Multi-Perspective Issuance Corroboration: Strengthening Certificate Validation Security

Multi-Perspective Issuance Corroboration Arrived

As of September 2025, certificate authorities are undergoing a significant shift in how they perform domain control validation (DCV) and Certificate Authority Authorization (CAA) checks. MPIC (Multi-Perspective Issuance Corroboration) is required under CA/Browser Forum policy for publicly trusted TLS and S/MIME certificate issuance.

This article will describe MPIC requirements, the technical application of MPIC, quorum requirements, timelines for enforcement (with information from DigiCert and Sectigo), and recommendations for organizations to prepare.

What is MPIC?

MPIC requires Certificate Authorities (CAs) to perform domain control validation (DCV) and CAA record checks from multiple independent network perspectives (distinct geographic and network vantage points) rather than relying on a single perspective.

The overall purpose of the requirement is to defend against attacks such as BGP hijacking and DNS poisoning/spoofing, in which a malicious actor intercepts or redirects traffic so that a single-perspective DCV appears valid even though the actor does not legitimately control the domain.

How MPIC Works

Here are the core components and methods involved:

  • Primary Network Perspective: The CA’s normal infrastructure (its “trusted” internal perspective), where the DCV / CAA / HTTP / DNS / ACME checks are first performed.
  • Remote Network Perspectives: Additional independent locations (servers on different networks and in different geographies) used to repeat those checks. Because they sit outside the primary location, a routing anomaly or network-level compromise confined to one region cannot go undetected.
  • Validation Methods Affected: HTTP-based challenges (e.g. http-01), DNS-based methods (TXT, CNAME, …), ACME challenge types (http-01, dns-01), IP-address-based methods, and CAA record checks.
  • Consistency Requirement (Corroboration): For a certificate to be issued, the remote perspectives must match the primary perspective (or match closely enough under the quorum rules). If they do not agree, issuance is paused or rejected depending on the severity and number of differences.

Who is Affected?

Anyone requesting publicly trusted TLS certificates, since CAs must perform Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) validation before every such issuance.

This includes organizations using:

  • ACME-based automation
  • HTTP, DNS, or email-based DCV methods

S/MIME certificates are expected to have the same requirements in the future.

MPIC Quorum Requirements & Allowed Non-Corroborations

These are the rules governing how many remote perspectives must agree, and how many disagreements (non-corroborations) are allowed, based on the total number of perspectives used.

  • 2–5 remote perspectives: all must agree; no non-corroborating results are allowed (0).
  • 6 or more remote perspectives: at least (total minus allowed non-corroborations) must agree; up to 2 non-corroborating results are allowed.

Timelines & Enforcement Phases

Here is a consolidated timeline of the key dates:

Each entry gives the MPIC implementation date, the type(s) of PKI certificate affected, and the minimum number of unique remote perspectives required.

  • March 15, 2025: SSL/TLS; 2+ remote perspectives
  • May 15, 2025: S/MIME; 2+ remote perspectives
  • Sept. 15, 2025: SSL/TLS and S/MIME; 2+ remote perspectives
  • March 15, 2026: SSL/TLS and S/MIME; 3+ remote perspectives (at least 2 from distinct Regional Internet Registries)
  • June 15, 2026: SSL/TLS and S/MIME; 4+ remote perspectives (at least 2 from distinct Regional Internet Registries)
  • Dec. 15, 2026: SSL/TLS and S/MIME; 5+ remote perspectives (at least 2 from distinct Regional Internet Registries)
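The quorum table and the timeline above together define when a CA may issue. The following added example (not code from the article or from any CA) models that decision: it applies the 2–5 / 6-or-more non-corroboration rule and the "at least N remote perspectives, at least 2 from distinct RIRs" rule, over constructed vantage-point results in which one remote perspective sees a stale dns-01 TXT answer. Perspective names, RIR assignments and answers are all constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Perspective:
    """One vantage point's observation; names, RIRs and answers are constructed."""
    name: str
    rir: str      # Regional Internet Registry of the network the perspective sits in
    answer: tuple # what the DCV/CAA lookup returned from this vantage point

def allowed_non_corroborations(remote_count: int) -> int:
    """Quorum rule from the article: 2-5 remotes must all agree, 6+ tolerate up to 2."""
    return 0 if remote_count <= 5 else 2

def corroborate(primary, remotes, min_remotes=2, min_distinct_rirs=1):
    """Decide whether issuance may proceed. Returns (allowed, list_of_reasons)."""
    reasons = []
    if len(remotes) < min_remotes:
        reasons.append(f"{len(remotes)} remote perspective(s) used, {min_remotes} required")
    rirs = {p.rir for p in remotes}
    if len(rirs) < min_distinct_rirs:
        reasons.append(f"remotes span {len(rirs)} RIR(s), {min_distinct_rirs} required")
    # A remote corroborates only if it observed exactly what the primary observed.
    dissenting = [p.name for p in remotes if p.answer != primary.answer]
    limit = allowed_non_corroborations(len(remotes))
    if len(dissenting) > limit:
        reasons.append(f"{len(dissenting)} non-corroborating {dissenting}, max {limit}")
    return (not reasons, reasons)

# Constructed scenario: the primary sees the expected ACME dns-01 TXT value, but one
# remote gets a different answer, as under DNS poisoning or split-horizon DNS.
EXPECTED = ("TXT", "_acme-challenge.example.com", "constructed-token")
PRIMARY = Perspective("ca-primary", "ARIN", EXPECTED)
REMOTES_5 = [
    Perspective("us-east", "ARIN", EXPECTED),
    Perspective("eu-west", "RIPE", EXPECTED),
    Perspective("ap-south", "APNIC", ("TXT", "_acme-challenge.example.com", "stale")),
    Perspective("sa-east", "LACNIC", EXPECTED),
    Perspective("af-south", "AFRINIC", EXPECTED),
]
REMOTES_6 = REMOTES_5 + [Perspective("us-west", "ARIN", EXPECTED)]
SAME_RIR_3 = [Perspective(f"us-{i}", "ARIN", EXPECTED) for i in range(3)]

def main():
    cases = [("5 remotes, 1 dissenting", REMOTES_5, 2, 1),
             ("6 remotes, 1 dissenting", REMOTES_6, 2, 1),
             ("3 remotes, one RIR (March 2026 rule)", SAME_RIR_3, 3, 2)]
    for label, remotes, need, rirs in cases:
        ok, why = corroborate(PRIMARY, remotes, min_remotes=need, min_distinct_rirs=rirs)
        print(f"{label}: {'issue' if ok else 'hold'} {why}")

main()
```

With five remotes a single dissenter blocks issuance, with six it is tolerated, and three remotes all in one RIR fail the March 2026 diversity rule even though they agree.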

Key Risks & Common Issues Organizations Should Watch

Make Sure DNS Propagation is Complete

  • Use multiple global DNS propagation checking tools to verify that DNS records (A, AAAA, CNAME, TXT, and CAA) are being seen globally.
  • Try to avoid DNS providers that consistently demonstrate longer propagation times in certain regions.
  • If you’re operating multiple DNS providers, be sure they are synchronized.

Keep Firewall and Network Controls in Mind

  • Your CA now performs its validation checks from multiple locations around the world; the exact locations depend on the CA in use.
  • Double-check that you’re not blocking CA validation traffic with firewalls, geo-blocking, or IP allow-listing beyond any necessary restrictions.
  • If you’re using file-based HTTP validation, verify that the validation directories are publicly accessible from all regions.

Refresh Validation Mechanisms

  • ACME (http-01, dns-01) challenges need to resolve correctly from every network perspective.
  • If you’re using DNS TXT-based validation, make sure there are no stale DNS records that could confuse the validation process.
  • With CAA records, make sure the records permit the CA you intend to use and that the same records resolve globally, so every CA perspective sees them.
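The last bullet, checking that CAA permits your intended CA, is the same evaluation every CA perspective runs before issuing. The added example below (not code from the article or from any CA) implements the RFC 8659 lookup over a constructed zone: use the CAA RRset at the name, otherwise climb to the nearest ancestor that has one, then honour issuewild over issue for wildcard names. The zone contents are constructed; the issuer domain names are the ones those CAs publish for CAA use.

```python
# Constructed zone data: owner name -> CAA records as (flags, tag, value).
ZONE = {
    "example.com.": [(0, "issue", "digicert.com"), (0, "issue", "sectigo.com"),
                     (0, "iodef", "mailto:security@example.com")],
    "locked.example.com.": [(0, "issue", ";")],                      # no CA may issue
    "wild.example.com.": [(0, "issue", "digicert.com"), (0, "issuewild", "sectigo.com")],
}

def relevant_caa(fqdn, zone):
    """RFC 8659 section 3: use the CAA RRset at the FQDN, otherwise climb to the
    nearest ancestor that has one. Returns (owner, records) or (None, [])."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def caa_permits(fqdn, ca_domain, zone, wildcard=False):
    """Return (permitted, explanation) for the CA identified by ca_domain."""
    owner, rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True, f"no CAA records for {fqdn} or its ancestors; any CA may issue"
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"          # issuewild overrides issue for wildcard names only
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True, f"{owner} has CAA records but no '{tag}' property"
    # The issuer domain name is everything before the first ';'; parameters follow it.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values} - {""}
    if ca_domain.lower() in allowed:
        return True, f"{owner} '{tag}' permits {ca_domain}"
    return False, f"{owner} '{tag}' permits only {sorted(allowed) or 'no CA'}"

if __name__ == "__main__":
    for name, ca, wild in [("www.example.com.", "digicert.com", False),
                           ("www.example.com.", "letsencrypt.org", False),
                           ("locked.example.com.", "digicert.com", False),
                           ("wild.example.com.", "sectigo.com", True),
                           ("wild.example.com.", "digicert.com", True),
                           ("unrelated.org.", "digicert.com", False)]:
        print(name, ca, "wildcard" if wild else "", caa_permits(name, ca, ZONE, wild))
```

Run the same evaluation against answers from several public resolvers; if any of them returns a different relevant RRset, that is the inconsistency a remote MPIC perspective will see.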

Identify SAN Certificates

  • Each Subject Alternative Name (SAN) in a certificate request will be individually validated.
  • Make sure the validation records for every SAN propagate globally, so that a single name does not cause the whole request to fail.

Expect Edge Cases

  • If you’re using split-horizon DNS (different DNS answers for different locations), validation can fail.
  • Organizations whose DNS zones are only visible to internal users will have to publish their validation records in globally visible DNS.
  • If you restrict inbound traffic to an allow-list of source ranges, ensure CA validation traffic is permitted.

Conclusion

Multi-Perspective Issuance Corroboration (MPIC) represents a fundamental change in how certificate validation takes place and mitigates long-standing risks such as DNS tampering and BGP hijacking.

Although the changes are primarily on the CA’s side, organizations are responsible for ensuring that their DNS and firewall setups and their validation endpoints are globally consistent and reachable.

Therefore, the earlier organizations prepare, the better; the result is greater protection at no additional effort, a helpful step in preserving digital trust.

Janki Mehta
Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.