c2pa-org / specifications

The public specifications for the C2PA
Creative Commons Attribution 4.0 International
102 stars 12 forks source link

Features for manual verification #45

Open eeeps opened 10 months ago

eeeps commented 10 months ago

Problem:

People and organizations want to publish assets containing meaningful content credentials, but are working with:

  1. existing libraries of media, which do not have C2PA provenance
  2. new media coming from cameras and editing flows which have not yet adopted C2PA, which also lack C2PA provenance.

These people and organizations need some way to attest that the media is authentic, and associate their organization's trustworthiness with this attestation.

I wrote up a proposal for enabling this sort of thing with a new action (c2pa.verified): https://github.com/eeeps/verified-c2pa-action-explainer. However if there are existing solutions to this problem that I have overlooked, or even just conversations about it that I have missed, please let me know!

lrosenthol commented 10 months ago

@eeeps You don't need a specific action for this - just add the C2PA Manifest to the next version of the asset, marking the original (w/o manifest) as a parent ingredient. This is what stock sites like Adobe Stock have been doing for quite a while now.

If you want an action, I believe that Adobe Stock uses c2pa.published.

eeeps commented 10 months ago

@lrosenthol That would require the entity who wishes to make the attestation to implement signing (acquire a certificate, get on relevant trust lists, install and operationalize open source tooling). In this use case, I am envisioning a piece of software (e.g. Photoshop, or a cloud-based DAM solution) allowing its users to make these attestations, and tie them to specific facts about the image presented in the c2pa.metadata. Also possibly separately-in-time from their publishing flow. Does that make sense?

It's possible that the recommendation here is that anyone who wants to make a verifiable statement about the media must implement a signing flow and sign manifests themselves. Is that the case?

lrosenthol commented 9 months ago

It's possible that the recommendation here is that anyone who wants to make a verifiable statement about the media must implement a signing flow and sign manifests themselves. Is that the case?

If you want the verifiable statement to be part of the provenance of the asset, that can be verified as part of the C2PA validation process - then yes, those statements would need to be signed and incorporated into a C2PA Manifest.

Of course, there are a variety of other groups working on external attestation systems such as the CredWeb effort from the W3C.