
EGWG 2025-05-15: The C2PA Conformance Program, Scott Perry

May 20, 2025 | May 22nd, 2025 | Blog

Status: Verified by Presenter

Please note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.

Here is a detailed briefing document reviewing the main themes and most important ideas or facts from the provided source, generated by Google’s NotebookLM:

Briefing Document: Review of C2PA and its Governance

Date: May 15, 2024
Source: Excerpts from “GMT20250515-145218_Recording_2560x1440.mp4”
Presenter: Scott Perry, Co-chair of Trust over IP’s Foundations Steering Committee, Founder and CEO of the Digital Governance Institute, Co-chair of the Creator Assertions Working Group at the Decentralized Identity Foundation (DIF).
Topic: C2PA (Coalition for Content Provenance and Authenticity) and the Application of Trust over IP’s Governance Metamodel.

1. Executive Summary

This briefing summarizes a presentation by Scott Perry on the Coalition for Content Provenance and Authenticity (C2PA) and the application of the Trust over IP (ToIP) governance metamodel to its conformance program. The C2PA is an industry-wide initiative creating a technical standard to attach “truth signals” or provenance information to digital objects. Facing a critical need to operationalize and govern this specification to ensure market trust and adoption, the C2PA has adopted the ToIP governance metamodel. This framework provides the necessary structure to establish a conformance program, define roles and responsibilities, manage risks, and create trust lists for compliant products and certification authorities. The program is set to officially launch on June 4th, initially focusing on self-assertion for conformance and introducing two levels of implementation assurance, with plans for independent attestation and higher assurance levels in the future.

2. Key Themes and Ideas

  • The Problem of Trust in Digital Objects: The presentation highlights the growing challenge of establishing trust and authenticity for digital content in a world of easily manipulated or AI-generated media. This is particularly relevant for industries like telecommunications struggling with identity and verification, as noted by a participant’s observation about OTPs and SMS verification.
  • C2PA as a Standard for Provenance and Authenticity: The C2PA specification aims to provide a technical solution by creating a “content credential” or manifest that is cryptographically bound to a digital object. This manifest acts as a ledger of actions taken on the object, providing a history and “nutrition label” of its source and modifications. “basically, it’s all of the major tech companies except Apple… coming together to create a standard for provenance, authenticity, truth signals on digital objects that can be digitally attached to digital objects.”
  • Content Credential (Manifest): This is the core mechanism of the C2PA. It is a digitally attached ledger of actions taken on a digital object, such as “Camera took picture,” “edited picture,” or “an AI took this picture.” This manifest is “bound to it and linked to it” in a “cryptographically binding format,” providing tamper evidence.
  • Scope of C2PA Responsibility: The C2PA primarily focuses on “created assertions,” which are “product-driven,” documenting actions taken within a product (e.g., a camera generating a picture, Photoshop editing an image).
  • Distinction from “Gathered Assertions”: The C2PA does not take responsibility for “gathered assertions,” which are claims made by individuals or organizations outside of a product (e.g., “I Scott Perry took the picture” or industry-specific identifiers). These are the purview of other groups like CAWG (Content Authenticity Working Group) and related efforts like the Creator Assertions working group at DIF.
  • Binding Mechanism: The C2PA uses X.509 certificates to bind the generator product to the digital asset. “when a picture is taken, the X509 certificate will be used will be binding it will be used to bind it bind the product to the asset.” This requires camera manufacturers and other product vendors to obtain certificates from approved Certification Authorities (CAs).
  • The Need for Governance: While the C2PA created a technical specification, they recognized the critical need for a governance framework to operationalize and control the standard’s implementation and use in the market. “the key aspect is you have a spec out but you can’t control the use of the specification… they couldn’t get, you know, their arms around, you know, the on controlling its the specification use.”
  • Application of ToIP Governance Metamodel: Scott Perry highlights how the ToIP governance metamodel provided the necessary structure for the C2PA to build its conformance program. “I came in with my toolkit from the the trust over IP project and it worked beautifully. It just created the structure to allow them to make the right decisions for themselves.”
  • Key Components of the Governance Program (based on ToIP):
  • Risk Assessment: Started with a “threats and harms task force” to identify major risks, particularly around the tampering of evidence and manifests.
  • Governance Requirements and Framework: Defined primary documents (specification, security requirements, legal agreements) and control documents (privacy, inclusion, equitability requirements). A key output is a glossary of terms for the new ecosystem.
  • Governance Roles and Processes: Identified key roles: the Governing Authority (C2PA Steering Committee), the Administering Party (Conformance Task Force), and Governed Parties (CAs, Generator Product companies, Validator Product companies).
  • Legal Agreements: Formal agreements are being established between the C2PA and governed parties outlining roles, responsibilities, conformance requirements, and dispute resolution mechanisms.
  • Conformance Criteria and Assurance: Defined based on the C2PA specification and implementation security requirements. The program includes “four levels of of assurance around the implementation of products,” though initially rolling out with two levels. These levels are tied to “security objectives” and assessed against the “target of evaluation” (the product and its supporting infrastructure).
  • Conformance Process: Involves an intake form, application review, assessment of infrastructure (initially self-assertion, moving towards independent attestation), legal agreement signing, and adding records to trust lists.
  • Residual Risk Assessment and Adaptation: The program includes a process to learn from the rollout, identify unmet requirements or issues, and adapt the program for continuous improvement.
  • Trust Lists (Registries): Central to the program are trust lists identifying approved Generator Products, Validator Products, and Certification Authorities. A timestamp authority trust list is also being added.
  • Levels of Assurance: The program is defining levels (initially rolling out two) to reflect different degrees of confidence in the implementation of the C2PA specification and associated security requirements. Achieving a higher level of assurance requires meeting all requirements for that level.
  • Self-Assertion (Initial Rollout): Due to the complexity of auditing and getting the program launched quickly, the initial phase requires participants to self-assert that they meet the specification and requirements.
  • Conformance Certificate: Upon successful conformance, products will receive a certificate tied to an OID (Object Identifier) denoting the assurance level they have achieved. This OID in the manifest’s certificate will identify the assurance level of the provenance information.
  • JPEG Trust and Copyright: While C2PA provides provenance information that can be used for copyright, it doesn’t define ownership or copyright laws. JPEG Trust is mentioned as an organization creating an ISO standard focused on copyrights in concert with the C2PA standard.
  • Relationship with W3C: The C2PA is actively engaged with the W3C, with discussions happening at the technical working group level regarding related standards like PROV (for provenance).
  • Future Directions: Plans include introducing higher levels of assurance, implementing independent attested conformance, developing quality control software for assessing product compliance, and establishing a fee structure for the conformance program.
  • CAWG (Content Authenticity Working Group) as a Broader Ecosystem: CAWG is viewed as a potentially larger ecosystem dealing with identity, metadata, endorsements, and AI learning process specifications, which will need to create their own applications and standards that can integrate with the C2PA foundation.

