I was recently quoted as saying, about online media, that we can “change the global Internet conversation for the better, by making it harder for liars to lie and easier for truth-tellers to be believed.”

I thought I should offer details. So here’s a little scenario, the “Nadia story”, and an explanation of how to make it easier to tell when media is faked and when it’s real. https://www.tbray.org/ongoing/When/202x/2025/10/01/C2PA-For-Social-Media

#C2PA

Social Media Provenance Challenge

ongoing by Tim Bray
@timbray I may be missing something here, but this verification scheme seems like it would make it very easy for Nadia to be IDed/found/prosecuted for trumped up interference/resisting-arrest/national-security charges?
@eigen Well, signing is 100% opt-in. So if Nadia feels she’s at risk she can pass up the advantages of signing. And if you're going to get in trouble with the government, even an authoritarian one, for posting a picture, I don't see whether or not it's signed making much difference.
@timbray +1 that this is a necessary change to how the C2PA org is planning to do things. TLS keys probably aren't ideal, but I sent a comment about using either .well-known or files at particular URLs instead.
@jyasskin I'm really unconvinced by the worries about TLS cert re-use. It seems perverse to have two different keys both of which are used to demonstrate signature by some particular server. Also, re-use has the large advantage that nobody has to invent anything new, everyone can go on using Let’s Encrypt or whoever exactly like they do now.
@timbray I worry about the privacy implications here. Would people understand the risks when they post? And, if this is widely deployed, I worry that countries would require this for posting media online.
@wwahammy As to privacy implications, obviously signing is optional. But if someone's going to get in legal trouble for posting a picture, even under an oppressive government, I don't think whether or not it's signed would affect that much.