Skip to main content

C2PA conformance program

The C2PA conformance program helps to ensure that products that read and create Content Credentials are compliant with the C2PA Content Credentials specification.

The C2PA conformance program covers:

info

If you're developing a product that reads or creates Content Credentials, you can apply for the C2PA conformance program. If accepted, the product is added to the conforming products list, which indicates it is compliant with the C2PA Content Credentials specification.

To start the process, fill out C2PA's expression of interest form.

When you apply to the conformance program, you will:

  • Sign a legal agreement with the C2PA.
  • Provide evidence supporting your application such as diagrams and documentation.
  • Work with the conformance program staff to resolve any questions.
tip

Use the Conformance Explorer to browse and search live versions of the C2PA conforming products list and trust lists.

Products

Validator products

A validator product can read and validate a manifest store for a digital asset. A conforming validator product produces correct validation results according to the C2PA Content Credentials specification.

For more information, see C2PA Conformance Program Documents, specifically C2PA conformance program - section 6.1.1, Validator Product Specification Requirements.

Generator products

A generator product can generate manifest data for a digital asset. A conforming generator product produces manifest data that conforms to the C2PA Content Credentials specification, creates assertions in the asset's active manifest and signs a claim using a valid X.509 certificate on the C2PA trust list.

For more information, see C2PA Conformance Program Documents, specifically:

Security requirements

When you apply to the conformance program, you must fill out the information required in the product security architecture template in Appendix C of the C2PA Generator Product Security Requirements, providing details on:

  • The organization submitting the application.
  • The product, its capabilities, and the systems it uses or relies upon.
  • The product's security architecture, including methods for key generation and storage, and protections against various kinds of misconfiguration, abuse, and exploitations.

Assurance levels

A conforming product's assurance level indicates the level of confidence that claims it signs reflect its intended behavior. A higher assurance level indicates a greater level of confidence. Currently, the conformance program has two assurance levels: level 1 and level 2:

The assurance level is encoded as the value of a custom X.509 v3 certificate extension in the product's claim signing certificate. The C2PA defines the max assurance level of a generator product based on the security attributes of its overall implementation architecture. The assurance level in the certificate issued to a particular instance of a conforming generator product may be lower than the max assurance level.

Certificate authorities

The C2PA certificate policy specifies requirements for certificate authorities (CAs) that issue claim signing certificates for use by generator products, and the requirements that those products have to meet when using the certificates.

CAs that meet the certificate policy can be on the C2PA trust list, and can issue certificates to conforming generator products under the C2PA conformance program.