Trusteddit Certificate Policy

This Certificate Policy (CP) defines the rules and requirements governing the issuance, management, usage, and revocation of certificates within the Trusteddit Public Key Infrastructure (PKI).

Trusteddit operates as a C2PA-focused intermediate certificate authority (CA), issuing content signing certificates for digital media authentication. These certificates enable content creators, publishers, and media organizations to cryptographically bind provenance metadata to their digital assets in accordance with the Coalition for Content Provenance and Authenticity (C2PA) technical specification.

This CP is structured in accordance with RFC 3647, “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.”

Trusteddit does not issue certificates for TLS/SSL, code signing, email (S/MIME), or any purpose other than C2PA content signing and timestamping. Certificates issued under this policy are intended exclusively for use with the C2PA specification and its associated trust model.

Document Title

Trusteddit Certificate Policy

Version

0.1 (DRAFT)

OID

[DRAFT -- To be assigned upon policy finalization]

Publication Location

https://trusteddit.com/pki/certificate-policy

1.3.1 Certification Authorities

Trusteddit Intermediate CA -- Operated by SanMarcSoft LLC. Issues end-entity certificates for C2PA content signing. The intermediate CA certificate is signed by one or more recognized root CAs to establish trust chain linkage compatible with the C2PA Trust List.

1.3.2 Registration Authorities

Trusteddit serves as its own Registration Authority (RA). The RA function is responsible for verifying the identity of certificate applicants before certificates are issued by the CA.

1.3.3 Subscribers

Subscribers are individuals or organizations that apply for and are issued C2PA content signing certificates by the Trusteddit CA. Subscribers include content creators, media organizations, news agencies, and any entity that wishes to cryptographically sign digital content for provenance verification.

1.3.4 Relying Parties

Relying parties are individuals, organizations, or software applications that verify C2PA content credentials signed with certificates issued by the Trusteddit CA. This includes verification tools, social media platforms, content management systems, and any application implementing C2PA verification.

1.3.5 Other Participants

Time-Stamp Authority (TSA): Trusteddit operates an RFC 3161 compliant TSA to provide trusted timestamps for content signing operations. Timestamps enable signature verification even after the signing certificate has expired, provided the signature was created during the certificate's validity period.

1.4.1 Appropriate Certificate Uses

• Signing C2PA manifests and assertions on digital media (images, video, audio, documents)
• Authenticating the identity of content creators and publishers within the C2PA ecosystem
• Establishing provenance chains for digital content
• Timestamping content signing operations via the TSA

1.4.2 Prohibited Certificate Uses

• TLS/SSL server or client authentication
• Code signing for software distribution
• Email encryption or signing (S/MIME)
• Any purpose not related to C2PA content authentication
• Signing content on behalf of another entity without proper authorization

Organization Administering the Document

SanMarcSoft LLC, operating as Trusteddit

Contact Person

PKI Policy Authority
Email: [email protected]

Person Determining CP/CPS Suitability

The Trusteddit Policy Authority is responsible for determining whether a Certificate Practice Statement conforms to this Certificate Policy.

CP Approval Procedures

This CP is approved by the Trusteddit Policy Authority. Changes to this CP require review and approval by the Policy Authority. Material changes will be communicated to affected parties and published to the repository.

3.1.1 Types of Names

Certificates issued by Trusteddit use X.500 Distinguished Names (DNs). End-entity certificates include the subscriber's organization name in the Subject field, along with the Common Name (CN) identifying the certificate holder.

3.1.2 Need for Names to Be Meaningful

The Distinguished Name in the certificate subject field must be meaningful and accurately represent the identity of the subscriber. Anonymous or pseudonymous certificates are not issued under this policy.

3.1.3 Anonymity or Pseudonymity of Subscribers

Trusteddit does not issue anonymous or pseudonymous certificates. All subscribers must be identified by their legal name or registered organization name.

3.1.4 Rules for Interpreting Various Name Forms

Distinguished Names are interpreted in accordance with the X.500 standard and applicable RFC specifications (RFC 5280).

3.1.5 Uniqueness of Names

Trusteddit ensures that Distinguished Names are unique within the CA's namespace. No two active certificates will share the same Subject DN unless they represent the same entity.

3.2.1 Method to Prove Possession of Private Key

Applicants must demonstrate possession of the private key corresponding to the public key submitted for certification. This is accomplished through the submission of a Certificate Signing Request (CSR) signed with the applicant's private key, which the CA validates.

3.2.2 Authentication of Organization Identity

For organization subscribers, Trusteddit validates the organization's identity through:

• Verification of legal existence using government-issued business records or equivalent documentation
• Confirmation of the applicant's authority to act on behalf of the organization
• Verification of the organization's operational existence and contact information

3.2.3 Authentication of Individual Identity

For individual subscribers, Trusteddit validates identity through:

• Government-issued photo identification document
• Verification of the individual's association with the stated organization (if applicable)
• Email domain verification for the contact address

3.2.4 Non-verified Subscriber Information

Non-verified information, if any, is clearly marked as such within the certificate. Trusteddit makes no representations regarding the accuracy of non-verified information.

3.2.5 Validation of Authority

Trusteddit validates that the certificate applicant has the authority to request the certificate on behalf of the named organization, using documented authorization from an officer or authorized representative.

3.3.1 Identification and Authentication for Routine Re-key

Subscribers requesting certificate re-key must authenticate using their existing valid certificate or through re-verification of identity using the procedures described in Section 3.2.

3.3.2 Identification and Authentication for Re-key After Revocation

After revocation, subscribers must undergo the full initial identity validation process as described in Section 3.2 to obtain a new certificate.

