Ballot SC-067: Require Multi-Perspective Issuance Corroboration

MPIC ensures that domain validation and CAA checks are confirmed from at least two independent network locations, at least 500 km apart, to mitigate the risk of global BGP attacks.

To comply with CA/Browser Forum’s SC067, TuringSign is implementing Multi-Perspective Issuance Corroboration (MPIC) for Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks.

 

What is MPIC?

Multi-Perspective Issuance Corroboration (MPIC) is a process defined in the CA/Browser Forum Baseline Requirements (Section 3.2.2.9) in which the results of domain validation and CAA checks performed by one network location (the Primary Network Perspective) must be confirmed by at least one or more geographically separate network locations before a certificate can be issued.

 

MPIC Rule:

Domain Control Validation (DCV) and Certification Authority Authorization (CAA) checks must be performed from at least two independent network perspectives that are geographically separated by a minimum of 500 kilometers, in accordance with CA/Browser Forum Baseline Requirements (Section 3.2.2.9).

 

MPIC Phased Implementation Timeline

*  RIR = Regional Internet Registry (IPE, APNIC, ARIN, AfriNIC, LACNIC) 

*  Source: CA/Browser Forum Baseline Requirements, Section 3.2.2.9 

 

 Impact for SSL/TLS certificates DCV Methods

 

 
 How to prepare
  • Certificates issued before February 18, 2025, will remain valid until they expire or are revoked.
  • TuringSign will not be issued if multi-perspective checks fail to corroborate the primary Domain Control Validation (DCV) or Certification Authority Authorization (CAA) records, starting no later than September 15, 2025.
  • Customers should ensure their DNS configurations are correctly set up and accessible from multiple network locations to meet the validation requirements.

 

Information about Ballots:https://cabforum.org/2024/08/05/ballot-sc067v3-require-domain-validation-and-caa-checks-to-be-performed-from-multiple-network-perspectives-corroboration/

 

Latest Post

0
    0
    Your Cart
    Your cart is empty

    Trustworthy AI for Better SSL

    TuringSign is actively innovating in cutting-edge AI technology to make traditional SSL workflows quicker, more efficient, more accurate and less costly.

    We apply automation to routine tasks including technical support and high assurance organization validation. This not only saves time but also minimizes errors and ensures faster, more reliable support for TuringSign users. With AI handling routine queries and tasks, your team can focus on more complex issues.

    Compare & Buy

    Automation for Unmatched Speed

    Check mark with hand icon.

    Full Automation

    Fully Automate your SSL Management with ACME

    Analysis analytics column graphic improvement icon.

    Fastest OCSP

    Boost Page Loading Speeds with our Industry-Leading OCSP

    Achievement icon.

    Priority Validation

    Get High-Assurance Certificates Faster than ever

    Compare & Buy

    Best Value Pricing

    Lowest Prices for Best-in-Class Products : Affordability with excellence.

    Standard DV SSL

    DigiCert $64
    Sectigo $99
    GlobalSign $249
    GoDaddy $69
    TuringSign $59

    Wildcard DV SSL

    DigiCert $629
    Sectigo $499
    GlobalSign $849
    GoDaddy $349
    TuringSign $259

    Single OV SSL

    DigiCert $312
    Sectigo $199
    GlobalSign $349
    Entrust $199
    TuringSign $179

    Wildcard OV SSL

    DigiCert $984
    Sectigo $879
    GlobalSign $949
    Entrust $799
    TuringSign $699

    EV SSL

    DigiCert $468
    Sectigo $279
    GlobalSign $599
    GoDaddy $399
    TuringSign $209

    Source: Netcraft SSL Server Survey, August 2024. Provided for reference only. 3rd Party prices may have change.

    Compare & Buy

    Join the Waitlist

    Next Steps

    1. Validate Domain (Authenticate domain depending on which method you choose)

    Check the email that has been sent to you. To confirm the domain ownership rights for your certificate, you need to copy the validation code from the approval email, follow the link in it and paste the validation code into the corresponding field.

    From the email, please click the link to the verification page, Once in the verification page, please enter the code provided in the email for verification.

    That’s it!

    After you have completed verification, a confirmation email will be sent to you. And shortly after, an issue confirmation will be sent to you via email. You can follow the link to the portal to download your newly issued certificate.

    If you have followed the steps above and did not receive an approval email to your mailbox, please click the link to the portal and double check your validation method or contact us for help. 

    Another way of verifying a domain is DNS (TXT record) Verification. If you selected DNS Authentication as your verification method, you will receive a unique TXT record via email consisting of two parts:

    • 1. Name: Name/Host/Alias/TXT: Blank or @
    • 2. Value/Points to/Destination:”wisekey=XXXXXXX”
    • TTL: This is your TTL (Time-To-Live) value. Set it to 3600 or lower.

    Verify by adding a TXT record in your DNS. Please verify and check if you have added the correct record

    Please submit a requestfor support if you face any issues.

    Depending on your DNS provider, You may have to wait for at least an hour for the changes to take effect in the DNS Servers. You will be notified via email when the domain is verified.

    The third method of verifying a domain is HTTP File Upload Verification. After choosing File Authentication as your verification method, you will receive an email and be asked to download a unique verification file (Format: .txt) and upload it to a specific directory on your web server.



    Verify by uploading the attached file fileauth.txt in your web server as follows:



    • 1. Download the text file fileauth.txt (attached with the email).
    • 2. Upload the above file (fileauth.txt) to your host in this EXACT path: http://my-domain.com/.well-known/pki-validation/fileauth.txt


    You may have to wait for at least an hour for the changes to take effect in the validation services. You will be notified via email when the domain is verified.

    Please submit a request for support if you face any issues.

    2. Receive Confirmation (After validation an email will be sent with a link to certificate)

    3. Download certificate and upload to hosting

    Notice: After generating a CSR,
    1. Copy the Private KEY and keep this to yourself for reference.
    2. Copy only the CSR above and use(paste)
    in to request your TS Certificate.
    3. Click the top left button to close.

    TuringSign
    Powered by  GDPR Cookie Compliance
    Privacy Overview

    This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.