53 changes: 53 additions & 0 deletions docs/conformance.mdx
@@ -0,0 +1,53 @@
---
id: conformance
title: C2PA conformance program
---

In mid-2025, C2PA launched its [conformance program](https://c2pa.org/conformance) for:

- Products that read and validate Content Credentials, referred to as _validator products_.
- Products that generate Content Credentials, referred to as _generator products_.
- Certificate authorities (CAs)

## Validator products

A _validator product_ can read and validate a manifest store for a digital asset.
A conforming validator product is accountable for producing correct validation results that conform to the C2PA Content Credentials specification.

For more details, see [C2PA conformance program](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Conformance%20Program.pdf).

## Generator products

A _generator product_ can generate a manifest store for a digital asset that conforms to the C2PA Content Credentials specification. A generator product creates assertions in the asset's active manifest and signs a claim using a valid X.509 certificate on the C2PA trust list.

A conforming generator product is accountable for producing correct manifests and claims that conform to the C2PA Content Credentials specification.

For more details, see [C2PA conformance program](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Conformance%20Program.pdf).

## Certificate authorities

The C2PA certificate policy sets requirements for a Certificate Authority (CA) that issues claim signing certificates to developers of generator products, and the requirements that those developers have to meet in the use of the certificates.

The policy requires that CAs only issue claim signing certificates to generator products that are on the conforming products list.

CAs that comply with the certificate policy and want to issue certificates under the C2PA conformance program must apply to the C2PA governing authority for inclusion on the
C2PA trust list.

## C2PA trust lists

The new [C2PA trust lists](https://github.com/c2pa-org/conformance-public/tree/main/trust-list), governed under the C2PA conformance program, introduces key enhancements:

- A new [public certificate policy](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Certificate%20Policy.pdf) that specifies C2PA requirements for certificate authorities (CAs).
- Higher security and interoperability.
- Stronger accountability and governance.
- Alignment with the C2PA 2.x technical specification.
- A robust governance framework.

C2PA maintains two trust lists:

- **C2PA trust list**: A list of X.509 certificate trust anchors (either root or subordinate certification authorities) that issue certificates to conforming generator products under the C2PA Certificate Policy.
- **C2PA time-stamping authority (TSA) trust list**: A list of X.509 certificate trust anchors (either root or subordinate certification authorities) that issue time-stamp signing certificates to TSAs.

### Interim trust list

With the introduction of the C2PA trust list, the existing [temporary (interim) trust list](trust-list.mdx) is being retired. It provided critical support during the early adoption phase of C2PA and enabled the [C2PA Verify website](https://contentcredentials.org/verify) to determine which certificates were valid and prevent unknown signers from appearing as valid.
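Review bot: The "Interim trust list" section says the interim list "is being retired" without giving a schedule, while docs/trust-list.mdx in this same PR states it remains operational through December 31, 2025 and is frozen on January 1, 2026; repeat those dates here or say that the linked page carries the timeline. In "Certificate authorities", the "conforming products list" is named but never linked or defined, so a reader cannot tell where to check whether a product qualifies. Under "C2PA trust lists", "The new C2PA trust lists ... introduces" should read "introduce", and the bullets "Stronger accountability and governance" and "A robust governance framework" make the same point and can be merged. The third item in the opening list, "Certificate authorities (CAs)", lacks the one-line description and closing period the other two items have.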
3 changes: 2 additions & 1 deletion docs/signing/get-cert.md
Expand Up @@ -7,7 +7,8 @@ title: Getting a signing certificate
Best practices for handling keys and certificates are beyond the scope of this documentation. Always protect your private keys with the highest level of security; for example, never share them through insecure channels such as email.
:::

To sign manifest claims, you must have an X.509 v3 security certificate and key that conform to the requirements laid out in the [C2PA specification](https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#x509_certificates).
To sign manifest claims, you must have an X.509 v3 security certificate and key that conform to the requirements laid out in the [C2PA specification](https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#x509_certificates). Additionally, the C2PA program provides a [Certificate Policy](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Certificate%20Policy.pdf) containing the requirements for a certification authority (CA) to follow when issuing C2PA claim signing certificates and the requirements for the use of such certificates.


## Purchasing a certificate

Expand Down
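Review bot: The added sentence points to the Certificate Policy but leaves out the consequence that matters to someone reading "Getting a signing certificate": docs/conformance.mdx in this PR states that CAs may only issue claim signing certificates to generator products on the conforming products list. Say that here, or link to conformance.mdx, so readers learn the prerequisite before they approach a CA. "the C2PA program" should match the name used elsewhere in the PR, "C2PA conformance program". The hunk also adds a second blank line before "## Purchasing a certificate"; one is enough.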
12 changes: 10 additions & 2 deletions docs/trust-list.mdx
@@ -1,10 +1,14 @@
---
id: verify-known-cert-list
title: Verify tool known certificate list
title: The interim trust list
---

import verify_unknown_source from '../static/img/verify-cc-unknown-source.png';

:::warning Warning
The process described on this page is deprecated. The C2PA has released its official trust lists, and Verify will be updated to use them soon. See [C2PA conformance program](conformance.mdx) for more information.
:::

The C2PA **[Verify tool](https://contentcredentials.org/verify)** uses a list of _known certificates_ (sometimes referred to as a "trust list") to determine whether a Content Credential was issued by a known source. If an asset's Content Credential was not signed by a known certificate, the Verify tool will display this message:

<img
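Review bot: The new warning states "The process described on this page is deprecated", but the text added lower in this file says C2PA "will continue to accept new certificates following the process described below" through December 31, 2025; a reader who stops at the warning will conclude that submissions are already closed. Suggest wording the warning to say the list is being phased out and naming the cutoff date. "Verify will be updated to use them soon" gives no date or tracking link, so it will go stale without anyone noticing. The title becomes "The interim trust list" while the first paragraph still introduces the list as "known certificates", so the opening sentence should mention the new name.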
Expand All @@ -15,11 +19,15 @@ The C2PA **[Verify tool](https://contentcredentials.org/verify)** uses a list of
Conversely, if the Content Credential was signed by a known certificate, the Verify tool will display the [name of the certificate owner and time of the claim signature](verify.mdx#title-and-signing-information).

:::note
The C2PA intends to publish an official public list of known certificates. Until then, **[Verify](https://contentcredentials.org/verify)** uses a temporary list. The list is subject to change and will be deprecated when C2PA publishes the official list.
Currently, **[Verify](https://contentcredentials.org/verify)** uses the temporary trust list described here, but in 2025 the C2PA released its official trust lists, and Verify will be updated to use them soon.
:::

## Temporary known certificate list

The temporary known certificate list (also known as the _interim trust list_) will remain operational **through December 31, 2025**. During this time, C2PA will continue to accept new certificates following the process described below. At some point, the Verify site will distinguish between Content Credentials from conforming products on the official C2PA trust list and those relying on the interim trust list.

On **January 1, 2026**, the temporary trust list will be frozen: CAI will not add any new entries or make updates. Existing certificates will remain valid, and the Verify site will distinguish Content Credentials signed using those certificates. Eventually, those certificates will expire and no longer be usable for signing. However, if content was signed during the certificate's validity period, the content will always be considered valid against the interim trust list.

The [contentcredentials.org](https://contentcredentials.org/) site hosts the following files that it uses to [validate signing certificates](https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_c2pa_signers). Together, these files form the _temporary known certificate list_:

- **The temporary end-entity certificate list** in https://contentcredentials.org/trust/allowed.pem consists of end-entity certificates. If the certificate is on this list, it is considered "known." To reduce bandwidth consumption, a [version with SHA-256 hashes](https://contentcredentials.org/trust/allowed.sha256.txt) of the certificates is also available.
Expand Down
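Review bot: The two added paragraphs under "Temporary known certificate list" name different bodies for the same job: "C2PA will continue to accept new certificates" and then "CAI will not add any new entries", with CAI not introduced anywhere in the visible text; pick one or explain the split. The same list is called "temporary known certificate list", "interim trust list" and "temporary trust list" within a few lines, so settle on one term and give the others once as aliases. The rewritten note repeats the warning added at the top of the file nearly word for word ("Verify will be updated to use them soon"), so one of the two can go. "the content will always be considered valid" rests on knowing that signing happened "during the certificate's validity period", but the text does not say how the signing time is established; state what evidence Verify relies on for that. "At some point" and "Eventually" give readers nothing to plan against.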
5 changes: 5 additions & 0 deletions sidebars.js
Expand Up @@ -295,6 +295,11 @@ const sidebars = {
},
],
},
{
type: 'doc',
label: 'C2PA conformance program',
id: 'conformance',
},
{
type: 'category',
label: 'Durable Content Credentials',
Expand Down
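Review bot: The new entry's label: 'C2PA conformance program' duplicates the title set in the front matter of docs/conformance.mdx, so the two strings can drift apart if one is edited later; drop the explicit label if the sidebar can take it from the document, or leave a comment noting they must match. This PR also retitles docs/trust-list.mdx to "The interim trust list", and no sidebar change for that page appears in this hunk; check whether sidebars.js carries an explicit label for it that still shows the old title. The entry is placed at the top level between two categories; confirm that is the intended position rather than next to the trust list page it supersedes.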