Formal Comment: Consent-State Verification as a Separate Interoperable Service Layer (Post-TRQP, Post-v1.2)

[justin-hofstad]

Title: Formal Comment: Consent-State Verification as a Separate Interoperable Service Layer (Post-TRQP, Post-v1.2)

---

Submitted by: Digital Double Technologies (DDT)
Date: March 7, 2026
Related: C2PA Issue #3 (org.c2pa.digital-likeness assertion namespace)

---

Summary

CAWG Identity Assertion v1.2 (ratified December 2025) establishes a well-scoped specification for creator identity. It covers creator identity only. Subject consent is explicitly orthogonal and not addressed. DDT submits this comment to argue that as CAWG evaluates TRQP for Trust Registry implementation, consent-state verification should be a separate, interoperable service layer rather than a function embedded in the identity assertion or the Trust Registry itself.

This is no longer a theoretical gap. In February 2026, SSL.com became the first publicly trusted CA to issue production-ready C2PA-conformant certificates, with Truepic among its named customers. A production signing chain is now live and generating C2PA manifests for identity-derived content: performer scans, likeness captures, on-set footage. That chain does not include a consent assertion field. The infrastructure exists. The consent layer does not.

The Core Distinction

• CAWG identity assertions (v1.2): who created this content, and can that identity claim be verified? (creator-side provenance)
• DDT's Consent Receipt Object (CRO) + Identity Permission State (IPS): does the person depicted currently authorize this use? (subject-side consent state)

These are complementary layers. The Identity Permission State (IPS) layer functions analogously to OCSP in the PKI/TLS ecosystem: certificate validity is determined at issuance; permission state must be queryable in real time. Conflating the two produces brittle revocation, structural state staleness, and scope conflation.

The Ask

DDT requests:

1. A presentation slot at an upcoming CAWG meeting to walk through IPS architecture as a TRQP-compatible consent-state endpoint
2. Discussion of C2PA Issue add community spec docs #3 (org.c2pa.digital-likeness) alongside CAWG identity assertions
3. Exploration of whether TRQP's query model can accommodate consent-state routing to IPS endpoints

Reference

Full formal comment including prior art analysis available upon request or at the DDT standards repository:

github.com/digitaldoubletechnologies/ddt-standards

We welcome engagement from CAWG participants, Trust Registry contributors, and TRQP authors.

[justin-hofstad]

@scouten-adobe - I wanted to flag this issue directly to you given your role as CAWG identity assertion maintainer and CAWG co-chair at DIF.

I am Justin Hofstad, founder of Digital Double Technologies (DDT). I filed Issue #259 here as the initial public reference point, and I want to be precise about where DDT sits architecturally relative to what the identity assertion already defines.

The CAWG identity assertion establishes who the creator or authorizer of content is. DDT is concerned with something orthogonal: the identity subject depicted in the content.
These are not competing claims. They can coexist in the same C2PA manifest, and the absence of a normative layer for the second category is the gap this issue addresses.

In DDT's architecture, the org.c2pa.digital-likeness assertion in a C2PA manifest carries a pointer and a hash field. It is not an identity claim. The identity claim belongs to CAWG and the DIF identity layer. DDT's Identity Permission State (IPS) queries against that established identity to return a live consent state: whether the subject has consented to the use in question, under what scope, and as of the moment of query.
The OCSP analogy is the clearest way to describe it: IPS is to consent what OCSP is to certificate validity. Not the record, but the live queryable state of the record.

That last property is the design constraint that makes this layer non-trivial.
Consent needs to be live and malleable. If it is static, it is not consent; it is a record of a past agreement with no mechanism to reflect revocation, suspension, or scope modification.
The commercial context is not hypothetical. Sony PXW-Z300 cameras and SSL.com signing infrastructure are generating C2PA manifests in production today. Those manifests establish provenance for content that may depict identifiable subjects. There is currently no field in those manifests for subject consent state. Provenance is being recorded without a parallel mechanism for permission.

Collamosse confirmed that the subject-creator distinction, framed technically the way DDT frames it, is genuinely new in the standards context. DDT is not proposing to redefine identity establishment. The proposal is to define the consent-state layer that sits above identity establishment: it takes a resolved CAWG identity as input and returns a mutable, revocable permission state as output.

If you see this as in scope for CAWG, I would welcome guidance on the appropriate path to contribute it formally. If you would route it elsewhere within DIF, I am equally open to that direction. Either way, I want to make sure these two layers are designed to compose cleanly from the start.

Justin Hofstad
Founder, Digital Double Technologies
<github.com/digitaldoubletechnologies/ddt-standards>