Features for manual verification

Question

Features for manual verification

eeeps opened this issue 6 months ago · comments

Problem:

People and organizations want to publish assets containing meaningful content credentials, but are working with:

existing libraries of media, which do not have C2PA provenance
new media coming from cameras and editing flows which have not yet adopted C2PA, which also lack C2PA provenance.

These people and organizations need some way to attest that the media is authentic, and associate their organization's trustworthiness with this attestation.

I wrote up a proposal for enabling this sort of thing with a new action (c2pa.verified): https://github.com/eeeps/verified-c2pa-action-explainer. However if there are existing solutions to this problem that I have overlooked, or even just conversations about it that I have missed, please let me know!

Leonard Rosenthol · Answer 1 · Thu Jan 18 2024 10:23:52 GMT+0800 (China Standard Time)

@eeeps You don't need a specific action for this - just add the C2PA Manifest to the next version of the asset, marking the original (w/o manifest) as a parent ingredient. This is what stock sites like Adobe Stock have been doing for quite a while now.

If you want an action, I believe that Adobe Stock uses c2pa.published.

Eric Portis · Answer 2 · Fri Jan 19 2024 00:14:45 GMT+0800 (China Standard Time)

@lrosenthol That would require the entity who wishes to make the attestation to implement signing (acquire a certificate, get on relevant trust lists, install and operationalize open source tooling). In this use case, I am envisioning a piece of software (e.g. Photoshop, or a cloud-based DAM solution) allowing its users to make these attestations, and tie them to specific facts about the image presented in the c2pa.metadata. Also possibly separately-in-time from their publishing flow. Does that make sense?

It's possible that the recommendation here is that anyone who wants to make a verifiable statement about the media must implement a signing flow and sign manifests themselves. Is that the case?

Leonard Rosenthol · Answer 3 · Mon Feb 12 2024 21:47:44 GMT+0800 (China Standard Time)

It's possible that the recommendation here is that anyone who wants to make a verifiable statement about the media must implement a signing flow and sign manifests themselves. Is that the case?

If you want the verifiable statement to be part of the provenance of the asset, that can be verified as part of the C2PA validation process - then yes, those statements would need to be signed and incorporated into a C2PA Manifest.

Of course, there are a variety of other groups working on external attestation systems such as the CredWeb effort from the W3C.