An Explainer Guide on Multi-Perspective Issuance Corroboration (MPIC)
Internet security is leveling up with MPIC. While your organization likely won’t need to do anything to prepare, here’s what to know about the industry’s changes and why they’re good for security.
Starting Sept 15, 2025, all publicly trusted certification authorities (CAs such as DigiCert, Sectigo, etc.) must perform domain validation and CAA record checks using multiple network perspectives. This method, known as multi-perspective issuance corroboration (MPIC), aims to ensure that an attacker who poisons or compromises DNS servers in one area won’t be able to issue an SSL/TLS or S/MIME certificate for a domain they don’t control.
This concept of MPIC is similar to how the National Hockey League (NHL) relies on multiple officials (two referees, two linesmen) during a hockey game:
- The refs position themselves at different spots around the ice, so they have different gameplay vantage points. (Think of this as different “network perspectives.”)
- If all officials agree that a puck crosses the net’s red line without penalty, then the team scores a goal.
- If even just one of those officials reports seeing the situation differently, then the goal goes under review to determine whether it’s valid or must be disallowed.
Seeing as how this next phase of the certificate issuance requirement rollout takes effect next week, and we’ve not talked much about MPIC before, now seems like the perfect time to briefly talk about what MPIC entails for websites and email. We’ll also address why these changes are happening and how this multiple vantage point verification approach improves security by mitigating fraudulent server certificate issuances.
Let’s hash it out.
TL;DR: Key Takeaways About Multi-Perspective Issuance Corroboration
- Defining MPIC: MPIC is the process of verifying a domain’s legitimacy by checking domain control validation (DCV) and certificate authority authorization (CAA) records from multiple network perspectives.
- What it does: The purpose of MPIC is to prevent DNS poisoning and border gateway protocol (BGP) hijackings. This helps to prevent traffic re-routing, phishing attacks, data compromises, and fraudulent (rogue) SSL/TLS and S/MIME certificate issuances.
- What’s changing: Starting Sept. 15, CAs MUST use at least two (2) remote network perspectives to perform their verifications — it’s no longer optional. (This is just one of several phased changes that will occur through 2026, which we’ll speak more about later.)
- Who will be impacted by the Sept. 15 changes: MPIC primarily affects public CAs. It will have little to no direct impact on most of our customers, the exceptions being organizations that rely on complex architectures (i.e., advanced firewall rules, multiple DNS providers, etc.).
- Why these changes are necessary: Vulnerable internet routing, slow RPKI ROV adoption (i.e., Resource Public Key Infrastructure Route Origin Validation), and single-perspective DCV leave websites and data vulnerable.
What Is Multi-Perspective Issuance Corroboration (MPIC)?

MPIC, which is also known as multiple vantage point domain control verification, is a method of verifying with multiple sources that a domain is legitimate and available prior to issuing an SSL/TLS certificate. Namely, it does this by performing the following checks using multiple servers:
- Domain control validation (DCV) check: This process verifies that the requested certificate’s contact details match the web or email domain or IP address in question. This includes:
  - ACME protocol challenges (i.e., http-01 and dns-01)
  - DNS CNAME- and TXT-based web & email validations
  - DNS File-based validations (for non-wildcard certificates)
- CAA record check: The CA verifies that it’s authorized to issue PKI digital certificates on behalf of the specified domain or IP address (for SSL/TLS certificates) and on behalf of an email domain (for S/MIME certificates).
Traditional DCV Is Vulnerable to Localized BGP Attacks
The issue here is that the traditional DCV process is vulnerable to BGP hijacks in which a threat actor redirects your server’s legitimate traffic to a server they control instead. If they do that, then they could potentially:
- issue a fraudulent (rogue) SSL/TLS certificate for your domain,
- deploy the certificate on a site they control, and
- trick your users into thinking their phony site is legitimate (so they can steal your customers’ sensitive data and do other bad things).
The idea here is that when multiple independent sources — particularly those in different geographic regions — indicate that a website is authentic, then it’s more likely to be true. (It’s a lot harder to trick multiple diverse vantage points, so illegitimate servers are more likely to fail validation.)
MPIC Requires CAs to Corroborate Their Primary Network Perspectives
MPIC is part of a larger security standard and key industry security baseline requirements:
- CA/B Forum SC-67 V3 for SSL/TLS server certificates
- CA/B Forum SMC-010 for S/MIME email certificates
These standard and security requirement documents aim to prevent hackers from impersonating legitimate websites and email domains by requiring CAs to check domain-related info using diverse sources.
You see, the DCV and CAA checks are traditionally performed by a single (primary) network perspective. This means that if an attacker tricks that single network perspective, they’ll be able to do the things we mentioned in the previous section.
With MPIC, however, the primary network perspective is substantiated by other remote network perspectives.
- Primary network perspective: This is a single server or set of resources.
- Remote network perspectives: Two or more independent servers (i.e., those on separate networks and in different geographic regions) that either confirm or contradict the primary network perspective’s results.

Just like when it comes to getting diagnosed with a serious condition, it’s always best to get a second or even a third opinion before taking action. Likewise, CAs must check with at least two other servers (preferably more) in the same way.
An Overview of MPIC Quorum Requirements
If your organization is one of the few that will be affected by the new MPIC requirements, here’s a quick breakdown of what you must know:
| MPIC Implementation Dates | Type(s) of PKI Certificate(s) Affected | Minimum Unique Remote Perspectives Required |
| --- | --- | --- |
| March 15, 2025 | SSL/TLS | 2+ |
| May 15, 2025 | S/MIME | 2+ |
| Sept. 15, 2025 | SSL/TLS and S/MIME | 2+ |
| March 15, 2026 | SSL/TLS and S/MIME | 3+ (at least 2 must be from distinct regional internet registries) |
| June 15, 2026 | SSL/TLS and S/MIME | 4+ (at least 2 must be from distinct regional internet registries) |
| Dec. 15, 2026 | SSL/TLS and S/MIME | 5+ (at least 2 must be from distinct regional internet registries) |
Table caption: A breakdown of the remote network perspectives and unique regional internet registries (RIRs) requirements for CAs issuing server and email signing certificates.
Do the remote perspectives always have to agree? Not necessarily. Here’s a quick breakdown of how many non-corroborating results are allowed based on the number of remote network perspectives used:
- If a CA uses 2-5 remote perspectives (in addition to its primary network perspective), then they all have to demonstrate consistency.
- If the CA bumps it up to 6 or more remote perspectives (in addition to its primary network perspective), then up to two non-corroborations are allowed.
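The quorum rules above can be written as a small decision function. This is an added example, not code from any CA or from the CA/B Forum; the names `RemoteResult`, `requirement` and `quorum_met` are hypothetical, the schedule only models the table rows from Sept. 15, 2025 onward, and counting RIR diversity over the agreeing perspectives is an assumption.

```python
from dataclasses import dataclass
from datetime import date

# (effective date, min remote perspectives, min distinct RIRs), taken from the
# table rows that cover both SSL/TLS and S/MIME (Sept. 15, 2025 onward).
SCHEDULE = [
    (date(2025, 9, 15), 2, 1),
    (date(2026, 3, 15), 3, 2),
    (date(2026, 6, 15), 4, 2),
    (date(2026, 12, 15), 5, 2),
]

@dataclass(frozen=True)
class RemoteResult:
    name: str           # hypothetical perspective label
    rir: str            # registry region the perspective sits in
    corroborates: bool  # True if it matched the primary perspective

def requirement(on):
    """Return (min_perspectives, min_rirs) in force on the given date."""
    in_force = [(p, r) for start, p, r in SCHEDULE if on >= start]
    if not in_force:
        raise ValueError("date precedes the Sept. 15, 2025 row")
    return in_force[-1]

def allowed_non_corroborations(remote_count):
    """2-5 remote perspectives: none may disagree; 6 or more: up to two."""
    return 2 if remote_count >= 6 else 0

def quorum_met(on, results):
    """Return (ok, reason) for one DCV or CAA check."""
    min_persp, min_rirs = requirement(on)
    if len(results) < min_persp:
        return False, f"{len(results)} remote perspectives, need {min_persp}"
    agreeing = [r for r in results if r.corroborates]
    failures = len(results) - len(agreeing)
    if failures > allowed_non_corroborations(len(results)):
        return False, f"{failures} non-corroborations exceed the allowance"
    # Assumption: RIR diversity is counted over the agreeing perspectives.
    if len({r.rir for r in agreeing}) < min_rirs:
        return False, f"fewer than {min_rirs} distinct RIRs agree"
    return True, "quorum met"

# Constructed sample: six perspectives, two of which disagree.
SAMPLE = [RemoteResult(f"p{i}", rir, ok) for i, (rir, ok) in enumerate([
    ("ARIN", True), ("ARIN", True), ("RIPE NCC", True),
    ("APNIC", True), ("RIPE NCC", False), ("LACNIC", False)])]

if __name__ == "__main__":
    print(quorum_met(date(2027, 1, 10), SAMPLE))
```

With six perspectives the two disagreements in the sample are tolerated; the same two disagreements among five perspectives would fail the check.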
Just How Pressing of an Issue Is MPIC for Most Domain Owners?
The answer depends on the size and complexity of your organization’s IT infrastructure.
- It’s something that will occur in the background for most of our customers. So, there’s nothing to do to prepare for the changes in most cases.
- If your organization is one of the edge cases — i.e., you have BGP route update delays, or you have firewall rules in place to restrict traffic from certain geographic regions or are using whitelists to only allow CA access to the folders where you keep validation files — then these MPIC-related changes will likely apply to you.
Are You One of the Outlier Organizations? Here’s How to Prepare for MPIC
As a web or email domain owner using file-based validation, ensure your server allows access to your validation endpoints from any IP address or location for remote validation.
For all validation types, make sure your DNS records are fully propagated worldwide so that validations are consistent across multiple remote network perspectives. You can check your domain’s status using a DNS propagation tool.
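One way to spot the allowlist problem described above is to look in your web server's access log for validation files that were served to some source addresses but refused to others. This is an added example, not part of the original article; the log lines are constructed (documentation IP ranges, placeholder tokens and file names), the function names are hypothetical, and it assumes the common/combined access log format.

```python
import re
from collections import defaultdict

# Validation paths: ACME http-01 (RFC 8555) and CA file-based validation.
VALIDATION_PREFIXES = (
    "/.well-known/acme-challenge/",
    "/.well-known/pki-validation/",
)

# Common/combined log format: ip - - [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Sep/2025:10:00:01 +0000] "GET /.well-known/acme-challenge/TOKEN1 HTTP/1.1" 200 87 "-" "-"
198.51.100.7 - - [15/Sep/2025:10:00:02 +0000] "GET /.well-known/acme-challenge/TOKEN1 HTTP/1.1" 403 153 "-" "-"
203.0.113.44 - - [15/Sep/2025:10:00:02 +0000] "GET /.well-known/acme-challenge/TOKEN1 HTTP/1.1" 403 153 "-" "-"
203.0.113.44 - - [15/Sep/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 403 153 "-" "-"
192.0.2.10 - - [15/Sep/2025:10:05:00 +0000] "GET /.well-known/pki-validation/example.txt HTTP/1.1" 200 64 "-" "-"
malformed line
"""

def validation_outcomes(log_text):
    """Map each validation path to {'served': set(ips), 'refused': set(ips)}."""
    outcomes = defaultdict(lambda: {"served": set(), "refused": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(VALIDATION_PREFIXES):
            continue  # skip unparsable lines and non-validation requests
        # Strip any query string so one file is not split across keys.
        path = m["path"].split("?", 1)[0]
        bucket = "served" if m["status"] == "200" else "refused"
        outcomes[path][bucket].add(m["ip"])
    return dict(outcomes)

def split_view_paths(log_text):
    """Paths that some sources fetched successfully while others were refused."""
    return {
        path: sorted(o["refused"])
        for path, o in validation_outcomes(log_text).items()
        if o["served"] and o["refused"]
    }
```

A path returned by `split_view_paths` means the same validation file gave different answers to different sources, which is the inconsistency that causes remote perspectives to fail corroboration.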

How Did All of This Come About? A Brief History
MPIC is also known as multiple vantage point verification and multi-perspective domain validation (MPDV). The concept was first introduced in 2017, two years after the discovery of a PKI vulnerability related to the border gateway protocol came to light.
MPIC is separate from, yet complementary to, the resource public key infrastructure (RPKI) framework and route origin validation (ROV), a combined approach that aims to increase protection against BGP hijacking. In a nutshell, a BGP attack occurs when an IP prefix is incorrectly announced (whether maliciously or unintentionally) by an autonomous system that’s not authorized to do so, resulting in traffic being diverted to the wrong destination.
BGP, on its own, is a good thing — it’s essentially the Google Maps of the internet. (It’s how your web clients and apps know which path to use to get to their destination site when navigating the maze that is the internet.) But BGP is dependent on having good, reliable information to guide it.
BGP Wasn’t Designed with Security Top of Mind
If BGP routing information is hijacked (i.e., manipulated by a threat actor), it means that a bad guy can provide false data that results in:
- traffic being routed away from your legitimate domain, and
- CAs being tricked into validating the attacker and issuing a certificate for your domain.
This leaves a gaping hole in the security of the domain control validation process. Thankfully, MPIC is just one of several changes regarding DCV in recent years. Others include:
- WHOIS Domain Control Validation Phased Out Jan. 8, 2025
- File-Based Wildcard Validation Ended November 2021
Multiple Network Perspectives = Stronger Verification
The goal of MPIC is to prevent bad guys from manipulating internet routing to get CAs to issue SSL/TLS certificates for websites that aren’t theirs. When CAs check a domain’s legitimacy using only one source, it creates a single point of failure.
Cybercriminals and nation-states know this, and, historically, have exploited BGP-related vulnerabilities. For example, attackers were able to fraudulently issue a server certificate for a South Korean cryptocurrency company’s domain via BGP hijacking in early 2022. This resulted in the theft of 2.28 billion South Korean won (KRW), or what equates to nearly $2 million USD based on the exchange rate at the time.
We understand that not all BGP hijackings are malicious. Many are thought to have occurred by accident:
- Pakistan Telecom attempted to block in-country YouTube traffic and incidentally re-routed all global YouTube traffic to the Pakistan ISP instead. (Whoops.)
- Nearly 8,900 prefixes used by major enterprises like Amazon AWS and Cloudflare were briefly swept up by Russian telecom Rostelecom.
- Cloudflare reported that its 1.1.1.1 public DNS resolver service suffered a fun combination of BGP hijacking + route leakage on June 27, 2024. (This is different from the July 14, 2025 incident, which the company says did not stem from a BGP hijack or cyber attack.)
Ultimately, it’s the intentional BGP hijackings and attacks that MPIC and RPKI are designed to prevent.
Let’s Wrap This Up
We hope this article has helped shed light on the concept of multi-perspective issuance corroboration. MPIC enforcement aims to strengthen the integrity of CA certificate issuance and mitigate some of the risks associated with BGP hijacking. It’s another layer of internet security that’s complementary to the RPKI framework and other BGP security mechanisms.
The good news about the Sept. 15 changes is that virtually all of the heavy lifting is being done by the CAs that issue your SSL/TLS and S/MIME certificates. So, once you’ve ensured that your systems support remote validation checks from multiple service networks and geographic regions, you should be good to go.
Have additional questions or need assistance with checking whether your domain is MPIC-compliant? Our Support team is here to help.
