Are there any initiatives to apply C2PA to HTTPS/TLS non-repudiation so that servers hosting content become part of the chain of custody? #44
Comments
|
@pirate Interesting concept! No, we haven't discussed this specific area. We have had some previous conversions about WARC, Internet Archives and such - but nothing about how TLS certs (or just server identity) applies. Definitely something for us to consider! |
|
I'd like to second this! It'd be great to allow alternate Certificate Profiles to still produce Content Credentials. Maybe with some trade off in the trust model since they're easier to get? FWIW I couldn't find any mention of non-repudiation in the spec but it is in the rust cert validation |
|
In the meantime, https://tlsnotary.org/ has done some incredible work in this area, they figured out how to do a ZK proof with a witness server. It allows for signed attestation of a TLS session content by 3rd parties without having to share the cleartext with them or modify the TLS protocol at all. Of course it would still be great to have other solutions too, protocl-layer or not :) |
Right now HTTPS/TLS does not support non-repudiation. https://security.stackexchange.com/questions/103645/does-ssl-tls-provide-non-repudiation-service
It's a huge problem for internet archiving, legal cases, and journalism because no one can provably verify that a server provided some specific content (without having to trust the client who recorded it to have not tampered with the recording).
Addressing the lack of non-repudiation could be done by signing packets inside a TLS session (or using some of the other providence techniques discussed by C2PA), and would allow the server hosting content to be provably part of the chain-of-custody.
This solves the problems of:
The text was updated successfully, but these errors were encountered: