Take Quiz

Multi-Perspective Issuance Corroboration
Date: 2025-04-08 | Length: 2.75 hrs

Your name and email are stored only in your browser local storage for convenience. They are not retained server-side.

NameEmail

Question 1

What is the principal security weakness that Multi-Perspective Issuance Corroboration (MPIC) is designed to mitigate in the certificate issuance process?

The vulnerability caused by phishing attacks used to steal certificate enrolment tokens from administrators. The possibility of man-in-the-middle attacks exploiting improperly validated certificate chains during TLS handshake. The risk of fraudulently issued certificates due to BGP prefix-hijacking and border gateway protocol attacks influencing single-point domain validation. The threat of attackers compromising private keys stored on Certificate Authority servers through insider threats.

Question 2

According to the episode, what is the CA/Browser Forum's timeline for increasing the number of required geographic or network perspectives used in domain control validation through MPIC?

One perspective from each Regional Internet Registry (RIR) region starting from March 2025, totaling five regions immediately. Starting with two perspectives in March 2025, increasing to three by June 2026, and five by December 2026. Immediately requiring five perspectives in March 2025 with no further scheduled increases. Starting with three perspectives in March 2025 and doubling to six perspectives by December 2026.

Question 3

What is the operational principle behind MPIC that reduces the probability of an attacker successfully exploiting BGP prefix hijacking in domain validation?

Performing domain control validation from multiple, geographically and topologically diverse locations to prevent a single compromised routing path from causing fraudulent validation. Using cryptographic signatures embedded in the BGP routing announcements to authenticate routing paths. Deploying onboard monitoring systems in routers to detect and autonomously block prefix hijacking in real time. Relying exclusively on Certificate Transparency logs to detect invalid certificate issuance after the fact.

Question 4

Which of the following best describes why previous single-point domain control validation was vulnerable to routing attacks, according to the episode?

Because validation was performed without any form of cryptographic signature or key exchange. Because the domain control validation files were sometimes publicly guessable or leaked, leading to unauthorized control. Because validation querying from a single geographic or network location can be misdirected by compromised routers, enabling an attacker’s server to respond instead of the legitimate domain owner. Because attackers could exploit DNS cache poisoning directly to redirect validation queries without affecting BGP routing.

Question 5

What are the minimum requirements for domain control validation perspectives as per the CA/Browser Forum's MPIC requirement that must be met by December 2026?

Validation must be performed from at least five remote network perspectives spanning at least two Regional Internet Registry regions. Validation must be performed solely from the Certificate Authority's primary data center for consistency. Validation must be performed from three perspectives all within the same RIR region for simplified trust. Validation perspectives may be reduced to a single perspective if a domain uses DNSSEC signed records.

Cancel

Episode #1020 Quiz

Question 1

Question 2

Question 3

Question 4

Question 5