Revocation requests must be authenticated. Subscribers may request revocation of their own certificates by authenticating to the Trusteddit system using credentials established during certificate issuance. Trusteddit may also initiate revocation based on evidence of key compromise, policy violation, or cessation of operations.

4.1.1 Who Can Submit a Certificate Application

Certificate applications may be submitted by any individual or organization that intends to sign digital content using C2PA-compliant credentials. Applicants must agree to the Trusteddit Subscriber Agreement before a certificate is issued.

4.1.2 Enrollment Process and Responsibilities

The enrollment process includes:

1. Applicant generates a key pair and submits a CSR to Trusteddit
2. Applicant provides required identity documentation
3. Applicant agrees to the Subscriber Agreement
4. Trusteddit validates the application per Section 3.2
5. Upon successful validation, the certificate is issued

4.2.1 Performing Identification and Authentication Functions

Trusteddit performs all identification and authentication functions as described in Section 3. The CA verifies the identity of the applicant, the authority of the applicant to request the certificate, and the applicant's possession of the private key.

4.2.2 Approval or Rejection of Certificate Applications

Certificate applications are approved when all identity validation requirements have been satisfied and the applicant has agreed to the Subscriber Agreement. Applications are rejected when identity cannot be verified, documentation is insufficient, or the applicant fails to meet the requirements of this CP.

4.2.3 Time to Process Certificate Applications

Trusteddit endeavors to process certificate applications within five (5) business days of receiving a complete application. Processing time may vary depending on the complexity of identity validation.

4.3.1 CA Actions During Certificate Issuance

Upon approval of a certificate application, the Trusteddit CA:

1. Generates the certificate using the validated CSR
2. Signs the certificate with the Trusteddit intermediate CA private key
3. Assigns a unique serial number to the certificate
4. Publishes the certificate to the repository and provides it to the subscriber

4.3.2 Notification to Subscriber by the CA of Issuance

Trusteddit notifies the subscriber of certificate issuance via the email address provided during the application process. The notification includes instructions for retrieving the certificate.

4.4.1 Conduct Constituting Certificate Acceptance

A subscriber is deemed to have accepted a certificate when they download or use the certificate, or fail to object to the certificate content within seven (7) days of issuance notification.

4.4.2 Publication of the Certificate by the CA

The CA publishes all issued certificates in its repository. OCSP responses confirming the certificate status are available immediately upon issuance.

4.4.3 Notification of Certificate Issuance by the CA to Other Entities

Trusteddit does not routinely notify entities other than the subscriber of certificate issuance, unless required by law or contractual obligation.

4.5.1 Subscriber Private Key and Certificate Usage

Subscribers must use their private keys and certificates only for C2PA content signing purposes as described in Section 1.4.1. Subscribers are responsible for protecting their private keys in accordance with the Subscriber Agreement.

4.5.2 Relying Party Public Key and Certificate Usage

Relying parties must verify the certificate chain, check certificate revocation status, and confirm the certificate is being used for its intended purpose before relying on a signature. Relying parties should verify C2PA manifests using the full trust chain including the Trusteddit intermediate CA and the applicable root CA.

Certificate renewal (issuance of a new certificate with the same key pair and subject information) is supported when the subscriber's identity information remains current. Renewal requires that the existing certificate has not been revoked and the identity information has been re-validated within the time period specified in the CPS.

Certificate re-key (issuance of a new certificate with a new key pair) follows the procedures described in Section 3.3 for identification and authentication. The subscriber generates a new key pair and submits a new CSR.

Certificate modification (changing certificate information other than the public key) requires revocation of the existing certificate and issuance of a new certificate. Identity re-validation is required per Section 3.2.

4.9.1 Circumstances for Revocation

A certificate shall be revoked when any of the following conditions occur:

• The subscriber's private key has been compromised or is suspected of being compromised
• The information in the certificate is no longer accurate
• The subscriber has violated the terms of the Subscriber Agreement or this CP
• The subscriber requests revocation
• The CA ceases operations
• Required by applicable law or regulation
• The certificate was issued in error or through fraudulent means

4.9.2 Who Can Request Revocation

The subscriber, the Trusteddit CA, or any party with evidence of key compromise or policy violation may request certificate revocation.

4.9.3 Procedure for Revocation Request

Revocation requests must be submitted via authenticated channels. The requester must provide the certificate serial number and reason for revocation. Identity is authenticated per Section 3.4.

4.9.4 Revocation Request Grace Period

Subscribers must notify Trusteddit of any suspected key compromise or grounds for revocation without unreasonable delay, and in no event later than twenty-four (24) hours after discovery.

4.9.5 Time Within Which CA Must Process Revocation Request

Trusteddit processes revocation requests within four (4) hours for key compromise and within twenty-four (24) hours for all other reasons. The CRL is updated immediately upon revocation.

4.9.6 Certificate Suspension

Trusteddit does not support certificate suspension. Certificates are either valid or revoked.

Trusteddit provides certificate status information through:

• OCSP Responder: Real-time certificate status queries available at the OCSP endpoint specified in issued certificates (Authority Information Access extension)
• CRL Distribution: Certificate Revocation Lists published at the CRL Distribution Points specified in issued certificates, updated at least every 24 hours

A subscription ends when the certificate expires, is revoked, or the subscriber terminates the Subscriber Agreement. Upon end of subscription, the subscriber must cease using the private key for signing new content. Previously signed content remains verifiable through the trust chain and timestamping.

Trusteddit does not provide key escrow services for subscriber private keys. Subscribers are solely responsible for the secure storage and backup of their own private keys. The CA does not possess, and has never possessed, copies of subscriber private keys.