{"id":3914,"date":"2025-09-16T05:03:26","date_gmt":"2025-09-16T05:03:26","guid":{"rendered":"https:\/\/certera.com\/blog\/?p=3914"},"modified":"2025-09-16T05:03:27","modified_gmt":"2025-09-16T05:03:27","slug":"multi-perspective-issuance-corroboration-strengthening-certificate-validation-security","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/multi-perspective-issuance-corroboration-strengthening-certificate-validation-security\/","title":{"rendered":"Multi-Perspective Issuance Corroboration: Strengthening Certificate Validation Security"},"content":{"rendered":"\n

As of September 2025, the certificate authority space is experiencing a significant shift in how they perform domain control and certificate authority authorization (CAA) checks. MPIC (Multi-Perspective Issuance Corroboration) is required under CA\/Browser Forum policy for TLS and S\/MIME certificate issuance trust.<\/p>\n\n\n\n

This article will describe MPIC requirements, the technical application of MPIC, quorum requirements, timelines for enforcement (with information from DigiCert and Sectigo), and recommendations for organizations to prepare.<\/p>\n\n\n\n

What is MPIC?<\/h2>\n\n\n\n

MPIC requires Certificate Authorities (CAs) to characterize a domain’s control (DCV) and its CAA records indicated from multiple independent network perspectives (i.e., unique geographic \/ network vantage points) rather than relying on a single perspective.<\/p>\n\n\n\n

Also Read:<\/strong> End of WHOIS-Based DCV Methods: What You Need to Know and How to Transition<\/a><\/p>\n\n\n\n

The overall purpose of the requirement is to defend against attacks such as BGP hijacking or DNS poisoning\/spoofing, whereby a malicious actor may intercept or redirect traffic, so that a single-perspective DCV could appear valid despite the malicious actor\u2019s not being the legitimate domain controller.<\/p>\n\n\n\n

How MPIC Works?<\/h2>\n\n\n\n

Here are the core components and methods involved:<\/p>\n\n\n\n

Component \/ Step<\/strong><\/td>Description<\/strong><\/td><\/tr>
Primary Network Perspective<\/strong><\/td>The CA’s normal infrastructure (or “trusted” internal perspective) where the DCV \/ CAA \/ HTTP \/ DNS \/ ACME checks are first performed.<\/td><\/tr>
Remote Network Perspectives<\/strong><\/td>Additional independent locations (servers on different networks \/ geographies) utilized to repeat those checks. These are “outside” of the primary location, so routing anomalies or network level compromises that can happen in one geographic area can’t hide from detection.<\/td><\/tr>
Validation Methods Affected<\/strong><\/td>HTTP-based challenges (e.g. http-01), DNS-based methods (TXT, CNAME, …), ACME protocols (http-01, dns-01), IP address based methods, CAA record checks.<\/td><\/tr>
Consistency Requirement (Corroboration)<\/strong><\/td>In order for a certificate to be issued, the remote perspectives need to match (or roughly match per the quorum rules) the primary perspective. If there is no agreement, the issuance of the certificate can be paused or rejected depending on the severity and number of differences.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Who is Affected?<\/h2>\n\n\n\n

Customers requesting publicly trusted TLS certificates<\/a> that are required to perform Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) validation. <\/p>\n\n\n\n

This includes organizations using:<\/strong><\/p>\n\n\n\n