This document states the set of requirements placed on “IPTC Verified News Publisher Certificates”, and describes the two-actor process for the issuance of one to an organization, where a Registration Authority, the IPTC, issues a “Verified News Publisher Credential” attesting to certain information about a publisher and thus “verifying” it, and where a Certificate Authority takes this credential as authorization for the issuance of a Verified News Publisher Certificate to that organization. In the final step, the CA sends the certificate to the IPTC to add the certificate on to its “Verified News Publisher List”.

NOTE: These requirements are subject to change, and are potentially restrictive in order to manage the number of eligible organisations in our early phased roll out plan. They are expected to change subject to feedback.

Verified News Publisher Certificates must follow C2PA 2.0 specification requirements, found here: https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#x509_certificates.

The C2PA specification allows for the use of the emailProtection and documentSigning EKUs, however, certificates intended for inclusion on the Verified News Publisher list must include the id-kp-documentSigning (1.3.6.1.5.5.7.3.36) EKU.

In the future, we may change the mechanism for indicating a Verified News Publisher Certificate. Options include:

1. using a custom EKU as a label
2. including an issuing certificate authority on the IPTC Verified News Publisher List

The CA SHOULD notify the IPTC on the issuance of a new Verified News Publisher Certificate. If valid and authorised, the Verified News Publisher list will then be used to record the hashes of end-entity certificates that have been issued by a certificate authority authorised by the IPTC.

A Verified News Publisher Certificate MUST ONLY be issued to organisations that present a Verified News Publisher Credential, and proof that they are the identified subject of that Credential.

The Subject Distinguished Name of the issued certificate must match the records produced as part of the IPTC Verified News Publisher identity-proof.md requirements, and included in the issued Verified News Publisher Credential. The certificate issuer must ensure that the person being issued their organisation’s certificate is the same person as indicated in either the authorisedOfficer or certificateIssuanceContact fields in the credential.

Any Verified News Publisher Certificate issued MUST have a validity period within or identical to the Verified News Publisher Credential that authorised its issuance.

In Phase 1, a Verified News Publisher Credential may take the form of an email from the managing director of the IPTC, including the above details. In the future, it is expected that the Credential will be a cryptographically signed digital asset.

Revocation of an IPTC Verified News Publisher Certificate broadly follows the split of registration (IPTC) / certificate issuance (CA). This section outlines the revocation requirements for Verified News Publisher Certificates. Please also refer to documentation and guidance from the issuing CA for any extra requirements or procedures.

As per the “Verified News Publisher Credential Policy”, the IPTC may issue a revocation instruction to issuing CAs. CA’s issuing Verified News Publisher Credentials MUST obey revocation instructions from the IPTC.

When an issuing CA revokes a certificate, they MUST issue a revocation notification to the IPTC.

It is expected that each issuing CA will have their own certificate policies defining revocation events and procedures. In addition to them, Verified News Publisher Certificates MUST be revoked when:

• certificate private keys are disclosed outside of the organisation

Additionally, issuing CAs MUST define a policy for the secure handling of private keys, and require that end-entities notify CA’s in the event that keys are handled outside of this policy. Such a notification MUST trigger a revocation.

The certificate authority issuing the certificate must offer an OCSP responder service. It must be delivered over HTTPS, not plain HTTP, to ensure the connection is encrypted.