Project Origin

Protecting Trusted Media

Origin Verified Publisher Trust List (OVPTL) Policy - Preview

Draft - Subject to Ratification of IPTC Media Provenance Committee

Introduction

Project Origin is an alliance of leading organizations from the publishing and technology worlds, working together to create a process where the provenance and technical integrity of content can be confirmed, establishing a chain of trust from the publisher to the consumer. This allows the consumer to be assured that the content they are consuming really comes from the publisher they think it does, to "transit" the pre-existing trust that consumer has with this publisher, as a defense against attempts at impersonation by unknown adversaries.

Project Origin utilizes the Content Credentials technology developed by the Coalition for Content Provenance and Authenticity (C2PA). Content Credentials leaves decisions regarding trust anchors to the particular application and ecosystem in which it is being used, and it is in this regard that Project Origin defines trust anchors and policies for the news and media ecosystem, where trust relationships already exist between consumers and publishers, and those trust relationships are threatened by malicious third parties attempting to intercept and tamper with, or release, content impersonating those brands. In contrast to other public key infrastructures or C2PA-based ecosystems, identities in this ecosystem are particularly high-value, and the cost of a successful misappropriation or mis-issuance of signing credentials is particularly high, due to signed content being attributed to the signer effectively forever. As a result, this ecosystem demands a much more rigorous real-world standard of validating applicants for signing credentials, which we begin to define in this preview.

As of version 1.4 of the C2PA specification, the only supported signing credential type is X.509v3 certificates. Eventually, Project Origin intends to publish a list of root certificates from various Certification Authority (CA) operators that comply with this policy and standard, as well as a list of acceptable Extended Key Usages (EKUs) which consumers in this application ecosystem can rely upon for identifying the signers of content. Project Origin also intends to publish a list of root certificates from various CA operators that are suitable for signing time-stamps, in accordance with the C2PA standard.

In its current preview, Project Origin will publish a list of end-entity certificates that have been through a lightweight identity verification process, intended to serve the early requirements of news organisations wanting a C2PA certificate for identification and signing of their content.

This policy represents a "preview" of the Origin Trust List, not the final document, and will continue to be revised and expanded.

Getting onto the list

At the launch of the preview, the list will contain a handful of news organisations whose identities have been vetted by the organisations that are members of Project Origin. After being vetted, these organisations have had a certificate issued to them by Truepic, Inc., an early partner of Project Origin.

This is not intended to be the final process for issuing an "Origin Verified Publisher" certificate. As Project Origin develops as part of the IPTC Media Provenance Working Group, we fully expect to make this process much more open, and to move to a validation process involving multiple CA operators, issuing with EKUs tied to the identity verification process.

If you are a news publisher and you are interested in getting hold of an "Origin Verified Publisher" certificate for signing your content via C2PA / Content Credentials, then please get in touch on our Contact page.

Validation of Origin Verified Publisher certificates

Validators wishing to validate that a certificate was issued according to this policy can do the following:

  1. Get hold of the Origin Verified Publisher Trust List (OVPTL)
  2. Do either of the following:
    1. assess whether the end-entity certificate is on the OVPTL JSON list, by running through the `entities` array and comparing each entry's `x5c` certificate with the certificate being validated
    2. assess whether the end-entity certificate is on the OVPTL PEM list, by running through the list and comparing each certificate with the certificate being validated
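The following is an added example of the membership check described in the steps above, written for this page and not Project Origin's own validator code. It assumes the JSON list is an object with a top-level `entities` array whose items carry an `x5c` array of base64-encoded DER certificates with the end-entity certificate first (the `name` field and the certificate bytes below are constructed stand-ins, not real X.509 data), and that the PEM list is a concatenation of `CERTIFICATE` blocks. Both lists are compared by exact DER bytes (via a SHA-256 fingerprint), so a certificate that merely shares a subject name with a listed publisher is not accepted.

```python
"""Check whether an end-entity certificate appears on the OVPTL.

Added example, not Project Origin's code. Assumed formats:
  - JSON: {"entities": [{"x5c": ["<base64 DER>", ...], ...}, ...]}
          (x5c[0] is the end-entity certificate; hypothetical field names
          such as "name" are illustrative only)
  - PEM:  one or more -----BEGIN CERTIFICATE----- blocks concatenated
"""
import base64
import hashlib
import json
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed stand-ins for DER-encoded certificates (NOT real X.509 data).
TRUSTED_DER = b"\x30\x82\x01\x00" + b"publisher-A-cert".ljust(32, b"\x00")
OTHER_DER = b"\x30\x82\x01\x00" + b"impostor-cert".ljust(32, b"\x00")


def der_to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block (used to build sample data)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample trust lists in the two assumed formats.
SAMPLE_OVPTL_JSON = json.dumps({
    "entities": [
        {"name": "Example Publisher A (constructed)",
         "x5c": [base64.b64encode(TRUSTED_DER).decode()]},
    ]
})
SAMPLE_OVPTL_PEM = der_to_pem(TRUSTED_DER)


def pem_to_der_list(pem_text):
    """Decode every PEM CERTIFICATE block in the text to DER bytes."""
    return [base64.b64decode("".join(m.split())) for m in PEM_BLOCK.findall(pem_text)]


def fingerprint(der):
    """SHA-256 over the exact DER encoding; equal bytes <=> equal fingerprint."""
    return hashlib.sha256(der).hexdigest()


def ovptl_json_fingerprints(json_text):
    """Fingerprints of the end-entity certificate (x5c[0]) of each entity."""
    doc = json.loads(json_text)
    fps = set()
    for entity in doc.get("entities", []):
        x5c = entity.get("x5c") or []
        if isinstance(x5c, str):          # tolerate a bare string instead of a list
            x5c = [x5c]
        if not x5c:
            continue                      # entity without a certificate: skip it
        leaf = base64.b64decode("".join(x5c[0].split()))
        fps.add(fingerprint(leaf))
    return fps


def ovptl_pem_fingerprints(pem_text):
    """Fingerprints of every certificate in the PEM list."""
    return {fingerprint(d) for d in pem_to_der_list(pem_text)}


def to_der(cert):
    """Accept DER bytes or a single PEM block for the certificate under test."""
    if isinstance(cert, bytes):
        return cert
    ders = pem_to_der_list(cert)
    if len(ders) != 1:
        raise ValueError("expected exactly one PEM certificate, got %d" % len(ders))
    return ders[0]


def is_on_ovptl(cert, trusted_fingerprints):
    """True only if the candidate's DER bytes match a listed certificate exactly."""
    return fingerprint(to_der(cert)) in trusted_fingerprints


def check_candidate(cert, json_text=SAMPLE_OVPTL_JSON, pem_text=SAMPLE_OVPTL_PEM):
    """Run both variants of step 2 and report each result."""
    return {
        "json": is_on_ovptl(cert, ovptl_json_fingerprints(json_text)),
        "pem": is_on_ovptl(cert, ovptl_pem_fingerprints(pem_text)),
    }


if __name__ == "__main__":
    print("trusted:", check_candidate(TRUSTED_DER))      # both True
    print("other:  ", check_candidate(OTHER_DER))        # both False
```

Membership on the list answers only "was this certificate issued under this policy"; the validator still has to perform the normal C2PA checks on the manifest signature itself (signature verification, validity period and any revocation information the certificate carries) before attributing content to the listed publisher.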

Relationship to C2PA 2.0 and a future "C2PA Public Trust List"

C2PA 2.0 includes a reference to a "C2PA Public Trust List", which is a currently unreleased list of root CAs which intend to issue end-entity certificates identifying hardware devices and software. It also allows for additional trust lists to be processed by the validator, of which the Origin Verified Publisher Trust List (OVPTL) is one.

It is the intention of this policy to be used alongside the "C2PA Public Trust List", when released, with the expectation that the identities of the end-entities on the two lists are mutually exclusive.

For example, a publishing organisation is an identity that could be issued as part of the Origin Verified Publisher Trust List, but that same organisation could also produce software. That software may also wish to gain identity separate from its developing organisation, and so the C2PA Public Trust List may be a good place to gain a certificate verifying that identity. Which certificate a given application or organisation wishes to use to sign is a decision for them, based on their use case, application and ecosystem.