Trusteddit Relying Party Agreement

Terms for C2PA Content Credential Verification

Version: 0.1
Status: DRAFT
Effective Date: TBD
Last Updated: March 2026

This Relying Party Agreement (“Agreement”) is entered into between SanMarcSoft LLC, operating as Trusteddit (“Trusteddit,” “we,” “us,” or “our”), and the entity, individual, or application that relies on certificates issued by the Trusteddit Certificate Authority for C2PA content credential verification (“Relying Party,” “you,” or “your”).

By using certificate status information, trust chain data, or other PKI services provided by Trusteddit to verify C2PA content credentials, you agree to be bound by the terms of this Agreement, the Trusteddit Certificate Policy (CP), and the Trusteddit Certificate Practice Statement (CPS).

1. Definitions

“C2PA Content Credential”
A set of cryptographically signed assertions about digital media content conforming to the C2PA technical specification, including manifests, claims, and provenance data.
“Certificate”
An X.509 v3 digital certificate issued by the Trusteddit CA to a Subscriber for the purpose of signing C2PA content credentials.
“Certificate Status Services”
The OCSP responder and CRL distribution services operated by Trusteddit to provide real-time and periodic certificate revocation status information.
“Trust Chain”
The sequence of certificates from the end-entity Certificate through the Trusteddit intermediate CA to the root CA, enabling verification of signatures.
“Verification”
The process of validating a C2PA content credential by checking the digital signature, trust chain, certificate revocation status, and timestamp validity.
“CP” and “CPS”
The Trusteddit Certificate Policy and Certificate Practice Statement, respectively, as published at trusteddit.com/pki/.

2. Relying Party Obligations

As a Relying Party, you agree to the following obligations:

2.1 Verification Procedures

Before relying on a C2PA content credential signed with a Trusteddit-issued Certificate, you shall:

  1. Verify the digital signature: Confirm that the cryptographic signature on the C2PA manifest is valid using the public key in the Certificate
  2. Validate the trust chain: Verify that the Certificate chains to a trusted root CA through the Trusteddit intermediate CA, and that all certificates in the chain are valid
  3. Check revocation status: Query the OCSP responder or download the current CRL to confirm the Certificate has not been revoked at the time of verification
  4. Verify certificate usage: Confirm that the Certificate was issued for C2PA content signing and is being used for that purpose
  5. Check validity period: Confirm the Certificate was valid at the time the content was signed. Where an RFC 3161 timestamp is present, use the timestamp to determine the signing time

2.2 Reasonable Reliance

You shall exercise reasonable judgment when relying on C2PA content credentials. A valid signature and trust chain confirm the identity of the signer and the integrity of the signed data, but do not guarantee the truthfulness, quality, or legality of the underlying content.

2.3 Timestamp Considerations

When verifying content credentials that include RFC 3161 timestamps from the Trusteddit TSA:

  • A valid timestamp proves that the signature existed at the time indicated by the timestamp
  • A signature with a valid timestamp remains verifiable even after the signing Certificate has expired, provided the signature was created during the Certificate's validity period
  • You should consider both the certificate validity and the timestamp when making trust decisions

2.4 Certificate Limitations

You acknowledge and agree that:

  • A Certificate confirms the identity of the Subscriber as validated by Trusteddit, but does not constitute an endorsement of the Subscriber or their content
  • Trusteddit does not monitor, review, or approve the content signed by Subscribers
  • Certificate status services provide the most current information available to Trusteddit, but there may be a brief delay between a revocation event and the availability of updated status information

2.5 Compliance

You shall comply with this Agreement and all applicable laws and regulations in connection with your use of Trusteddit certificates and PKI services for verification purposes.

3. Trusteddit Obligations

Trusteddit agrees to the following obligations to Relying Parties:

3.1 Certificate Status Availability

Trusteddit shall use commercially reasonable efforts to maintain the availability of its OCSP responder and CRL distribution points. Trusteddit targets 99.5% uptime for certificate status services, measured on a monthly basis.

