
Root Causes 485: What Is Open MPIC?

Hosted by: Tim Callan (Chief Compliance Officer), Dmitry Sharkov (Principal Architect)

Original broadcast date: April 12, 2025

Guest Dmitry Sharkov joins us to describe Open MPIC, the open-source project to help public CAs support MPIC.

Podcast Transcript

Lightly edited for flow and brevity.
Tim Callan: We have a guest. We do indeed. I want to introduce Dmitry Sharkov, and Dmitry is a Technical Architect here at Sectigo. And in particular, Dmitry, we want to talk today about MPIC – Multi-Perspective Issuance Corroboration, which I know you have been deeply involved in. So welcome, Dmitry.

So, MPIC, if you're not familiar with it, we've covered this in several previous episodes. We're not going to go over the basics. Go review that again. But MPIC, the first requirement for Multi-Perspective Issuance Corroboration, which affects both domain control validation and CAA checking, is due to occur on March 15 of 2025, which is after our recording date but before our broadcast date for this particular episode. So Dmitry, tell us about what you've done with MPIC and in particular, let's make sure we cover Open MPIC.
Dmitry Sharkov: Sure. So, first of all, I'm fairly new to Sectigo. I joined in early summer of last year, and shortly after joining, got involved in MPIC and specifically figuring out how we're going to tackle the requirements around MPIC and through just connections and conversations, found out that Open MPIC is a project that's out there that's being driven by researchers at Princeton. There was a publication around that project published earlier that year. So about a year ago at this point, just over a year ago. I figured I’d take a look at it and see if it makes sense to build on that for MPIC at Sectigo. Just try to understand what's going on with that project because the idea behind Open MPIC is to have a self-hosted MPIC solution that a CA can just spin up and run and be compliant with the requirements around MPIC without having to sort of roll their own solution. The idea being that MPIC's requirements, for one, assume, especially once you have enough perspectives out there, for the Multi-Perspective Corroboration, that you have something of a global footprint. That your perspectives span multiple continents. So there's that, and then also, there were other MPICs, or other MPIC implementations out there, but they were ACME specific, and there wasn't really one out there for non-ACME methods.
Tim Callan: So, let me make sure I'm getting this right. The idea behind Open MPIC is that basically the hard work has been done for somebody, and forgive me if the terminology isn’t quite right, but basically, if somebody integrates with or writes to Open MPIC, then they can tie into the rest of that technical work and architecture that’s been put together. Is that correct?
Dmitry Sharkov: So it’s self-hosted, which means you're going to pull this thing down and run it on your own infrastructure, or infrastructure you rent. So like a cloud provider. You configure it. But the idea is, it's supposed to be turnkey. So it's kind of just follow a readme, follow some basic instructions, paint by numbers, sort of push button, deploy, and off you go. So what's left for a Certificate Authority to do then is, effectively, to integrate with it. So they've got the service spun up, they're running the service, and they have to monitor and so forth. But then what they have to write, then as a client for that service, so they have to integrate their existing certificate pipeline into it.
Tim Callan: And the idea is that that is just much less work and much less risk and requires much less understanding than the rest of MPIC. Is that right?
Dmitry Sharkov: Because then all you have to do is know what endpoint you have to write a basic web client for and make that call whenever you're doing your CAA or DCV checks.
Tim Callan: So right now, there is a requirement that MPIC is in monitoring-only mode, and in September, that's going to move to the mode where you actually take action, but then the number of endpoints is going to increase over several years. Is Open MPIC going to have to continue to be modified to match those changing requirements? Is it all ready to go now? How does that work?
Dmitry Sharkov: So it's ready to go now as far as that goes. There's actually a couple of different deployment patterns that Open MPIC supports today, and we can talk about ways in which Open MPIC may continue to evolve. One way might be more deployment patterns. The two it has today are AWS Lambda and then Docker micro containers.

So the Lambda one, there's a configuration file. You're going to tell it what regions you want to deploy your perspectives to, and then it will do it. So if you want to deploy it to three perspectives today, you can. If you want to deploy to 15 today, you can. There's logic built into the solution around creating sort of valid sets or cohorts of perspectives for you to make sure that your corroborating perspectives, that set is compliant in terms of their existences, the number of regional Internet registries that are represented in that set and so forth. So Lambda is one.

