c2pa-org / specifications

The public specifications for the C2PA
Creative Commons Attribution 4.0 International

Missing documentation: known certificate list #50

Closed: hackerfactor closed this 4 months ago

hackerfactor commented 5 months ago

On Dec 19, 2023, Andy Parsons announced that Verify (using C2PA) was using a "known certificate" list for certs. He further wrote that "Early next year, the C2PA will issue clear guidance about how this will work going forward, as known cert lists are an essential part of the C2PA trust model." https://discord.com/channels/983153151341371422/986451330992320512/1186650830422691900

It's mid-March and about 3 months since this announcement was made. We are past what I would consider "early next year".

As far as I can tell, Content Credentials does use some kind of internal whitelist of known certificates.

  1. Where is this "known certificate" requirement and details documented?
  2. Where can we download this list of known certificates?
  3. How does a verifying service identify the list of providers who offer "known certificate" lists?
  4. How does someone register a new cert with a known cert list?
  5. What company(ies) manage this list?
  6. How is the list vetted?

lrosenthol commented 4 months ago

It is important not to mix SPECIFICATION with IMPLEMENTATION.

The C2PA spec is quite clear that there is a C2PA Trust List that is the one mandated trust list for verifiers, but that other trust lists may be chosen by specific implementations. At this time, we have not yet published the details of the C2PA Trust List - but we expect that information soon. In the meantime, the "Verify" service uses its own private list, as it is permitted to do by spec.

If you have questions about how to get on that list, you should contact the implementer of that list.
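The trust model described in the reply (one mandated C2PA Trust List, plus any additional lists an implementation chooses) can be made concrete as verifier policy. The following is an added example written for this thread, not code from the C2PA specification or the Verify service; the list format, the use of SHA-256 fingerprints of DER-encoded certificates as anchors, and all sample certificates are constructed assumptions, since the real list had not been published at the time of the thread. It assumes the signer's certificate chain has already been signature-checked and only decides whether the chain terminates on a configured list, recording which list matched so an operator can tell a C2PA-list match from a private-list match in logs.

```python
"""Trust-list evaluation for a C2PA-style verifier.

Added example for this issue thread; NOT the C2PA spec's own trust-list
format or the Verify service's code. Anchor representation (SHA-256 of the
DER certificate) and all sample certificates are constructed assumptions.
Assumes chain signatures and validity periods were already verified.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class TrustList:
    name: str
    mandated: bool          # True only for the C2PA Trust List
    anchors: Set[str]       # hex SHA-256 fingerprints of trusted anchor certs


@dataclass(frozen=True)
class Verdict:
    trusted: bool
    matched_list: Optional[str]   # which list accepted the chain, for audit logs
    reason: str


def fingerprint(der: bytes) -> str:
    """Fingerprint an (assumed DER-encoded) certificate."""
    return hashlib.sha256(der).hexdigest()


def evaluate_chain(chain_der: List[bytes], trust_lists: List[TrustList]) -> Verdict:
    """Decide whether a signer chain (leaf first, anchor last) is trusted.

    Policy modelled on the reply above: exactly one mandated list must be
    configured; implementation-chosen lists are consulted only after it, so a
    chain on both lists is always attributed to the mandated list.
    """
    mandated = [t for t in trust_lists if t.mandated]
    if len(mandated) != 1:
        raise ValueError("exactly one mandated trust list must be configured")
    if not chain_der:
        return Verdict(False, None, "empty chain")

    ordered = mandated + [t for t in trust_lists if not t.mandated]
    # Walk from the anchor towards the leaf; a pinned intermediate also counts.
    for depth in range(len(chain_der) - 1, -1, -1):
        fp = fingerprint(chain_der[depth])
        for tl in ordered:
            if fp in tl.anchors:
                return Verdict(True, tl.name, f"cert at depth {depth} is on '{tl.name}'")
    return Verdict(False, None, "no cert in chain is on any configured trust list")


def demo() -> List[Verdict]:
    """Run three constructed chains against a constructed pair of lists."""
    c2pa = TrustList("C2PA Trust List", True, {fingerprint(b"constructed-root-A")})
    private = TrustList("implementation list", False, {fingerprint(b"constructed-root-B")})
    lists = [private, c2pa]   # deliberately out of order; mandated list still wins
    chains = [
        [b"leaf-1", b"intermediate-1", b"constructed-root-A"],  # on the C2PA list
        [b"leaf-2", b"constructed-root-B"],                     # only on the private list
        [b"leaf-3", b"constructed-root-C"],                     # on neither
    ]
    return [evaluate_chain(c, lists) for c in chains]


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The `matched_list` field is the operationally useful part: a verifier that only reports "trusted" hides whether trust came from the mandated list or from a private one, which is exactly the distinction the questions in this issue are about.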