feat: add settings structs to the public API

[ok-nick]

This PR exposes our settings structs to the public API and adds json schemas to them for better compatibility with our bindings.

For reviewers:

• What fields do we want exposed and what fields do we not want exposed?
• Do we want to move around any fields?

[codspeed-hq]

CodSpeed Performance Report

Merging #1447 will not alter performance

_{Comparing ok-nick/pub-settings (9d80172) with main (2ffde3d)}

Summary

✅ 16 untouched
⏩ 2 skipped¹

Footnotes

1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[ok-nick]

Maybe we should have verify_c2pa_trust and verify_cawg_trust to be clear they are separate and also to clarify it doesn't encompass timestamp trust. I'll add to the docs that verify_timestamp_trust should be used in that case.

[gpeacock]

It seems to me that if you configure the Trust settings, you probably want to use them. So why do we need a separate set of flags to enable them?

[ok-nick]

We currently do have a separate set of flags to enable them, see Trust::verify_trust_list (CAWG) and Verify::verify_trust (C2PA).

[gpeacock]

Ok, but why? Trust lists are required by the spec, I guess disabling could be useful for debugging?

[ok-nick]

I'd like to hear @scouten-adobe input on this.

[scouten-adobe]

We have a separate Trust structure (see https://github.com/contentauth/c2pa-rs/pull/1447/files/aee4a005f7ebabead90b13bb5f9afe92a177f40f#diff-40b334ea0cacc187a239b5763c0403155527f660c81e8e90462bc01a3c36bf0dR50) which already occurs twice, once for CAWG and once for C2PA.

I'd like to see us move as much of this configuration into that tree and then the question of which one you are enabling/disabling will be much more obvious (IMHO).

[tmathern]

Shouldn't we keep core features config SDK-internal?

[ok-nick]

I think the core settings in this PR are reasonable to expose to the user.

[gpeacock]

Let's make sure we get Maurice's opinion on these

[gpeacock]

Let's make sure we get Maurice's opinion on these

[scouten-adobe]

We have a separate Trust structure (see https://github.com/contentauth/c2pa-rs/pull/1447/files/aee4a005f7ebabead90b13bb5f9afe92a177f40f#diff-40b334ea0cacc187a239b5763c0403155527f660c81e8e90462bc01a3c36bf0dR50) which already occurs twice, once for CAWG and once for C2PA.

I'd like to see us move as much of this configuration into that tree and then the question of which one you are enabling/disabling will be much more obvious (IMHO).

[mauricefisher64]

Why do we support TIFF thumbnails>

[ok-nick]

It's naturally supported by the image crate although I have no objection to removing it.

[mauricefisher64]

Why are we fetching OCSP responses for every certificate as a default!

certificate_status_fetch = "all"
certificate_status_should_override = true

[ok-nick]

Hm, that's interesting. @scouten-adobe any input on this?

[mauricefisher64]

How is this meant to be used in the settings file? Without an "off" choice then the presence of OCSPFetchScope will mean we are fetching responses. I do not thing fetching should ever default to on.

[ok-nick]

certificate_status_fetch is defined as Option<OcspFetchScope> that defaults to None.

[mauricefisher64]

Has nothing to do with Reader, the value determines whether we fetch OCSP during validation.

[ok-nick]

Yep, that's what I was trying to convey. The docs seem to match your description, which part seems unclear?