The C2PA Conformance Program provides assurance that products adhere to the Content Credentials specification, and fulfill a set of security requirements to ensure they are producing and validating C2PA data correctly.
The Conformance Program is a risk-based, transparent and unbiased governance process intended to hold generator products, validator products, and certification authorities accountable to the Content Credentials specification, the Certificate Policy, and the Security Requirements. Conforming products are placed on a publicly accessible list. This conveys confidence in the implementation and its security to the public and guarantees interoperability across products in the Content Credentials ecosystem.
The C2PA will provide additional technical guidance and migration instructions with enhancements to this document. It is recommended that you start preparing your implementations for C2PA Conformance and official C2PA Trust List support.
- For more information, see the program details on GitHub.
- Interested in Participating? Fill out the Expression of Interest form.
As part of the C2PA Conformance Program, we are introducing the official C2PA Trust List (C2PA TL) and retiring the Interim Trust List (ITL), since it was a temporary measure for early C2PA implementations. The ITL provided critical support during the early adoption phase of C2PA, enabling the C2PA Verify website to determine which certificates were considered valid and to prevent unknown signers from appearing as valid.
The new C2PA TL introduces key enhancements:
- A new public Certificate Policy which specifies C2PA requirements for CAs
- Higher security and interoperability
- Stronger accountability and governance
- Alignment with the C2PA 2.x specification series
- A robust governance framework
The goals of the Conformance Program and C2PA TL are to:
- Encourage ecosystem alignment with the 2.x specification. This reduces fragmentation between 1.x and 2.x and improves overall security and compatibility.
- Avoid unnecessary disruption for existing implementations. We aim to guide the transition without forcing product teams to move prematurely.
- Incentivize upgrades to C2PA 2.x specification. By eventually sunsetting support for certificates issued under the ITL, we’ll seek to promote ecosystem progress without strict mandates.
- Add Time Stamping Authorities to our Trust Lists that will enable Generator Product companies to obtain time stamp certificates from participating Certification Authorities whose certs appear on the TSA Trust List.
Through December 31, 2025: The ITL will remain operational. During this time, new certificates will continue to be accepted and the Verify site will continue to display manifests as trusted, albeit with a disclaimer that these manifests were made with an older version of the trust model. The C2PA will strongly encourage adoption of the Conformance Program and the official C2PA Trust List.
January 1, 2026: The ITL will be frozen. No new entries will be added, and no updates will be made. Existing certificates will remain valid for legacy support, but no future refreshes or additions will occur. Eventually, those certificates will expire and no longer be usable for signing. However, if content was signed during the ITL certificate’s validity period, the content will always be considered valid against the legacy trust model.
Product Messaging: Implementers are encouraged to distinguish between Content Credentials signed using ITL-based certificates (typically tied to C2PA Specification version 1.4) and those from conforming products using the official C2PA TL, just as the Verify site itself will do..
- Specification 2.x Series: https://c2pa.org/specifications
- Official C2PA Trust List:https://github.com/c2pa-org/conformance-public/tree/main/trust-list
- C2PA Certificate Policy: https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Certificate%20Policy.pdf
- Contact us at
conformance@c2pa.org. - Join the conversation on GitHub: https://github.com/c2pa-org.
- Participate in the open source community, run by the Content Authenticity Initiative on Discord: https://discord.gg/CAI.