Draft:Open MPIC

Submission declined on 13 May 2025 by Theroadislong (talk). This draft's references do not show that the subject qualifies for a Wikipedia article. In summary, the draft needs multiple published sources that are: in-depth (not just passing mentions about the subject) reliable secondary independent of the subject Make sure you add references that meet these criteria before resubmitting. Learn about mistakes to avoid when addressing this issue. If no additional references exist, the subject is not suitable for Wikipedia. If you would like to continue working on the submission, click on the "Edit" tab at the top of the window. If you have not resolved the issues listed above, your draft will be declined again and potentially deleted. If you need extra help, please ask us a question at the AfC Help Desk or get live help from experienced editors. Please do not remove reviewer comments or this notice until the submission is accepted. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Easy tools: Citation bot (help) | Advanced: Fix bare URLs Declined by Theroadislong 16 days ago. Last edited by Willnoco 15 days ago. Reviewer: Inform author. Resubmit Please note that if the issues are not fixed, the draft will be declined again.

• Comment: one source only and that is a blog. Theroadislong (talk) 16:15, 13 May 2025 (UTC)

Open MPIC (Open Multi-Perspective Issuance Corroboration) is an open-source project developed by researchers at Princeton University to protect against BGP hijacking attacks during certificate issuance. It provides a scalable, API-based implementation of the Multi-Perspective Issuance Corroboration (MPIC) technique, which enhances the security of domain control validation used by Certificate Authorities (CAs).

Domain control validation is a process used by CAs to verify that a requester has control over a given domain name before issuing a certificate. This process is vulnerable to BGP routing attacks, where an attacker reroutes traffic to impersonate a domain during validation. Such attacks can result in fraudulent certificates being issued.

The MPIC technique, proposed in a 2018 USENIX paper by Princeton researchers, mitigates this risk by performing validation from multiple, geographically distinct network vantage points. Because many BGP attacks are localized, validation from unaffected perspectives can detect inconsistencies and prevent certificate issuance.

Several major CAs have implemented MPIC-like mechanisms. However, these implementations are often tied to proprietary infrastructure:

• Let's Encrypt uses MPIC in its Boulder CA but supports only ACME validations.
• Google Trust Services operates an internal MPIC system restricted to Google's environment.
• Cloudflare developed an HTTP API-based MPIC but does not yet support non-ACME methods.

Open MPIC was created to provide a flexible, cloud-agnostic implementation that can be deployed independently by any CA.

• ACME and non-ACME support: Supports HTTP and DNS-based validation with flexible URL structures.
• RESTful API: Exposes MPIC functionality via secure HTTPS APIs.
• CAA compliance checking: Concurrent or on-demand retrieval of CAA records from multiple perspectives.
• Detailed logging: Complies with draft CA/B Forum MPIC logging requirements; includes perspective identifiers, validation results, and challenge metadata.
• Secure infrastructure: Uses TLS and encrypted channels for all communications; designed with best practices in mind.
• Automated deployment: Supports one-command deployment via cloud access tokens; includes configuration and monitoring scripts.
• Serverless option: Can operate entirely via serverless functions to reduce costs and complexity.
• High configurability: CA administrators can define quorum policies, network locations, and perspective counts.
• Cross-cloud compatibility: Designed to be cloud-provider agnostic to accommodate CA preferences and reduce vendor lock-in.

The project was announced on February 13, 2024, on the CITP blog.^[1] The project is maintained by Princeton's Center for Information Technology Policy and published at its official site.^[2]

Notably, engineers from Sectigo—a major public certificate authority—have contributed early feedback and real-world deployment insights to help shape the architecture of Open MPIC.

The project’s official repositories are available on GitHub at github.com/open-mpic, which includes the API specification, core Python library, and multiple deployment models. Interested contributors can engage with the maintainers through the GitHub issues pages or by contacting the team via the project email list.

• Public key infrastructure
• Certificate Authority
• Domain validation
• BGP hijacking
• Let's Encrypt
• Google Trust Services

• Official blog post
• Princeton CITP website