From 3aa4fde3bb967a49299e5ac25d53c33ce3d7d02e Mon Sep 17 00:00:00 2001
From: Rand McKinney
Date: Thu, 1 May 2025 11:40:16 -0700
Subject: [PATCH 1/9] Initial doc for CAWG identity
---
 docs/manifest/cawg-id.md | 102 +++++++++++++++++++++++++++++++++++++++
 sidebars.js | 4 ++
 2 files changed, 106 insertions(+)
 create mode 100644 docs/manifest/cawg-id.md
diff --git a/docs/manifest/cawg-id.md b/docs/manifest/cawg-id.md
new file mode 100644
index 0000000..9cf29bd
--- /dev/null
+++ b/docs/manifest/cawg-id.md
@@ -0,0 +1,102 @@
+---
+id: cawg-id
+title: CAWG identity assertions
+---
+
+The [Creator Assertions Working Group (CAWG)](https://cawg.io/) defines assertions that enable content creators to express individual and organizational intent about their content.
+The CAWG identity assertion enables a credential holder to prove control over a digital identity and to use that identity to document the content creator’s role(s) in a C2PA asset’s lifecycle.
+
+## Verified identities
+
+As defined in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1-draft/#_identity_claims_aggregation),
+
+
+Content creators may wish to document their role in creating an asset using common identity signals such as:
+- Verified web sites
+- Social media accounts
+- Official ID documentation
+- Professional accreditations
+- Organizational affiliations
+
+To facilitate the use of such identity signals, the content creator may use the services of a trusted third-party intermediary known as a _identity claims aggregator_ to gather these signals and to restate them on their behalf.
+
+The identity claims aggregator performs two important roles:
+
+- It collects and verifies identity attestation claims from various identity providers such as social media sites and ID verification vendors.
+- When the content creator creates content, it creates a unique asset-specific credential binding the identity attestation claims collected earlier to the specific C2PA asset being described.
+
+An identity claims aggregation claim does not support a content creator using their own credential to directly issue their own signature for an identity assertion.
+
+
+## Example
+
+```json
+"assertions": [
+ ...
+ {
+ "label": "cawg.identity",
+ "data": {
+ "@context": [
+ "https://www.w3.org/ns/credentials/v2",
+ "https://cawg.io/identity/1.1/ica/context/"
+ ],
+ "type": [
+ "VerifiableCredential",
+ "IdentityClaimsAggregationCredential"
+ ],
+ "issuer": "did:web:connected-identities.identity.adobe.com",
+ "validFrom": "2025-04-29T17:34:44Z",
+ "verifiedIdentities": [
+ {
+ "type": "cawg.social_media",
+ "username": "xyz",
+ "uri": "https://www.instagram.com/xyz",
+ "verifiedAt": "2024-10-08T18:04:08Z",
+ "provider": {
+ "id": "https://instagram.com",
+ "name": "instagram"
+ }
+ },
+ {
+ "type": "cawg.social_media",
+ "username": "xyz",
+ "uri": "https://www.behance.net/xyz",
+ "verifiedAt": "2024-10-22T19:31:17Z",
+ "provider": {
+ "id": "https://behance.net",
+ "name": "behance"
+ }
+ },
+ {
+ "type": "cawg.social_media",
+ "username": "J Smith",
+ "uri": "https://www.linkedin.com/in/xyz",
+ "verifiedAt": "2024-10-08T18:03:41Z",
+ "provider": {
+ "id": "https://linkedin.com",
+ "name": "linkedin"
+ }
+ },
+ {
+ "type": "cawg.social_media",
+ "username": "xyz",
+ "uri": "https://twitter.com/xyz",
+ "verifiedAt": "2024-10-08T18:03:49Z",
+ "provider": {
+ "id": "https://twitter.com",
+ "name": "twitter"
+ }
+ }
+ ],
+ "credentialSchema": [
+ {
+ "id": "https://cawg.io/identity/1.1/ica/schema/",
+ "type": "JSONSchema"
+ }
+ ]
+ }
+ }
+ ...
