[HN Gopher] C2PA Releases Spec of First Industry Standard for Co...
       ___________________________________________________________________
        
       C2PA Releases Spec of First Industry Standard for Content
       Provenance
        
       Author : wglb
       Score  : 12 points
       Date   : 2022-02-26 04:00 UTC (19 hours ago)
        
 (HTM) web link (c2pa.org)
 (TXT) w3m dump (c2pa.org)
        
       | Pulcinella wrote:
       | Is there a high level overview of how this is supposed to work?
       | Is there anything to keep people from just lying? E.g. Oh this
       | deepfake of a politician eating people is totally real. See the
       | C2PA content provenance metadata says it was filmed by a BBC
       | journalist's cellphone camera!
        
         | wglb wrote:
         | Tim provides a walkthrough:
         | https://twitter.com/timbray/status/1486770745841577989
        
           | infogulch wrote:
           | > And that's all security measures can ever do, drive up the
           | cost of bad behavior and reduce the domain in which it's
           | accessible and economic. Looks to me like C2PA will do that.
        
         | fxtentacle wrote:
         | The camera creates a hash of the raw image data and signs that
         | with a private key => If the camera firmware is secure, you
         | can't fake this.
         | 
         | Photoshop modifies the image => hash of the new image data is
         | signed by your personal private key + signature includes camera
         | hash => if someone steals your image, you can prove that you
         | created the Jpeg based off your raw
         | 
         | But yes, it doesn't protect against you using your camera to
         | take a photo of your screen showing a deepfaked image. It might
         | just make this more expensive to fake if it includes GPS into
         | the signature.
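
Added example (not part of fxtentacle's comment and not C2PA's actual manifest format): a minimal sketch of the hash-and-sign chain described above, where the edit claim signs the new image hash together with the hash of the camera's claim. The keys, byte strings and function names are constructed for illustration, and HMAC-SHA256 stands in for the public-key signatures a camera or editor would use.

```python
import hashlib
import hmac
import json

# Constructed keys. HMAC-SHA256 is a stand-in for a real public-key signature
# so that the example needs only the standard library.
KEYS = {"camera": b"constructed-camera-key", "editor": b"constructed-editor-key"}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()

def sign(signer: str, body: dict) -> str:
    return hmac.new(KEYS[signer], canonical(body), hashlib.sha256).hexdigest()

def claim_hash(claim: dict) -> str:
    return digest(canonical(claim))  # covers the parent's signature too

def make_claim(signer: str, asset: bytes, parent: dict = None) -> dict:
    """Sign the asset hash plus, for an edit, the hash of the parent claim."""
    body = {"signer": signer, "asset_sha256": digest(asset),
            "parent_claim_sha256": claim_hash(parent) if parent else None}
    return {**body, "sig": sign(signer, body)}

def verify_chain(assets, claims):
    """assets[i] is the file that claims[i] describes, oldest first."""
    prev = None
    for i, (asset, claim) in enumerate(zip(assets, claims)):
        body = {k: v for k, v in claim.items() if k != "sig"}
        if claim["signer"] not in KEYS:
            return False, f"claim {i}: unknown signer"
        if not hmac.compare_digest(claim["sig"], sign(claim["signer"], body)):
            return False, f"claim {i}: bad signature"
        if claim["asset_sha256"] != digest(asset):
            return False, f"claim {i}: asset hash mismatch"
        if claim["parent_claim_sha256"] != (claim_hash(prev) if prev else None):
            return False, f"claim {i}: not linked to previous claim"
        prev = claim
    return True, "ok"

# Constructed sample data: a "raw" capture and the edited file derived from it.
RAW, JPEG = b"constructed raw sensor bytes", b"constructed edited jpeg bytes"
cam = make_claim("camera", RAW)
edit = make_claim("editor", JPEG, parent=cam)
```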
        
           | gruez wrote:
           | >If the camera firmware is secure, you can't fake this.
           | 
           | that's a big if.
           | 
           | >Photoshop modifies the image => hash of the new image data
           | is signed by your personal private key + signature includes
           | camera hash => if someone steals your image, you can prove
           | that you created the Jpeg based off your raw
           | 
           | I don't get what this part is supposed to solve. Desktop
           | editing software allows arbitrary manipulation of images, and
           | there's basically no hope of some sort of TEE to keep the
           | private key secure. Therefore it's useless for guaranteeing
           | authenticity (ie. the image faithfully represents what was
           | captured), and is really only useful for ensuring that a
           | given publication endorses such an image. In other words, it's
           | basically gpg signing an image. That's not done today, but
           | you can already verify whether an image comes from a
           | publication by checking linking directly to their site (eg.
           | if a given image is claimed to be from nytimes, you link to
           | nytimes.com).
        
       | jrochkind1 wrote:
       | Can anyone explain to an HN "technical but not expert in the
       | specific area" audience what this actually is? The press release
       | is leaving me confused.
        
       ___________________________________________________________________
       (page generated 2022-02-26 23:01 UTC)