C2PA Trust List
The C2PA Trust List is the certificate-trust layer underneath Content Credentials validation. It helps validators decide whether a signer belongs to a recognized provenance ecosystem, but it does not prove that a media claim is true, complete, lawful, or fair.
Definition
The C2PA Trust List is a C2PA-managed list of X.509 certificate trust anchors that issue certificates to hardware and software signers used to sign C2PA claims. In practice, it is one of the roots that lets a validator treat a Content Credential as signed by a recognized generator, editor, publisher, device, or service rather than by an unknown certificate chain.
The trust list is not the whole Content Credentials system. A C2PA Manifest records provenance assertions and is bound to an asset by hashes and signatures. The trust list helps validate the signer side of that record. A separate C2PA TSA Trust List covers Time Stamping Authorities. C2PA 2.0 introduced the default C2PA Trust List for hardware and software certificates, while validators can also use configured trust lists, user-selected lists, or private credential stores.
This distinction matters for synthetic-media governance. "Valid credential," "trusted signer," "known publisher," "AI-generated label," and "true depiction" are different claims. The trust list can support the first two. It cannot settle the last one.
Mechanism
In C2PA validation, the claim signature includes an identity credential in the COSE signature headers. A validator checks that credential, builds a certificate chain from the signing certificate through intermediates to a trust anchor, and evaluates whether the certificate is acceptable for C2PA claim signing. The 2.4 specification defines the c2pa-kp-claimSigning extended key usage and says trust-anchor configurations for that EKU include, at minimum, the signer trust anchors provided by C2PA.
The time-stamp path is separate. The specification says validators maintain a separate list of X.509 certificate trust anchors for Time Stamping Authorities, including the C2PA TSA Trust List. That separation keeps "this claim was signed by an accepted content signer" distinct from "this time-stamp was issued by an accepted TSA."
Validation records can also carry evidence of which trust basis was used. The C2PA validation-results map may include a specification version and a trustListURI when a non-default trust list was used. That is small but important: a provenance display without validator version, trust source, and certificate-chain evidence can look cleaner than the trust decision actually was.
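The signer-path decision described above, as an added example that is not taken from the C2PA specification or any C2PA tool: it models chain building, the claim-signing EKU check, and a record of which trust list accepted the chain. Certificates are constructed dictionaries, and signature verification, validity periods and revocation are out of scope. The names `cert`, `build_chain`, `evaluate_signer`, every certificate subject, and the private-list URI are hypothetical.

```python
# Added example: a simplified model of the signer trust decision.
# Certificates are constructed dicts; signature checks, validity periods and
# revocation are out of scope. All names and the URI are placeholders.
CLAIM_SIGNING_EKU = "c2pa-kp-claimSigning"  # EKU name as given on this page

def cert(subject, issuer, ekus=()):
    return {"subject": subject, "issuer": issuer, "ekus": frozenset(ekus)}

def build_chain(leaf, intermediates, max_depth=8):
    """Follow issuer links through the supplied intermediates."""
    chain = [leaf]
    while len(chain) < max_depth:
        parent = intermediates.get(chain[-1]["issuer"])
        if parent is None or parent in chain:  # gap, or a loop in the links
            break
        chain.append(parent)
    return chain

def evaluate_signer(leaf, intermediates, trust_lists):
    """trust_lists: ordered (name, uri, anchor_subjects) tuples; uri is None
    for the default list. Returns a record of the trust basis, not a bare verdict."""
    chain = build_chain(leaf, intermediates)
    record = {"chain": [c["subject"] for c in chain], "status": "unknown",
              "trust_list": None, "trustListURI": None, "anchor": None}
    if CLAIM_SIGNING_EKU not in leaf["ekus"]:
        record["status"] = "rejected: no claim-signing EKU"
        return record
    top_issuer = chain[-1]["issuer"]
    for name, uri, anchors in trust_lists:
        if top_issuer in anchors:
            record.update(status="trusted", trust_list=name,
                          trustListURI=uri, anchor=top_issuer)
            break
    return record

# Constructed sample data.
DEFAULT_LIST = ("C2PA Trust List", None, {"Example Signer Root"})
PRIVATE_LIST = ("private store", "https://trust.example/list", {"Newsroom Local Root"})
TSA_LIST = ("C2PA TSA Trust List", None, {"Example TSA Root"})  # never passed to evaluate_signer
INTERMEDIATES = {"Example Issuing CA": cert("Example Issuing CA", "Example Signer Root")}

camera = cert("Camera Model X", "Example Issuing CA", [CLAIM_SIGNING_EKU])
local_editor = cert("Local Editor", "Newsroom Local Root", [CLAIM_SIGNING_EKU])
tsa_issued = cert("Odd Signer", "Example TSA Root", [CLAIM_SIGNING_EKU])
self_signed = cert("Self Signed", "Self Signed", [CLAIM_SIGNING_EKU])

if __name__ == "__main__":
    for leaf in (camera, local_editor, tsa_issued, self_signed):
        print(evaluate_signer(leaf, INTERMEDIATES, [DEFAULT_LIST, PRIVATE_LIST]))
```

The chain that ends at the TSA root stays "unknown" on the signer path because the TSA list is a separate store, and the private-store match is the only result that carries a trustListURI.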
Current Context
As of June 25, 2026, C2PA describes the official Trust List as part of its Conformance Program. The C2PA conformance page says the program covers generator products, validator products, and certification authorities, and that conforming products are placed on a public list. The same page says the official C2PA Trust List launched in mid-2025, the earlier Interim Trust List was a temporary early-adoption measure, and the Interim Trust List was frozen on January 1, 2026.
The Conformance Explorer exposes live versions of the conforming-products list, the C2PA Trust List, and the C2PA TSA Trust List. That turns a provenance badge into an ecosystem claim: not only "this file has a manifest," but "this validator recognized a signer chain or time-stamp chain under a particular trust configuration."
Governance Use
For newsrooms, courts, archives, platforms, campaigns, and public agencies, the trust list should be part of the evidence file. A serious review should preserve the validator product and version, C2PA specification version, signer certificate, issuer chain, trust-list source, TSA evidence, revocation status, validation errors, active manifest, ingredient manifests, and viewer-facing language.
Trust lists also define institutional power. A certificate authority or product that enters the list becomes part of the media-authenticity infrastructure. A product excluded from the list may still create useful provenance for a local community, but public validators may present it differently. That makes trust-list governance a media-policy question, not only a PKI detail.
Limits
C2PA's explainer is explicit that Content Credentials provide no value judgment about whether provenance data is good or bad. They can show that provenance is well formed, untampered, valid, trusted, and associated with the asset. They do not prove truth, consent, legality, editorial judgment, or moral authority.
There are also security and usability risks. C2PA security guidance discusses name-collision and identity-confusion attacks where a trusted-looking certificate or a sequence of signed edits can mislead human viewers. Implementation guidance describes revocation as best effort: revocation information may not be present, and consumers may choose not to query a certificate authority for privacy reasons. Private credential stores can support trusted out-of-band relationships, but they require careful handling and do not make a self-signed credential globally trusted.
Review Record
- Signer path: record signing certificate, issuer chain, EKU, trust anchor, trust-list source, validation time, and validator version.
- Time path: record TSA certificate, TSA trust list, time-stamp evidence, claimed signing time, and revocation information.
- Display path: preserve the user-interface language that translated validation status into "trusted," "unknown," "legacy," or similar labels.
- Boundary: state whether the evidence supports signer recognition, asset binding, edit history, or only a local/private trust decision.
Source Discipline
Claims about the C2PA Trust List should cite the C2PA technical specification, conformance page, conformance explorer, implementation guidance, and security considerations. Do not collapse the C2PA Trust List into all Content Credentials, CAWG identity assertions, watermarking, blockchain provenance, publisher reputation, or fact-checking.
Spiralist Reading
Spiralism reads the C2PA Trust List as a root store for public memory. The image carries a credential, the credential carries a signature, the signature points to a certificate, and the certificate asks the viewer to accept an institution upstream.
That chain is useful. It is also a transfer of trust from the visible media object to a hidden governance list. The right discipline is to keep the chain visible: who signed, who issued, which list accepted it, which validator said so, and which claims still remain outside the certificate path.
Related Pages
- Content Provenance and Watermarking
- CAWG Identity Assertions
- Synthetic Media and Deepfakes
- Information Disorder
- Election Integrity and AI
- California AI Transparency Act
- Verifiable Credentials
- Decentralized Identifiers
- Rekor Transparency Log
- Sigstore
- AI Audit Trails
- Provenance and Content Credentials
Sources
- C2PA, Conformance, reviewed June 25, 2026.
- C2PA, C2PA Conformance Explorer, reviewed June 25, 2026.
- C2PA, Content Credentials: C2PA Technical Specification 2.4, reviewed June 25, 2026.
- C2PA, C2PA and Content Credentials Explainer, reviewed June 25, 2026.
- C2PA, C2PA Implementation Guidance 2.4, reviewed June 25, 2026.
- C2PA, C2PA Security Considerations 2.4, reviewed June 25, 2026.