[HN Gopher] C2PA Releases Spec of First Industry Standard for Co...
___________________________________________________________________

C2PA Releases Spec of First Industry Standard for Content Provenance

Author : wglb
Score  : 12 points
Date   : 2022-02-26 04:00 UTC (19 hours ago)

(HTM) web link (c2pa.org)
(TXT) w3m dump (c2pa.org)

| Pulcinella wrote:
| Is there a high level overview of how this is supposed to work?
| Is there anything to keep people from just lying? E.g. Oh this
| deepfake of a politician eating people is totally real. See the
| C2PA content provenance metadata says it was filmed by a BBC
| journalist's cellphone camera!

| wglb wrote:
| Tim provides a walkthrough:
| https://twitter.com/timbray/status/1486770745841577989

| infogulch wrote:
| > And that's all security measures can ever do, drive up the
| cost of bad behavior and reduce the domain in which it's
| accessible and economic. Looks to me like C2PA will do that.

| fxtentacle wrote:
| The camera creates a hash of the raw image data and signs that
| with a private key => If the camera firmware is secure, you
| can't fake this.
|
| Photoshop modifies the image => hash of the new image data is
| signed by your personal private key + signature includes camera
| hash => if someone steals your image, you can prove that you
| created the Jpeg based off your raw
|
| But yes, it doesn't protect against you using your camera to
| take a photo of your screen showing a deepfaked image. It might
| just make this more expensive to fake if it includes GPS into
| the signature.

| gruez wrote:
| >If the camera firmware is secure, you can't fake this.
|
| that's a big if.
|
| >Photoshop modifies the image => hash of the new image data
| is signed by your personal private key + signature includes
| camera hash => if someone steals your image, you can prove
| that you created the Jpeg based off your raw
|
| I don't get what this part is supposed to solve. Desktop
| editing software allows arbitrary manipulation of image, and
| there's basically no hope of some sort of TEE to keep the
| private key secure. Therefore it's useless for guaranteeing
| authenticity (ie. the image faithfully represents what was
| captured), and is really only useful for ensuring that a
| given publication endorses such image. In other words, it's
| basically gpg signing an image. That's not done today, but
| you can already verify whether an image comes from a
| publication by checking linking directly to their site (eg.
| if a given image is claimed to be from nytimes, you link to
| nytimes.com).

| jrochkind1 wrote:
| Can anyone explain to an HN "technical but not expert in the
| specific area" audience what this actually is? The press release
| is leaving me confused.
___________________________________________________________________
(page generated 2022-02-26 23:01 UTC)
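
Added example, not part of the thread and not C2PA's manifest format: a minimal model of the hash-and-sign chain fxtentacle describes, showing what a verifier can check and, per gruez's reply, what the editor's signature does not establish. The Claim type, the Sign, Verify and Demo functions, and the choice of SHA-256 and Ed25519 are assumptions made for illustration; the sample byte strings are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Claim is a hypothetical record for this sketch, not the C2PA manifest format.
type Claim struct {
	ContentHash [32]byte          // SHA-256 of the bytes this claim covers
	ParentHash  []byte            // content hash of the source claim; nil for a capture
	Signer      ed25519.PublicKey // key that endorsed the claim
	Sig         []byte            // signature over ContentHash || ParentHash
}

func payload(c Claim) []byte {
	return append(append([]byte{}, c.ContentHash[:]...), c.ParentHash...)
}

// Sign hashes asset and signs the hash together with the parent's hash.
func Sign(priv ed25519.PrivateKey, asset, parentHash []byte) Claim {
	c := Claim{ContentHash: sha256.Sum256(asset), ParentHash: parentHash, Signer: priv.Public().(ed25519.PublicKey)}
	c.Sig = ed25519.Sign(priv, payload(c))
	return c
}

// Verify checks the asset bytes, the link to the parent, and the signature.
func Verify(c Claim, asset, parentHash []byte) bool {
	return sha256.Sum256(asset) == c.ContentHash &&
		bytes.Equal(c.ParentHash, parentHash) &&
		ed25519.Verify(c.Signer, payload(c), c.Sig)
}

// Demo runs the chain on constructed byte strings standing in for image data.
// The last result shows that the editor key can sign any bytes and still cite
// the camera's hash: the link records an endorsement, not a derivation.
func Demo() (chainOK, tamperCaught, unrelatedAccepted bool) {
	_, camKey, _ := ed25519.GenerateKey(nil)
	_, editKey, _ := ed25519.GenerateKey(nil)
	raw, edited := []byte("constructed raw capture"), []byte("constructed edited JPEG")
	capture := Sign(camKey, raw, nil)
	edit := Sign(editKey, edited, capture.ContentHash[:])
	chainOK = Verify(capture, raw, nil) && Verify(edit, edited, capture.ContentHash[:])
	tamperCaught = !Verify(edit, append(edited, 'x'), capture.ContentHash[:])
	other := []byte("constructed unrelated image")
	unrelatedAccepted = Verify(Sign(editKey, other, capture.ContentHash[:]), other, capture.ContentHash[:])
	return
}

func main() { fmt.Println(Demo()) }
```

All three results are true: the chain verifies, a changed byte is caught, and the unrelated image is accepted as an edit, so a verifier still has to decide separately which signer keys it trusts.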