Multi-Perspective Issuance Corroboration (MPIC) Arrives

On March 15, 2025, SSL.com will implement an initial deployment of MPIC. This update supports the requirements defined in Ballot SC-067 v3 of the CA/Browser Forum’s Server Certificate Working Group (SC-067). The goal of this new requirement is to enhance the security and trustworthiness of digital certificates by requiring that domain validation and Certification Authority Authorization (CAA) record checks be performed from multiple Internet network perspectives.

What is MPIC? 

MPIC requires that certificate authorities (CAs) perform domain validation and CAA checks from multiple geographically and topologically distinct network points. This extra checking helps to detect and prevent attacks in which an attacker manipulates Domain Name System (DNS) responses, Border Gateway Protocol (BGP) routes, or other network configurations to fraudulently obtain certificates.

Deployment Schedule 

The deployment timeline for SSL.com closely follows the CA/B Forum’s timeline. The following are high-level details of the rollout.
  1. March 15, 2025 – Implementation of at least 2 remote Network Perspectives. For a transitional period up to one month, MPIC quorum will not be enforced by SSL.com.
  2. September 15, 2025 – Enforcement of the MPIC for all TLS certificate issuances.
  3. March 15, 2026 – Implementation of at least 3 remote Network Perspectives from at least 2 distinct Regional Internet Registry (RIR) regions. 
  4. June 15, 2026 – Implementation of at least 4 remote Network Perspectives from at least 2 distinct RIR regions. 
  5. December 15, 2026 – Implementation of at least 5 remote Network Perspectives from at least 2 distinct RIR regions. 

Quorum Requirements 

The CA/B Forum defines a quorum as the number of positive responses required for a validation check. The requirements start with one positive response and then increase to ensure that the negative responses never exceed the positive responses. For the latest information on the quorum requirements, see the CA/Browser Forum’s Baseline Requirements, specifically Ballot SC-067. In addition, SSL.com will publish updated information to our customers.
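The quorum decision described above can be sketched as follows. This is an added example, not SSL.com's code: the tolerance table (1 non-corroboration for 2 to 5 remote perspectives, 2 for 6 or more) and the rule that the corroborating perspectives must span the required RIR regions are assumptions taken from the Baseline Requirements rather than from this page, and all names and sample results are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PerspectiveResult:
    name: str           # constructed label for a remote Network Perspective
    rir: str            # RIR service region the perspective is located in
    corroborates: bool  # saw the same validation/CAA answer as the primary

def allowed_non_corroborations(remote_count):
    # Assumption (not stated on this page): 2-5 remotes tolerate 1 miss, 6+ tolerate 2.
    if remote_count < 2:
        raise ValueError("MPIC needs at least 2 remote Network Perspectives")
    return 1 if remote_count <= 5 else 2

def mpic_decision(results, min_remotes, min_rir_regions):
    """Return (ok, reason) for one domain validation or CAA check."""
    if len(results) < min_remotes:
        return False, f"{len(results)} remote perspectives, need {min_remotes}"
    agree = [r for r in results if r.corroborates]
    misses = len(results) - len(agree)
    allowed = allowed_non_corroborations(len(results))
    if misses > allowed:
        return False, f"{misses} non-corroborations, {allowed} allowed"
    # Assumption: RIR diversity is counted over the perspectives that agree.
    regions = {r.rir for r in agree}
    if len(regions) < min_rir_regions:
        return False, f"corroborated from {len(regions)} RIR region(s), need {min_rir_regions}"
    return True, f"{len(agree)}/{len(results)} corroborate across {len(regions)} RIR region(s)"

# Constructed results, evaluated against the March 15, 2026 phase (3 remotes, 2 RIR regions).
HEALTHY = [PerspectiveResult("p1", "ARIN", True),
           PerspectiveResult("p2", "RIPE", True),
           PerspectiveResult("p3", "APNIC", False)]
# Only the perspective near the primary sees the manipulated route or DNS answer.
LOCAL_HIJACK = [PerspectiveResult("p1", "ARIN", True),
                PerspectiveResult("p2", "RIPE", False),
                PerspectiveResult("p3", "APNIC", False)]
# Enough agreement, but all of it from one RIR region.
SINGLE_REGION = [PerspectiveResult("p1", "ARIN", True),
                 PerspectiveResult("p2", "ARIN", True),
                 PerspectiveResult("p3", "RIPE", False)]

if __name__ == "__main__":
    for label, res in [("healthy", HEALTHY), ("local hijack", LOCAL_HIJACK),
                       ("single region", SINGLE_REGION)]:
        print(label, mpic_decision(res, min_remotes=3, min_rir_regions=2))
```
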

Impact for Customers of Public Certificate Authorities 

Customers of Public CAs should not need to make any changes to prepare for this change. Customers may notice these changes: 
  1. Enhanced Security: The likelihood of unauthorized certificate issuance is reduced. 
  2. Potential Validation Delays: The additional checks could introduce slight delays. 
  3. Increased Transparency: Details of the validation process will be available for review and auditing.
  4. No Action Required: In general, no action is required on the customer side. Customers should ensure that their DNS configurations are healthy and accessible from various network locations to facilitate efficient validation.  

Why is This Necessary? 

The implementation of MPIC addresses these specific security concerns: 
  • Mitigating DNS and BGP Manipulation Attacks: Attackers have exploited vulnerabilities by manipulating DNS responses or BGP routes in localized regions to obtain unauthorized certificates. MPIC helps detect such anomalies by cross-referencing validation data from multiple network perspectives. 
  • Strengthening Public Trust: By adopting MPIC, CAs demonstrate a commitment to higher security standards, thereby reinforcing trust in digital certificates.

Additional Information 

For additional information, please contact support@ssl.com.