+]
+```
+
diff --git a/sidebars.js b/sidebars.js
index 0be6851..07fb52b 100644
--- a/sidebars.js
+++ b/sidebars.js
@@ -45,6 +45,10 @@ const sidebars = {
 type: 'doc',
 id: 'manifest/manifest-validation',
 },
+ {
+ type: 'doc',
+ id: 'manifest/cawg-id',
+ },
 {
 type: 'doc',
 id: 'manifest/manifest-examples',
From a801bf5d9c472e46ba4579a74a9c58bd2cc200fe Mon Sep 17 00:00:00 2001
From: Rand McKinney
Date: Thu, 1 May 2025 11:48:21 -0700
Subject: [PATCH 2/9] Add new cawg file from c2pa-rs
---
 scripts/fetch-readme.js | 6 ++++++
 sidebars.js | 5 +++++
 2 files changed, 11 insertions(+)
diff --git a/scripts/fetch-readme.js b/scripts/fetch-readme.js index bd32f51..1ac4958 100644 --- a/scripts/fetch-readme.js +++ b/scripts/fetch-readme.js @@ -179,6 +179,12 @@ const readmes = [ repo: 'contentauth/c2pa-rs', path: 'docs/usage.md', }, + { + dest: resolve(__dirname, '../docs/rust-sdk/docs/cawg-id.md'), + repo: 'contentauth/c2pa-rs', + path: 'docs/cawg-identity.md', + branch: 'docs/cawg-id', + }, { dest: resolve(__dirname, '../docs/rust-sdk/docs/release-notes.md'), repo: 'contentauth/c2pa-rs', diff --git a/sidebars.js b/sidebars.js index 07fb52b..ba96c2a 100644 --- a/sidebars.js +++ b/sidebars.js @@ -228,6 +228,11 @@ const sidebars = { id: 'rust-sdk/docs/supported-formats', label: 'Supported media formats', }, + { + type: 'doc', + id: 'rust-sdk/docs/cawg-id', + label: 'Using CAWG identity assertions', + }, { type: 'doc', id: 'rust-sdk/docs/release-notes', From 5312c1f66978240e1bbaad1378d0c578ec12f0ac Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Thu, 1 May 2025 16:08:09 -0700 Subject: [PATCH 3/9] Add more on cawg id assertions --- docs/manifest/cawg-id.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/docs/manifest/cawg-id.md b/docs/manifest/cawg-id.md index 9cf29bd..ff90e95 100644 --- a/docs/manifest/cawg-id.md +++ b/docs/manifest/cawg-id.md @@ -10,7 +10,6 @@ The CAWG identity assertion enables a credential holder to prove control over a As defined in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1-draft/#_identity_claims_aggregation), - Content creators may wish to document their role in creating an asset using common identity signals such as: - Verified web sites - Social media accounts 
@@ -25,8 +24,23 @@ The identity claims aggregator performs two important roles: - It collects and verifies identity attestation claims from various identity providers such as social media sites and ID verification vendors. - When the content creator creates content, it creates a unique asset-specific credential binding the identity attestation claims collected earlier to the specific C2PA asset being described. -An identity claims aggregation claim does not support a content creator using their own credential to directly issue their own signature for an identity assertion. +An identity claims aggregation claim does not support a content creator using their own credential to directly issue their own signature for an identity assertion. + +The following table describes the allowed values of the `type` property of `verifiedIdentities` array elements. + +| Value | Meaning | +|--------------|----------| +| `cawg.document_verification` | The identity provider has verified one or more government-issued identity documents presented by the named actor. +| `cawg.web_site` | The named actor has proven control over a specific domain to the identity claims aggregator._ +| `cawg.affiliation` | The identity provider is attesting to the named actor’s membership in an organization. This could be a professional organization or an employment relationship. +| `cawg.social_media` | The named actor has demonstrated control over an account (typically a social media account) hosted by the identity provider. +| `cawg.crypto_wallet` | The named actor has demonstrated control over an account (typically a crypto-wallet) hosted by the identity provider. + +Terms used in the above table: +- **Named actor**: The actor whose relationship to a C2PA asset is documented by an identity assertion. Typically, this will be the content creator or publisher, but not necessarily. 
