Request for CA Peer Support on MPIC Implementation


Ben Wilson

Apr 14, 2025, 8:43:30 PM
to server...@groups.cabforum.org

Hi all,

I've heard from a new CA that is working to implement MPIC and is finding it challenging to get started.

If there are any CAs who have already implemented MPIC (either using Open MPIC or through another approach), would you be willing to share your expertise with them? I think some peer insight could go a long way in helping them move forward.

Let me know if you'd be willing, and I can connect you with them.

Thanks,

Ben


Henry Birge-Lee

Apr 14, 2025, 9:57:17 PM
to server...@groups.cabforum.org
Hi all,

Obviously the best support comes from another CA going through implementation, but I will mention for a quick way to get started the Open MPIC AWS Lambda implementation can get an API endpoint running fairly quickly. We recently accepted a pull request from Jaime Hablutzel which improved stability and reduced latencies, so at least in our internal testing it is running fairly well now.

Best,
Henry

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CA%2B1gtabs9ijggxE1gf90mT%3Die9m%2B76bqiPzFpDUt0G%3D6p5z3ZQ%40mail.gmail.com.

Ruby Jane Díez Aquino

Apr 15, 2025, 1:04:28 AM
to server...@groups.cabforum.org
Good day,
Thank you so much for this email.
I am still looking forward, apart from my secure data analyst online, regardless of being disrupted online, working voluntarily as part of MICROSOFT TRADEMARK GUIDANCE.
This Guide provides a doctrine to support schools in conducting vulnerability assessments and planning to implement layered physical security elements. The guide is designed for schools to employ in conjunction with the SSAT, a web-based tool that provides further guidance.

Pedro FUENTES

Apr 15, 2025, 2:36:16 AM
to server...@groups.cabforum.org
Hello,
Yes, we (WISeKey/OISTE) were on the verge of looking for an alternative, as Open MPIC was not behaving satisfactorily, but (thanks to the work of Jaime, in my team) it seems much better now and an approach that we can recommend.
BR/P



WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager

Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
Stay connected with WISeKey

THIS IS A TRUSTED MAIL: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature to avoid security risks

CONFIDENTIALITY: This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender

DISCLAIMER: WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.

Mike Agrenius Kushner

Apr 15, 2025, 3:40:32 AM
to server...@groups.cabforum.org

Hi,

We implemented support for Open MPIC in the latest (9.2) release of EJBCA – we’d be happy to lend any support or answer any questions from any CAs having issues.

Cheers,

Mike

大野 文彰

Apr 15, 2025, 7:09:06 AM
to server...@groups.cabforum.org

Hello Mike-san,

Does Open-MPIC work with multiple threads?

We are interested in seeing how long it takes to issue one certificate and whether it works with multiple validation requests in succession.

Best regards,

ONO Fumiaki / 大野 文彰

SECOM Trust Systems Co., Ltd.

Szőke Sándor

Apr 15, 2025, 9:37:13 AM
to server...@groups.cabforum.org

Hi,

Microsec has developed its own MPIC solution through another approach, operating with more remote network perspectives than currently required.

Microsec can offer this solution as a service, or we can help with the development for other CAs.

Please send us the contact information if anyone is interested in our solution.

Thanks,

Sándor

Jaime Hablutzel

Apr 15, 2025, 2:06:03 PM
to server...@groups.cabforum.org
For the AWS Lambda implementation (https://github.com/open-mpic/aws-lambda-python), concurrency is handled as described in https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html:

> When your function receives its very first request…, Lambda creates a new execution environment and runs the code …. During this entire process, this execution environment is busy and cannot process other requests.
> When Lambda finishes processing the first request, this execution environment can then process additional requests for the same function. For subsequent requests, Lambda doesn't need to re-initialize the environment.

Now, if no execution environments are available (e.g., due to inactivity and subsequent termination), an initial request may experience a startup delay of several seconds. Subsequent requests reuse the existing environments and respond quickly.

However, if multiple concurrent requests arrive after a period of inactivity, each may incur this startup delay.

This can likely be improved by maintaining a configurable number of warm execution environments using provisioned concurrency (https://docs.aws.amazon.com/lambda/latest/dg/provisioned-concurrency.html). I’ll try to contribute this to the project when possible—though if someone else wants to tackle it, that’d be great.

For the traditional containers version (https://github.com/open-mpic/open-mpic-containers), this issue likely doesn’t occur since the containers are always running, though I’m less familiar with that setup.

PS: For more details I suggest you sign up to the Open MPIC Slack, as this is off topic here.

大野 文彰

Apr 15, 2025, 9:29:25 PM
to server...@groups.cabforum.org

Hello,

Thank you for providing useful information.

