CAWG’s identity assertion: A framework for asserting provenance

Eric Scouten, CAWG co-chair
23 January 2026

I am often asked to explain how the CAWG identity assertion works and how it fits into the overall content authenticity ecosystem. This page is intended to provide a useful overview for understanding the identity assertion.

The C2PA ecosystem

There are five independent organizations that collaborate to define and support the content authenticity ecosystem:

  • The Coalition for Content Provenance and Authenticity (C2PA) is a standards development organization that defines a core technical framework that allows many kinds of metadata (known collectively as “assertions”) to be securely attached to a specific piece of digital media. It then uses that framework to define specific kinds of metadata that can be asserted by the hardware or software implementing C2PA. Think of this as the “What and how” for digital media.

  • The Creator Assertions Working Group (CAWG) is a standards development organization that builds upon the C2PA framework by defining how human-generated metadata about digital media fits into the C2PA ecosystem. This work is primarily encapsulated in CAWG’s identity assertion and metadata assertion specifications. Think of this as the “Who” for digital media.

  • The Content Authenticity Initiative (CAI) is a business alliance that promotes the cause of digital provenance through education and public policy advocacy. It is also the name of the business unit at Adobe which supports all three of these organizations through open source, open standards development, and support of Adobe product teams implementing CAI.

  • The International Press Telecommunications Council (IPTC) is the global standards body of the news media. IPTC provides the technical foundation for the news ecosystem and describes how news-related metadata is represented in the C2PA ecosystem.

  • JPEG Trust (ISO/IEC 21617) is a standards development organization that provides a framework for establishing trust in media. This framework includes aspects of authenticity, provenance, attribution, intellectual property rights, and integrity through secure and reliable annotation of the media assets throughout their life cycle.

For the remainder of this page, I will speak of C2PA, CAWG, and other standards that build upon the C2PA core specification as the C2PA ecosystem.

CAWG is not part of C2PA

A common misconception is that CAWG is a working group within C2PA. It is not.

C2PA has since 2024 chosen to focus exclusively on metadata that can be directly attested to by a hardware device or software tool without human input.

CAWG was created at that time to provide a home for metadata that is attested to by individual or organizational content creators. It is a working group within the Decentralized Identity Foundation (DIF). A membership in DIF is required to participate in CAWG.

Who signs what?

When an individual or organization wants to claim attribution for a specific content, they sign with their own credentials, separately from the hardware or software tool that generated the binary representation of that content. This separation provides a clear indication of who is taking responsibility for what parts of the content, as shown in the table below:

  C2PA claim generator CAWG named actor

Specification

C2PA Content Credentials

CAWG identity assertion

Who is signing?

Hardware or software product

Individual or organizational content creator

Who issues the credentials?

X.509 certificates are issued to “conforming products” (i.e. hardware or software products that demonstrate compliance with C2PA rules)

Multiple credential types (see CAWG credential types below)

How many signatures?

Exactly one, required

Any number, optional

Available for those content creators who wish to identify themselves as content creators.

What are they taking responsibility for?

Information available without human input, e.g.

  • GPS data

  • Time of capture

  • Edit actions taken

  • Was AI used?

  • Ingredients incorporated

Information provided by humans, e.g.

  • Who created the content?

  • Events or locations depicted in content

  • Other metadata for context

CAWG credential types

An important aspect of the CAWG identity assertion is that it is built to make use of many credential types. The core requirements for credential formats are that they:

  1. Are independently verifiable. (In other words, a public key for a given credential can be located by any interested verifying party.)

  2. Have the capacity to sign arbitrary binary payloads. In practice, the payloads are relatively small (typically 1KB or less). The content of the payload, when signed by private keys controlled by the credential holder, indicates the credential holder’s knowledge of the specific digital media asset being described.

As of this writing, the 1.2 version of the CAWG identity assertion describes two credential types:

  1. X.509 certificates. As part of an interim governance plan, S/MIME certificates typically used to convey organizational identity and widely available through well-governed certificate authorities, can be used to sign CAWG identity assertions.

    These certificates are not compatible with the C2PA claim generator certificates used to sign C2PA manifests.

  2. Identity claims aggregation credentials. These credentials are a specialized version of W3C Verifiable Credentials which allow a trusted platform vendor (known here as an identity claims aggregator) to gather information about a user, typically an individual content creator, and replay those signals on their behalf to sign CAWG identity assertions.

    This version of the CAWG identity assertion is not otherwise compatible with W3C Verifiable Credentials.

Possible future credential types

As of this writing (early 2026), work is underway to explore adding two more credential types:

  • W3C Verifiable Credentials, with a specific emphasis on First Person Network credentials

  • Authentic Chained Data Containers (ACDC), with a specific emphasis on verifiable LEIs

CAWG makes no guarantee regarding when or whether these credential types will be supported.

How is this different from XMP, IPTC, and Exif?

Let’s start with how the C2PA ecosystem is similar to the existing metadata formats: Many of the same kinds of information that can be conveyed using XMP, IPTC Photo Metadata, and Exif standards (e.g., capture device information, location, description, and authorship claims) can also be conveyed through the C2PA ecosystem.

What sets the C2PA ecosystem apart is:

  • C2PA metadata is securely attached to content. C2PA uses cryptographic hashes and signatures to ensure that metadata is not changed since it was changed. These techniques also ensure that a valid C2PA manifest can not be transplanted and used to describe content other than the specific file that it was intended to describe. We think of this as a tamper-evident “nutrition label” for content.

  • C2PA metadata contains an audit trail. Unlike XMP, IPTC Photo Metadata, and Exif, C2PA metadata retains prior attestations when existing content is incorporated into new content. This means that a content consumer can trace back through potentially many sources and read the attestations from each source’s creator.

  • CAWG identity assertions require secure digital credentials. A claim of authorship, as described by the CAWG identity assertion, can only be signed using a digital credential using a private/public key pair. This serves to prevent false claims of authorship.