IPTC Verified News Publisher Credential Policy
This document states the set of requirements on and the process of the issuance of “IPTC Verified News Publisher Credentials“, as part of the wider system of Verified News Publisher Certificates. Please see “IPTC Verified News Publisher Certificate Policy” for more details on certificate issuance, validity and revocation.
Requirements
NOTE: These requirements are subject to change, and are potentially restrictive in order to manage the number of eligible organisations in our early phased roll out plan. They are expected to change subject to feedback.
Applications to the IPTC Verified News Publisher programme are not currently “open”. We are in a phased roll-out process where applications will be assessed and processed according to a number of internal priorities, including ease of identity proofing (which may be easier for IPTC members), whether the market the publisher operates in is already served by the initial roll-out, and many others. We expect this to change as roll-out continues.
Organisations must apply via their “Authorized Officer”, see Glossary. The “Application Procedure” document covers the steps required to apply.
Issued Credential
The IPTC Media Provenance Committee will issue a credential, lasting 1 year, to an organisation that has met the above requirements. The credential will identify the authorised officer, and optionally, include an identity of a certificate issuance contact, who, in combination with the authorised officer, will be the only people authorised to request and receive a certificate from a Certificate Authority participating in the Verified News Publisher programme.
Revocation
Revocation of an IPTC Verified News Publisher Credential is done as part of the Verified News Publisher Certificate system as a whole. The “Certificate Policy” document includes further details on the revocation requirements on certificate, and please also refer to documentation and guidance from issuing CA on revocation to understand their specific procedures.
For Verified News Publisher Credentials, revocation events can include the following (although IPTC reserves the right to revoke credentials and certificates for any reason):
- Discovery that the details provided in the self-certification form to not match (or have not matched) the organisation listed, during the validity period of the Verified News Publisher Credential
- Discovery that the organisation’s Verified News Publisher Certificate or Credentials (and their associated private keys) are being used by anyone other than the organisation that was issued the Verified News Publisher Credential
- A notification to IPTC from the registrant requesting revocation for any reason
When IPTC is made aware of one of these events, the registration contacts for the organisation will be contacted with details of the next steps. If remediation is a possible next step, best efforts will be made to allow remediation within a 30 day window of event discovery. Failure to remediate within this time period will result in the revocation procedure below being executed. However, in some safety-critical cases, remediation may not be possible, or the remediation timeframe may be reduced or removed entirely, resulting in a revocation instruction being sent immediately.
Revocation Procedure
- a revocation instruction is sent to the CA of the associated Verified News Publisher Certificate informing them that the registrants’ Verified News Publisher Credential has been revoked, and that we are requesting that any associated certificates are revoked too.
- the Verified News Publisher Credential is revoked by IPTC
- if there are any Verified News Publisher Certificates associated with the Credential on the IPTC Verified News Publisher List, they are revoked too
Glossary
Authorised Officer
An authorised officer is either:
- An existing delegate of an organisation listed in the “Application Procedures” document under the “Short-cut” process, or
- a member of the legally-recognised top-level governance structure in a given organisation, or
- any other member of the organisation authorised by 2. to act on their behalf in this matter
In the case of 2 or 3, documentation must be submitted to prove that the authorised officer is a current employee. Documentation should also prove that the officer is member of the top-level governance structure, or, where such authorisation has been delegated, that the top-level governance structure has authorised the officer.