Skip to content

Add X.509 trust model guidance #240

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

Add X.509 trust model guidance #240

Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
d63cfa0
Define trust model for X.509 certificates in identity assertions
scouten-adobe Sep 16, 2025
73f0f96
Tweak wording
scouten-adobe Sep 16, 2025
1c13aee
Update to describe an interim trust list per recent discussions
scouten-adobe Sep 29, 2025
09574d3
Update based on recent feedback
scouten-adobe Oct 8, 2025
d99bd07
Cite Mozilla TL
scouten-adobe Oct 8, 2025
b1e9ecb
Typo fix per @lrosenthol
scouten-adobe Oct 9, 2025
a2bf4bb
Cite C2PA time stamp spec
scouten-adobe Oct 9, 2025
18aa164
Accept @chalford suggestion
scouten-adobe Oct 9, 2025
62f7cb3
Merge branch 'main' into x509-trust-guidance
scouten-adobe Oct 16, 2025
e36c4af
Incorporate feedback from @chalford in #244 and edit
scouten-adobe Oct 16, 2025
049c896
Accept feedback from @chalford
scouten-adobe Oct 17, 2025
856cdc5
Refine the interim trust model
scouten-adobe Oct 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 58 additions & 3 deletions docs/modules/ROOT/partials/credential-types/x509.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,9 @@ To generate the COSE signature for an *<<_identity_assertion,identity assertion>
* link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_signing_a_claim++[Section 10.3.2.4, “Signing a claim”]
* link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_time_stamps++[Section 10.3.2.5, “Time-stamps”]
+
IMPORTANT: An *<<_identity_assertion,identity assertion>>* MUST NOT contain a v1 time-stamp as defined in link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_choosing_the_payload++[Section 10.3.2.5.2, “Choosing the payload.”]
IMPORTANT: An *<<_identity_assertion,identity assertion>>* MUST NOT contain a v1 time stamp as defined in link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_choosing_the_payload++[Section 10.3.2.5.2, “Choosing the payload.”]
+
An *<<_identity_assertion,identity assertion>>* generator MAY omit the time stamp from the *<<_identity_assertion,identity assertion>>* if it expects that a valid time stamp will be added to the _<<C2PA Manifest>>_ or as a separate link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#time_stamp_manifests++[time-stamp manifest] or link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#timestamp_assertion++[time-stamp assertion].
* link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_credential_revocation_information++[Section 10.3.2.6, “Credential revocation information”]
* link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_hashing++[Section 13.1, “Hashing”]
* link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_digital_signatures++[Section 13.2, “Digital signatures”]
Expand All @@ -23,6 +25,7 @@ In each of the above sections, the following changes MUST be applied:
The `signer_payload` data structure MUST be serialized as described in link:++https://www.rfc-editor.org/rfc/rfc8949.html#name-core-deterministic-encoding++[Section 4.2.1, “Core Deterministic Encoding,”] of RFC 8949: Concise Binary Object Representation.
The resulting byte string is presented to the _<<_credential_holder,credential holder>>_ for signature.
* Any reference to the _claim generator_ MUST be replaced with the _<<_actor,actor>>_ whose _X.509 certificate_ is being used for this assertion.
* The *<<_identity_assertion,identity assertion>>* generator SHALL use an _X.509 certificate_ that complies with the trust model described in xref:_trust_model_for_x_509_certificates[xrefstyle=full].

==== Validating the COSE signature

Expand All @@ -37,5 +40,57 @@ In each of the above sections, the following changes MUST be applied:

