docs/conformance.mdx
11 additions & 18 deletions
@@ -45,25 +45,18 @@ C2PA maintains two trust lists:
45
45
-[**C2PA trust list**](https://github.com/c2pa-org/conformance-public/blob/main/trust-list/C2PA-TRUST-LIST.pem): A list of X.509 certificate trust anchors (either root or subordinate certification authorities) that issue certificates to conforming generator products under the C2PA Certificate Policy.
46
46
-[**C2PA time-stamping authority (TSA) trust list**](https://github.com/c2pa-org/conformance-public/blob/main/trust-list/C2PA-TSA-TRUST-LIST.pem): A list of X.509 certificate trust anchors (either root or subordinate certification authorities) that issue time-stamp signing certificates to TSAs.
47
47
48
-
### Interim trust list
48
+
### Interim trust list retirement
49
49
50
-
With the introduction of the C2PA trust list, the existing [interim (temporary) trust list](trust-list.mdx) is being retired.
50
+
With the introduction of the C2PA trust list, the existing [interim (temporary) trust list](trust-list.mdx) is being retired on the following timeline:
51
51
52
-
### Timeline
52
+
-**Through December 31, 2025**: The [interim trust list](trust-list.mdx) will remain operational. During this time:
53
+
- The [Verify site](https://contentcredentials.org/verify) will continue to display manifests signed by certificates on the interim trust list as trusted, but with a disclaimer that the manifests were made with an older version of the trust model.
54
+
- New certificates will continue to be added to the interim trust list when requested.
55
+
- Product developers are strongly encouraged to apply to the C2PA conformance program and use the official C2PA trust list.
56
+
-**On January 1, 2026**: The interim trust list will be frozen:
57
+
- No new certificates will be added to the list, and no updates will be made.
58
+
- Existing certificates will remain valid for legacy support.
53
59
54
-
**Through December 31, 2025**: The [temporary trust list](trust-list.mdx)will remain operational.
60
+
Eventually, the certificates on the interim trust list will expire and will not be usable for signing. However, if content was signed during the interim trustlist certificate's validity period, the content will always be considered valid against the legacy trust model.
55
61
56
-
During this time:
57
-
58
-
- The [Verify site](https://contentcredentials.org/verify) will continue to display manifests signed by certificates on the temporary trust list as trusted, but with a disclaimer that the manifests were made with an older version of the trust model.
59
-
- New certificates will continue to be added to the temporary trust list when requested.
60
-
- Product developers are strongly encouraged to apply to the C2PA conformance program and use the official C2PA trust list.
61
-
62
-
**On January 1, 2026**: The temporary trust list will be frozen.
63
-
64
-
- Existing certificates will remain valid for legacy support.
65
-
- No new certificates will be added to the list, and no updates will be made.
66
-
67
-
Eventually, the certificates on the temporary trust list will expire and will not be usable for signing. However, if content was signed during the temporary trust list certificate's validity period, the content will always be considered valid against the legacy trust model.
68
-
69
-
Validator products are encouraged to begin distinguishing between Content Credentials signed with certificates on the temporary trust list (typically tied to Content Credentials specification version version 1.4) and those from conforming products using the official C2PA trust list.
62
+
Validator products are encouraged to begin distinguishing between Content Credentials signed with certificates on the interim trust list (typically tied to Content Credentials specification version version 1.4) and those from conforming products using the official C2PA trust list.
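Review bot: The added paragraph at new line 60 says content signed during the certificate's validity period "will always be considered valid against the legacy trust model", but nothing in this section says how a validator establishes when the content was signed. Consider stating what evidence of signing time is relied on, and whether the C2PA TSA trust list introduced just above this heading plays a part. Two wording fixes in the added lines: "interim trustlist certificate's" should read "interim trust list certificate's", and "specification version version 1.4" at new line 62 carries over the doubled word from the removed line.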
docs/signing/get-cert.md
9 additions & 3 deletions
@@ -3,7 +3,7 @@ id: get-cert
3
3
title: Getting a signing certificate
4
4
---
5
5
6
-
:::note Important
6
+
:::warning Important
7
7
Best practices for handling keys and certificates are beyond the scope of this documentation. Always protect your private keys with the highest level of security; for example, never share them through insecure channels such as email.
8
8
:::
9
9
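Review bot: Style point on new line 6: with the admonition type changed to `:::warning`, the custom title "Important" no longer matches the box it labels. Either drop the title so the default warning heading is used, or replace it with one that names the risk the text describes, for example "Protect your private keys".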
@@ -12,6 +12,10 @@ To sign manifest claims, you must have an X.509 v3 security certificate and key
12
12
13
13
## Purchasing a certificate
14
14
15
+
:::note
16
+
The [C2PA conformance program](https://c2pa.org/conformance/) establishes the requirements governing the issuance of C2PA claim signing certificates for use by product developers. See [C2PA certificate policy](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Certificate%20Policy.pdf) for more information.
17
+
:::
18
+
15
19
The process to purchase a certificate and key is different for each CA: You might be able to simply click a "Buy" button on the CA's website. Or your can make your own key and use it to create a certificate signing request (CSR) that you send to the CA. Regardless of the process, what you get back is a signed certificate that you use to create a certificate chain.
16
20
17
21
The certificate chain starts with the certificate from the last tool that signed the manifest (known as the "end-entity") followed by the certificate that signed it, and so on, back to the original CA issuer. This enables a validating application to determine that the manifest is valid because the certificate chain goes back to a trusted root certificate authority.
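Review bot: The note added at new lines 15-17 says the conformance program governs issuance of C2PA claim signing certificates, but the paragraph that follows it still describes buying a certificate from any CA, so a reader cannot tell whether a certificate obtained that way falls under the program. Add a sentence to the note saying how the purchase process described below relates to the conformance program. While touching this section, the context line at new line 19 has a typo: "Or your can make your own key" should be "Or you can make your own key".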
@@ -23,9 +27,7 @@ The C2PA specification requires that an "end entity" signing certificate must be
23
27
- An S/MIME email certificate (`id-kp-emailProtection` EKU). This is usually the simplest and least expensive option.
24
28
- A document signing certificate (`id-kp-documentSigning` EKU). Obtaining these kinds of certificates typically have more stringent requirements (like proving your identity) and costs more.
25
29
26
-
:::note
27
30
For more details, see [Certificate requirements](#certificate-requirements) below.
28
-
:::
29
31
30
32
### Certificate authorities (CAs)
31
33
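Review bot: After unwrapping the note, the plain sentence at new line 30 still sends readers to "Certificate requirements" for more details, while a later hunk in this same file marks that section as superseded by the C2PA certificate policy. Point this sentence at the certificate policy as well, or reword it so readers are not directed only to a section the page now calls superseded.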
@@ -53,6 +55,10 @@ You sign the CSR with your private key; this proves to the CA that you have cont
53
55
54
56
## Certificate requirements
55
57
58
+
:::note
59
+
The information in this section is superseded by the [C2PA certificate policy](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Certificate%20Policy.pdf) the that establishes the requirements governing the issuance of C2PA claim signing certificates.
60
+
:::
61
+
56
62
A signing certificate and key (credentials) must conform to the requirements in the [C2PA specification X.509 Certificates section](https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#x509_certificates); specifically, it must:
57
63
58
64
- Follow the public key infrastructure (PKI) X.509 V3 specification.
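Review bot: Typo in the added note at new line 59: "the that establishes the requirements" should be "that establishes the requirements". The note also declares the whole section superseded while the requirements list below it is kept unchanged, so readers cannot tell which items still apply. Say whether the list remains as a summary of the policy or is retained only for certificates on the interim trust list.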
docs/trust-list.mdx
6 additions & 2 deletions
@@ -18,16 +18,20 @@ The C2PA **[Verify tool](https://contentcredentials.org/verify)** uses a list of
18
18
19
19
Conversely, if the Content Credential was signed by a known certificate, the Verify tool will display the [name of the certificate owner and time of the claim signature](verify.mdx#title-and-signing-information).
20
20
21
+
## Deprecation timeline
22
+
21
23
:::note
22
24
Currently, **[Verify](https://contentcredentials.org/verify)** uses the interim trust list described here (also referred to as the _temporary trust list_), but Verify will be updated soon to use the official [C2PA trust list](conformance.mdx#c2pa-trust-lists).
23
25
:::
24
26
25
-
## Deprecation timeline
26
-
27
27
The interim trust list (also known as the _temporary trust list_) will remain operational **through December 31, 2025**. During this time, C2PA will continue to accept new certificates following the process described below. At some point, the Verify site will distinguish between Content Credentials from conforming products and those signed using certificates on the interim trust list.
28
28
29
29
On **January 1, 2026**, the interim trust list will be frozen: C2PA will not add any new entries or make updates. Existing certificates will remain valid, but eventually, those certificates will expire and no longer be usable for signing. However, if content was signed during the certificate's validity period, the content will always be considered valid against the interim trust list.
30
30
31
+
:::tip
32
+
For more information about conformance, see [C2PA conformance program](conformance.mdx).
33
+
:::
34
+
31
35
## Interim known certificate list
32
36
33
37
The Verify site hosts the following files that it uses to [validate signing certificates](https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_c2pa_signers). Together, these files form the _interim known certificate list_:
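Review bot: Moving the "## Deprecation timeline" heading to new line 21 puts the note and the first timeline paragraph under the same heading, and both now define the alias back to back: "(also referred to as the _temporary trust list_)" at new line 24 and "(also known as the _temporary trust list_)" at new line 27. Keep the alias in one place only. The context paragraph at new line 29 also ends "valid against the interim trust list", whereas the matching sentence in docs/conformance.mdx in this commit says "valid against the legacy trust model"; pick one wording for both pages. The note's "will be updated soon" gives no date, which reads oddly under a heading that promises a timeline.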