3. Important Ideas and Facts

  • The C2PA is the Coalition for Content Provenance and Authenticity.
  • It includes major tech and product manufacturers, excluding Apple initially but aiming to include them.
  • The core technical output is the Content Credential (Manifest), a digitally attached ledger of actions on a digital object.
  • The manifest provides tamper evidence and binds the product to the asset using X.509 certificates.
  • C2PA focuses on “created assertions” (product-driven actions), leaving “gathered assertions” (individual/organizational claims) to other groups like CAWG.
  • The Trust over IP governance metamodel has been successfully applied to structure the C2PA conformance program.
  • The program addresses threats and harms related to tampering and requires adherence to implementation security requirements.
  • The C2PA conformance program will officially launch on June 4th at the Content Authenticity Initiative symposium in New York City.
  • The initial launch will include two levels of implementation assurance and a self-assertion confidence model.
  • Key outputs of the governance program are legal agreements and trust lists of conforming products and certification authorities.
  • The C2PA standard is becoming an ISO standard this year.
  • Timestamp authorities will play a crucial role in providing trust signals related to the time of claim assertion.
  • The program includes mediation and dispute resolution mechanisms in its legal agreements.
  • The governance program provides the structure for the C2PA to “operationalize the spec” and control its use.

4. Key Quotes

  • “basically, it’s all of the major tech companies except Apple… Coming together to create a standard for provenance, authenticity, truth signals on digital objects that can be digitally attached to digital objects.”
  • “what it what it’s proposed to do is to create a ledger of actions against a digital object that is bound to it.”
  • “It’s kind of the nutrition label on food… it’s really the nutrition label of all digital objects.”
  • “The C2PA did not want to get involved in all of the the potential root, you know, actions and and variances about those types of things. They wanted to create the platform.”
  • “They create the platform and they create the binding between the digital asset and the and the manifest using X509 certificates.”
  • “The key aspect is you have a spec out but you can’t control the use of the specification… they couldn’t get, you know, their arms around, you know, the on controlling its the specification use.”
  • “the governance program was needed to operationalize the spec. The spec was had, you know, a limitation in its usefulness without a governance program around it.”
  • “I came in with my toolkit from the the trust over IP project and it worked beautifully. It just created the structure to allow them to make the right decisions for themselves.”
  • “we’re creating a program which will hold generator and validator products accountable to the specification that’s already been published.”
  • “We are creating two levels of implement implementation assurance and we are are using a self assertion confidence model we don’t have the mechanisms in place to hold organizations accountable for meeting the specification we don’t have an you know an assurance mechanism in place yet to do that.”
  • “It is the hope that you know copyright laws can use the trust signals that are coming from the CTBA specification and conformance program in use for defining ownership and copyright.”
  • “The conformance criteria is the spec and the spec is now at at level 2.2.”
  • “we are looking at levels of assurance around the implementation of a product. Now it’s not just the product but it’s also its infrastructure.”
  • “These are the kinds of records that were that are in the schema for the trust list.”

5. Next Steps

  • Official launch of the C2PA conformance program on June 4th.
  • Continued work on independent attestation and higher levels of assurance for the conformance program.
  • Development of quality control software or processes for assessing product compliance.
  • Ongoing collaboration with W3C and other relevant standards bodies.
  • Further exploration of the broader CAWG ecosystem and its integration with C2PA.

This briefing provides a foundational understanding of the C2PA, its technical specification, and the crucial role of the newly established governance program, structured using the Trust over IP metamodel, in driving its adoption and ensuring trust in the digital content landscape.

For more details, including the meeting transcript, please see our wiki: 2025-05-15 Scott Perry & The C2PA Conformance Program.