c2pa-org / specifications

The public specifications for the C2PA
Creative Commons Attribution 4.0 International

Are there any initiatives to apply C2PA to HTTPS/TLS non-repudiation so that servers hosting content become part of the chain of custody? #44

Open pirate opened 7 months ago

pirate commented 7 months ago

Right now HTTPS/TLS does not support non-repudiation. https://security.stackexchange.com/questions/103645/does-ssl-tls-provide-non-repudiation-service

It's a huge problem for internet archiving, legal cases, and journalism because no one can provably verify that a server provided some specific content (without having to trust the client who recorded it to have not tampered with the recording).

Addressing the lack of non-repudiation could be done by signing packets inside a TLS session (or using some of the other provenance techniques discussed by C2PA), and would allow the server hosting content to be provably part of the chain-of-custody.

This solves the problems of:
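The point raised in the issue, as an added illustration that is not part of the original thread or of the C2PA specifications: TLS record integrity rests on a session key that both endpoints derive from the handshake, so a valid record tag proves only that one of the two endpoints produced it, and a recorder who holds that key can tag altered bytes just as easily as the server can. A signature under a key that only the server holds is what a third party would need to attribute content to that server. The Go program below contrasts the two with constructed sample data; `TLSStyleTag`, `ServerSign`, `Compare` and the `SignedRecord` format are assumptions for the example, not anything defined by TLS or by C2PA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// TLSStyleTag models the integrity protection of a TLS record: an HMAC over
// the record under a key derived from the handshake. Both endpoints hold that
// key, so a valid tag proves only that one of the two endpoints produced it.
func TLSStyleTag(sessionKey, record []byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(record)
	return m.Sum(nil)
}

// TLSStyleVerify checks a record tag with the shared session key.
func TLSStyleVerify(sessionKey, record, tag []byte) bool {
	return hmac.Equal(TLSStyleTag(sessionKey, record), tag)
}

// SignedRecord is a hypothetical provenance record: the served bytes plus a
// signature that only the server's private key can produce.
type SignedRecord struct {
	Payload   []byte
	Signature []byte
}

// ServerSign produces a record that anyone holding the server's public key
// can verify, but nobody without the private key can forge.
func ServerSign(priv ed25519.PrivateKey, payload []byte) SignedRecord {
	return SignedRecord{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyServerSignature returns true only if Payload is exactly what the
// server signed.
func VerifyServerSignature(pub ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(pub, r.Payload, r.Signature)
}

// Outcome summarises what a reviewer of an archived capture can conclude
// from each kind of evidence.
type Outcome struct {
	AlteredRecordPassesSharedKeyCheck bool // shared key: the recorder can re-tag
	AlteredRecordPassesSignatureCheck bool // signature: alteration is detected
	GenuineRecordPassesSignatureCheck bool // signature: genuine record verifies
}

// Compare runs both schemes over a constructed HTTP response body.
func Compare() (Outcome, error) {
	// Constructed sample: what the server actually served.
	served := []byte("HTTP/1.1 200 OK\r\n\r\n<p>Original statement</p>")
	// Constructed sample: what a dishonest recorder claims was served.
	altered := []byte("HTTP/1.1 200 OK\r\n\r\n<p>Altered statement</p>")

	// Shared-key integrity (the TLS model): the client holds sessionKey too,
	// so it can tag the altered bytes itself and a third party cannot tell
	// its tag from one the server made.
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return Outcome{}, err
	}
	recorderTag := TLSStyleTag(sessionKey, altered)

	// Server signature (the provenance model): the recorder has only the
	// public key, so the most it can do is reuse the genuine signature over
	// different bytes, which verification rejects.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := ServerSign(priv, served)
	tampered := SignedRecord{Payload: altered, Signature: genuine.Signature}

	return Outcome{
		AlteredRecordPassesSharedKeyCheck: TLSStyleVerify(sessionKey, altered, recorderTag),
		AlteredRecordPassesSignatureCheck: VerifyServerSignature(pub, tampered),
		GenuineRecordPassesSignatureCheck: VerifyServerSignature(pub, genuine),
	}, nil
}

func main() {
	o, err := Compare()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it prints an `Outcome` in which the altered record passes the shared-key check but fails the signature check, while the genuine record passes: the shared-key tag cannot tell an archive reviewer which endpoint produced the bytes, whereas the server signature can. A real design would also have to bind the signature to the request, a timestamp and the server's certificate identity; the example omits that to keep the contrast visible.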

lrosenthol commented 7 months ago

@pirate Interesting concept! No, we haven't discussed this specific area. We have had some previous conversations about WARC, Internet Archives and such - but nothing about how TLS certs (or just server identity) applies.

Definitely something for us to consider!