Commit dead002

Merge pull request #161 from contentauth/fix-wrong-cert-info
Fix incorrect info re certs
2 parents fbeec1c + f621067 commit dead002

2 files changed

+6
-14
lines changed

docs/getting-started.mdx

Lines changed: 0 additions & 7 deletions
@@ -108,13 +108,6 @@ The above list is for reference only; inclusion does not imply endorsement by CA
108108

109109
When you purchase a certificate, you must select at least one of the extended key usage (EKU) fields that specify what the certificate can be used for: **email protection** and **document signing**. Applications that use the CAI SDK won't accept the certificate unless it has one of these EKUs.
110110

111-
Certificate authorities offer many levels of validation. For Content Credentials, one of these types is highly recommended (though not required):
112-
113-
- **Organization Validated (OV).** The CA validates the organization's identity by checking its credentials against extensive databases, including those held by local governments.
114-
- **Extended Validation (EV).** A fully authenticated certificate, needed to offer secure web locations, email, and financial transactions.
115-
116-
If you don't get an OV certificate, then the Content Credentials that use the certificate won't display your organization name, as shown in the examples on [verify.contentauthenticity.org](https://verify.contentauthenticity.org/).
117-
118111
### Extracting the certificate
119112

120113
To work with the certificate, you need to extract it. When the CAI SDK adds Content Credentials to an asset, it incorporates the certificate (including the associated public key) into the manifest.
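
Review bot: With the removed sentence about the organization name (old line 116) gone, getting-started.mdx no longer says what controls whether the Verify tool shows the organization name; the replacement guidance about the "O" attribute exists only in docs/prod-cert.mdx. Suggest keeping a one-sentence pointer here, after the EKU paragraph, to the "Organization name" section of prod-cert.mdx, so readers who buy a certificate from this page learn about the requirement before purchase.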

docs/prod-cert.mdx

Lines changed: 6 additions & 7 deletions
@@ -25,6 +25,10 @@ A CSR is just an unsigned certificate that's a template for the certificate that
2525

2626
A CSR comprises a public key, as well as ["distinguished name" information](https://knowledge.digicert.com/general-information/what-is-a-distinguished-name) that identifies the individual or organization requesting the certificate. The distinguished name includes a common name, organization, city, state, country, and e-mail address. Not all of these fields are required and will vary depending with the assurance level of the desired certificate.
2727

28+
:::tip
29+
For the C2PA [Verify tool](https://verify.contentauthenticity.org/) to display your organization name in the Content Credentials, your CSR must include the "O" or Organization Name attribute in the distinguished name information. See [below](#organization-name) for details.
30+
:::
31+
2832
You sign the CSR with your private key; this proves to the CA that you have control of the private key that corresponds to the public key included in the CSR. Once the requested information in a CSR passes a vetting process and domain control is established, the CA may sign the public key to indicate that it can be publicly trusted.
2933

3034
### Types of certificates
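
Review bot: The new tip says `your CSR must include the "O" or Organization Name attribute`, while the "Organization name" section added later in this file says `your certificate must include` it. These are not the same requirement: the paragraph right after the tip notes that the CA vets the requested information before signing, and the later section ties the display to the certificate. Suggest wording the tip around the issued certificate, with the CSR as the place where you request the attribute, so the two passages agree.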
@@ -34,14 +38,9 @@ CAs offer a variety of different kinds of certificates (links below are to [Digi
3438
- The simplest and least expensive option is an [S/MIME email certificate](https://www.digicert.com/tls-ssl/compare-secure-email-smime-certificates).
3539
- Other options, such as [document signing certificate](https://www.digicert.com/signing/compare-document-signing-certificates) require more rigor (like proving your identity) and cost more.
3640

37-
### CA validation
38-
39-
CAs offer many levels of validation. For Content Credentials, one of these types is highly recommended (though not required):
40-
41-
- **Organization Validated (OV).** The CA validates the organization's identity by checking its credentials against extensive databases, including those held by local governments.
42-
- **Extended Validation (EV).** A fully authenticated certificate, needed to offer secure web locations, email, and financial transactions.
41+
### Organization name
4342

44-
If you don't get an OV certificate, then the C2PA [Verify tool](https://verify.contentauthenticity.org/) won't display your organization name in the Content Credentials.
43+
If you want the C2PA [Verify tool](https://verify.contentauthenticity.org/) to display your organization name in the Content Credentials, your certificate must include the "O" or [Organization Name attribute](https://www.alvestrand.no/objectid/2.5.4.10.html) (OID value 2.5.4.10) in the distinguished name information. The CA may require some validation steps to prove you are part of that organization (details vary by CA).
4544

4645
## The C2PA Python example
4746
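
Review bot: In the new "Organization name" paragraph, `The CA may require some validation steps to prove you are part of that organization (details vary by CA)` gives the reader no way to choose among the certificate types listed just above it (S/MIME email versus document signing): nothing says which of those can carry the O attribute, and the removed OV/EV text was the only guidance on that. Suggest adding a sentence telling readers to confirm with the CA, before purchase, that the chosen product will include Organization Name in the certificate's distinguished name. Minor: `the "O" or Organization Name attribute` reads as two alternatives; `the Organization Name (O) attribute` is clearer.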
