
What is a CAWG Identity Assertion?
Definition: The Content Authenticity Web Group (CAWG) Identity Assertion v1.2 is a DIF-ratified standard, finalized 15 December 2025, for binding verified creator identity to C2PA manifests via W3C Verifiable Credentials, independent of the signing certificate.
TL;DR: The signing certificate says which service signed. The CAWG identity assertion says who the creator or platform is, using Verifiable Credentials, separate from the cert. Two signature types exist: cawg.x509.cose and cawg.identity_claims_aggregation.
Why identity is separate from the certificate
A signing certificate proves the signer's key. It does not, on its own, say that the named creator is who they claim to be. The CAWG identity assertion fills that gap by attaching verifiable identity claims, an affiliation, a website, a social account, that a verifier can check against the issuing authorities, independent of the X.509 cert that signed the manifest.
The two signature types
cawg.x509.cose ties identity to an X.509 certificate. cawg.identity_claims_aggregation aggregates multiple verified identities, which is how a platform names itself plus a creator plus a verified domain in one assertion. The aggregation form is what enterprise deployments use to express "signed by Original Pictures on behalf of Acme Corp, verified at acme.com."
What it enables
Selective disclosure. A freelance photographer in a hostile environment can publish under a redacted identifier while still carrying a verifiable affiliation. A newsroom can name the masthead without exposing the stringer. Identity becomes opt-in and granular rather than all-or-nothing.
The incident behind this
The WPP CEO deepfake attempt of May 2024 used a cloned voice and image with no identity assertion behind it. A verifiable identity layer on authentic executive communications gives recipients something concrete to check rather than a gut feeling.
Implementation
{ "label": "cawg.identity", "sig_type": "cawg.identity_claims_aggregation", "verifiedIdentities": [ { "type": "cawg.affiliation", "name": "Acme Corp" }, { "type": "cawg.web_site", "uri": "https://acme.com" } ] }
FAQ
Does the identity assertion expose personal data?
Only what the creator opts to publish. CAWG supports affiliation, website, and social-account claims, each opt-in, and supports redacted identifiers for at-risk creators.
Where Original Pictures stands today
Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.
Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.
Bottom line: A CAWG identity assertion answers who, separately from the certificate that answers which signer. Use the aggregation type to name a platform and a creator together with verifiable, opt-in claims.
Related
Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.
Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.
Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.