wip

crandmck · crandmck · commit 190471080b11 · 2025-08-28T16:58:51.000-07:00
diff --git a/docs/conformance.mdx b/docs/conformance.mdx
@@ -0,0 +1,19 @@
+---
+id: conformance
+title: C2PA conformance program
+---
+
+In mid-2025, C2PA launched its [conformance program](https://c2pa.org/conformance) and the transition to the official C2PA trust list. The [temporary (interim) trust list](trust-list.mdx) is being retired, since it was a temporary measure for early C2PA implementations.
+
+The temporary trust list provided critical support during the early adoption phase of C2PA and enabled the C2PA Verify website to:
+
+- Determine which certificates were valid.
+- Prevent unknown signers from appearing as valid.
+
+The new [C2PA trust list](https://github.com/c2pa-org/conformance-public/tree/main/trust-list), governed under the C2PA conformance program, introduces key enhancements:
+
+- A new [public certificate policy](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Certificate%20Policy.pdf) that specifies C2PA requirements for certificate authorities (CAs).
+- Higher security and interoperability.
+- Stronger accountability and governance.
+- Alignment with the C2PA 2.x technical specification.
+- A robust governance framework.
diff --git a/docs/trust-list.mdx b/docs/trust-list.mdx
@@ -1,10 +1,14 @@
 ---
 id: verify-known-cert-list
-title: Verify tool known certificate list
+title: The interim trust list
 ---
 
 import verify_unknown_source from '../static/img/verify-cc-unknown-source.png';
 
+:::warning
+The process described on this page is deprecated. The C2PA has released its official trust lists, and Verify will be updated to use them soon. See [Conformance](conformance.mdx) for more information.
+:::
+
 The C2PA **[Verify tool](https://contentcredentials.org/verify)** uses a list of _known certificates_ (sometimes referred to as a "trust list") to determine whether a Content Credential was issued by a known source. If an asset's Content Credential was not signed by a known certificate, the Verify tool will display this message:
 
 <img
@@ -15,11 +19,15 @@ The C2PA **[Verify tool](https://contentcredentials.org/verify)** uses a list of
 Conversely, if the Content Credential was signed by a known certificate, the Verify tool will display the [name of the certificate owner and time of the claim signature](verify.mdx#title-and-signing-information).
 
 :::note
-Currently, **[Verify](https://contentcredentials.org/verify)** uses a temporary list, but in mid-2025, the C2PA released its official trust lists, and Verify will be updated to use them soon.
+Currently, **[Verify](https://contentcredentials.org/verify)** uses the temporary trust list described here, but in 2025 the C2PA released its official trust lists, and Verify will be updated to use them soon.
 :::
 
 ## Temporary known certificate list
 
+The temporary known certificate list (also known as the _interim trust list_) will remain operational **through December 31, 2025**. During this time, C2PA will continue to accept new certificates following the process described below. At some point, the Verify site will distinguish between Content Credentials from conforming products on the official C2PA trust list and those relying on the interim trust list.
+
+On **January 1, 2026**, the temporary trust list will be frozen: CAI will not add any new entries or make updates. Existing certificates will remain valid, and the Verify site will distinguish Content Credentials signed using those certificates. Eventually, those certificates will expire and no longer be usable for signing. However, if content was signed during the certificate's validity period, the content will always be considered valid against the interim trust list.
+
 The [contentcredentials.org](https://contentcredentials.org/) site hosts the following files that it uses to [validate signing certificates](https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_c2pa_signers). Together, these files form the _temporary known certificate list_:
 
 - **The temporary end-entity certificate list** in https://contentcredentials.org/trust/allowed.pem consists of end-entity certificates. If the certificate is on this list, it is considered "known." To reduce bandwidth consumption, a [version with SHA-256 hashes](https://contentcredentials.org/trust/allowed.sha256.txt) of the certificates is also available.
