Added caBX chunk for Content Credentials #542
#544
LGTM. Awaiting @lrosenthol's input.

Should the document be repeating C2PA's security claims ("secure, tamper-evident ...") as-is? I've seen others dispute whether the chunk meets its security goals. For instance, this author has been quite vocal against it.

Thanks for the link, those should certainly be added to the Security Considerations. Dropping an entire

This analysis seems fairly worrying; in particular, a bunch of data was removed from a PNG image, other data added, and it still validates as unaltered.

I'll review the PR in a sec, but let me comment on those specific blogs... The author of those pages has a long history of "intermixing" implementations with specifications. All of the issues in those blogs were in specific implementations that have long been fixed! They also all pre-date the C2PA's new Conformance Program (https://c2pa.org/conformance/) and refer to older versions of our specification. We can certainly point to the security sections of the C2PA specification itself if you wish.
Just a few minor editorials
| 63 61 42 58 | ||
| </pre> | ||
|
|
||
| <p>The <span class="chunk">caBX</span> chunk contains content credentials |
| <p>The <span class="chunk">caBX</span> chunk contains content credentials | |
| <p>The <span class="chunk">caBX</span> chunk contains Content Credentials |
|
|
||
| <p>The <span class="chunk">caBX</span> chunk contains content credentials | ||
| (provenance, and edit history) metadata | ||
| in a secure, tamper-evident (cryptographically verifiable) |
| in a secure, tamper-evident (cryptographically verifiable) | |
| in a tamper-evident (cryptographically verifiable) |
| in a secure, tamper-evident (cryptographically verifiable) | ||
| and standardized way | ||
| to enable publishers and consumers | ||
| to determine the authenticity of media. |
| to determine the authenticity of media. | |
| to determine the authenticity of media. | |
| It can also be used to declare whether a given image | |
| was created or edited by Generative AI or a human | |
| or a combination of same. |
| </p> | ||
|
|
||
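Review bot: The sentence "in a secure, tamper-evident (cryptographically verifiable) and standardized way" states the property with no indication of what a reader has to do to rely on it, and the thread above already questions it; point this paragraph at a Security Considerations entry for caBX so the claim and its limits sit together. Separately, "(provenance, and edit history)" has a stray comma before "and"; suggest "(provenance and edit history)".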
| <p>For embedding into PNG, | ||
| <a href="https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_embedding_manifests_into_png">section A.3.2. of Content Credentials</a> |
| <a href="https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_embedding_manifests_into_png">section A.3.2. of Content Credentials</a> | |
| <a href="https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_embedding_manifests_into_png">section A.3.2. of the Content Credentials specification</a> |
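Review bot: The href on the "section A.3.2." link has version 2.2 fixed in its path, while the link text names no version, so a reader cannot tell from the prose which revision of Content Credentials the PNG embedding rules are taken from. Suggest naming the version in the link text, for example "section A.3.2. of the Content Credentials specification, version 2.2", so the text and the target agree.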
This intentionally brief chunk description does three things:
I updated the chunk ordering table to add caBX, requiring that it be before IDAT (CC suggests but does not require before IDAT) and also to disallow multiple caBX. @lrosenthol are those correct?

I have not yet updated the chunk ordering diagrams, pending review of this PR.
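The placement rules proposed in the description above (caBX before IDAT, at most one caBX) can be checked mechanically. The following is an added example, not code from this PR or from either specification; the function names and the sample files are constructed for illustration, and the chunk payloads are placeholders.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, data: bytes = b"") -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png: bytes):
    """Yield (type, data) per chunk; raise ValueError on malformed input."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG signature")
    pos = len(PNG_SIG)
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("chunk length runs past end of file")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, data
        pos = end

def check_cabx(png: bytes) -> list:
    """Return violations of the placement rules proposed in this PR."""
    problems, seen_idat, count = [], False, 0
    for ctype, _ in iter_chunks(png):
        if ctype == b"IDAT":
            seen_idat = True
        elif ctype == b"caBX":
            count += 1
            if seen_idat:
                problems.append("caBX after IDAT")
    if count > 1:
        problems.append("multiple caBX chunks")
    return problems

# Constructed samples: payloads are placeholders, not real image or manifest data.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
GOOD = PNG_SIG + IHDR + chunk(b"caBX", b"manifest") + chunk(b"IDAT", b"x") + chunk(b"IEND")
LATE = PNG_SIG + IHDR + chunk(b"IDAT", b"x") + chunk(b"caBX", b"manifest") + chunk(b"IEND")
TWICE = PNG_SIG + IHDR + chunk(b"caBX", b"a") + chunk(b"caBX", b"b") + chunk(b"IDAT", b"x") + chunk(b"IEND")
```

This covers chunk count and placement only; whether the manifest inside caBX validates is a separate check that this code does not attempt.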