Best regards,

ONO Fumiaki / 大野 文彰

SECOM Trust Systems Co., Ltd.


Daniel Jeffery

Apr 17, 2025, 6:50:08 AM
to server...@groups.cabforum.org
Hello Mike and CAs using EJBCA,

This question piqued my curiosity and I went out to read the EJBCA documentation on how to implement the MPIC validator. I was surprised to read that it appears to ONLY query an Open MPIC endpoint for a CAA test and says nothing about performing any DCV tests.

Since MPIC DCV tests are MUSTs in the BRs for many validations, I am really curious how CAs using EJBCA are meeting the MPIC requirement. It seems that if Open MPIC is working great, performing all the required checks from EJBCA may be the heart of the confusion for this CA. Can someone from Keyfactor or a CA using EJBCA clarify how to run the required DCV tests with the MPIC Validator, or whether they're using some other tool for that?

Dan

--
Daniel Jeffery | TLS

Pedro FUENTES

Apr 17, 2025, 9:18:58 AM
to server...@groups.cabforum.org
Hi Dan,
EJBCA doesn’t provide functionalities for DCV, so this must be developed separately by the CA as part of the certificate request and validation process, and this development would include the logic for information reuse according to the BR.

EJBCA allows defining pre-issuance validators, such as linting or CAA checking, so issuance only happens when all checks are successful, but these validators aren’t useful for DCV.

The capability related to MPIC in EJBCA would be, therefore, to ensure that every issuance is checking CAA with multiple perspectives. This is not strictly required in all cases, as the BR has specific wording about the need to use remote perspectives during a reuse period of 398 days. EJBCA doesn’t implement the reuse logic, but some CAs can decide to play safe and still do MPIC CAA for every issuance.

In summary… CAs using EJBCA already had to develop their own DCV capability, and now this development has to be adapted for MPIC.

P

Daniel Jeffery

Apr 17, 2025, 12:37:46 PM
to server...@groups.cabforum.org
Thank you, Pedro. That is what I was missing. I had assumed EJBCA incorporated DCV capabilities and didn't realize that was left up to the individual CA to implement on their own.

Dan

Ryan Hurst

Apr 17, 2025, 12:46:49 PM
to server...@groups.cabforum.org

Pedro FUENTES

Apr 17, 2025, 1:02:47 PM
to server...@groups.cabforum.org, server...@groups.cabforum.org
Yep. I forgot about that. Although I don’t know if that supports MPIC already… (we don’t use it, as we did our own implementation of ACME)

Jeremy Rowley

Apr 17, 2025, 1:11:18 PM
to server...@groups.cabforum.org

Note that this was a reason for open-sourcing DigiCert’s validation as well. You can tie that system into EJBCA and have full support for all allowed BR methods (as EJBCA already has the ACME validation complete). We use EJBCA for some CA operations.

Henry Birge-Lee

Apr 17, 2025, 4:02:13 PM
to server...@groups.cabforum.org
Hi all,

To briefly follow up from the Open MPIC side, Open MPIC currently has a stable implementation of ACME http-01 and dns-01. We have tls-alpn-01 support under development. I suspect that putting in an Open MPIC call after the EJBCA built-in ACME validation could be used to satisfy the MPIC requirement on the ACME validation methods.

Best,
Henry

Mike Agrenius Kushner

Apr 22, 2025, 3:36:45 AM
to server...@groups.cabforum.org

Hi all,

Sorry for the delay in response – we had a long public holiday over Easter here.

EJBCA as a PKI implementation doesn’t provide a complete plug-and-play software package for starting up your own public facing CA; rather, it’s a generalized certificate engine which we’re bound to keep compliant with cabf requirements. So in terms of features we prioritize, the focus is on automation, and while we do strive to add as much useful functionality to EJBCA as possible – there are always going to be steps which a CA is required to perform themselves. We’re looking into implementing some degree of automation for non-ACME DCV though.

As noted, EJBCA from version 9.2 uses Open MPIC for CAA and ACME, which was the automation which we provided earlier. There were some internal discussions on whether to implement a custom MPIC implementation or to support Open MPIC, but after discussions with some customers we decided to go the Open MPIC route. While there are some regressions in functionality (such as support for tls-alpn-01 as noted by Henry below), we’re big believers in community-driven projects such as Open MPIC and pkimetal (also supported from 9.2), because we regard commonly developed and audited tools to be more likely to be compliant over time. One of the things I personally love about this community is the willingness (as exemplified by Jeremy below) to share tools such as linters and key validation in order to ensure compliance across the board.

In terms of future support, I’ve reached out to Henry and my plan is to start a regular cadence of meetings to discuss Open MPIC and further collaboration.

Cheers,

Mike