W3C home > Mailing lists > Public > public-credentials@w3.org > September 2021

Re: C2PA Specifications - First Public Draft

From: Leonard Rosenthol <lrosenth@adobe.com>
Date: Thu, 2 Sep 2021 18:56:28 +0000
To: Adrian Gropper <agropper@healthurl.com>
CC: Steven Rowat <steven_rowat@sunshine.net>, "public-credentials (public-credentials@w3.org)" <public-credentials@w3.org>
Message-ID: <MN2PR02MB69927991F1E686DEE6CD4AF0CDCE9@MN2PR02MB6992.namprd02.prod.outlook.com>
Let’s (hopefully) agree that at the core of either of the issues you raise is TRUST.

Either you trust the person/organization/government that signed the asset or you don’t.  If I discover an asset that claims that you, Adrian Gropper, authored it *but* it is signed by an entity that I know you have no relationship with – then I am not going to trust it.  However, if you signed the asset yourself (using a known certificate of yours that I trust) *or* you had another trusted party sign on your behalf, then I will trust it.

Concerning opportunities for the C2PA technology to be used in ways that can harm individuals,. I will point you to Section 16.2 of our spec (https://c2pa.org/public-draft/#_harms_misuse_and_abuse) clearly identifying how we are assessing our technology in this arena.  If you have ideas about approaches that we could take to reduce such situations, we would welcome your input.

Leonard

From: Adrian Gropper <agropper@healthurl.com>
Date: Thursday, September 2, 2021 at 1:27 PM
To: Leonard Rosenthol <lrosenth@adobe.com>
Cc: Steven Rowat <steven_rowat@sunshine.net>, public-credentials (public-credentials@w3.org) <public-credentials@w3.org>
Subject: Re: C2PA Specifications - First Public Draft
Leonard,

I don't think it's as simple as you imply. The decision to post a photo anonymously or pseudonymously is almost never mine alone. There are platform constraints, self-censorship, and the inability to predict future concerns as current (lack) of privacy regulations together with near-zero network, storage, and processing costs encourage an unlimited and growing number of data brokers and aggregators.

Bottom line, any digital content scheme that makes surveillance more efficient will be abused by the powerful under the current or foreseeable conditions. See: https://en.wikipedia.org/wiki/Pre-crime<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FPre-crime&data=04%7C01%7Clrosenth%40adobe.com%7Ccce5dd8284174aa1537908d96e36e000%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637662004235899805%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=nTgnQCQTpaLZMGqUk8xhdIKb0S3HRc2epJYFQ8q1VeE%3D&reserved=0>

- Adrian

On Thu, Sep 2, 2021 at 12:49 PM Leonard Rosenthol <lrosenth@adobe.com<mailto:lrosenth@adobe.com>> wrote:
Adrian – great question!

If you take a photo that you wish to share with friends on Facebook, then you are making a statement that you want that image associated with you including being known as the author/photographer of that image…so as other reshare it, the fact that you took the photo is not lost.  Of course, you could just as reasonably choose to not put any information about yourself in the image and post it anonymously to some other network – and that would be fine too.  The choice is always yours about how much (or how little) of your information you choose to share!

Leonard

From: Adrian Gropper <agropper@healthurl.com<mailto:agropper@healthurl.com>>
Date: Thursday, September 2, 2021 at 12:35 PM
To: Steven Rowat <steven_rowat@sunshine.net<mailto:steven_rowat@sunshine.net>>
Cc: Leonard Rosenthol <lrosenth@adobe.com<mailto:lrosenth@adobe.com>>, public-credentials (public-credentials@w3.org<mailto:public-credentials@w3.org>) <public-credentials@w3.org<mailto:public-credentials@w3.org>>
Subject: Re: C2PA Specifications - First Public Draft
DIDs and VCs are burdened by their "self-sovereign" aspirations. "Content" may be able to avoid many privacy concerns to the extent it's not linked to people. It would be interesting to understand the principal use-cases and how C2PA avoids indirect linkage of Content to people.

- Adrian

On Thu, Sep 2, 2021 at 12:15 PM Steven Rowat <steven_rowat@sunshine.net<mailto:steven_rowat@sunshine.net>> wrote:
On 2021-09-01 6:08 am, Leonard Rosenthol wrote:

I’ve been mentioning the work of the Coalition for Content Provenance and Authenticity (C2PA) for a while now, including our usage of W3C Verifiable Credentials.  I am excited to announce that the first public draft of our specification is available for review and comment.  I would welcome the input from this community on how we have chosen to integrate VC’s into our system.

