Founder Essay
TIP vs C2PA: Why the Next Layer of Content Provenance Has to Be Built on Identity, Not on Watermarks
C2PA earned the camera industry. It deserves the credit. It also leaves three gaps the next decade of AI cannot afford to leave open: a verified human at the signing edge, a federated registry no single company controls, and a post-quantum signature that will outlast the threat model. Here is what that next layer looks like.
C2PA proves a piece of content was captured by a particular camera. TIP proves a piece of content was published by a particular person. Both are necessary.
Every serious conversation about Trust Identity Protocol begins with the same question. Sometimes it comes from a journalist, sometimes from a regulator, occasionally from a competing protocol's own engineers. The question is some version of "Isn't C2PA already doing this?" The Coalition for Content Provenance and Authenticity has spent four years building the spec. Adobe, Microsoft, the BBC, and Intel founded it. Sony, Leica, and Nikon now ship cameras that sign at capture. ISO ratified its successor, JPEG Trust, in 2024. The question is fair.
The answer is yes and no. C2PA is real, it is good, and the parts of the content-provenance problem it set out to solve are largely solved. The parts it did not set out to solve are the parts that are about to matter most. This essay is the honest accounting that anyone evaluating both standards deserves.
The conclusion, stated up front, is that the next decade of AI content authenticity needs both standards working together: C2PA at the moment of capture, TIP at the moment of publication, and a public registry both can write to. They are not competitors. They are complements. The mistake would be to choose one and pretend the other does not exist.
What C2PA Got Right
Let me give C2PA the steelman before I get to the harder parts. There is no honest way to argue against TIP-and-C2PA convergence without first stating what makes C2PA the most successful content-provenance project in recent memory.
First, C2PA solved the most important problem of its scope: binding metadata to a specific file in a way that can be cryptographically verified. A C2PA-signed JPEG carries a manifest that records the camera, the time, the location (if the photographer chose to include it), the editing software that touched the file, and the operations performed. If a Sony Alpha A9 III captures an image, the C2PA manifest is signed at the moment of capture by a key stored in the camera's secure element. By the time the image leaves the camera, the manifest is sealed. That is genuinely new. No previous standard achieved this with comparable adoption.
Second, C2PA earned distribution. Adobe's market position made it possible. Photoshop, Lightroom, and Firefly all read and write C2PA manifests today. OpenAI added C2PA to DALL-E outputs in February 2024 and extended it across image generation thereafter. Microsoft uses C2PA in Azure OpenAI Service for the content its models produce. The BBC has signed editorial content with C2PA in production since 2023. When you talk to a regulator about content provenance and they have heard of one standard, it is overwhelmingly C2PA. That is the kind of momentum that takes a decade to build.
Third, C2PA cleared the standardization bar. JPEG Trust, the ISO standard built on C2PA's manifest model, is now ISO/IEC 21617. Standards bodies do not endorse content-provenance approaches lightly. The CAI to C2PA to JPEG Trust pathway took five years of patient engineering work and an enormous amount of corporate cat-herding. That work product is now reusable for every protocol that follows.
I will not pretend any of this is small. It is the work of an industry, and it is the foundation everything else gets built on. The right way to read TIP is not as a replacement for C2PA. It is as the next layer.
What C2PA Was Never Designed to Solve
Now the harder part. C2PA is excellent at what it was designed to do. The next paragraphs are not a critique of its design. They are an accounting of what its design did not include, and why those omissions matter more in 2026 than they did in 2021.
C2PA does not verify human identity. The C2PA manifest is signed by a key that belongs to an organization (Adobe), a device (a Sony camera), or an automated system (an OpenAI inference server). The signature attests that this key produced this manifest. It does not attest that the key is held by a real, deduplicated person. In a world where most newly published content is generated by systems rather than people, this is an important distinction. C2PA can prove that DALL-E generated an image. It cannot prove that a human chose to publish it, or which human, or whether that human has been verified as a real, single individual.
C2PA depends on traditional public-key infrastructure. The trust chain that validates a Sony camera's signature traces back through a chain of certificate authorities, eventually anchoring at a small handful of root CAs. This is the same trust model that runs HTTPS. It works, but it concentrates governance in the operators of those root CAs and the standards bodies that audit them. When one of those CAs misissues a certificate, or when a government compels disclosure of a private key, the failure radius is correspondingly large.
C2PA's cryptographic primitives are not post-quantum. The signatures today are RSA-2048 or ECDSA-P-256. These are state-of-the-art classical algorithms. They are also vulnerable in principle to a sufficiently capable quantum adversary, the kind NIST began standardizing defenses against in August 2024 with FIPS 203, 204, and 205. C2PA can be upgraded. The standard is not yet upgraded. Every signature being issued today is being issued with a primitive that will need to be rotated.
C2PA's manifests are not robust to platform transformations. Most major platforms strip metadata on upload as a privacy measure. Facebook, Instagram, X, Reddit, and YouTube all process media before serving it. The C2PA manifest, attached as ancillary file data, frequently does not survive. C2PA proponents are working on this. The current state is that a C2PA-signed image, in 2026, often arrives at its viewer with no manifest at all. The cryptography is fine. The plumbing is not.
C2PA has no public, free, federated registry. The verification flow assumes a viewer's software queries a CA chain. There is no global, anyone-can-query, no-account-required lookup of who is allowed to sign what. A journalist or regulator cannot, in 2026, paste a TIP-style URI into a public lookup tool and get a verifiable answer about the signer. They have to install software, parse the manifest, and trust a CA chain they may not be able to audit.
These five gaps are not failures of C2PA. They are the boundary of the problem C2PA chose to attack. Identity, federation, post-quantum cryptography, transformation-robustness, and public-registry semantics were not in scope. The next layer has to be.
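The platform-transformation gap described above can be checked mechanically. The following is an added example, not code from the C2PA or TIP projects or from the author: it walks a JPEG's header segments and reports whether the APP11/JUMBF container that C2PA uses for its manifest is still present in the copy a platform serves. The function names and the sample files (constructed, non-decodable skeletons) are assumptions, and the check tests presence only, not signature validity.

```python
import struct

APP11, SOS = 0xEB, 0xDA  # APP11 carries JUMBF boxes; SOS ends the header area

def iter_segments(jpeg: bytes):
    """Yield (marker, payload) for every header segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:
            return  # entropy-coded image data follows; no metadata past here
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("truncated or malformed segment")
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def has_c2pa_manifest(jpeg: bytes) -> bool:
    """True if an APP11 segment holds a JUMBF superbox labelled 'c2pa'."""
    # APP11 payload layout: "JP", instance (2), sequence (4), LBox (4), TBox (4)
    return any(
        marker == APP11 and payload[:2] == b"JP"
        and payload[12:16] == b"jumb" and b"c2pa" in payload
        for marker, payload in iter_segments(jpeg)
    )

def manifest_status(uploaded: bytes, served: bytes) -> str:
    """Compare the file a publisher uploaded with what the platform serves."""
    if not has_c2pa_manifest(uploaded):
        return "never signed"
    return "intact" if has_c2pa_manifest(served) else "stripped in transit"

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def sample_jpeg(with_manifest: bool) -> bytes:
    """Constructed JPEG skeleton (not decodable); the JUMBF body is a placeholder."""
    out = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00" + bytes(9))
    if with_manifest:
        jumd = b"jumd" + bytes(16) + b"\x03" + b"c2pa\x00"  # type UUID zeroed
        jumd = struct.pack(">I", len(jumd) + 4) + jumd
        jumb = struct.pack(">I", len(jumd) + 8) + b"jumb" + jumd
        out += _segment(APP11, b"JP" + struct.pack(">HI", 1, 1) + jumb)
    return out + _segment(SOS, bytes(10)) + b"\x12\x34\xff\xd9"

if __name__ == "__main__":
    print(manifest_status(sample_jpeg(True), sample_jpeg(True)))
    print(manifest_status(sample_jpeg(True), sample_jpeg(False)))
```

Run against the original upload and the bytes fetched back from a platform, this separates "the signature is broken" from "the manifest never arrived", which is the distinction the paragraph on platform transformations draws.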
Why TIP Starts with Identity
The first design choice in Trust Identity Protocol is that every signature is bound to a single verified human. Not an organization. Not a camera. Not a server. A person, who has been verified by an accredited Verification Provider through a four-stage biometric process, and who holds the private signing key on hardware they control.
This is a difficult choice. It costs a lot in the form of verification infrastructure, jurisdictional compliance (BIPA in Illinois, CUBI in Texas, the Washington biometric privacy statute, GDPR Article 9, India's Digital Personal Data Protection Act 2023, and so on), and the operational complexity of running an accreditation program for Verification Providers across multiple legal jurisdictions. It is much easier to issue keys to organizations and devices than to people.
We chose identity-first anyway. The reason is that the dominant problem of the 2026 to 2036 decade is not whether content was captured by a real camera. It is whether content was published by a real person, and which person. A deepfake of a presidential candidate does not become more believable because a real camera captured the original footage that was deepfaked. It becomes less believable when the candidate themselves can publish, under their own verified identity, a rebuttal that anyone in the world can cryptographically confirm came from them. C2PA's manifest cannot do that. TIP-IDs can.
There is a second reason. Identity is the asymmetric primitive. Anyone can capture an image. Anyone can run a generative model. But only one verified human can possess the private key that signs as a particular TIP-ID. The cost of forging a TIP-ID is not the cost of stripping a watermark; it is the cost of compromising a hardware-resident private key that has never left a secure enclave. The two costs are not comparable.
A watermark can be removed. A signature whose private key is held by a verified human, on hardware they control, cannot be silently forged.
Why TIP Federates Trust
The second design choice is that no single company controls the registry. C2PA's trust chain traces to a small set of root CAs that operate under contract. The AI Trust Registry, where every TIP-ID and CTID is queryable, is operated by a federated network of accredited Node Operators under the governance of the AI Trust Council. The Council itself is governed by a public Charter and five equal-voting constituencies: Creators, Institutions, Publishers, Operators, and Partners.
This is also a difficult choice. A federated body is harder to operate than a corporate body. Decisions take longer. Edge cases are messier. Federations have failed historically: think of the various "decentralized identity" efforts of the 2018 to 2022 era, most of which died from governance fatigue. TIP's bet is that decentralization can work if the underlying governance is constitutional, the operational rhythm is predictable (a Genesis Block Ceremony every June 1, an Annual Trust Summit every late summer, public records every year-end), and the participation cost for the largest constituencies is genuinely zero.
A journalist in Nairobi has the same protocol vote as a Fortune 500 platform in San Francisco. That single rule is what changes the politics of trust infrastructure. C2PA, run as a consortium of large companies, cannot truthfully claim that property. The AI Trust Council, run by its five constituencies under public Charter, can.
Why TIP Bets on Post-Quantum
The third design choice is the cryptographic foundation. TIP signs with ML-DSA-65 (FIPS 204), encapsulates session keys with ML-KEM (FIPS 203), and reserves SLH-DSA (FIPS 205) as a stateful-hash signature fallback for high-assurance operations. NIST standardized these primitives in August 2024 in direct response to the credible long-term threat of quantum computers capable of breaking RSA-2048 and ECDSA-P-256.
A reasonable person can argue that the post-quantum threat is not imminent. Estimates of when a cryptographically relevant quantum computer arrives range from 2030 to 2040, and many specialists put it further out. The argument for using post-quantum primitives today is not that the threat is here. It is that signatures issued today on weak primitives will still be in the public record when stronger primitives become necessary. Mass primitive rotation is one of the hardest operational problems in cryptography. The protocol that starts post-quantum does not have to rotate. The protocol that did not is going to wish it had.
There is a second argument. NIST FIPS 203, 204, and 205 are now the recommended primitives for U.S. federal systems handling sensitive data. EU and U.K. analogs are following. Standards-aware integrators are already asking for post-quantum signatures in procurement. Choosing the future-proof primitive at the design moment is much cheaper than retrofitting it under regulatory pressure.
Where the Two Standards Should Converge
None of this is an argument for replacing C2PA. The honest design is to compose them.
At the capture moment, when a Sony camera captures an image, C2PA's manifest does exactly what it was built to do. The camera's signing key attests to the time, place, and device of capture. That manifest is a fact about the file's birth, and it deserves to travel with the file.
At the publication moment, when the photographer who took that image chooses to publish it on their newsroom's website, on a social platform, or in a journal, TIP adds the second layer. The photographer signs the published version with their TIP-ID and an Origin Code, declaring how the image was produced (OH if shot and lightly edited, AA if AI-assisted in color grading, AG if a generative model was a primary creator). The TIP signature does not invalidate the C2PA manifest; it complements it. A reader querying the AI Trust Registry sees both: the camera's attestation of capture and the publisher's attestation of publication, both verifiable from public infrastructure.
This composition is not theoretical. The TIP specification (CC-BY 4.0) explicitly supports embedding an existing C2PA manifest inside a TIP-CONTENT record. A publisher who has a C2PA-signed source image can sign the publication with their TIP-ID without breaking the C2PA chain. Two attestations, both verifiable. The viewer does not have to choose.
Standards are not zero-sum. C2PA at the capture moment, TIP at the publication moment, and a public registry both can write to.
The Honest Verdict · When to Pick Which
Here is when to pick each.
Pick C2PA, alone, when the question you need to answer is whether a specific file came from a specific device. Camera-to-photo-editor-to-published-image is a clean chain that C2PA handles well. If your use case is camera capture and the receiver is a desktop application that can read C2PA manifests, you are done. Newsrooms with controlled internal production pipelines and broadcast workflows are the strongest C2PA-alone use case.
Pick TIP, alone, when the question is who published a piece of content. If your use case is verifying that a particular journalist filed a particular story, that a particular researcher published a particular paper, or that a particular politician posted a particular video, TIP's identity-first model is more direct than C2PA's organization-or-device model. Personal authorship contexts (op-eds, research publications, social posts) are the strongest TIP-alone use case.
Pick both, composed, for any serious newsroom, platform, or regulator deployment. Composition is the answer for almost every deployment that matters. The two protocols solve different ends of the same pipeline. The reason this essay exists is that almost nobody, in 2026, is talking about composition. Most of the public conversation forces a choice between C2PA and "something else." That framing is wrong.
What This Means for Publishers, Regulators, and Platforms
For publishers, the operational answer is to adopt C2PA where you control the capture pipeline (newsroom cameras, internal production tools) and adopt TIP where you control the publication pipeline (newsroom CMS, byline attribution, public archive). Most large newsrooms will end up with both within five years. The transition cost is small relative to the credibility upside.
For regulators, the operational answer is to write rules that are technology-neutral but require both capture-time and publication-time attestation for high-risk content. EU AI Act Article 50 (effective August 2026) is already moving in this direction. Colorado's AI Act and NYC Local Law 144 are too. Specifying a single standard, like C2PA-only or TIP-only, in a regulation would be a mistake. Specifying the properties (verifiable, cryptographically signed, publicly queryable, identity-bound at publication) is the right move.
For platforms, the answer is to read both attestation surfaces, display both indicators, and let the user decide which they trust. X and TikTok already display "AI-generated" labels based on platform-side heuristics. The next step is to read C2PA manifests and TIP signatures from inbound content and display both. The platform that does this first sets a market standard. The platforms that wait are going to be embarrassed when their feeds become evidently full of unsigned AI content while their nearest competitor proves to readers what is signed and what is not.
What I Want a Skeptic to Take Away
If you are a skeptic of either standard reading to the end of this essay, here is what I want you to take with you.
I am not arguing TIP is better than C2PA. I am arguing TIP is the layer C2PA does not address. The right question to ask of any content-provenance proposal is not "is it good" but "what does it not do." Every protocol has a boundary. The boundary of C2PA is the device that captured the file. The boundary of TIP is the human who published it. The boundary of both, together, is what the next decade of internet trust infrastructure looks like.
We will know we have done this work right if, by 2030, a reader can hover over any consequential piece of public content and see two things: who captured it and who published it. Both verifiable. Both from infrastructure that no single company runs. Both auditable by anyone in any jurisdiction.
That outcome is achievable. It is achievable, however, only if the protocols cooperate rather than compete. The work of the AI Trust Council, of the Content Authenticity Initiative, of JPEG Trust, and of every standards body building toward this future is the work of getting cooperation right. We started TIP because we believed the next layer was missing. We will end this decade in a better place if every meaningful piece of public content has both layers.
Closing
By Dinesh Mendhe, Founder and Chairman, The AI Lab Intelligence Unobscured, Inc. The Trust Identity Protocol specification is published under Creative Commons Attribution 4.0 International. Read the spec at theailab.org/trust-identity-protocol. Read the AI Trust Council Charter at theailab.org/charter. The C2PA specification is at c2pa.org. JPEG Trust is published by ISO as ISO/IEC 21617.