+- **Identity provider**: Organization or person that attests to the identity of the named actor; This may be the identity assertion generator, a third party contacted by the identity assertion generator, or the issuer of an identity credential that the identity assertion generator uses. +- **Identity claims aggregator**: Collects identity claims (attestations) regarding a named actor from various identity providers and can replay those identity claims into identity assertions on behalf of the named actor. This actor MAY be the same as the identity assertion generator. ## Example From 09fefc6159cfca4fcfd072606d5ae771208cd924 Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Tue, 6 May 2025 14:32:46 -0700 Subject: [PATCH 4/9] Fetch from main branch of c2pa-rs --- scripts/fetch-readme.js | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/fetch-readme.js b/scripts/fetch-readme.js index 1ac4958..6b71efe 100644 --- a/scripts/fetch-readme.js +++ b/scripts/fetch-readme.js @@ -183,7 +183,6 @@ const readmes = [ dest: resolve(__dirname, '../docs/rust-sdk/docs/cawg-id.md'), repo: 'contentauth/c2pa-rs', path: 'docs/cawg-identity.md', - branch: 'docs/cawg-id', }, { dest: resolve(__dirname, '../docs/rust-sdk/docs/release-notes.md'), From 773999ec73e417950454813c48d71d52a534a6d9 Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Wed, 7 May 2025 09:59:09 -0700 Subject: [PATCH 5/9] Clarify terminology --- docs/manifest/cawg-id.md | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/docs/manifest/cawg-id.md b/docs/manifest/cawg-id.md index ff90e95..89ae636 100644 --- a/docs/manifest/cawg-id.md +++ b/docs/manifest/cawg-id.md 
@@ -22,25 +22,27 @@ To facilitate the use of such identity signals, the content creator may use the The identity claims aggregator performs two important roles: - It collects and verifies identity attestation claims from various identity providers such as social media sites and ID verification vendors. -- When the content creator creates content, it creates a unique asset-specific credential binding the identity attestation claims collected earlier to the specific C2PA asset being described. - -An identity claims aggregation claim does not support a content creator using their own credential to directly issue their own signature for an identity assertion. +- It creates a unique asset-specific credential that binds the identity attestation claims to a specific C2PA asset. The following table describes the allowed values of the `type` property of `verifiedIdentities` array elements. | Value | Meaning | |--------------|----------| -| `cawg.document_verification` | The identity provider has verified one or more government-issued identity documents presented by the named actor. -| `cawg.web_site` | The named actor has proven control over a specific domain to the identity claims aggregator._ -| `cawg.affiliation` | The identity provider is attesting to the named actor’s membership in an organization. This could be a professional organization or an employment relationship. -| `cawg.social_media` | The named actor has demonstrated control over an account (typically a social media account) hosted by the identity provider. -| `cawg.crypto_wallet` | The named actor has demonstrated control over an account (typically a crypto-wallet) hosted by the identity provider. +| `cawg.document_verification` | The identity provider verified one or more government-issued identity documents presented by the content creator. 
+| `cawg.web_site` | The content creator has proven control over a specific domain to the identity claims aggregator._ +| `cawg.affiliation` | The identity provider is attesting to the content creator’s membership in an organization. This could be a professional organization or an employment relationship. +| `cawg.social_media` | The content creator has demonstrated control over an account (typically a social media account) hosted by the identity provider. +| `cawg.crypto_wallet` | The content creator has demonstrated control over an account (typically a crypto-wallet) hosted by the identity provider. + +:::note +The above table is based on the [CAWG identity assertion technical specifications](https://cawg.io/identity/1.1/#vc-credentialsubject-verifiedidentity-type). +::: Terms used in the above table: -- **Named actor**: The actor whose relationship to a C2PA asset is documented by an identity assertion. Typically, this will be the content creator or publisher, but not necessarily. -- **Identity provider**: Organization or person that attests to the identity of the named actor; This may be the identity assertion generator, a third party contacted by the identity assertion generator, or the issuer of an identity credential that the identity assertion generator uses. -- **Identity claims aggregator**: Collects identity claims (attestations) regarding a named actor from various identity providers and can replay those identity claims into identity assertions on behalf of the named actor. This actor MAY be the same as the identity assertion generator. +- **content creator**: The actor whose relationship to a C2PA asset is documented by an identity assertion. Typically, this will be the content creator or publisher, but not necessarily. 
