote perspectives in addition to the CA’s own. 

MPIC represents a significant step forward in securing digital certificate issuance against emerging network-level threats. 

 

Technical Requirements 

  • Validation Perspectives: 
    • The CA’s own (primary) perspective plus remote network perspectives: at least 2 since March 15, 2025, at least 3 from September 15, 2025, at least 4 from March 15, 2026, and at least 5 from December 15, 2026. 
    • Remote perspectives must be in different Autonomous Systems from one another and from the primary, and together span at least two RIR service regions. 
    • Quorum: with 2 to 5 remote perspectives at most 1 may fail to corroborate; with 6 or more, at most 2. The primary check must always pass. 
  • Scope: Applies to all major validation methods (HTTP, DNS, TLS-ALPN, the DNS-dependent email-based DCV methods, ACME “http-01”/“dns-01”/“tls-alpn-01”) and to every CAA check. 

 

Impact on Organizations 

  • Preparation: Companies must ensure their DNS, HTTP, and email systems are reachable from diverse global networks, with identical content, to avoid validation failures; geo-blocking, rate limiting, or a WAF that challenges unknown clients on the validation path will now fail from some perspectives. 
  • No Retroactive Changes: MPIC applies at issuance (and re-validation) time only; certificates issued before the enforcement date remain valid until they expire. 

 

Future Developments 

  • Standardization: MPIC is being codified across CA/Browser Forum guidelines, with ongoing updates for emerging threats. 
  • Broader Applications: Beyond TLS and S/MIME, MPIC’s framework could secure other PKI-dependent systems (e.g., IoT, code signing). 

 

Key Takeaway: MPIC is not just a technical upgrade but a systemic shift in certificate security, requiring proactive adaptation from IT teams to maintain compliance and thwart increasingly sophisticated network-level attacks. 

 

DNS Synchronization and Impact on Certificate Issuance

It is critical that all publicly accessible authoritative DNS servers operated by an organization are properly synchronized. Without tight synchronization, public certificate requests can fail under the Multi-Perspective Issuance Corroboration (MPIC) requirements that have been enforced since 15 March 2025, and the failure becomes more likely as the minimum number of perspectives grows through 2026.

Discrepancies in DNS data across servers, including CAA records and domain validation DNS entries, pose a significant risk to the certificate issuance process. Organizations must ensure that DNS records are consistent and updated promptly across all servers globally to prevent validation failures and denial of certificate issuance.

Note that certificate management systems such as KeyTalk CKMS can request PKI X.509 certificates from major public Certificate Authorities including DigiCert and GlobalSign and therefore are subject to MPIC and DNS synchronization requirements.

Organizations operating multiple authoritative DNS servers, especially geographically distributed ones (for example in Europe and Asia), must ensure that CAA records and the DNS entries used for domain validation are identical on every server before the CA is asked to validate. Two separate mechanisms matter here. First, authoritative consistency: the zone change carrying the validation record must have propagated to every secondary (via NOTIFY and IXFR/AXFR, or the DNS provider’s multi-region replication) before the validation request is submitted; a secondary that lags behind answers without the new record, and a perspective that happens to query it will not corroborate. Second, caching: use a low TTL, 300 seconds (5 minutes) or less, on validation records such as _acme-challenge TXT entries so that resolvers used by the CA’s perspectives pick up changes quickly. Keep negative caching in mind as well: if a name was queried before the record existed, the NXDOMAIN answer is cached for the period set by the zone’s SOA minimum TTL, so publish the record, confirm it on every authoritative server, and only then trigger validation.

Without such synchronization, differences in DNS records across locations may lead to failed certificate issuance as multi-perspective validations could detect discrepancies and halt the process.

For example, a DNS record for “domain.com” should be identical in all regions where DNS servers operate, such as Europe and Asia, to ensure consistent validation results during multi-perspective checks.

If DNS records are inconsistent or not synchronized across these multiple servers, the likelihood of public Certificate Authorities rejecting certificate issuance requests increases significantly.
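An added example (not part of the original post) of the check an operator can run before requesting a certificate: query each authoritative server for the zone directly and compare the CAA record and the validation TXT record server by server. The real lookups use the dig CLI; the zone name, server names and answers in SAMPLE are constructed so the comparison logic can be demonstrated offline, and they show the typical failure (one secondary has not yet received the zone transfer carrying the token).

```python
"""Compare the answers every authoritative server gives for the records MPIC perspectives
will query. Real queries go through dig; the lookup function is injectable so the
comparison logic also runs offline on constructed answers."""
import subprocess
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Lookup = Callable[[Optional[str], str, str], FrozenSet[str]]

def dig_lookup(server: Optional[str], name: str, rtype: str) -> FrozenSet[str]:
    """One query via dig. With a server, ask it directly and non-recursively so the answer
    reflects that server's copy of the zone, not a cache. Returns the answer lines as a set."""
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if server:
        cmd += ["+norecurse", f"@{server}"]
    cmd += [name, rtype]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=15, check=False).stdout
    return frozenset(line.strip() for line in out.splitlines() if line.strip())

def authoritative_servers(zone: str, lookup: Lookup = dig_lookup) -> List[str]:
    """NS hostnames for the zone, via the system resolver, trailing dots removed."""
    return sorted(ns.rstrip(".") for ns in lookup(None, zone, "NS"))

def check_consistency(records: List[Tuple[str, str]], servers: List[str],
                      lookup: Lookup = dig_lookup) -> Dict[Tuple[str, str], Dict[str, FrozenSet[str]]]:
    """Query each (name, type) on every server. Returns only the records on which the
    servers disagree, mapped to each server's answer; an empty dict means fully consistent."""
    mismatches = {}
    for name, rtype in records:
        answers = {srv: lookup(srv, name, rtype) for srv in servers}
        if len(set(answers.values())) > 1:
            mismatches[(name, rtype)] = answers
    return mismatches

# Constructed answers for the offline demonstration: ns2 has not yet received the zone
# transfer that carries the new ACME token, while the CAA record is already in sync.
SAMPLE = {
    (None, "example.com", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("ns1.example.net", "_acme-challenge.example.com", "TXT"): {'"constructed-token-3f9a"'},
    ("ns2.example.net", "_acme-challenge.example.com", "TXT"): set(),
    ("ns1.example.net", "example.com", "CAA"): {'0 issue "letsencrypt.org"'},
    ("ns2.example.net", "example.com", "CAA"): {'0 issue "letsencrypt.org"'},
}

def sample_lookup(server: Optional[str], name: str, rtype: str) -> FrozenSet[str]:
    """Offline stand-in for dig_lookup backed by the constructed SAMPLE table."""
    return frozenset(SAMPLE.get((server, name, rtype), set()))

def audit(zone: str, lookup: Lookup = dig_lookup):
    """Check, on every authoritative server, the records an MPIC-validated issuance for
    `zone` depends on: the CAA record and the ACME dns-01 challenge record."""
    servers = authoritative_servers(zone, lookup)
    records = [(zone, "CAA"), (f"_acme-challenge.{zone}", "TXT")]
    return servers, check_consistency(records, servers, lookup)

if __name__ == "__main__":
    servers, mismatches = audit("example.com", lookup=sample_lookup)   # offline run
    print("authoritative servers:", servers)
    for (name, rtype), answers in mismatches.items():
        print(f"MISMATCH {name} {rtype}:")
        for srv, ans in answers.items():
            print(f"  {srv}: {sorted(ans) or '(no answer)'}")
    if not mismatches:
        print("all servers agree")
```

Run audit("yourdomain.example") with the default lookup against a real zone; a non-empty result means at least one MPIC perspective may see a different answer, and the request should wait until every server agrees. The queries are sent with +norecurse directly to each authoritative server, so they show what that server holds rather than what a cache remembers.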

Summary

In this blogpost we gave an in-depth overview of Multi-Perspective Issuance Corroboration (MPIC), now part of the Baseline Requirements for digital certificate issuance, designed to enhance security against sophisticated network-level attacks such as BGP hijacking.

The main key points are:

  • Purpose: MPIC aims to improve the integrity and security of certificate issuance processes by requiring validation from multiple, geographically distributed network perspectives, mitigating risks from routing attacks.
  • Benefits: Implementing MPIC enhances attack detection, improves domain validation reliability, reduces false positives, and strengthens global consistency verification and Certificate Authority Authorization (CAA) checks.
  • Technical Implementation: MPIC requires Certificate Authorities to use distributed validation checks, compare results across various network vantage points, and meet stringent orchestration and error handling requirements.
  • Industry Adoption: Major Certificate Authorities have moved to MPIC, which has been mandatory and blocking since March 2025 and scales up to five remote perspectives by December 2026. Organizations must ensure their systems are adaptable to these changes to avoid service disruptions and maintain compliance.

Conclusion: MPIC represents a fundamental shift in digital certificate security. IT teams and organizations must proactively adapt their systems to integrate MPIC standards, ensuring robust protection against emerging security threats and aligning with industry-best practices.

 

Do you want to know more on how KeyTalk can help your organization with MPIC? Please contact us and we’ll discuss the challenges and possible solutions.

 

The KeyTalk Team

Contact us

If you are interested in what we can do for your organisation with PKI / CLM management after reading our blog, please fill in the contact form below and we will contact you right away.