[snip]...

The draft specification can be accessed through the C2PA website<https://c2pa.org/public-draft/><https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fc2pa.org%2Fpublic-draft%2F&data=04%7C01%7Clrosenth%40adobe.com%7Ccce5dd8284174aa1537908d96e36e000%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637662004235909757%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=cdMQU0oNJY9uq74xehG9LZ0RXoCBgfS%2FYd3hWdFSTOA%3D&reserved=0>, and comments will be accepted through a web submission form<https://docs.google.com/forms/d/e/1FAIpQLSevOsvZKHIc_4Dljk7IkoW37mcuItUEV3I6hoUZhR2suxRVPg/viewform><https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fforms%2Fd%2Fe%2F1FAIpQLSevOsvZKHIc_4Dljk7IkoW37mcuItUEV3I6hoUZhR2suxRVPg%2Fviewform&data=04%7C01%7Clrosenth%40adobe.com%7Ccce5dd8284174aa1537908d96e36e000%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637662004235909757%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tiIVfRIonu806uFF4LbteVI7V7KeEWGTMyaExm5YtG8%3D&reserved=0> and GitHub<https://github.com/c2pa-org/public-draft><https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fc2pa-org%2Fpublic-draft&data=04%7C01%7Clrosenth%40adobe.com%7Ccce5dd8284174aa1537908d96e36e000%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637662004235919712%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Bra98u%2FDmJU%2BLkCDCoaTHP08mwUmSDz6YnHLmTESQic%3D&reserved=0> until November 30, 2021.

Leonard,

C2PA seems like a very interesting and ambitious project. But after scanning through, my take is that it recreates something like DID Documents. In other words that it's a parallel project that performs the same function, not an extension into new function. Am I off base here, or is this true, in your opinion?

I note that you only use DIDs a single time, in section 7.1, the Verifiable Credential example. And then right away you specifically note about this that DIDs are not necessary for VCs:

"Although the example above and many examples in the W3C Verifiable Credentials data model specification use Decentralized Identifiers (DIDs) as the value of the id field, DIDs are not necessary for W3C Verifiable Credentials to be useful. Specifically, W3C Verifiable Credentials do not depend on DIDs and DIDs do not depend on W3C Verifiable Credentials. DID-based URLs are just one way to express identifiers associated with subjects, issuers, holders, credential status lists, cryptographic keys, and other machine-readable information associated with a W3C Verifiable Credential."

And that's the only place in this whole, very large, specification, that DIDs appear. And VCs themselves, you indicate, are a tolerated add-on, but not necessary either for your system (as far as I can determine).

So:

On a continuum of possibility, I'll ask whether you think the C2PA project is *closer* to aiming for...

1. Integrating with DID based provenance systems, so that there can be interoperability with DID published data (and formal DID Documents).

or

2. Creating a document provenance system that has no need for DIDs, so that DIDs will be unnecessary and die out, and the functions they're aiming for replaced by the C2PA system?



Steven Rowat











C2PA is accepting new members. To join, visit https://c2pa.org/membership/<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fc2pa.org%2Fmembership%2F&data=04%7C01%7Clrosenth%40adobe.com%7Ccce5dd8284174aa1537908d96e36e000%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637662004235919712%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=VFI3mCvD312wQ7kvk6r%2FvV7L2IvrZDmsY2WssiifLnc%3D&reserved=0>.



About C2PA

The Coalition for Content Provenance and Authenticity (C2PA) is an open, technical standards body addressing the prevalence of misleading information online through the development of technical standards for certifying the source and history (or provenance) of media content. C2PA is a Joint Development Foundation project, formed through an alliance between Adobe, Arm, BBC, Intel, Microsoft and Truepic. For more information, visit c2pa.org<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fc2pa.org%2F&data=04%7C01%7Clrosenth%40adobe.com%7Ccce5dd8284174aa1537908d96e36e000%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637662004235929670%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=DanMs6rjk5x88irzmhGeEFEhMoBxlLidFDTZQshSrFA%3D&reserved=0>.



###
Received on Thursday, 2 September 2021 18:56:47 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 September 2021 18:56:49 UTC