- From: Steven Rowat <steven_rowat@sunshine.net>
- Date: Thu, 2 Sep 2021 12:26:39 -0700
- To: Leonard Rosenthol <lrosenth@adobe.com>, "public-credentials (public-credentials@w3.org)" <public-credentials@w3.org>
- Message-ID: <2a28b1ef-96cd-97b3-d9c5-a7aa15453917@sunshine.net>
On 2021-09-02 9:42 am, Leonard Rosenthol wrote: > Steven – not sure how you see C2PA manifests and DID documents being similar. A C2PA manifest is an entity designed to be embedded into an asset (image, video, document, etc.) and fully functional when offline (though, of course, there are also opportunities/improvements that can exist when online). A DID document, on the other hand, is an entity returned by a service based on the resolution of its DID method and so required to work only when online. OK, I see this distinction for the Document as currently envisaged; being online. But could you not simply design a version of the DID Document to be carried in, bound to, the asset, and call it a 'Manifest DID Document'? Again, why is a fully parallel new system necessary -- one which, I assume, might be working online anyway in many use cases, and possibly a majority of the time? > You are correct that in C2PA we view DIDs as an identifier to what we define as an actor – which could be a human, a machine, an organization, etc. But DIDs are expressly designed to identify anything -- including the 'asset'. Why limit it to just an 'actor'. DIDs were not designed merely to apply to 'actors' like people and machines. They also refer to specific assets like your 'image, video, document'. But you're not taking advantage of this, apparently. You're splitting those two major uses: you're saying that actors can be identified in one way (including VCs with their own DIDs), but assets need a new way, which you're going to re-define, and which is, according to your system, definitely not DIDs. > For DID documents that don’t return VC’s, you rightly point out that we don’t have a solution at this time – and I would welcome discussions with you and others about what sorts of use cases you envision and how we could support them. As I was getting at above: how will you handle, say, a small publisher or self-publisher of assets which they are identifying using a system of DIDs. What if the publisher, or author, and each of the assets they produce, are all identified as a linked system of DIDs, so that a user refers back to the DID Document from any asset. Can this somehow be integrated into the C2PA system? If it could, it would seem to be a plus, because as you point out, your system is designed to work offline also. But without that, for you to create such a new C2PA system of binding the provenance, and identifying the creator and the asset, without being able to trade data with DID Document publishing systems, seems like it will merely create a new siloing of publishing methods. What if Adobe and Microsoft, who are part of C2PA, support it -- and Apple doesn't? Will only people who read the New York Times on Microsoft Windows have C2PA provenance for the stories, but not those who read it on Apple? And what if Jane Doe publishes, by herself, an exposé of New York Times reporting practices. She can only do this and get C2PA provenance if she uses Microsoft Windows? Your answer will be, I predict (in fact, I think it's stated in your spec): but we want everyone to use C2PA. And one ring to rule them. And that's exactly what the DID system is doing, too, AFAIK. So it still seem to me that they're competing, not complementary, at this point, to the degree that I understand both systems. But I look forward to being corrected. :-) Steven Rowat > Leonard From: Steven Rowat <steven_rowat@sunshine.net> Date: Thursday, September 2, 2021 at 12:13 PM To: Leonard Rosenthol <lrosenth@adobe.com>, public-credentials (public-credentials@w3.org) <public-credentials@w3.org> Subject: Re: C2PA Specifications - First Public Draft On 2021-09-01 6:08 am, Leonard Rosenthol wrote: I’ve been mentioning the work of the Coalition for Content Provenance and Authenticity (C2PA) for a while now, including our usage of W3C Verifiable Credentials. I am excited to announce that the first public draft of our specification is available for review and comment. I would welcome the input from this community on how we have chosen to integrate VC’s into our system. [snip]... The draft specification can be accessed through the C2PA > website<https://c2pa.org/public-draft/><https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fc2pa.org%2Fpublic-draft%2F&data=04%7C01%7Clrosenth%40adobe.com%7C5a74c69ef2604aaf148e08d96e2ca18e%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637661960234430686%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=HKh%2BmyM9ZL9rCTaCZkPmNUR0%2BG14at3FK1668dRZDgk%3D&reserved=0>, and comments will be accepted through a web submission > form<https://docs.google.com/forms/d/e/1FAIpQLSevOsvZKHIc_4Dljk7IkoW37mcuItUEV3I6hoUZhR2suxRVPg/viewform><https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fforms%2Fd%2Fe%2F1FAIpQLSevOsvZKHIc_4Dljk7IkoW37mcuItUEV3I6hoUZhR2suxRVPg%2Fviewform&data=04%7C01%7Clrosenth%40adobe.com%7C5a74c69ef2604aaf148e08d96e2ca18e%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637661960234440657%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=H1q05OZ2LrXP43w5d%2FC6Ap795xiYPNAfs8ZMZAOBpvQ%3D&reserved=0> and > GitHub<https://github.com/c2pa-org/public-draft><https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fc2pa-org%2Fpublic-draft&data=04%7C01%7Clrosenth%40adobe.com%7C5a74c69ef2604aaf148e08d96e2ca18e%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637661960234440657%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=wlMhxgxtAVRXhbKyV%2B%2F%2BKnoD9c7U6P0mwmwqk70bNx4%3D&reserved=0> until November 30, 2021. Leonard, C2PA seems like a very interesting and ambitious project. But after scanning through, my take is that it recreates something like DID Documents. In other words that it's a parallel project that performs the same function, not an extension into new function. Am I off base here, or is this true, in your opinion? I note that you only use DIDs a single time, in section 7.1, the Verifiable Credential example. And then right away you specifically note about this that DIDs are not necessary for VCs: > "Although the example above and many examples in the W3C Verifiable Credentials data model specification use Decentralized Identifiers (DIDs) as the value of the id field, DIDs are not necessary for W3C Verifiable Credentials to be useful. Specifically, W3C Verifiable Credentials do not depend on DIDs and DIDs do not depend on W3C Verifiable Credentials. DID-based URLs are just one way to express identifiers associated with subjects, issuers, holders, credential status lists, cryptographic keys, and other machine-readable information associated with a W3C Verifiable Credential." And that's the only place in this whole, very large, specification, that DIDs appear. And VCs themselves, you indicate, are a tolerated add-on, but not necessary either for your system (as far as I can determine). So: On a continuum of possibility, I'll ask whether you think the C2PA project is *closer* to aiming for... 1. Integrating with DID based provenance systems, so that there can be > interoperability with DID published data (and formal DID Documents). or 2. Creating a document provenance system that has no need for DIDs, so that DIDs will be unnecessary and die out, and the functions they're aiming for replaced by the C2PA system? Steven Rowat C2PA is accepting new members. To join, visit https://c2pa.org/membership/<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fc2pa.org%2Fmembership%2F&data=04%7C01%7Clrosenth%40adobe.com%7C5a74c69ef2604aaf148e08d96e2ca18e%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637661960234450608%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=KK43oM%2FJrgjUpfMR9057bCLq72KOhkpiBMSrMLBAEwQ%3D&reserved=0>. About C2PA The Coalition for Content Provenance and Authenticity (C2PA) is an open, technical standards body addressing the prevalence of misleading information online through the development of technical standards for certifying the source and history (or > provenance) of media content. C2PA is a Joint Development Foundation project, formed through an alliance between Adobe, Arm, BBC, Intel, Microsoft and Truepic. For more information, visit c2pa.org. ###
Received on Thursday, 2 September 2021 19:26:59 UTC