Organizational Identity Profile for Content Credentials

This document defines a lightweight profile of the Content Credentials specification for organizational content creators. The goal is to build on the existing Content Credentials framework to provide creators and publishers the ability to author and cryptographically sign their own assertions.

Version 1.1 Draft 28 May 2026 · Version history

This is a working draft of an upcoming version of this specification and may be changed without warning. Implementors needing a stable specification should instead refer to the 1.0 version of this specification.

License

This specification is subject to the W3C Patent Policy (2004).

For sample or reference code included in the specification itself, that code is subject to the Apache 2.0 license, unless otherwise designated. In the case of any conflict or confusion within this specification repository between the W3C Patent Policy (2004) or other designated license, the terms of the W3C Patent Policy (2004) shall apply.

These terms are inherited from the Decentralized Identity Foundation Project Charter.

Contributing

This section is non-normative.

This specification is an active working draft. If you wish to contribute to its development, please view the CAWG membership page.

Foreword

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. No party shall be held responsible for identifying any or all such patent rights.

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

This document was prepared by the Creator Assertions Working Group, a working group of the Decentralized Identity Foundation.

THESE MATERIALS ARE PROVIDED “AS IS.” The Contributors and Licensees expressly disclaim any warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to the materials. The entire risk as to implementing or otherwise using the materials is assumed by the implementer and user. IN NO EVENT WILL THE CONTRIBUTORS OR LICENSEES BE LIABLE TO ANY OTHER PARTY FOR LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF ANY KIND WITH RESPECT TO THIS DELIVERABLE OR ITS GOVERNING AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER MEMBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

1. Standard terms

The key words “MUST,” “MUST NOT,” “REQUIRED,” “SHALL,” “SHALL NOT,” “SHOULD,” “SHOULD NOT,” “RECOMMENDED,” “NOT RECOMMENDED,” “MAY,” and “OPTIONAL” in this document are to be interpreted as described in BCP 14, RFC 2119, and RFC 8174 when they appear in any casing (upper, lower, or mixed).

2. Generator profile definition

A implementation of the Organizational Identity Profile for Content Credentials that generates C2PA claims MUST:

Support the C2PA Content Credentials Specification, version 2.2, 2.3, or 2.4.
Offer the ability for its users to configure organizational identity credentials as defined in §8.2, “X.509 certificates and COSE signatures,” of the CAWG Identity Assertion, version 1.2, and generate identity assertions using those credentials.
Offer the ability for its users to provide additional metadata of interest to the organization via the CAWG Metadata Assertion, version 1.1.

CAWG will review updates to each of these specifications and issue a new version of this profile as appropriate to add support for those versions.

3. Validator profile definition

An implementation of the Organizational Identity Profile for Content Credentials that consumes or presents C2PA claims MUST:

Support the C2PA Content Credentials Specification, version 2.2, 2.3, or 2.4.
In every C2PA manifest that it consumes or presents, it MUST validate every CAWG identity assertion that uses an organizational identity credential as defined in §8.2, “X.509 certificates and COSE signatures,” of the CAWG Identity Assertion specification, version 1.2, and report on the status of said validation. For each identity assertion that is found to be trusted, it MUST prominently display the identity of the organization and its role as claimed in the assertion.
If any trusted identity assertion also references a CAWG Metadata Assertion, as defined in version 1.1 of that specification, the implementation SHOULD display a summary of the information within that metadata assertion.

CAWG will review updates to each of these specifications and issue a new version of this profile as appropriate to add support for those versions.

4. Assertion types and references

An organization creating an assertion defined in the C2PA Content Credentials Specification MUST include such assertion as a gathered assertion rather than a created assertion. These terms are defined in Section 10.3.2.1, “Adding assertions and redactions” of the C2PA Content Credentials Specification.

The implementation MUST reference every such assertion using the referenced assertions mechanism defined in the CAWG identity assertion specification to assert responsibility for the content contained in such assertions.

Appendix A: Version history

This section is non-normative.

28 May 2026

Started 1.1-draft version of this specification, derived from the 1.0 version of this specification. (Version history)
Updated to reference version 2.4 of the C2PA technical specification.
Introduced separate generator and validator profiles with additional requirements for each.