Docker micro containers, you basically create an image from the code base or a set of images, and then that also is paint by numbers, and at that point you can deploy it in any number of ways, and we have examples in Open MPIC for deploying it, either on just like Amazon EC2 just bare compute or Kubernetes, or even for local Docker Compose testing. So at that point, you can, again, sort of just extrapolate and take the configuration that deploys to two or three perspectives today and change it to deploy to more. So it's really about targeting different cloud regions, whether you're in GCP alias or Azure.
Jason Soroko: Dmitry, when we were talking about this earlier, one of the questions was, we probably wouldn't know if anybody were to pick up Open MPIC and use it as a CA. That's interesting enough as it is. But I think it gets to a bigger question, which is, perhaps Tim, you can talk about this, which is, I don't think I remember reading anything in the requirements about CAs actually disclosing what the underlying MPIC solution they were using is. It was more they had to properly declare that they had the right number of corroboration points, and, to be able to fit with the rules as things progress through time. But I think it might be interesting for those of us who are either subscribing to certificates from a CA and obviously, for those of us who are in the CA industry to know what's being used, at least in a friendly way, amongst each other, to understand what's succeeding, what's not, etc. As of right now, like we're talking about this on this podcast but will we hear anything from other CAs about what technologies that they're using to solve this? Will we find out what's popular, what's working, what's not, etc., because I think that that information will be valuable.
Tim Callan: So Jason, you're right in that there is nothing in the rules that requires disclosure of the underlying technology that is being used to do this. Obviously, your WebTrust auditors will need to see that you're actually doing this. So there will be vetting that the actual multi-issuance corroboration is occurring. However, that probably wouldn't be revealed there either what the underlying technology is. Now, that said, I think there is every reason to believe that CAs will be very interactive in discussing this. For instance, Dmitry, you will be actually presenting at the next CA/Browser Forum face-to-face, where you're going to be talking about Open MPIC and explaining to CAs what it is, how it works, and why it may make sense for them to use that moving forward. So Jason, I do think that this has been an issue where the community has been very vocal and interactive, and I expect there will be a lot of information sharing, especially since everybody's really kind of learning at the same time.
Dmitry Sharkov: There is activity today. We have a Slack that we operate for Open MPIC and technical staff from various CAs do participate and bring up issues or ask questions around deployment and so forth. That activity has helped us make Open MPIC more user friendly, easier to deploy, easier to adopt, and fix bugs along the way as well. Now we don't know what all CAs those technical staff actually represent. I haven't asked, but there is definitely interest and activity here and there already.
Jason Soroko: In terms of contribution though, Dmitry, the original code that was available to you, to start looking at that was, I think, begun by folks over at Princeton, as you say. I do get the impression that you were a very major contributor to Open MPIC as it is right now. So other than that, has there been any other, what you could say, considerable contributions, other than Sectigo at the moment?
Dmitry Sharkov: Not right now. So you're right, the project, when we joined it, it was a kind of proof of concept targeting strictly AWS Lambda. It was three Python scripts that worked, in a fairly narrow subset of DCV validation methods, but they worked, and that code was written by Princeton security researchers, specifically Henry Birge-Lee, who did by far most of that. And from mid-summer last year on through today, it's basically been a pairing effort between him and myself, with occasional folks contributing here and there with a bug fix, a tweak here and there. Some of our other technical staff at Sectigo have helped specifically on configuration deployment, especially around the micro container side of things, but from a coding effort, it's been a fairly small team for now. It's really been the two of us, and hopefully going forward, there will be more contribution. It is an open source, fully open source project, MIT licensed. People are welcome to contribute pull requests; anything that they feel it's missing, people are welcome to add.
Tim Callan: So I want to ask a question, which is, obviously we said there's this original March 15 monitoring date, and this will be occurring after that, which means, one hopes that all of the BR compliant public CAs will have something in place. What are the reasons that they might want to consider switching from whatever they've put into place to Open MPIC?
