Merge pull request #212 from contentauth/cawg-id

Initial docs for CAWG identity

Author: crandmck

docs/manifest/cawg-id.md

@@ -0,0 +1,162 @@
+---
+id: cawg-id
+title: CAWG identity assertions
+---
+
+The [Creator Assertions Working Group (CAWG)](https://cawg.io/) identity assertion enables a credential holder to prove control over a digital identity and to use that identity to document a content creator’s role(s) in a C2PA asset’s lifecycle.
+
+There are two different ways to provide identity assertions:
+
+- Using an [X.509 certificate](https://cawg.io/identity/1.1/#_x_509_certificates_and_cose_signatures) to sign the identity claims. Enterprises or large organizations can use this approach to assert their identity in a particular trust ecosystem; for example, a news organization or publisher. The SDK can validate and sign these claims.
+- Using an [identity claim aggregator](https://cawg.io/identity/1.1/#_identity_claims_aggregation).  Individuals can use this approach to document their role in creating an asset by using identity signals collected and verified by a third-party aggregator. The SDK can validate these claims only.  Signing is not supported.
+
+:::note
+The SDK can validate claims for both kinds of identity assertions, but can only sign claims for identity assertions using an X.509 certificate.
+:::
+
+## Using an X.509 certificate
+
+When providing an identity assertion by using an X.509 certificate, the value of `signer_payload.sig_type` must be `cawg.x509.cose`. The signature value must be a COSE signature as described in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1/#_x_509_certificates_and_cose_signatures).
+
+## Using an identity claim aggregator
+
+As defined in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1/#_identity_claims_aggregation), content creators may wish to document their role in creating an asset using identity signals such as:
+- Verified web sites
+- Social media accounts
+- Official ID documentation
+- Professional accreditations
+- Organizational affiliations
+
+To facilitate the use of such identity signals, the content creator may use the services of a trusted third-party intermediary known as a _identity claims aggregator_ to gather these signals and to restate them on their behalf.
+
+The identity claims aggregator:
+
+- Collects and verifies identity attestation claims from various identity providers such as social media sites and ID verification vendors.
+- Creates a unique asset-specific credential that binds the identity attestation claims to a specific asset.
+
+## Identity assertion
+
+An identity assertion using an identity claims aggregator has this general form in JSON:
+
+```json
+"assertions": [
+  ...
+  {
+    "label": "cawg.identity",
+    "data": {
+      "@context": [
+        "https://www.w3.org/ns/credentials/v2",
+        "https://cawg.io/identity/1.1/ica/context/"
+      ],
+      "type": [
+        "VerifiableCredential",
+        "IdentityClaimsAggregationCredential"
+      ],
+      "issuer": "did:web:connected-identities.identity.adobe.com",
+      "validFrom": "2025-04-29T17:34:44Z",
+      "verifiedIdentities": [
+        {
+          "type": "cawg.<type>",
+          "username": "<string>",
+          "uri": "<uri>",
+          "verifiedAt": "<DateTime>",
+          "provider": {
+            "id": "<string>",
+            "name": "<string>"
+          }
+        },
+        ...
+      ]
+    }
+  }
+]
+```
+
+### Verified identity types
+
+The following table describes the allowed values of the `type` property of `verifiedIdentities` array elements.
+
+| Value        |  Meaning |
+|--------------|----------|
+| `cawg.document_verification` | The identity provider verified one or more government-issued identity documents presented by the content creator.
+| `cawg.web_site` | The content creator has proven control over a specific domain to the identity claims aggregator._
+| `cawg.affiliation` | The identity provider is attesting to the content creator’s membership in an organization. This could be a professional organization or an employment relationship.
+| `cawg.social_media` | The content creator has demonstrated control over an account (typically a social media account) hosted by the identity provider.
+| `cawg.crypto_wallet` | The content creator has demonstrated control over an account (typically a crypto-wallet) hosted by the identity provider.
+
+:::note
+The above table is based on the [CAWG identity assertion technical specifications](https://cawg.io/identity/1.1/#vc-credentialsubject-verifiedidentity-type).
+:::
+
+### Example
+
+```json
+"assertions": [
+  ...
+  {
+    "label": "cawg.identity",
+    "data": {
+      "@context": [
+        "https://www.w3.org/ns/credentials/v2",
+        "https://cawg.io/identity/1.1/ica/context/"
+      ],
+      "type": [
+        "VerifiableCredential",
+        "IdentityClaimsAggregationCredential"
+      ],
+      "issuer": "did:web:connected-identities.identity.adobe.com",
+      "validFrom": "2025-04-29T17:34:44Z",
+      "verifiedIdentities": [
+        {
+          "type": "cawg.social_media",
+          "username": "xyz",
+          "uri": "https://www.instagram.com/xyz",
+          "verifiedAt": "2024-10-08T18:04:08Z",
+          "provider": {
+            "id": "https://instagram.com",
+            "name": "instagram"
+          }
+        },
+        {
+          "type": "cawg.social_media",
+          "username": "xyz",
+          "uri": "https://www.behance.net/xyz",
+          "verifiedAt": "2024-10-22T19:31:17Z",
+          "provider": {
+            "id": "https://behance.net",
+            "name": "behance"
+          }
+        },
+        {
+          "type": "cawg.social_media",
+          "username": "J Smith",
+          "uri": "https://www.linkedin.com/in/jsmith",
+          "verifiedAt": "2024-10-08T18:03:41Z",
+          "provider": {
+            "id": "https://linkedin.com",
+            "name": "linkedin"
+          }
+        },
+        {
+          "type": "cawg.social_media",
+          "username": "xyz",
+          "uri": "https://twitter.com/xyz",
+          "verifiedAt": "2024-10-08T18:03:49Z",
+          "provider": {
+            "id": "https://twitter.com",
+            "name": "twitter"
+          }
+        }
+      ],
+      "credentialSchema": [
+        {
+          "id": "https://cawg.io/identity/1.1/ica/schema/",
+          "type": "JSONSchema"
+        }
+      ]
+    }
+  }
+  ...
+]
+```
+

scripts/fetch-readme.js

@@ -179,6 +179,11 @@ const readmes = [
     repo: 'contentauth/c2pa-rs',
     path: 'docs/usage.md',
   },
+  {
+    dest: resolve(__dirname, '../docs/rust-sdk/docs/cawg-id.md'),
+    repo: 'contentauth/c2pa-rs',
+    path: 'docs/cawg-identity.md',
+  },
   {
     dest: resolve(__dirname, '../docs/rust-sdk/docs/release-notes.md'),
     repo: 'contentauth/c2pa-rs',

sidebars.js

@@ -45,6 +45,10 @@ const sidebars = {
           type: 'doc',
           id: 'manifest/manifest-validation',
         },
+        {
+          type: 'doc',
+          id: 'manifest/cawg-id',
+        },
         {
           type: 'doc',
           id: 'manifest/manifest-examples',
@@ -231,6 +235,11 @@ const sidebars = {
           id: 'rust-sdk/docs/supported-formats',
           label: 'Supported media formats',
         },
+        {
+          type: 'doc',
+          id: 'rust-sdk/docs/cawg-id',
+          label: 'Using CAWG identity assertions',
+        },
         {
           type: 'doc',
           id: 'rust-sdk/docs/release-notes',