This is a simplified example of a _named actor_, meaning the person, device, or software whose relationship to a C2PA asset is documented by an identity assertion, also referred to as a _credential subject_ when identified by the subject field of a ToIP verifiable identifier. +- **Identity provider**: Organization or person that attests to the identity of the content creator; This may be the identity assertion generator, a third party contacted by the identity assertion generator, or the issuer of an identity credential that the identity assertion generator uses. +- **Identity claims aggregator**: Collects identity claims (attestations) regarding a content creator from various identity providers and can replay those identity claims into identity assertions on behalf of the content creator. This actor MAY be the same as the identity assertion generator. ## Example From b78225cda87f8d33cf47f367194b7cf6ae67aff3 Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Tue, 13 May 2025 11:49:37 -0700 Subject: [PATCH 6/9] Add note about 2 diff approaches --- docs/manifest/cawg-id.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/manifest/cawg-id.md b/docs/manifest/cawg-id.md index 89ae636..9090a26 100644 --- a/docs/manifest/cawg-id.md +++ b/docs/manifest/cawg-id.md 
@@ -6,6 +6,17 @@ title: CAWG identity assertions The [Creator Assertions Working Group (CAWG)](https://cawg.io/) defines assertions that enable content creators to express individual and organizational intent about their content. The CAWG identity assertion enables a credential holder to prove control over a digital identity and to use that identity to document the content creator’s role(s) in a C2PA asset’s lifecycle. +There are two different ways to provide identity assertions: + +- Using an [X.509 certificate](https://cawg.io/identity/1.1/#_x_509_certificates_and_cose_signatures) to sign the identity claims. Enterprises or large organizations might often want to use this approach to assert their identity in a particular trust ecosystem; for example, a news organization or publisher. + :::info + The SDK can validate and sign these claims. + ::: +- Using an [identity claim aggregator](https://cawg.io/identity/1.1/#_identity_claims_aggregation). Individuals might often want to use this approach. + :::info + The SDK can validate these claims only. Signing is not currently supported. + ::: + ## Verified identities As defined in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1-draft/#_identity_claims_aggregation), From 5da89fc75ab24cfabc7d0ae401eff0c44bd08a10 Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Wed, 14 May 2025 08:52:54 -0700 Subject: [PATCH 7/9] wip edits --- docs/manifest/cawg-id.md | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/docs/manifest/cawg-id.md b/docs/manifest/cawg-id.md index 9090a26..2a25564 100644 --- a/docs/manifest/cawg-id.md +++ b/docs/manifest/cawg-id.md 
@@ -8,20 +8,17 @@ The CAWG identity assertion enables a credential holder to prove control over a There are two different ways to provide identity assertions: -- Using an [X.509 certificate](https://cawg.io/identity/1.1/#_x_509_certificates_and_cose_signatures) to sign the identity claims. Enterprises or large organizations might often want to use this approach to assert their identity in a particular trust ecosystem; for example, a news organization or publisher. - :::info - The SDK can validate and sign these claims. - ::: -- Using an [identity claim aggregator](https://cawg.io/identity/1.1/#_identity_claims_aggregation). Individuals might often want to use this approach. - :::info - The SDK can validate these claims only. Signing is not currently supported. - ::: +- Using an [X.509 certificate](https://cawg.io/identity/1.1/#_x_509_certificates_and_cose_signatures) to sign the identity claims. Enterprises or large organizations can use this approach to assert their identity in a particular trust ecosystem; for example, a news organization or publisher. The SDK can validate and sign these claims. +- Using an [identity claim aggregator](https://cawg.io/identity/1.1/#_identity_claims_aggregation). Individuals can use this approach to document their role in creating an asset by using identity signals collected and verified by a third-party aggregator. The SDK can validate these claims only. Signing is not supported. 
