cawg updates

crandmck · crandmck · commit 33b35d39cac4 · 2025-07-24T12:56:55.000-07:00
diff --git a/docs/manifest/reading/legacy.md b/docs/manifest/reading/legacy.md
@@ -9,9 +9,26 @@ As much as possible, an application should **write** manifest data that conforms
 For READING old claims (only) … v1 actions and ingredients
 </div>
 
+## Legacy ingredients
+
+Existing manifests may contain any of these three kinds of ingredients:
+- V1, with label `c2pa.ingredient` (deprecated).
+- V2, with label `c2pa.ingredient.v2` (deprecated).
+- V3, with label `c2pa.ingredient.v3`, which addresses the issue of validating ingredients after redaction.  
+
+## Legacy actions
+
+Existing manifests may contain two versions of actions: original v1 actions, with label `c2pa.actions`, and revised v2 actions, with label `c2pa.actions.v2`. While a v1 action is fully specified in its actions array, a v2 action may either be fully specified in an element of the actions array or it may be derived from an element in the templates array with the same action name.
+
 ## Legacy metadata assertions
 
-Older versions of the SDK had individual assertions for each metadata standard, as detailed below.
+Existing manifests may contain individual assertions for each metadata standard:
+- [Exif assertion](#exif-assertion)
+- [IPTC metadata assertion](#iptc-metadata-assertion)
+- [Creative Work assertion](#creative-work-assertion)
+
+In the latest version of the SDK, Exif and IPTC assertions are now CAWG assertions, and the CreativeWork assertion is not supported at all.
+
 
 ### Exif assertion
 
diff --git a/docs/manifest/writing/cawg-id.md b/docs/manifest/writing/cawg-id.md
@@ -5,35 +5,16 @@ title: Writing CAWG identity assertions
 
 The [Creator Assertions Working Group (CAWG)](https://cawg.io/) identity assertion enables a credential holder to prove control over a digital identity and to use that identity to document a content creator’s role(s) in a C2PA asset’s lifecycle.
 
-There are two different ways to provide identity assertions:
-
-- Using an [X.509 certificate](https://cawg.io/identity/1.1/#_x_509_certificates_and_cose_signatures) to sign the identity claims. Enterprises or large organizations can use this approach to assert their identity in a particular trust ecosystem; for example, a news organization or publisher. The SDK can validate and sign these claims.
-- Using an [identity claim aggregator](https://cawg.io/identity/1.1/#_identity_claims_aggregation).  Individuals can use this approach to document their role in creating an asset by using identity signals collected and verified by a third-party aggregator. Adobe applications (for example) use this method to provide identity claims.  
+The SDK can write and sign claims for CAWG identity assertions provided using an [X.509 certificate](https://cawg.io/identity/1.1/#_x_509_certificates_and_cose_signatures) to sign the identity claims. Enterprises or large organizations can use this approach to assert their identity in a particular trust ecosystem; for example, a news organization or publisher. The SDK can validate and sign these claims.
 
 :::note
-The SDK can validate claims for both kinds of identity assertions, but can only sign claims for identity assertions using an X.509 certificate.
+CAWG identity assertions can also be created using an [identity claim aggregator](https://cawg.io/identity/1.1/#_identity_claims_aggregation), but the SDK only read and validate claims for these kinds of assertions. It cannot write them.
 :::
 
 ## Using an X.509 certificate
 
 When providing an identity assertion by using an X.509 certificate, the value of `signer_payload.sig_type` must be `cawg.x509.cose`. The signature value must be a COSE signature as described in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1/#_x_509_certificates_and_cose_signatures).
 
-## Using an identity claim aggregator
-
-As defined in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1/#_identity_claims_aggregation), content creators may wish to document their role in creating an asset using identity signals such as:
-- Verified web sites
-- Social media accounts
-- Official ID documentation
-- Professional accreditations
-- Organizational affiliations
-
-To facilitate the use of such identity signals, the content creator may use the services of a trusted third-party intermediary known as a _identity claims aggregator_ to gather these signals and to restate them on their behalf.
-
-The identity claims aggregator:
-
-- Collects and verifies identity attestation claims from various identity providers such as social media sites and ID verification vendors.
-- Creates a unique asset-specific credential that binds the identity attestation claims to a specific asset.
-
 ## Identity assertion
 
 An identity assertion using an identity claims aggregator has this general form in JSON:
