Multi-Perspective Issuance Corroboration (MPIC) Arrives

 April 15, 2025

What’s Changing? 

Domain Control Validation (DCV) and CAA checks for publicly trusted TLS and S/MIME certificates must be performed using Multi-Perspective Issuance Corroboration, or “MPIC”.  

Why This Change? 

In line with the CA/Browser Forum’s baseline requirements for issuing publicly trusted TLS and S/MIME certificates, GlobalSign is implementing this change to improve security and assurance in the domain control validation process.  

MPIC was introduced to mitigate BGP hijacking and similar attacks that could be leveraged to manipulate the results of domain control checks or CAA record lookups. As the name suggests, “Multi-Perspective Issuance Corroboration” means that when a CA performs domain control validation (DCV), it must run these checks from multiple perspectives, that is, from multiple independent geographic network locations.

How Does This Affect You? 

For most customers this is a transparent change. While there are no impacts to existing certificates, reissues and renewals performed on publicly trusted TLS or S/MIME certificates after their respective enforcement dates will have MPIC enforced. 

What Actions Need to be Taken? 

Organizations that use allowlists and/or blocklists to restrict access to their systems from external IP addresses or ranges will need to ensure that any network endpoints in scope for validation checks allow these checks to be performed from multiple external network locations.
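One way to spot an allowlist that lets only some validation perspectives through is to review web server logs for validation requests that succeeded from one source address and were denied from another. The script below is an added illustration, not GlobalSign tooling: it assumes an HTTP-based validation method served under the standard `/.well-known/` paths and a combined-format access log, and the log lines and addresses are constructed samples.

```python
import re
from collections import defaultdict

# Assumption: HTTP-based DCV is in use; these are the standard well-known
# prefixes (CA/B Forum file-based validation and ACME http-01).
DCV_PREFIXES = ("/.well-known/pki-validation/", "/.well-known/acme-challenge/")
# Combined log format: client IP, ident, user, [time], "request", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
DENIED = {401, 403}  # statuses an application-layer allowlist or WAF typically returns

# Constructed sample log (documentation-range addresses, hypothetical tokens).
SAMPLE_LOG = """\
198.51.100.10 - - [25/Feb/2025:10:00:01 +0000] "GET /.well-known/pki-validation/token-a.txt HTTP/1.1" 200 64 "-" "validator"
203.0.113.20 - - [25/Feb/2025:10:00:02 +0000] "GET /.well-known/pki-validation/token-a.txt HTTP/1.1" 403 153 "-" "validator"
192.0.2.30 - - [25/Feb/2025:10:00:02 +0000] "GET /.well-known/pki-validation/token-a.txt HTTP/1.1" 403 153 "-" "validator"
198.51.100.10 - - [25/Feb/2025:11:00:01 +0000] "GET /.well-known/acme-challenge/token-b HTTP/1.1" 200 87 "-" "validator"
203.0.113.20 - - [25/Feb/2025:11:00:01 +0000] "GET /.well-known/acme-challenge/token-b HTTP/1.1" 200 87 "-" "validator"
203.0.113.20 - - [25/Feb/2025:11:05:00 +0000] "GET /admin/ HTTP/1.1" 403 153 "-" "browser"
"""

def dcv_reachability(log_text):
    """Map each requested DCV path to the source IPs that were served or denied."""
    seen = defaultdict(lambda: {"ok": set(), "denied": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        if not path.startswith(DCV_PREFIXES):
            continue  # only validation endpoints are in scope
        if status == 200:
            seen[path]["ok"].add(ip)
        elif status in DENIED:
            seen[path]["denied"].add(ip)
    return dict(seen)

def partially_blocked(log_text):
    """DCV paths served to at least one source but denied to a different one."""
    return sorted(
        path for path, r in dcv_reachability(log_text).items()
        if r["ok"] and (r["denied"] - r["ok"])
    )

if __name__ == "__main__":
    # Note: traffic dropped at a network firewall never reaches this log,
    # so firewall deny logs need the same review.
    for path in partially_blocked(SAMPLE_LOG):
        print("inconsistent access:", path, dcv_reachability(SAMPLE_LOG)[path])
```
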

What Products Are Affected by This Change? 

All publicly trusted TLS and S/MIME certificates:  

TLS Certificates: 

  • On Atlas – TLS DV and TLS OV. 
  • On GCC – DV SSL, OV SSL, EV SSL, AlphaSSL 

S/MIME Certificates: 

  • On Atlas – Secure Mail and Secure Mail Enterprise  
  • On GCC – PersonalSign 1, PersonalSign 2 Pro, PersonalSign 2 Department, Enterprise PKI Lite for Personal Digital ID, Enterprise PKI Lite for Department Digital ID, and Enterprise PKI Lite for S/MIME.

When Do These Changes Take Effect? 

MPIC for CAA Checks

  • Effective Date: February 25, 2025
  • Scope: All publicly trusted TLS and S/MIME Certificates
  • Platforms: GCC and Atlas

MPIC for Domain Control Validation

  • Effective Date: February 25, 2025
  • Scope: All publicly trusted TLS Certificates
  • Platform: Atlas and GCC

  • Effective Date: April 28, 2025
  • Scope: All publicly trusted S/MIME Certificates
  • Platforms: GCC