-## Verified identities -As defined in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1-draft/#_identity_claims_aggregation), +## Using an X.509 certificate -Content creators may wish to document their role in creating an asset using common identity signals such as: +TBD + +## Using an identity claim aggregator + +As defined in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1/#_identity_claims_aggregation), content creators may wish to document their role in creating an asset using common identity signals such as: - Verified web sites - Social media accounts - Official ID documentation From 16129fbe50a73116683046eeab2a29c2da13343e Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Fri, 16 May 2025 14:23:57 -0700 Subject: [PATCH 8/9] Cleanup edits --- docs/manifest/cawg-id.md | 58 +++++++++++++++++++++++++++++++--------- 1 file changed, 45 insertions(+), 13 deletions(-) diff --git a/docs/manifest/cawg-id.md b/docs/manifest/cawg-id.md index 2a25564..13decd3 100644 --- a/docs/manifest/cawg-id.md +++ b/docs/manifest/cawg-id.md 
@@ -3,22 +3,20 @@ id: cawg-id title: CAWG identity assertions --- -The [Creator Assertions Working Group (CAWG)](https://cawg.io/) defines assertions that enable content creators to express individual and organizational intent about their content. -The CAWG identity assertion enables a credential holder to prove control over a digital identity and to use that identity to document the content creator’s role(s) in a C2PA asset’s lifecycle. +The [Creator Assertions Working Group (CAWG)](https://cawg.io/) identity assertion enables a credential holder to prove control over a digital identity and to use that identity to document a content creator’s role(s) in a C2PA asset’s lifecycle. There are two different ways to provide identity assertions: - Using an [X.509 certificate](https://cawg.io/identity/1.1/#_x_509_certificates_and_cose_signatures) to sign the identity claims. Enterprises or large organizations can use this approach to assert their identity in a particular trust ecosystem; for example, a news organization or publisher. The SDK can validate and sign these claims. - Using an [identity claim aggregator](https://cawg.io/identity/1.1/#_identity_claims_aggregation). Individuals can use this approach to document their role in creating an asset by using identity signals collected and verified by a third-party aggregator. The SDK can validate these claims only. Signing is not supported. - ## Using an X.509 certificate -TBD +When providing an identity assertion by using an X.509 certificate, the value of `signer_payload.sig_type` must be `cawg.x509.cose`. The signature value must be a COSE signature as described in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1/#_x_509_certificates_and_cose_signatures). 
