From a055bdb2953c0551c16c59c3bfc3186d2957acc8 Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Tue, 12 Aug 2025 11:32:29 -0700 Subject: [PATCH 1/3] Initial commit --- docs/signing/get-cert.md | 8 +++++--- docs/trust-list.mdx | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/signing/get-cert.md b/docs/signing/get-cert.md index 9322ccf..a6e050b 100644 --- a/docs/signing/get-cert.md +++ b/docs/signing/get-cert.md @@ -7,7 +7,8 @@ title: Getting a signing certificate Best practices for handling keys and certificates are beyond the scope of this documentation. Always protect your private keys with the highest level of security; for example, never share them through insecure channels such as email. ::: -To sign manifest claims, you must have an X.509 v3 security certificate and key that conform to the requirements laid out in the [C2PA specification](https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#x509_certificates). +To sign manifest claims, you must have an X.509 v3 security certificate and key that conform to the requirements laid out in the [C2PA specification](https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#x509_certificates). Additionally, the C2PA program provides a [Certificate Policy](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Certificate%20Policy.pdf) containing the requirements for a certification authority (CA) to follow when issuing C2PA claim signing certificates and the requirements for the use of such certificates. + ## Purchasing a certificate 
@@ -32,10 +33,11 @@ You must purchase a signing certificate from a certificate authority (CA). The | CA | S/MIME email signing | Document signing | |----|----------------------|------------------| -| GlobalSign | [S/MIME email signing](https://shop.globalsign.com/en/secure-email) | [Document signing](https://shop.globalsign.com/en/document-signing) | -| IdenTrust | [S/MIME email signing](https://www.identrust.com/digital-certificates/secure-email-smime) | [Document signing](https://www.identrust.com/digital-certificates/document-signing) | | Comodo Cybersecurity | [S/MIME email signing](https://ssl.comodoca.com/s-mime) | [Document signing](https://ssl.comodoca.com/document-signing-certificates) | | Digicert | [S/MIME email signing](https://www.digicert.com/tls-ssl/secure-email-smime-certificates) | [Document signing](https://www.digicert.com/signing/document-signing-certificates) | +| GlobalSign | [S/MIME email signing](https://shop.globalsign.com/en/secure-email) | [Document signing](https://shop.globalsign.com/en/document-signing) | +| IdenTrust | [S/MIME email signing](https://www.identrust.com/digital-certificates/secure-email-smime) | [Document signing](https://www.identrust.com/digital-certificates/document-signing) | +| SSL.com | [S/MIME email signing](https://www.ssl.com/certificates/s-mime-certificates/) | [Document signging](https://www.ssl.com/certificates/document-signing-certificates/) | ### Certificate signing requests (CSRs) diff --git a/docs/trust-list.mdx b/docs/trust-list.mdx index c142ea2..e11e242 100644 --- a/docs/trust-list.mdx +++ b/docs/trust-list.mdx 
@@ -15,7 +15,7 @@ The C2PA **[Verify tool](https://contentcredentials.org/verify)** uses a list of Conversely, if the Content Credential was signed by a known certificate, the Verify tool will display the [name of the certificate owner and time of the claim signature](verify.mdx#title-and-signing-information). :::note -The C2PA intends to publish an official public list of known certificates. Until then, **[Verify](https://contentcredentials.org/verify)** uses a temporary list. The list is subject to change and will be deprecated when C2PA publishes the official list. +Currently, **[Verify](https://contentcredentials.org/verify)** uses a temporary list, but in mid-2025, the C2PA released its official trust lists, and Verify will be updated to use them soon. ::: ## Temporary known certificate list From 190471080b1163e14316672d9abbefc951654483 Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Thu, 28 Aug 2025 16:58:51 -0700 Subject: [PATCH 2/3] wip --- docs/conformance.mdx | 19 +++++++++++++++++++ docs/trust-list.mdx | 12 ++++++++++-- 2 files changed, 29 insertions(+), 2 deletions(-) create mode 100644 docs/conformance.mdx diff --git a/docs/conformance.mdx b/docs/conformance.mdx new file mode 100644 index 0000000..24c9527 --- /dev/null +++ b/docs/conformance.mdx 
@@ -0,0 +1,19 @@ +--- +id: conformance +title: C2PA conformance program +--- + +In mid-2025, C2PA launched its [conformance program](https://c2pa.org/conformance) and the transition to the official C2PA trust list. The [temporary (interim) trust list](trust-list.mdx) is being retired, since it was a temporary measure for early C2PA implementations. + +The temporary trust list provided critical support during the early adoption phase of C2PA and enabled the C2PA Verify website to: + +- Determine which certificates were valid. +- Prevent unknown signers from appearing as valid. + +The new [C2PA trust list](https://github.com/c2pa-org/conformance-public/tree/main/trust-list), governed under the C2PA conformance program, introduces key enhancements: + +- A new [public certificate policy](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Certificate%20Policy.pdf) that specifies C2PA requirements for certificate authorities (CAs). +- Higher security and interoperability. +- Stronger accountability and governance. +- Alignment with the C2PA 2.x technical specification. +- A robust governance framework. diff --git a/docs/trust-list.mdx b/docs/trust-list.mdx index e11e242..d104923 100644 --- a/docs/trust-list.mdx +++ b/docs/trust-list.mdx 
@@ -1,10 +1,14 @@ --- id: verify-known-cert-list -title: Verify tool known certificate list +title: The interim trust list --- import verify_unknown_source from '../static/img/verify-cc-unknown-source.png'; +:::warning +The process described on this page is deprecated. The C2PA has released its official trust lists, and Verify will be updated to use them soon. See [Conformance](conformance.mdx) for more information. +::: + The C2PA **[Verify tool](https://contentcredentials.org/verify)** uses a list of _known certificates_ (sometimes referred to as a "trust list") to determine whether a Content Credential was issued by a known source. If an asset's Content Credential was not signed by a known certificate, the Verify tool will display this message: Date: Fri, 29 Aug 2025 16:55:52 -0700 Subject: [PATCH 3/3] Initial draft of conformance page --- docs/conformance.mdx | 44 +++++++++++++++++++++++++++++++++++++++----- docs/trust-list.mdx | 4 ++-- sidebars.js | 5 +++++ 3 files changed, 46 insertions(+), 7 deletions(-) diff --git a/docs/conformance.mdx b/docs/conformance.mdx index 24c9527..a6c158d 100644 --- a/docs/conformance.mdx +++ b/docs/conformance.mdx 
@@ -3,17 +3,51 @@ id: conformance title: C2PA conformance program --- -In mid-2025, C2PA launched its [conformance program](https://c2pa.org/conformance) and the transition to the official C2PA trust list. The [temporary (interim) trust list](trust-list.mdx) is being retired, since it was a temporary measure for early C2PA implementations. +In mid-2025, C2PA launched its [conformance program](https://c2pa.org/conformance) for: -The temporary trust list provided critical support during the early adoption phase of C2PA and enabled the C2PA Verify website to: +- Products that read and validate Content Credentials, referred to as _validator products_. +- Products that generate Content Credentials, referred to as _generator products_. +- Certificate authorities (CAs) -- Determine which certificates were valid. -- Prevent unknown signers from appearing as valid. +## Validator products -The new [C2PA trust list](https://github.com/c2pa-org/conformance-public/tree/main/trust-list), governed under the C2PA conformance program, introduces key enhancements: +A _validator product_ can read and validate a manifest store for a digital asset. +A conforming validator product is accountable for producing correct validation results that conform to the C2PA Content Credentials specification. + +For more details, see [C2PA conformance program](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Conformance%20Program.pdf). + +## Generator products + +A _generator product_ can generate a manifest store for a digital asset that conforms to the C2PA Content Credentials specification. A generator product creates assertions in the asset's active manifest and signs a claim using a valid X.509 certificate on the C2PA trust list. + +A conforming generator product is accountable for producing correct manifests and claims that conform to the C2PA Content Credentials specification. 
+ +For more details, see [C2PA conformance program](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Conformance%20Program.pdf). + +## Certificate authorities + +The C2PA certificate policy sets requirements for a Certificate Authority (CA) that issues claim signing certificates to developers of generator products, and the requirements that those developers have to meet in the use of the certificates. + +The policy requires that CAs only issue claim signing certificates to generator products that are on the conforming products list. + +CAs that comply with the certificate policy and want to issue certificates under the C2PA conformance program must apply to the C2PA governing authority for inclusion on the +C2PA trust list. + +## C2PA trust lists + +The new [C2PA trust lists](https://github.com/c2pa-org/conformance-public/tree/main/trust-list), governed under the C2PA conformance program, introduces key enhancements: - A new [public certificate policy](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Certificate%20Policy.pdf) that specifies C2PA requirements for certificate authorities (CAs). - Higher security and interoperability. - Stronger accountability and governance. - Alignment with the C2PA 2.x technical specification. - A robust governance framework. + +C2PA maintains two trust lists: + +- **C2PA trust list**: A list of X.509 certificate trust anchors (either root or subordinate certification authorities) that issue certificates to conforming generator products under the C2PA Certificate Policy. +- **C2PA time-stamping authority (TSA) trust list**: A list of X.509 certificate trust anchors (either root or subordinate certification authorities) that issue time-stamp signing certificates to TSAs. + +### Interim trust list + +With the introduction of the C2PA trust list, the existing [temporary (interim) trust list](trust-list.mdx) is being retired. 
It provided critical support during the early adoption phase of C2PA and enabled the [C2PA Verify website](https://contentcredentials.org/verify) to determine which certificates were valid and prevent unknown signers from appearing as valid. diff --git a/docs/trust-list.mdx b/docs/trust-list.mdx index d104923..f311513 100644 --- a/docs/trust-list.mdx +++ b/docs/trust-list.mdx @@ -5,8 +5,8 @@ title: The interim trust list import verify_unknown_source from '../static/img/verify-cc-unknown-source.png'; -:::warning -The process described on this page is deprecated. The C2PA has released its official trust lists, and Verify will be updated to use them soon. See [Conformance](conformance.mdx) for more information. +:::warning Warning +The process described on this page is deprecated. The C2PA has released its official trust lists, and Verify will be updated to use them soon. See [C2PA conformance program](conformance.mdx) for more information. ::: The C2PA **[Verify tool](https://contentcredentials.org/verify)** uses a list of _known certificates_ (sometimes referred to as a "trust list") to determine whether a Content Credential was issued by a known source. If an asset's Content Credential was not signed by a known certificate, the Verify tool will display this message: diff --git a/sidebars.js b/sidebars.js index c914a7e..906656f 100644 --- a/sidebars.js +++ b/sidebars.js @@ -295,6 +295,11 @@ const sidebars = { }, ], }, + { + type: 'doc', + label: 'C2PA conformance program', + id: 'conformance', + }, { type: 'category', label: 'Durable Content Credentials',
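Review bot: the SSL.com row added to the CA table in docs/signing/get-cert.md (patch 1/3) has a typo in its link text: `| SSL.com | [S/MIME email signing](https://www.ssl.com/certificates/s-mime-certificates/) | [Document signging](https://www.ssl.com/certificates/document-signing-certificates/) |` should read "Document signing". Re-sorting the GlobalSign and IdenTrust rows into alphabetical order alongside the new entry otherwise looks right.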
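Review bot: the rewritten note in docs/trust-list.mdx (patch 1/3) mixes tenses and hinges on a word that will go stale: "Currently, **[Verify](https://contentcredentials.org/verify)** uses a temporary list, but in mid-2025, the C2PA released its official trust lists, and Verify will be updated to use them soon." It also drops the removed line's caveat that the temporary list is subject to change, which anyone still relying on that list for trust decisions needs to see. Suggest: "The C2PA released its official trust lists in mid-2025. Until Verify is updated to use them, it uses a temporary list that is subject to change."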
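Review bot: the "key enhancements" list in the new docs/conformance.mdx (patch 2/3) overlaps with itself and is vague where it should be concrete: "Stronger accountability and governance." and "A robust governance framework." say the same thing, and "Higher security and interoperability." names no actual change. Suggest merging the two governance bullets and saying what the new list changes in practice, namely that issuing CAs are bound by the public certificate policy the first bullet already links to.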
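Review bot: the `:::warning` admonition added at the top of docs/trust-list.mdx (patch 2/3) repeats the deprecation note that patch 1/3 left further down in the same file ("Currently, **[Verify](https://contentcredentials.org/verify)** uses a temporary list, but in mid-2025, the C2PA released its official trust lists, and Verify will be updated to use them soon."). One deprecation notice per page is enough; keep the warning and drop or shorten the later note so the two cannot drift apart as Verify is updated.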
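Review bot: in the "Generator products" section of docs/conformance.mdx (patch 3/3), "signs a claim using a valid X.509 certificate on the C2PA trust list" conflates the signer's leaf certificate with the trust anchors; the same hunk later defines the C2PA trust list as "X.509 certificate trust anchors (either root or subordinate certification authorities) that issue certificates to conforming generator products". Suggest "signs a claim using an X.509 certificate issued by a CA on the C2PA trust list", so readers do not expect signing certificates themselves to appear on the list. Smaller points in the same hunk: "The new [C2PA trust lists](...) ... introduces key enhancements" should be "introduce"; the third intro bullet "Certificate authorities (CAs)" lacks the terminating period the other two have; the sentence "The policy requires that CAs only issue claim signing certificates to generator products that are on the conforming products list." should link the Certificate Policy PDF it is drawn from, as the trust-lists section does; and the "For more details, see [C2PA conformance program](...)" line appears verbatim under both Validator products and Generator products, so one reference after both sections would do.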
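Review bot: the `:::warning Warning` change in docs/trust-list.mdx (patch 3/3) is cosmetic, since the admonition already renders a warning title; the substantive issue in this hunk is that "Verify will be updated to use them soon" will read as wrong once it either happens or slips. Suggest "until Verify is updated to use them, it continues to use the interim list described here", which stays true either way. Updating the cross-reference text to "C2PA conformance program" to match the new page title is fine.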
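Review bot: the new sidebar entry in sidebars.js (patch 3/3) uses `id: 'conformance'`, which matches the frontmatter id in docs/conformance.mdx, so the link will resolve. Since patch 2/3 retitled docs/trust-list.mdx to "The interim trust list" without touching its sidebar entry, check whether that doc (id `verify-known-cert-list`) has a hard-coded `label` elsewhere in sidebars.js that still reads "Verify tool known certificate list" and update it in the same PR.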