* Any reference to the _claim_ MUST be replaced with the CBOR serialization of the `signer_payload` field from the *<<_identity_assertion,identity assertion>>.*
* Any reference to the _claim generator_ MUST be replaced with the _<<_actor,actor>>_ whose _X.509 certificate_ is being used for this assertion.
* The validator SHALL maintain one or more _<<_trust_list,trust lists>>_ which do not need to be the same as the _<<_trust_list,trust lists>>_ used to validate claim generator signatures as described in link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_c2pa_signers++[Section 14.4.1, “C2PA Signers.”]
* The validator SHALL consider any v1 time-stamp as defined in link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_choosing_the_payload++[Section 10.3.2.5.2, “Choosing the payload”] to be invalid.
* A validator MUST NOT issue the status `cawg.identity.trusted` for an *<<_identity_assertion,identity assertion>>* unless the _X.509 certificate_ is found to comply with the trust model as described in xref:_trust_model_for_x_509_certificates[xrefstyle=full].
* To determine the validity of an _X.509 certificate_ in an *<<_identity_assertion,identity assertion>>* signature, the validator MUST first consider any time stamp contained within the *<<_identity_assertion,identity assertion>>.* If no such time stamp exists, the validator MUST then evaluate the C2PA claim signature’s link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_time_stamps++[time stamp] or a subsequent link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#time_stamp_manifests++[time stamp manifest] or link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#timestamp_assertion++[time stamp assertion] to determine the time of signing.
* A validator SHALL consider any v1 time stamp as defined in link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_choosing_the_payload++[Section 10.3.2.5.2, “Choosing the payload”] to be invalid.


==== Trust model for X.509 certificates

A validator shall maintain the following information for evaluating CAWG X.509 signers, known as the *CAWG trust configuration*:

* A list of accepted Extended Key Usage (EKU) values. For each accepted EKU value,
** A list of accepted Certificate Policy (CP) values.
** A list of X.509 certificate trust anchors.

The list of accepted EKUs MUST include `id-kp-documentSigning` (1.3.6.1.5.5.7.3.36).
No certificate policy or trust anchors are required for `id-kp-documentSigning` at this time.

The requirements for link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_time_stamping_authorities++[Time stamping authorities] and link:++https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_private_credential_storage++[Private credential storage] are identical to those stated in the C2PA technical standard.
An implementation MAY share the implementation for these two trust lists between C2PA and CAWG implementations.

[#interim-trust-model]
===== Interim trust model additions

[IMPORTANT]
.Time restrictions for this section
====
The configuration options described in this section are valid only for *identity assertions* generated on or before 31 March 2027.
====

An *identity assertion* generator MUST include a valid time stamp in the <<C2PA Manifest>> or the **identity assertion** as described in xref:_generating_the_cose_signature[xrefstyle=full] to ensure validity under this section.

An *identity assertion* validator MUST evaluate the following conditions, regardless of time of validation.

An *identity assertion* validator MUST be configured to accept an _X.509 certificate_ as trusted when *all* of the following requirements are met:

1. The time of validation is on or before 31 March 2027 _or_ a trusted time stamp establishes that the *identity assertion* was issued on or before 31 March 2027.
2. The EKU `id-kp-emailProtection` (1.3.6.1.5.5.7.3.4) is used.
3. One of the following certificate policy IDs is used:
+
** Organization-validated Multipurpose (2.23.140.1.5.2.2)
** Organization-validated Strict (2.23.140.1.5.2.3)
** Sponsor-validated Multipurpose (2.23.140.1.5.3.2)
** Sponsor-validated Strict (2.23.140.1.5.3.3)
** Individual-validated Multipurpose (2.23.140.1.5.4.2)
** Individual-validated Strict (2.23.140.1.5.4.3)
+
IMPORTANT: This list does not include Mailbox-validated or “legacy” certificate purpose OIDs.
+
NOTE: The issuance criteria for such certificates are specified by the CA/Browser Forum in https://cabforum.org/uploads/CA-Browser-Forum-SMIMEBR-1.0.11.pdf[Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates, version 1.0.11] and may be updated in subsequent versions.
4. The certificate chains up to one of the following roots of trust:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
4. The certificate chains up to one of the following roots of trust:
4. The lists below may include both CA and end-entity certificates. The certificate under validation MUST either be directly included in one of these lists, or have a valid chain of trust to a certificate present in one of these lists.

The IPTC list currently includes end-entity certificates, can we ensure validators support this? That's usually the assumption with end-entity certs in trust lists, but it would be good to be explicit.

+
** The *https://wiki.mozilla.org/CA[Mozilla Root Store with the Email (S/MIME) Trust Bit Enabled].*
A PEM-encoded version of this list is available at https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Email.
** The *https://iptc.org/verified-news-publishers-list/[IPTC Origin Verified News Publishers List].*
A PEM-encoded version of this list is available at https://iptc.org/verified-news-publishers-list/verified-news-publishers-list.pem.