Conforming Products
The C2PA recognizes that parties that rely on media for critical decisions need assurance that files that contain C2PA Content Credentials were created using products, devices, or services that implement the C2PA Content Credentials specification correctly and securely. Likewise, those relying parties need assurances that products that validate files with C2PA Content Credentials do so correctly and securely.
In response to these needs, the C2PA has created the C2PA Conformance Program, which evaluates C2PA implementations for:
- Functional correctness with respect to the normative requirements of the C2PA Content Credentials specification
- Security of implementation following a minimum set of widely accepted secure design best practices
The C2PA Conformance Program makes the results of that evaluation known by including those implementations on the public C2PA Conforming Products List with a status of `conformant`. Entities implementing Generator Products or Validator Products may wish to submit their implementations for evaluation by the C2PA Conformance Program and, if the implementations are deemed to meet its requirements, obtain public recognition as Conforming Products.
C2PA Trust List and C2PA TSA Trust List
The C2PA Content Credentials standard relies on the use of cryptographic key pairs and digital certificates, as well as cryptographic time-stamps, to create digital signatures over the Claims in C2PA Manifests, thereby protecting their integrity and facilitating the authentication of the entities that produced them.
This creates a dual need:
- Entities implementing Generator Products that have been deemed “conformant” by the C2PA Conformance Program require digital certificates and time-stamps to sign the C2PA Claims in media they produce, and need those digital certificates and time-stamps to be issued by Certification Authorities and Time-Stamping Authorities that relying parties trust to perform such functions.
- Relying parties need cryptographic assurance of the identity of the entities that sign C2PA Claims in C2PA assets.
As such, the C2PA maintains the C2PA Trust List and the C2PA TSA Trust List. The former lists root or issuing Certification Authorities that issue claim signing certificates to instances of conformant Generator Products, and the latter lists root or issuing Certification Authorities that issue time-stamping certificates to Time-Stamping Authorities.
The organizations that operate the Certification Authorities on these lists have demonstrated conformance with the requirements outlined in the C2PA Certificate Policy, and as such have been deemed eligible by the C2PA Conformance Program to render Certificate Services and Time-Stamping Services to Generator Products.
- Looking for more information? Read Program Details on GitHub.
- Interested in Participating? Fill out the Expression of Interest form.