Can you cryptographically sign a lie? Yes: a signature proves who signed a piece of content and that it has not changed since, not that what it says is true. That single fact exposes a major flaw in how digital trust works today.
In this episode of The SSI Orbit Podcast, host Mathieu Glaude speaks with Scott Perry, CEO of the Digital Governance Institute, about why cryptography alone cannot solve the growing crisis of misinformation, AI-generated content, and digital manipulation.
The conversation centers on C2PA (the Coalition for Content Provenance and Authenticity), a global standard that embeds a signed “nutrition label”, known as Content Credentials, into digital content at the moment it is created. This provenance data reveals how a digital object was generated, whether it has been altered since, and which tools were used, giving people the context they need to judge trustworthiness.
However, as Scott explains, technical tools are only half of the solution. True digital trust requires governance, including transparent conformance programs, certificate authorities, and accountability frameworks that ensure consistency, security, and fairness across all participating products and industries.
The episode also explores the next layers of the trust stack:
• Creator Assertions, which allow individuals to add identity-backed claims to their content
• JPEG Trust, which adds rights and ownership information for legal clarity and compensation
With fraud, deepfakes, and impersonation rising across journalism, insurance, entertainment, and politics, these combined layers of provenance, identity, rights, and governance represent the new trust infrastructure the internet urgently needs.
Key Insights
- Cryptography is not enough to guarantee truth. Cryptographic signatures can prove integrity (the bytes have not changed since signing) and origin (which key signed them), but they cannot determine whether the content itself is accurate or honest.
- AI has amplified the urgency for content provenance. Traditional methods like CAPTCHA are no longer reliable because AI can pass them. This accelerates the need for cryptographic provenance systems.
- C2PA acts as a global provenance standard for digital media. It embeds a signed manifest into images, videos, audio, and other digital objects at the moment of creation, functioning like a “nutrition label” for content.
- Generator products must meet strict governance and conformance requirements. Phones, cameras, and software tools must obtain approved signing certificates through the C2PA conformance program.
- Certificate authorities play a central role. Public CAs and enterprise-grade CAs issue the X.509 certificates used to sign Content Credentials. They must meet the requirements outlined in the C2PA certificate policy.
- Creator Assertions allow individuals and organizations to add identity-backed claims. This layer, governed by the Creator Assertions Working Group under the Decentralized Identity Foundation (DIF), enables people to add context and metadata to content.
- Rights and ownership require an additional governance layer. JPEG Trust extends the system to define legal rights, IP claims, and ownership for use in court or licensing contexts.
- Industry self-regulation is essential. Sectors like journalism, entertainment, insurance, and brand management are expected to police their own registries and authorized signers.
- Fraud prevention is a major driver. AI-manipulated images are already causing real financial losses in industries like insurance.
- Digital identity credentials will eventually enable end users to sign their own assertions. Verifiable credentials will allow creators to link identity claims to content in a trustworthy way.
- Governance must be transparent and fair. Oversight, checks and balances, and multi-party decision making are essential to avoid exclusion or bias.
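The first, third and fifth insights above are easiest to see in code. The following is an added example, not code from the podcast or from the C2PA project: a toy manifest in JSON signed with a raw Ed25519 key stands in for C2PA’s real JUMBF/COSE_Sign1 manifest and X.509 signing certificate, and the `trust` map stands in for the CA-backed trust list a verifier would consult. It shows that a generator can sign a false assertion (“captured by a digital camera” over synthetic bytes) and the signature verifies perfectly; that editing the asset afterwards breaks the hash binding but not the signature; and that a valid signature from a signer outside the trust list is still untrusted. Every name, key and sample byte string here is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Claim is a simplified stand-in for a C2PA claim. It binds a hash of the
// asset bytes to assertions about how the asset was produced. Real C2PA
// manifests live in JUMBF boxes and are signed with COSE_Sign1 over a
// CA-issued certificate; this toy uses JSON and Ed25519 to stay runnable.
type Claim struct {
	Generator   string            `json:"generator"`
	AssetSHA256 string            `json:"asset_sha256"`
	Assertions  map[string]string `json:"assertions"` // json.Marshal sorts map keys, so encoding is deterministic
}

// Manifest carries the claim, the signer's public key and the signature.
type Manifest struct {
	Claim     Claim  `json:"claim"`
	SignerKey []byte `json:"signer_key"` // Ed25519 public key, stand-in for the signer's certificate
	Signature []byte `json:"signature"`
}

// VerifyResult separates the three questions a verifier can actually answer.
// None of them is "is the assertion true".
type VerifyResult struct {
	SignatureValid bool // did the holder of SignerKey sign exactly this claim?
	HashMatches    bool // are these the asset bytes the claim was bound to?
	SignerTrusted  bool // is the signer on the trust list the verifier relies on?
}

func hashAsset(asset []byte) string {
	sum := sha256.Sum256(asset)
	return hex.EncodeToString(sum[:])
}

// Sign builds and signs a manifest. It checks nothing about the truth of the
// assertions: a generator can sign "digital camera" over synthetic pixels.
func Sign(priv ed25519.PrivateKey, asset []byte, generator string, assertions map[string]string) (Manifest, error) {
	claim := Claim{Generator: generator, AssetSHA256: hashAsset(asset), Assertions: assertions}
	payload, err := json.Marshal(claim)
	if err != nil {
		return Manifest{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	return Manifest{Claim: claim, SignerKey: []byte(pub), Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks integrity, origin and trust-list membership independently.
func Verify(m Manifest, asset []byte, trustList map[string]bool) VerifyResult {
	var r VerifyResult
	if len(m.SignerKey) != ed25519.PublicKeySize {
		return r // malformed key: everything stays false rather than panicking
	}
	payload, err := json.Marshal(m.Claim)
	if err != nil {
		return r
	}
	r.SignatureValid = ed25519.Verify(ed25519.PublicKey(m.SignerKey), payload, m.Signature)
	r.HashMatches = m.Claim.AssetSHA256 == hashAsset(asset)
	r.SignerTrusted = trustList[hex.EncodeToString(m.SignerKey)]
	return r
}

func main() {
	// Constructed sample asset: a few bytes standing in for an image file.
	asset := []byte("constructed sample pixels, not a real JPEG")

	// Assumption: an approved generator's key, enrolled on the verifier's trust list.
	approvedPub, approvedPriv, _ := ed25519.GenerateKey(rand.Reader)
	trust := map[string]bool{hex.EncodeToString(approvedPub): true}

	// 1. Signing a lie: the assertion claims a camera capture over synthetic bytes.
	lie, _ := Sign(approvedPriv, asset, "ExampleCam 1.0",
		map[string]string{"action": "c2pa.created", "source": "digital camera"})
	fmt.Printf("false but signed: %+v\n", Verify(lie, asset, trust))

	// 2. Tampering after signing breaks the hash binding, not the signature.
	tampered := append([]byte{}, asset...)
	tampered[0] ^= 0xff
	fmt.Printf("tampered asset:   %+v\n", Verify(lie, tampered, trust))

	// 3. A valid signature from an unknown signer is valid but untrusted.
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue, _ := Sign(roguePriv, asset, "UnknownTool", map[string]string{"action": "c2pa.created"})
	fmt.Printf("unknown signer:   %+v\n", Verify(rogue, asset, trust))
}
```

The point of splitting `VerifyResult` into three booleans is that a consumer UI must not collapse them: "signature valid" alone is what a lie looks like, and only the combination with a trust list and a governance program behind that list says anything about who is accountable for the claim.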
Strategies
- Use cryptography combined with governance, not cryptography alone. Provenance, conformance programs, and accountability frameworks must work together.
- Adopt C2PA provenance for any digital content creation flow. Integrate C2PA manifests at the point of generation for images, video, audio, and documents.
- Obtain signing certificates only from trusted certificate authorities. Use public CAs or enterprise-grade CAs approved by the C2PA program.
- Implement secure software practices and continuous attestation. Higher assurance levels require proof of applied patches, secure architecture, and verified implementation.
- Document generator product architecture using the C2PA template. Applicants must clearly describe all components involved in creating and signing content.
- Leverage creator assertions for identity and contextual claims. Individuals or organizations can add structured, signed metadata throughout a content asset’s lifecycle.
- Use provenance and rights frameworks to combat fraud. Industries like insurance and media should implement provenance tools to detect manipulation and support claims assessment.
- Rely on industry-specific trust registries. Fields such as journalism already use trusted lists to validate authorized contributors.
- Build governance frameworks that emphasize transparency and fairness. Prevent exclusion by maintaining multi-party oversight and clearly documented decision making.


Scott Perry is a longtime expert in digital trust and governance who has spent his career helping organizations make technology more reliable and accountable. He leads the Digital Governance Institute, where he advises on cyber assurance, conformance programs, and how to build trust into digital systems.