C2PA Standard
C2PA: the open standard for content provenance.
Backed by Adobe, Microsoft, Google, and Nikon. Implemented by Verbitas.
Important: C2PA manifests can be stripped by image editing tools that do not preserve XMP/JUMBF metadata. This is why Verbitas also embeds an invisible watermark — to recover the provenance record after stripping.
C2PA (Coalition for Content Provenance and Authenticity) is an open technical standard for embedding a signed, machine-readable provenance record in media files. Think of it as a certificate that travels inside the file — it records who created it, what tools were used, and whether it has been modified.
Key requirements
Manifest structure
A C2PA manifest is a JUMBF (JPEG Universal Metadata Box Format) container embedded in the file. It contains the signer identity (X.509 certificate chain), creation assertions, ingredient chain, and a cryptographic hash of the content.
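Added example (not Verbitas code, and not part of the original page): a Python presence check for the JUMBF container in a JPEG, useful for detecting that a processing step has stripped the manifest. It assumes the JPEG embedding in which JUMBF boxes travel in APP11 segments with the "JP" identifier and the manifest store carries the label "c2pa". The function names and the sample file are constructed for illustration. It reports presence only and does not validate the signature, certificate chain, or content hash.

```python
import struct

APP11 = 0xEB  # JPEG APPn marker used to carry JUMBF boxes

def jumbf_segments(data: bytes):
    """Yield (box_instance, packet_seq, box_type, payload) per APP11 JUMBF segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / start of scan: no more metadata segments
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated segment")
        body = data[pos + 4:pos + 2 + length]
        # Assumed layout: CI "JP", En (2), Z (4), LBox (4), TBox (4), payload
        if marker == APP11 and len(body) >= 16 and body[:2] == b"JP":
            en, z = struct.unpack(">HI", body[2:8])
            yield en, z, body[12:16], body[16:]
        pos += 2 + length

def c2pa_status(data: bytes) -> str:
    """Report whether a C2PA-labelled JUMBF superbox is present (not whether it verifies)."""
    boxes = {}
    for en, z, tbox, payload in jumbf_segments(data):
        if tbox == b"jumb":
            boxes.setdefault(en, {})[z] = payload  # reassemble split boxes by sequence
    for parts in boxes.values():
        joined = b"".join(parts[k] for k in sorted(parts))
        # Description box: LBox, "jumd", 16-byte type UUID, toggles, NUL-terminated label
        has_label = len(joined) > 25 and joined[4:8] == b"jumd" and joined[24] & 0x02
        if has_label and joined[25:].split(b"\0", 1)[0] == b"c2pa":
            return "manifest-present"
    return "no-manifest"

def _segment(marker: int, body: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

def sample_jpeg(with_manifest: bool) -> bytes:
    """Constructed test input: header-only JPEG, optionally with a stub C2PA box."""
    jumd = b"jumd" + b"c2pa" + bytes(12) + b"\x03" + b"c2pa\0"  # constructed UUID
    jumd = struct.pack(">I", len(jumd) + 4) + jumd
    app11 = b"JP" + struct.pack(">HI", 1, 1) + struct.pack(">I", 8 + len(jumd)) + b"jumb" + jumd
    app0 = _segment(0xE0, b"JFIF\0" + bytes(9))
    return b"\xff\xd8" + app0 + (_segment(APP11, app11) if with_manifest else b"") + b"\xff\xd9"
```

Running c2pa_status on a file before and after an editing or upload pipeline shows whether that pipeline preserves the container; a change from "manifest-present" to "no-manifest" is the stripping case described above.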
Signing algorithm
C2PA 2.4 supports ECDSA P-256 (primary) and RSA-3072 (legacy). Verbitas uses ECDSA P-256 for all managed signing operations. Enterprise BYOK customers can use any KMS-supported algorithm.
Timestamping
Manifests are RFC 3161 timestamped by a trusted Timestamp Authority (TSA). The timestamp is part of the manifest and survives file distribution.
Revocation
Signing certificates support OCSP and CRL revocation checking. In production, Verbitas requires OCSP status "good" for verification to succeed.
How Verbitas helps
Verbitas implements C2PA 2.4 — the current specification — with ECDSA P-256 signing via AWS KMS, RFC 3161 timestamping, OCSP revocation, and optional blockchain anchoring. Verbitas manifests are readable by any C2PA-compliant reader.
C2PA Standard and content provenance.
Verbitas provides the technical infrastructure. Compliance is your responsibility.