## Using an identity claim aggregator -As defined in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1/#_identity_claims_aggregation), content creators may wish to document their role in creating an asset using common identity signals such as: +As defined in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1/#_identity_claims_aggregation), content creators may wish to document their role in creating an asset using identity signals such as: - Verified web sites - Social media accounts - Official ID documentation @@ -32,6 +30,46 @@ The identity claims aggregator performs two important roles: - It collects and verifies identity attestation claims from various identity providers such as social media sites and ID verification vendors. - It creates a unique asset-specific credential that binds the identity attestation claims to a specific C2PA asset. +## Identity assertion + +An identity assertion using an identity claims aggregator has this general form in JSON: + +```json +"assertions": [ + ... + { + "label": "cawg.identity", + "data": { + "@context": [ + "https://www.w3.org/ns/credentials/v2", + "https://cawg.io/identity/1.1/ica/context/" + ], + "type": [ + "VerifiableCredential", + "IdentityClaimsAggregationCredential" + ], + "issuer": "did:web:connected-identities.identity.adobe.com", + "validFrom": "2025-04-29T17:34:44Z", + "verifiedIdentities": [ + { + "type": "cawg.", + "username": "", + "uri": "", + "verifiedAt": "", + "provider": { + "id": "", + "name": "" + } + }, + ... + ] + } + } +] +``` + +### Verified identity types + The following table describes the allowed values of the `type` property of `verifiedIdentities` array elements. | Value | Meaning | 
@@ -46,13 +84,7 @@ The following table describes the allowed values of the `type` property of `veri The above table is based on the [CAWG identity assertion technical specifications](https://cawg.io/identity/1.1/#vc-credentialsubject-verifiedidentity-type). ::: -Terms used in the above table: - -- **content creator**: The actor whose relationship to a C2PA asset is documented by an identity assertion. Typically, this will be the content creator or publisher, but not necessarily. This is a simplified example of a _named actor_, meaning the person, device, or software whose relationship to a C2PA asset is documented by an identity assertion, also referred to as a _credential subject_ when identified by the subject field of a ToIP verifiable identifier. -- **Identity provider**: Organization or person that attests to the identity of the content creator; This may be the identity assertion generator, a third party contacted by the identity assertion generator, or the issuer of an identity credential that the identity assertion generator uses. -- **Identity claims aggregator**: Collects identity claims (attestations) regarding a content creator from various identity providers and can replay those identity claims into identity assertions on behalf of the content creator. This actor MAY be the same as the identity assertion generator. - -## Example +### Example ```json "assertions": [ @@ -94,7 +126,7 @@ Terms used in the above table: { "type": "cawg.social_media", "username": "J Smith", - "uri": "https://www.linkedin.com/in/xyz", + "uri": "https://www.linkedin.com/in/jsmith", "verifiedAt": "2024-10-08T18:03:41Z", "provider": { "id": "https://linkedin.com", From 113f6c336fa50bfb7b806a9189430f58649635c2 Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Fri, 16 May 2025 14:51:02 -0700 Subject: [PATCH 9/9] Minor edits --- docs/manifest/cawg-id.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
diff --git a/docs/manifest/cawg-id.md b/docs/manifest/cawg-id.md index 13decd3..8f192d2 100644 --- a/docs/manifest/cawg-id.md +++ b/docs/manifest/cawg-id.md @@ -10,6 +10,10 @@ There are two different ways to provide identity assertions: - Using an [X.509 certificate](https://cawg.io/identity/1.1/#_x_509_certificates_and_cose_signatures) to sign the identity claims. Enterprises or large organizations can use this approach to assert their identity in a particular trust ecosystem; for example, a news organization or publisher. The SDK can validate and sign these claims. - Using an [identity claim aggregator](https://cawg.io/identity/1.1/#_identity_claims_aggregation). Individuals can use this approach to document their role in creating an asset by using identity signals collected and verified by a third-party aggregator. The SDK can validate these claims only. Signing is not supported. +:::note +The SDK can validate claims for both kinds of identity assertions, but can only sign claims for identity assertions using an X.509 certificate. +::: + ## Using an X.509 certificate When providing an identity assertion by using an X.509 certificate, the value of `signer_payload.sig_type` must be `cawg.x509.cose`. The signature value must be a COSE signature as described in the [CAWG Identity Assertion technical specification](https://cawg.io/identity/1.1/#_x_509_certificates_and_cose_signatures). 
@@ -25,10 +29,10 @@ As defined in the [CAWG Identity Assertion technical specification](https://cawg To facilitate the use of such identity signals, the content creator may use the services of a trusted third-party intermediary known as a _identity claims aggregator_ to gather these signals and to restate them on their behalf. -The identity claims aggregator performs two important roles: +The identity claims aggregator: -- It collects and verifies identity attestation claims from various identity providers such as social media sites and ID verification vendors. -- It creates a unique asset-specific credential that binds the identity attestation claims to a specific C2PA asset. +- Collects and verifies identity attestation claims from various identity providers such as social media sites and ID verification vendors. +- Creates a unique asset-specific credential that binds the identity attestation claims to a specific asset. ## Identity assertion