3.2 Accurate Status Information

Trusteddit shall ensure that OCSP responses and CRLs accurately reflect the current revocation status of all issued certificates. Status information is updated within the timelines specified in the CPS.

3.3 Trust Chain Publication

Trusteddit shall publish its intermediate CA certificate and information necessary to construct the trust chain in its public repository. The CA Issuers URL in each issued certificate provides direct access to the intermediate CA certificate.

3.4 Policy Transparency

Trusteddit shall maintain and publish the CP, CPS, and this Agreement in its public repository. Material changes will be communicated with advance notice.

4. Representations and Warranties

4.1 Trusteddit Representations to Relying Parties

Trusteddit represents and warrants to Relying Parties that:

  1. Certificates are issued in accordance with the CP and CPS, including identity validation procedures
  2. The information contained in a Certificate was verified at the time of issuance using the procedures described in the CP and CPS
  3. Certificate status services (OCSP and CRL) are maintained and updated as described in the CPS
  4. Revocation requests are processed within the timelines specified in the CPS

4.2 No Warranty of Content

Trusteddit makes no representations or warranties regarding the accuracy, completeness, quality, legality, or reliability of any content signed using a Trusteddit-issued Certificate. A valid signature confirms the identity of the signer and the integrity of the signed data only.

5. Limitations of Liability

5.1 Disclaimer

Except as expressly stated in this Agreement, Trusteddit provides certificates and PKI services to Relying Parties “as is” and “as available,” without warranties of any kind, whether express, implied, statutory, or otherwise.

5.2 Limitation of Liability

To the maximum extent permitted by applicable law:

  • Trusteddit shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising out of or related to a Relying Party's use of or reliance on any Certificate or PKI service
  • Trusteddit shall not be liable for any losses arising from a Relying Party's failure to perform the verification procedures described in Section 2.1
  • Trusteddit shall not be liable for the acts or omissions of any Subscriber, including the content they sign
  • Trusteddit's total aggregate liability to any Relying Party under this Agreement shall not exceed one thousand US dollars (USD $1,000)

5.3 Conditions for Reliance

Trusteddit's obligations and representations under this Agreement are conditioned on the Relying Party having performed the verification procedures described in Section 2.1. A Relying Party that does not perform these procedures may not rely on Trusteddit's representations and warranties.

6. Indemnification

6.1 Relying Party Indemnification

You agree to indemnify, defend, and hold harmless Trusteddit, SanMarcSoft LLC, and their officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:

  • Your failure to perform the verification procedures described in Section 2.1
  • Your unreasonable reliance on a Certificate or content credential
  • Your use of Trusteddit PKI services in violation of this Agreement or applicable law

7. Term and Termination

7.1 Term

This Agreement becomes effective upon your first use of Trusteddit certificate status services or trust chain data for C2PA verification, and remains in effect for as long as you continue to rely on Trusteddit-issued certificates.

7.2 Termination

Either party may terminate this Agreement at any time. You may terminate by ceasing all reliance on Trusteddit-issued certificates. Trusteddit may terminate by providing thirty (30) days' written notice, except that Trusteddit's obligations for certificates already issued and in use continue as long as those certificates remain valid.

7.3 Survival

Sections 4, 5, 6, and 8 of this Agreement survive termination.

8. General Provisions

8.1 Governing Law

This Agreement is governed by the laws of the State of New York, United States, without regard to its conflict of laws principles.

8.2 Entire Agreement

This Agreement, together with the CP and CPS (as incorporated by reference), constitutes the entire agreement between the parties with respect to reliance on Trusteddit certificates.

8.3 Amendments

Trusteddit may amend this Agreement by publishing the updated version to the PKI repository. Material changes take effect thirty (30) days after publication. Continued reliance on Trusteddit certificates after the effective date constitutes acceptance.

8.4 Severability

If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

8.5 Notices

Notices to Trusteddit should be directed to [email protected].
