New Issuance Requirements Improve HTTPS Certificate Validation

Trust in HTTPS certificate issuance has been enhanced with new practices mandated by the CA/Browser Forum Baseline Requirements meant to strengthen certificate validation.

While the certificate issuance process has previously required that the Certification Authority (CA) verifies the requestor’s legitimate control over the domain, Border Gateway Protocol (BGP) attacks and prefix-hijacking have been used to obtain fraudulent certificates.

To improve domain control validation, Multi-Perspective Issuance Corroboration (MPIC) was added to the baseline requirements, as it proved to be effective against real-world BGP hijacks.

“Rather than performing domain control validation and authorization from a single geographic or routing vantage point, which an adversary could influence as demonstrated by security researchers, MPIC implementations perform the same validation from multiple geographic locations and/or Internet Service Providers,” Google explains.

After a ballot to require the adoption of MPIC received unanimous support from the involved stakeholders, the validation improvement became a requirement ...