New HTTPS certificate issuance requirements are set to strengthen validation practices to improve security. The CA/Browser Forum Baseline Requirements mandate Multi-Perspective Issuance Corroboration (MPIC) and linting to enhance the certificate issuance process. Traditionally, Certification Authorities (CAs) have verified domain control, but BGP attacks and prefix hijacking led to fraudulent certificates being issued. MPIC, implemented from multiple geographic locations or ISPs, helps counter these risks by verifying domain control from diverse vantage points.
MPIC was introduced after a ballot in support of its adoption gained unanimous approval.
Starting March 15, 2025, CAs must use MPIC when issuing publicly-trusted certificates, ensuring better validation and protection. In addition to MPIC, linting will become mandatory to detect errors, inconsistencies, and ensure proper formatting in certificates. Linting is an automated process that helps detect issues such as weak cryptographic algorithms and improves certificate interoperability.
Google notes that linting also aids in ensuring compliance with industry standards, reducing risks associated with non-compliance.
The Open MPIC Project is one initiative some CAs are using to support MPIC, helping to standardize implementations across the industry. The practice of linting will also contribute to the ongoing effort to reduce vulnerabilities in the certificate issuance process and enhance web security.
Looking ahead, by July 15, 2025, Chrome will prohibit weak domain control validation methods, further advancing the safety of the Web PKI ecosystem. Google emphasizes the importance of collaboration among security professionals and stakeholders to continually improve the web’s security and minimize risks before harm can occur. The new requirements highlight a proactive approach to strengthening HTTPS certificate validation and ensuring a safer internet experience.
Reference:
