
Conformance

Conformance Program

The C2PA Conformance Program provides assurance that products producing and consuming Content Credentials adhere to the Content Credentials specification, and fulfill a set of security requirements to ensure they are producing and validating C2PA data correctly.

This Conformance Program is a risk-based, transparent and unbiased governance process intended to hold generator products, validator products and certification authorities accountable to the Content Credentials specification, the Certificate Policy and the Security Requirements. Conforming products are placed on a publicly accessible list. This conveys confidence in the implementation and its security to the public and guarantees interoperability across products in the Content Credentials ecosystem.

C2PA Trust List

Launching the C2PA Trust List

As part of the maturation of the C2PA ecosystem, we have launched the C2PA Conformance Program, and with it the transition to the official C2PA Trust List (C2PA TL). This means we’ll retire the Interim Trust List (ITL), which was a temporary measure for early C2PA implementations.

Why This Change?

The ITL provided critical support during the early adoption phase of C2PA, determining which certificates were considered valid by the C2PA Verify website and preventing unknown signers from appearing as valid there. The new C2PA TL, governed under the C2PA Conformance Program, introduces key enhancements:

  • A new public Certificate Policy which specifies C2PA requirements for CAs
  • Higher security and interoperability
  • Stronger accountability and governance
  • Alignment with the C2PA 2.x specification series
  • A robust governance framework

Goals

  1. Encourage ecosystem alignment with the 2.x specification
    This reduces fragmentation between 1.x and 2.x and improves overall security and compatibility.
  2. Avoid unnecessary disruption for existing implementations
    We aim to guide the transition without forcing product teams to move prematurely.
  3. Incentivize upgrades to C2PA 2.x
    By eventually sunsetting support for certificates issued under the ITL, we’ll seek to promote ecosystem progress without strict mandates.
  4. Add Time Stamping Authorities to our Trust Lists
    This allows Generator Product companies to obtain time stamp certificates from participating Certification Authorities whose certificates appear on the TSA Trust List.

Plan and Timeline

  1. Through December 31, 2025
    • The ITL will remain operational. During this time, new certificates will continue to be accepted and the Verify site will continue to display manifests as trusted, albeit with a disclaimer that these manifests were made with an older version of the trust model. The C2PA will strongly encourage adoption of the Conformance Program and the official C2PA Trust List.
  2. January 1, 2026
    • The ITL will be frozen. No new entries will be added, and no updates will be made.
    • Existing certificates will remain valid for legacy support, but no future refreshes or additions will occur. Eventually, those certificates will expire and no longer be usable for signing. However, if content was signed during the ITL certificate’s validity period, the content will always be considered valid against the legacy trust model.
    • Support for ITL certificates on the Verify site will be deprecated, with timing to be determined and communicated well in advance.
  3. Product Messaging
    • Implementers are encouraged to begin alerting users that ITL-based certificates (typically tied to C2PA 1.4) will be deprecated and will eventually be unsupported.

What’s Next?

The C2PA will provide additional technical guidance and migration instructions with enhancements to this document. It is recommended that you start preparing your implementations for C2PA Conformance and official C2PA Trust List support.

Questions?