Dmitry Sharkov: I think one reason may be the question of the gap, I suppose, between what you can have in place to meet the requirements starting March 15 and what you really need to have starting on September 15. Right now, you only need to have two remote perspectives. They don't necessarily need to be very well functioning, because right now you have to basically do the MPIC attempt and then log that you've made the attempt, more or less. So if you have quite a lot to then shore up from that point to actually be able to execute MPIC for every single validation method that you have, and then also, if you expect volume to go up, then Open MPIC might be a good idea for you, because it's a fairly light lift. It's pretty scalable. The idea is it's horizontally scalable. It's fully stateless. You can basically throw more hardware at it. The Lambda scales, you know, as needed, it's elastic. The other thing is, it's supported by Sectigo. It's supported by Princeton Engineering. As requirements change, and they might, I mean - -
Tim Callan: Or as bugs are discovered then they might.
Dmitry Sharkov: Well, there's bugs. There’s also, I think to some extent, learning to be done by the PKI community. We're all going to be now at scale doing MPIC, and we're going to see how effective it is, and issues we run into and so forth, and they may inform what an optimal way to implement MPIC would be, and Open MPIC will be kind of at the head of that. While it's open source, it's fairly resilient. It's reliable. One of the first things we did with the code base was rewrite it and test drive the whole rewrite so it's fairly safe from breaking its critical logic as well. So people can contribute, and as long as they're adding to the tests, this thing will keep working for everyone.
Jason Soroko: Dmitry, just to let the audience know, Tim and I have done a few podcasts on MPIC. In fact, you got to go back all the way to Episode 140 to listen to Tim and I describe the Border Gateway Protocol attacks, BGP attacks. And then Episode 327, where we first talk about multi-perspective domain validation, what was at the time called MPDV. So Episode 140 and Episode 327, in case you're interested, but you had pulled up some really great analogies to make the understanding of what the attack is a little more intuitive. We can't, for copyright reasons, show the movie, even though Tom Cruise is great, and I would love to be able to show it, because it really helps to illustrate what the attack really is, but maybe in your own words, help us to make it a little more intuitive for everyone.
Dmitry Sharkov: I was thinking of what would be a good way to describe, not just what a BGP attack or hijack looks like but what makes it so dangerous, especially in the context of DCV. That's really why BGP is a problem from the standpoint of a Certificate Authority, and really anyone browsing the web: you don't have to hijack BGP for very long to be able to acquire a legitimate certificate using fraudulent routes, and then you're off to the races impersonating a victim. So something similar happens. There's a movie, Mission Impossible Ghost Protocol. That's the one where Tom Cruise climbs the Burj Khalifa, tallest building in the world. Anyway, so in that movie, there's a scene where two bad guys, let’s say bad guy A and B, schedule a meeting with one another. They've never met, and they're supposed to exchange something, and Tom Cruise's team figures out a way to make the bad guys think that they're meeting each other when they're really not, so that one of them can make an exchange. And it's really Tom Cruise impersonating the other. And the idea is they're supposed to meet in a room, and really one guy is in one room, and the other one is in a room directly above. And they don't know it, because Tom Cruise's team has messed around with the labeling in the hotel. So there's two rooms labeled like 118 G basically. So one of them was in the real 118, one was the fake 118 G, and they think they're meeting their counterpart, but they're really meeting an impersonator. They're meeting Tom Cruise. So that's basically the analogy, where, if you are, maybe it's a flip in terms of moral alignment, let's just say, but the BGP hijacker is doing the impersonation, and creates a fraudulent route by messing around with routes on the internet.
So a CA thinks that they're going to the domain that they're looking to validate, but they end up going somewhere else, really, and they see what they expect to see there, and they issue the certificate to an impersonator, basically. And that's that. BGP hijacking at that point may even be detected and stopped, but it's already too late.
Tim Callan: You wouldn't know under those circumstances which DCV or CAA exercises had been compromised? There wouldn't really be a way to know that. So that's a bad attack. So what is in the future for Open MPIC?
Dmitry Sharkov: Well, so in the fairly immediate future, there's going to be continued tuning around performance, around logging, things like that, just from a usability standpoint, as CAs, including, of course, Sectigo, start to use this thing kind of at full volume, making sure that it can handle that volume effectively. And so there's that piece, and then functionally MPIC around S/MIME is coming up. That's around the corner. So Open MPIC will be supporting that and that may be it in terms of what we know for sure it needs and we may be able to just run with it at that point. But again, it depends on the learnings of the community, learnings that Sectigo has, running this at scale, at volume, whether it needs further tweaking, further optimization, whether we need to change anything around MPIC, even from a requirement standpoint. So Open MPIC will be kind of ready to adjust as needed.
Jason Soroko: That's great, Dmitry. Thanks so much for that. Glad to know you're making the internet a safer place. DCV is really important.
