IPTC Media Provenance Policy

The below diagram illustrates the steps involved in obtaining and using an IPTC Verified News Publisher certificate during Phase 1 of the project.

Diagram showing the four steps involved in obtaining and using a publisher certificate under the IPTC Verified News Publisher programme.

The publisher obtains a certificate from an approved Certificate Authority. See Certificate Policy for details on which certificates are eligible. Right now we recommend the GlobalSign S/MIME Email Signing – Department certificate.
1. This can involve either the publisher generating their own public/private keypair and using a Certificate Signing Request, or:
2. The publisher requests that the Certificate Authority generates a keypair. In this case the keys are sent to the publisher using a secure message in a format known as PKCS#12.
The publisher sends the certificate to IPTC for approval as a Verified News Publisher. See our notes on the IPTC application procedure.
1. IPTC verifies that the news outlet is eligible. See credential policy for details.
2. If IPTC determines that the publisher meets our criteria, the certificate is added to the Verified News Publishers List.
The publisher signs content using the private key generated in step 1.
1. The IPTC can provide tools to help publishers to sign content, including adding publisher metadata according to the Verified News Publisher metadata assertion specification (currently under development)
2. Alternatively, the publisher can use c2patool or commercial software to sign their content, as long as it allows for the publisher’s certificate to be used to sign content.
3. The publisher publishes their content in the usual way – to their own web site and to social media outlets.
If a consumer wants to verify the signed content, they can do so using a C2PA validator service.
1. We expect that eventually the C2PA validation service will be built in to browsers, web platforms (such as social media platforms and search engines) and operating systems. But in the meantime, users can use browser plugins or upload content directly to validators.
2. The validator checks that the digital “hash” of the content matches the signed version; checks that the signature matches the certificate; and
3. The validator can also show metadata extracted from embedded “assertions” within the signed content.
4. If the validator is aware of the Origin IPTC verified News Publishers List, the tool will show whether the content’s certificate matches an entry on the VNP List.
5. The validator includes information on whether the content had been tampered with after signing, information on metadata that was included by the publisher at signing time, and details of who signed the content.