July 30, 2024

A Brief History of Multi-Perspective Issuance Corroboration

By Henry Birge-Lee, Grace Cimaszewski, Liang Wang, Cyrill Krähenbühl, and Prateek Mittal

“Multi-Perspective Issuance Corroboration” (or “MPIC”) is currently under discussion as an industry-wide standard by the CA/Browser Forum Server Certificate Working Group, and possibly by other Forum Working Groups in the future (e.g., the S/MIME Working Group). This is a promising idea that aims to mitigate the risk of equally-specific Border Gateway Protocol (BGP) attacks by validating domain ownership and the corresponding CA’s permission to issue from multiple perspectives spread across the Internet. Our group at Princeton is spearheading the development of this technology and is also offering an implementation of MPIC via the Open MPIC Project. This post summarizes the history of MPIC and our group’s research and development efforts on this technology. We aim to highlight our commitment to open-source contributions. We trust that MPIC will find valuable and diverse applications across various fields, and we look forward to witnessing the positive impact of open innovation.

Author’s note: The technology of using multiple perspectives spread across the Internet to reduce the risk of BGP attacks causing certificate mis-issuance has gone through several different names including: “Multi-Perspective Domain Validation”, “Multiple-Vantage-Point Domain Validation”, “multiVA”, “Multi-Path Validation”, and “Multi-Perspective CAA”. Even though many of the articles we cite used some of these previous names, we use MPIC for consistency given the standardization process ongoing within the CA/Browser Forum.

History of MPIC:

  • 2015: Artyom Gavrichenkov presented “Breaking HTTPS With BGP Hijacking” at Black Hat USA, which introduced, at a theoretical level, the vulnerability of the PKI to BGP attacks and discussed localized BGP attacks that affect only a portion of the Internet.
  • 2017:
    • Henry Birge-Lee et al. ethically demonstrated the vulnerability of the PKI to BGP attacks for the first time in the wild, obtaining a bogus certificate in a demo at HotPETs ‘17. They were also the first to publicly introduce, in their abstract for the talk, the concept of validating challenges from multiple network perspectives, which ultimately became known as MPIC. This paper also linked to the first ever published implementation of multiple vantage point validation, which relied upon HTTP proxies connected over VPN tunnels to perform domain control validation at remote perspectives. Let’s Encrypt announced plans to deploy MPIC the day of our HotPETs talk. This ultimately led to a collaboration between our group at Princeton and Let’s Encrypt to further develop and deploy MPIC.
    • Let’s Encrypt officially announced that Multi-Perspective Domain Validation was implemented in their codebase and enabled in their staging environment. Their implementation was different from the original implementation by Birge-Lee et al. in that it relied upon running validation code at remote perspectives. In their implementation the primary orchestrating perspective sends information including the domain name to be validated and the challenge information (path and expected value) to the remote perspectives which then initiate their own validation requests. The challenge information and the responses are all sent over encrypted gRPC tunnels which rely on mutually-authenticated TLS sessions.
  • 2018: Birge-Lee et al. published a paper at the Usenix Security Symposium that rigorously analyzed attacks (both theoretically and via real-world attack experiments) that an adversary can use to obtain a bogus certificate and developed a taxonomy of BGP attacks on the PKI. This paper used Internet topology simulations and data on 1.8 million domains to provide the first effort to rigorously quantify the vulnerability of domain validation to BGP attacks as well as the security benefits of Multi-Perspective Domain Validation against localized equally-specific BGP attacks.
  • 2020: Through the collaboration between Princeton and Let’s Encrypt, Let’s Encrypt finalized their production deployment of multi-perspective domain validation and enabled it on all ~1.5 million certificates they sign every day.
  • 2021: The Princeton and Let’s Encrypt collaboration led to Birge-Lee et al. publishing “Experiences Deploying Multi-Vantage-Point Domain Validation at Let’s Encrypt” at Usenix Security ‘21, which detailed Let’s Encrypt’s deployment, studied the impact on benign certificate issuance, and showed that the deployment improved security against ethically-launched real-world BGP attacks.
  • 2024:
    • Public discussion on Ballot SC-067 to incorporate MPIC into the TLS Baseline Requirements began.
    • The Open MPIC Project was launched to offer an API-based open-source implementation that can be easily deployed by any CA. Open MPIC provides the first implementation for non-ACME CAs and allows CAs to deploy MPIC in their own cloud provider accounts. This offers the benefits of a cloud deployment while allowing CAs to have full visibility and control of the code that is running MPIC. In the future we hope to work with interested parties to turn the Open MPIC API Specification into an RFC standard that can also be adopted by other MPIC deployments.
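As an added illustration of the orchestration described under 2017 (this is not code from the post, from Let’s Encrypt, or from Open MPIC): the primary perspective hands the domain, challenge path and expected value to remote perspectives, each fetches the challenge over its own route, and the CA issues only when the results corroborate. The perspective names, the routing views, and the quorum rule (primary must pass, at most one remote may fail) are assumptions constructed for this example; the hijack scenario shows why a localized attack that fools only the primary is refused.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Challenge:
    domain: str
    path: str            # where the token must be served, e.g. /.well-known/acme-challenge/<token>
    expected_value: str  # key authorization the primary computed for the requester

@dataclass(frozen=True)
class PerspectiveResult:
    perspective: str
    passed: bool
    observed: Optional[str]  # body seen from that vantage point; None means the fetch failed

# A fetcher models one perspective's route to the domain: what it gets back when it
# requests `path` on `domain`. A real remote perspective would perform an HTTP GET here.
Fetcher = Callable[[str, str, str], Optional[str]]

def validate_at_perspective(name: str, ch: Challenge, fetch: Fetcher) -> PerspectiveResult:
    body = fetch(name, ch.domain, ch.path)
    return PerspectiveResult(name, body is not None and body.strip() == ch.expected_value, body)

def corroborate(ch: Challenge, primary: str, remotes: List[str], fetch: Fetcher,
                max_remote_failures: int = 1) -> Tuple[bool, List[PerspectiveResult]]:
    """Assumed quorum policy (not from the post): the primary must pass and at most
    max_remote_failures remote perspectives may fail; otherwise issuance is refused."""
    results = [validate_at_perspective(p, ch, fetch) for p in [primary] + remotes]
    remote_failures = sum(1 for r in results[1:] if not r.passed)
    return results[0].passed and remote_failures <= max_remote_failures, results

def fetcher_from_view(view: Dict[str, Optional[str]]) -> Fetcher:
    """Constructed routing view: perspective name -> body that perspective reaches."""
    return lambda perspective, domain, path: view.get(perspective)

CHALLENGE = Challenge("example.com", "/.well-known/acme-challenge/tok123", "tok123.key-authz")
REMOTES = ["eu-west", "ap-south", "us-west"]
TOKEN = CHALLENGE.expected_value

# Constructed scenarios. BENIGN: the real server serves the token, so every route sees it.
BENIGN = {"primary": TOKEN, "eu-west": TOKEN, "ap-south": TOKEN, "us-west": TOKEN}
# OUTAGE: one remote cannot reach the domain (ordinary network trouble, tolerated by the quorum).
OUTAGE = {"primary": TOKEN, "eu-west": TOKEN, "ap-south": None, "us-west": TOKEN}
# LOCALIZED_HIJACK: an equally-specific BGP attack diverts only the primary's route to an
# attacker host serving the token; the rest of the Internet still reaches the real server.
LOCALIZED_HIJACK = {"primary": TOKEN, "eu-west": None, "ap-south": "", "us-west": None}

def decision(view: Dict[str, Optional[str]]) -> bool:
    return corroborate(CHALLENGE, "primary", REMOTES, fetcher_from_view(view))[0]
```

Running `decision(LOCALIZED_HIJACK)` returns False even though the primary alone would have passed, which is the property the post's deployments rely on.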

Conclusion:

Over several years, our group has supported the open development and research of MPIC, including MPIC design, implementation, and deployment. In the spirit of open innovation, the MPIC contributions from our Princeton team have been given to the public domain. We hope that MPIC finds diverse applications across fields, and we look forward to witnessing the positive impact of open innovation. In a subsequent blog post we will discuss our future vision and the details of the Open MPIC project.
