From a8bb0a42065ed91c5eb572b10ee7251615478532 Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Thu, 22 Aug 2024 14:23:18 -0700 Subject: [PATCH 1/2] Fix incorrect info re certs --- docs/getting-started.mdx | 7 ------- docs/prod-cert.mdx | 9 ++------- 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/docs/getting-started.mdx b/docs/getting-started.mdx index fa1c9239..6f74d2de 100644 --- a/docs/getting-started.mdx +++ b/docs/getting-started.mdx @@ -108,13 +108,6 @@ The above list is for reference only; inclusion does not imply endorsement by CA When you purchase a certificate, you must select at least one of the extended key usage (EKU) fields that specify what the certificate can be used for: **email protection** and **document signing**. Applications that use the CAI SDK won't accept the certificate unless it has one of these EKUs. -Certificate authorities offer many levels of validation. For Content Credentials, one of these types is highly recommended (though not required): - -- **Organization Validated (OV).** The CA validates the organization's identity by checking its credentials against extensive databases, including those held by local governments. -- **Extended Validation (EV).** A fully authenticated certificate, needed to offer secure web locations, email, and financial transactions. - -If you don't get an OV certificate, then the Content Credentials that use the certificate won't display your organization name, as shown in the examples on [verify.contentauthenticity.org](https://verify.contentauthenticity.org/). - ### Extracting the certificate To work with the certificate, you need to extract it. When the CAI SDK adds Content Credentials to an asset, it incorporates the certificate (including the associated public key) into the manifest. diff --git a/docs/prod-cert.mdx b/docs/prod-cert.mdx index 29aabdbc..001be1c8 100644 --- a/docs/prod-cert.mdx +++ b/docs/prod-cert.mdx 
@@ -34,14 +34,9 @@ CAs offer a variety of different kinds of certificates (links below are to [Digi - The simplest and least expensive option is an [S/MIME email certificate](https://www.digicert.com/tls-ssl/compare-secure-email-smime-certificates). - Other options, such as [document signing certificate](https://www.digicert.com/signing/compare-document-signing-certificates) require more rigor (like proving your identity) and cost more. -### CA validation +### Organization name -CAs offer many levels of validation. For Content Credentials, one of these types is highly recommended (though not required): - -- **Organization Validated (OV).** The CA validates the organization's identity by checking its credentials against extensive databases, including those held by local governments. -- **Extended Validation (EV).** A fully authenticated certificate, needed to offer secure web locations, email, and financial transactions. - -If you don't get an OV certificate, then the C2PA [Verify tool](https://verify.contentauthenticity.org/) won't display your organization name in the Content Credentials. +If you want the C2PA [Verify tool](https://verify.contentauthenticity.org/) to display your organization name in the Content Credentials, your certificate must include the "O" or [Organization Name attribute OID value: 2.5.4.10](https://www.alvestrand.no/objectid/2.5.4.10.html) in the Distinguished Name information. The CA may require some validation steps to prove you are part of that organization (details vary by CA). ## The C2PA Python example From f62106790f56ff01e6d11006d573a932c15f732a Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Fri, 23 Aug 2024 09:12:48 -0700 Subject: [PATCH 2/2] Add tip to earlier section with xref --- docs/prod-cert.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/prod-cert.mdx b/docs/prod-cert.mdx index 001be1c8..5d91f832 100644 --- a/docs/prod-cert.mdx +++ b/docs/prod-cert.mdx 
@@ -25,6 +25,10 @@ A CSR is just an unsigned certificate that's a template for the certificate that A CSR comprises a public key, as well as ["distinguished name" information](https://knowledge.digicert.com/general-information/what-is-a-distinguished-name) that identifies the individual or organization requesting the certificate. The distinguished name includes a common name, organization, city, state, country, and e-mail address. Not all of these fields are required and will vary depending with the assurance level of the desired certificate. +:::tip +For the C2PA [Verify tool](https://verify.contentauthenticity.org/) to display your organization name in the Content Credentials, your CSR must include the "O" or Organization Name attribute in the distinguished name information. See [below](#organization-name) for details. +::: + You sign the CSR with your private key; this proves to the CA that you have control of the private key that corresponds to the public key included in the CSR. Once the requested information in a CSR passes a vetting process and domain control is established, the CA may sign the public key to indicate that it can be publicly trusted. ### Types of certificates 
@@ -36,7 +40,7 @@ CAs offer a variety of different kinds of certificates (links below are to [Digi ### Organization name -If you want the C2PA [Verify tool](https://verify.contentauthenticity.org/) to display your organization name in the Content Credentials, your certificate must include the "O" or [Organization Name attribute OID value: 2.5.4.10](https://www.alvestrand.no/objectid/2.5.4.10.html) in the Distinguished Name information. The CA may require some validation steps to prove you are part of that organization (details vary by CA). +If you want the C2PA [Verify tool](https://verify.contentauthenticity.org/) to display your organization name in the Content Credentials, your certificate must include the "O" or [Organization Name attribute](https://www.alvestrand.no/objectid/2.5.4.10.html) (OID value 2.5.4.10) in the distinguished name information. The CA may require some validation steps to prove you are part of that organization (details vary by CA). ## The C2PA Python example
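Review bot: the getting-started.mdx hunk (@@ -108,13 +108,6 @@) deletes the OV/EV paragraph together with the sentence explaining why an organization name may not appear, but unlike prod-cert.mdx it puts nothing in their place, so this page no longer tells readers how to get their organization name shown on verify.contentauthenticity.org. Suggest replacing the deleted lines with one sentence that points at the new "Organization name" section in prod-cert.mdx (anchor #organization-name, the same one the PATCH 2/2 tip links to), e.g. "For the Verify tool to display your organization name, your certificate must include the Organization Name (O) attribute; see the Organization name section of the production certificate page." While touching this area, the retained context line "you must select at least one of the extended key usage (EKU) fields ... **email protection** and **document signing**" reads as if both EKUs are required; "or" matches "at least one of" and the following sentence.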
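Review bot: in the prod-cert.mdx hunk @@ -34,14 +34,9 @@, renaming "### CA validation" to "### Organization name" changes the section anchor from #ca-validation to #organization-name, so any existing inbound links to #ca-validation will break; worth a search of the docs before merging. In the new paragraph the link text "Organization Name attribute OID value: 2.5.4.10" reads awkwardly and "Distinguished Name" is capitalized differently from "distinguished name" used earlier in the same file; PATCH 2/2 fixes both, so consider squashing the two commits so the intermediate wording never lands. One substantive gap: the deleted text tied organization display to OV validation, while the new text says only "The CA may require some validation steps"; since the OV/EV distinction is now gone entirely, add a sentence making explicit that the "O" value is only as reliable as the CA's validation of it, otherwise a reader may conclude that simply putting a name in the O field is what makes it appear.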
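Review bot: in the prod-cert.mdx hunk @@ -25,6 +25,10 @@, the new tip says "your CSR must include the "O" or Organization Name attribute", but a CSR is only a request; the CA decides which distinguished name attributes appear in the issued certificate (and, as the paragraph just above says, which fields are required varies with the assurance level), so what the Verify tool can act on is the issued certificate, which is what the "Organization name" section below correctly says. Suggest "include the O attribute in your CSR so that the CA can carry it into the issued certificate", or mirror the wording below: "your certificate (and therefore your CSR) must include ...". The tip's link to #organization-name only resolves once PATCH 1/2 has renamed the heading, so the commit order must be preserved if these are not squashed. Minor, in the retained context line: "will vary depending with the assurance level" should read "depending on".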
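Review bot: the prod-cert.mdx hunk @@ -36,7 +40,7 @@ moves the OID out of the link text and lowercases "distinguished name", which makes the sentence consistent with the tip added earlier in the file; fine as is. One remaining nit: "O" is set in straight quotes both here and in the tip, while getting-started.mdx bolds field names (**email protection**, **document signing**), so consider the same form in both places, e.g. "the Organization Name (O) attribute", for consistency across the two pages.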