Skip to content

Clarify guidance issue280 #36

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
domguinard wants to merge 4 commits into
base: main
Choose a base branch
from
+22 −6
Open

Clarify guidance issue280 #36

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a71fb3d
Adding selection rules for new entry
domguinard Nov 28, 2025
88df534
Update README.md
domguinard Dec 17, 2025
7fab7c7
Update README.md
domguinard Dec 17, 2025
1ba5580
Merge branch 'main' into clarify-guidance-issue280
domguinard Dec 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 20 additions & 4 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,25 @@
# Soft Binding Algorithm List

C2PA specifies a mechanism for recovering a C2PA Manifest for an asset, for example when the metadata containing the C2PA Manifest has been stripped. This mechanism is a [soft binding](https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_soft_binding) (for example an invisible watermark or content fingerprint). The soft binding is used to look-up the C2PA Manifest within a Manifest Repository. The soft binding is described by the [soft binding assertion](https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_soft_bindings).
C2PA specifies a mechanism for recovering a C2PA Manifest for an asset, for example when the metadata containing the C2PA Manifest has been stripped. This mechanism is a [soft binding](https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_soft_binding), for example an invisible watermark or content fingerprint. The soft binding is used to look-up the C2PA Manifest within a Manifest Repository. The soft binding is described by the [soft binding assertion](https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_soft_bindings).

The soft binding assertion contains a field `alg` which uniquely identifies the algorithm used to compute the soft binding. The Soft Binding Algorithm List is an authoritative list of soft binding algorithm names that may be used as identifiers within the `alg` field. Entries in the list also contain additional information on the algorithms.

## Guidelines for submitting a new entry

### Pull request
Developers of soft binding algorithms may request these be added as new entries in the soft binding algorithm list. Developers may also request amendments to their entries. These requests may be made by submitting a Pull Request (PR) that adds to, or edits, the [softbinding-algorithm-list JSON array](softbinding-algorithm-list.json) in this repository and following the [schema](softbinding-algorithm-list-schema.json).

### Selection rules

The C2PA Technical Working Group may approve and merge PRs in accordance with its prevailing processes for approving technical contributions to the C2PA specification.

C2PA's Technical Working Group may also decide to remove malicious or non-conformant algorithms from the list of approved soft binding algorithms.
Copy link
Contributor

@alexandersolonskycastlabs alexandersolonskycastlabs Nov 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how it is going to be determined if an algorithm is malicious or non-conformant?

Copy link
Collaborator Author

@domguinard domguinard Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point @alexandersolonskycastlabs and @jcollomosse, how about:

Suggested change
C2PA's Technical Working Group may also decide to remove malicious or non-conformant algorithms from the list of approved soft binding algorithms.
C2PA's Technical Working Group may also decide to remove malicious or non-conformant entries from the list of approved soft binding algorithms.

and I will add more precise criteria below in the "selection rules" section.


For an entry to be approved the following criteria are important:
- The entry has to comply with the [schema](softbinding-algorithm-list-schema.json) and include all the mendatory fields.
- The PR has to be sumitted by a representative of the named technology (e.g., the commercial vendor, or open source repository maintainer).
Copy link
Contributor

@lrosenthol lrosenthol Dec 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand why this requirement...

Copy link
Collaborator Author

@domguinard domguinard Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lrosenthol - we should not allow anyone to submit any algorithm. Someone not affiliated with company X should not be able to submit an entry for company X as company X might not want their algorithm to be listed.

Copy link
Collaborator Author

@domguinard domguinard Dec 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As per @jcollomosse @alexandersolonskycastlabs comments above:

Suggested change
- The PR has to be sumitted by a representative of the named technology (e.g., the commercial vendor, or open source repository maintainer).
For a PR (new entry or update) to be approved the following criteria are important:
- The entry has to conform with the [schema](softbinding-algorithm-list-schema.json) and include all the mandatory fields.
- The entry should not be malicious (e.g., spam) or harmful.
- The PR has to be submitted by an individual affiliated with the company owning the submitted proprietary algorithm or a maintainer of the submitted open source algorithm or its fork.

- The provided URLs have to resolve (e.g., `softBindingResolutionApis`, `informationalUrl`)


The soft binding assertion contains a field `alg` that serves to uniquely identify the algorithm used to compute the soft binding. The Soft Binding Algorithm List is an authoritative list of soft binding algorithm names that may be used as identifiers within the `alg` field. Entries in the list also contain additional information on the algorithms.

Developers of soft binding algorithms may request these be added as new entries in the soft binding algorithm list. Developers may also request amendments to their entries. These requests may be made by submitting a pull request (PR) adding to or editing the [softbinding-algorithm-list JSON array](softbinding-algorithm-list.json) in this repository and following the [entry schema](softbinding-algorithm-entry-schema.json).

The C2PA Technical Working Group may approve and merge PRs in accordance with its prevailing processes for approving technical contributions to the C2PA specification. C2PA's Technical Working Group may also decide to remove malicious or non-conformant algorithms from the list of approved soft binding algorithms.
4 changes: 2 additions & 2 deletions softbinding-algorithm-list.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -297,7 +297,7 @@
"informationalUrl": "https://arxiv.org/abs/2308.12770"
}
},
{
{
"identifier": 21,
"alg": "ai.contentlens.image.basewmk",
"type": "watermark",
Expand Down Expand Up @@ -367,4 +367,4 @@
"informationalUrl": "https://api.contentlens.tech/audio/docs"
}
}
]
]
Loading