The internet PKI currently relies on trust-on-first-use (TOFU) for certificate issuance: certificate authorities validate domain control over insecure communication channels. This leaves issuance vulnerable to man-in-the-middle attacks and BGP hijacking. Multi-Perspective Issuance Corroboration (MPIC) will become mandatory in September 2025 to improve security by requiring validation from multiple geographic locations. A new research proposal suggests integrating DNSSEC with PKI through cryptographic domain validation methods; some aspects have already been adopted, including mandatory DNSSEC validation for certificate authorities. This convergence could create a fully authenticated trust model combining DNSSEC security with PKI transparency and control.