
Open MPIC: The open-source path to secure Multi-Perspective Issuance Corroboration
Open MPIC is an open-source framework designed to help Certificate Authorities (CAs) meet new Multi-Perspective Issuance Corroboration (MPIC) requirements from the CA/Browser Forum. Developed with contributions from Princeton and Sectigo, it helps mitigate BGP hijack risks through globally distributed validation, quorum logic, and flexible deployment options. Open MPIC is a practical, evolving solution that advances the resilience of the WebPKI.
Certificate Authorities (CAs) are now on the clock.
New baseline requirements from the CA/Browser Forum—specifically section 3.2.2.9—introduce a phased rollout of Multi-Perspective Issuance Corroboration (MPIC). These rules aim to stop a dangerous type of exploit: Border Gateway Protocol (BGP) hijacking.
BGP is the decades-old system that helps route internet traffic—but it wasn’t designed with security in mind. Attackers can abuse BGP to silently reroute requests, including domain validation checks used by CAs, creating a narrow window to impersonate websites and trick a CA into issuing a fraudulent certificate.
In fact, BGP attacks have become enough of a problem that the U.S. government has raised concerns about them.
The remedy for BGP attacks is to validate a DNS entry from multiple, separate places in the hierarchy of the internet (‘multiple perspectives’). Therefore, the new MPIC rules require CAs to validate domain control and CAA records from multiple global vantage points. And to help CAs get there, Sectigo is helping lead the development of Open MPIC: a community-driven, open-source framework originally built by Princeton researchers.
Let’s dive more into BGP attacks, how MPIC stops them, and how Sectigo is contributing to the Open MPIC ecosystem.
The problem: BGP attacks on domain validation
When a CA performs a domain control check, it assumes the traffic it sends is reaching the right server. But that’s not always true.
BGP hijacking lets attackers quietly reroute traffic on the internet. It doesn’t break encryption or compromise a server—it simply changes the road signs. If a CA is only validating from a single network perspective, it can be fooled into thinking a domain is under the applicant’s control when it’s not.
“What makes BGP hijacking so dangerous is that you don’t need to hijack the route for very long to succeed,” said Dmitry Sharkov, Principal Architect at Sectigo and lead architect for Open MPIC. “You can briefly divert a CA’s validation check to a malicious server, trick it into issuing a legitimate certificate, and then disappear. That’s all it takes.”
Sharkov compares BGP hijacking to a scene from Mission: Impossible — Ghost Protocol:
“Two bad guys think they’re meeting each other in a hotel, but one of them is actually talking to Tom Cruise in disguise. They’ve been misled by a signage trick. That’s exactly what happens in a BGP hijack—except it’s the CA that’s being duped.”
The consequences are severe: Once a fraudulent certificate is issued, it can be used to impersonate legitimate sites and intercept encrypted traffic.
The solution: Multi-Perspective Issuance Corroboration (MPIC)
The fix is to make certificate validation less reliant on any one route. That’s the idea behind MPIC.
Instead of validating a domain from a single network location, MPIC requires CAs to check from multiple, geographically diverse vantage points. If one region gets misled by a BGP hijack, others can catch the discrepancy—and stop the certificate from being issued.
“CAs must now affirm domain control from distinct and distant vantage points,” said Sharkov. “This isn’t optional—it’s becoming the norm.”
Since March 15th, 2025, CAs have been on the hook for monitoring domain validations using at least two remote network perspectives. By September 15th, enforcement kicks in—requiring quorum logic to ensure that if even one perspective disagrees, issuance can be halted. And from March 15th through December 15th, 2026, the bar rises again, with a phased rollout toward five geographically diverse perspectives.
The goal is clear: Make it statistically improbable for an attacker to fool every perspective at once.
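The corroboration rule described above, as an added example (not Open MPIC's own code): each vantage point reports its domain control and CAA outcome, and with the default of zero permitted dissent a single disagreeing remote perspective halts issuance. Perspective names and the scenarios are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PerspectiveResult:
    name: str           # vantage point label (constructed for this example)
    dcv_passed: bool    # domain control validation succeeded from this vantage point
    caa_permits: bool   # CAA records seen from this vantage point permit issuance

    @property
    def corroborates(self) -> bool:
        # A perspective only corroborates issuance if both checks permit it
        return self.dcv_passed and self.caa_permits

def corroborate(primary: PerspectiveResult, remotes: list[PerspectiveResult],
                min_remotes: int = 2, max_dissent: int = 0) -> tuple[bool, list[str]]:
    """Decide whether issuance may proceed and list the dissenting perspectives.

    min_remotes: remote perspectives that must have reported (at least two, per the text).
    max_dissent: remote perspectives allowed to disagree; 0 means any single dissent
    halts issuance, the strict quorum described in the text.
    """
    if len(remotes) < min_remotes:
        return False, []                      # too few perspectives to corroborate at all
    if not primary.corroborates:
        return False, [primary.name]          # the primary check itself failed
    dissent = [r.name for r in remotes if not r.corroborates]
    return len(dissent) <= max_dissent, dissent

def hijack_scenario() -> tuple[bool, list[str]]:
    # Constructed scenario: the primary's validation traffic was rerouted to a host the
    # attacker controls, so the primary "passes". A remote vantage point whose route was
    # unaffected reaches the real server, where no validation token exists.
    primary = PerspectiveResult("primary-dc", dcv_passed=True, caa_permits=True)
    remotes = [
        PerspectiveResult("remote-eu", dcv_passed=False, caa_permits=True),
        PerspectiveResult("remote-ap", dcv_passed=True, caa_permits=True),
    ]
    return corroborate(primary, remotes)

def honest_scenario() -> tuple[bool, list[str]]:
    # Constructed scenario: the applicant really controls the domain; every vantage agrees.
    primary = PerspectiveResult("primary-dc", dcv_passed=True, caa_permits=True)
    remotes = [PerspectiveResult(n, True, True) for n in ("remote-eu", "remote-ap")]
    return corroborate(primary, remotes)

if __name__ == "__main__":
    print("hijack:", hijack_scenario())   # issuance halted, remote-eu dissents
    print("honest:", honest_scenario())   # issuance allowed
```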
What is Open MPIC?
Open MPIC is an open-source framework designed to help CAs meet MPIC requirements without reinventing their validation stack.
It started as a proof-of-concept from researchers at Princeton University: just three Python scripts aimed at testing MPIC viability. Now, Sectigo’s Sharkov is taking the architect lead and working in collaboration with co-founders Henry Birge-Lee and Grace Cimaszewski to develop and maintain the project’s core library, API specifications, and deployment solutions.
“We didn’t want CAs to start from zero or roll their own fragile solutions,” said Sharkov. “Open MPIC gives them a head start—open, extensible, and ready to scale.”
Open MPIC currently supports two main deployment options:
- AWS Lambda: A serverless setup that scales automatically. Ideal for CAs that want fast, elastic validation with minimal overhead.
- Docker Microcontainers: For full control. Deploy to production on EC2 or Kubernetes, and test locally using Docker Compose.
Built-in features include quorum logic, distance enforcement, and perspective diversity—all aligned with CA/B Forum MPIC rules.
“You can configure Open MPIC to run in three regions today or fifteen tomorrow,” Sharkov said. “It supports perspective selection logic, so you’re compliant with requirements like minimum 500 km separation and regional registry diversity.”
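The two selection constraints named above, minimum 500 km separation and regional registry diversity, as an added example rather than Open MPIC's own selection code: a greedy pass over a candidate pool keeps only vantage points at least 500 km from every one already chosen, then checks that the chosen set spans at least two registry regions. The candidate coordinates and the reading of "diversity" as at least two distinct RIRs are assumptions made for this example.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Perspective:
    name: str
    lat: float
    lon: float
    rir: str   # regional Internet registry region, e.g. ARIN, RIPE, APNIC, LACNIC

EARTH_RADIUS_KM = 6371.0

def distance_km(a: Perspective, b: Perspective) -> float:
    """Great-circle distance between two perspectives via the haversine formula."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a.lat, a.lon, b.lat, b.lon))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def select_perspectives(candidates: list[Perspective], count: int,
                        min_km: float = 500.0, min_rirs: int = 2) -> list[Perspective]:
    """Greedily pick `count` perspectives that are pairwise at least `min_km` apart
    and together cover at least `min_rirs` registry regions (assumed meaning of
    'regional registry diversity'). Raises ValueError if the pool cannot satisfy this."""
    chosen: list[Perspective] = []
    for cand in candidates:
        if all(distance_km(cand, c) >= min_km for c in chosen):
            chosen.append(cand)
        if len(chosen) == count:
            break
    if len(chosen) < count:
        raise ValueError(f"only {len(chosen)} of {count} perspectives meet {min_km} km separation")
    if len({c.rir for c in chosen}) < min_rirs:
        raise ValueError("selected perspectives lack regional registry diversity")
    return chosen

# Constructed candidate pool: approximate city coordinates, illustrative names
CANDIDATES = [
    Perspective("ashburn", 39.04, -77.49, "ARIN"),
    Perspective("new-york", 40.71, -74.01, "ARIN"),   # ~350 km from Ashburn: rejected
    Perspective("frankfurt", 50.11, 8.68, "RIPE"),
    Perspective("tokyo", 35.68, 139.69, "APNIC"),
    Perspective("sao-paulo", -23.55, -46.63, "LACNIC"),
    Perspective("sydney", -33.87, 151.21, "APNIC"),
]

def chosen_names(count: int = 5) -> list[str]:
    return [p.name for p in select_perspectives(CANDIDATES, count)]

if __name__ == "__main__":
    print(chosen_names())   # New York is skipped as too close to Ashburn
```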
Lastly, Open MPIC isn’t an academic artifact or one-off repo. It’s jointly maintained by Sectigo and Princeton, with active feedback and bug reports from other CAs.
“We’ve got a live Slack with CAs asking deployment questions, submitting issues, even suggesting new features,” said Sharkov. “Some contributors stay anonymous, but the feedback loop is already making the project stronger.”
What’s next for Open MPIC?
As more CAs ramp up for full MPIC enforcement on September 15th, 2025, Open MPIC is preparing for real-world scale. Sharkov notes that the project will evolve on several fronts—performance, feature support, and responsiveness to industry feedback.
“In the fairly immediate future, there’s going to be continued tuning around performance, around tuning, just from a usability standpoint,” Sharkov said. “As CAs—including, of course, Sectigo—start to use Open MPIC at full volume, we want to make sure that it can handle that volume effectively.”
One of the next major milestones is supporting MPIC for S/MIME validations, as required in future phases of the CA/B Forum baseline requirements. Beyond that, Open MPIC is positioned as a community-led, flexible foundation that can grow with the ecosystem.
“We may be able to run with it as is, but that really depends on what the community learns—and what Sectigo learns—as we run Open MPIC at scale,” Sharkov said. “If requirements change or we discover areas for improvement, we’re in a good position to adapt. Open MPIC is built to evolve.”
A broader commitment to open-source security
Open MPIC sets the stage for a more resilient domain validation model—one where certificate issuance depends on consensus, not trust in a single path.
MPIC isn’t a theoretical idea anymore; it’s policy. And Open MPIC is a working, open-source framework to help CAs implement it without starting from scratch.
Contributing to the WebPKI is a core tenet of a reputable CA. Sectigo has long contributed to the shared infrastructure behind various open-source WebPKI projects, including certificate transparency (crt.sh), validation linting (pkimetal, zlint, certlint), and ecosystem tooling (Certbot, CT logs, CA cross-signing). Holding more CA/Browser Forum leadership positions than any other CA, Sectigo also regularly contributes to standards, implements them early, and helps the ecosystem adopt them at scale.
Open MPIC continues that work, offering a practical, standards-aligned solution to a very real threat.
If you are interested in participating in the engineering of Open MPIC, feel free to join the Slack workspace (openmpic.slack.com) and the mailing list.
More information is on the Open MPIC website.
*** This is a Security Bloggers Network syndicated blog from Sectigo authored by Tim Callan. Read the original post at: https://www.sectigo.com/resource-library/open-mpic-open-source-multi-perspective-validation