120 changes: 120 additions & 0 deletions docs/conformance/cert-checks.mdx.txt
@@ -0,0 +1,120 @@
---
id: cert-checks
title: Cert checks (saved)
---

## Checking your certificate

Before requesting to [add your signing certificate to the interim known certificate list](#how-to-add-a-certificate-to-the-list), perform a preliminary check to ensure the certificate is configured properly.

### Prerequisites

The preliminary certificate check procedure below requires the following tools. You must install them if you haven't done so already:

- [jq](https://jqlang.org/), a lightweight and flexible command-line JSON processor. On macOS, if you have [Homebrew](https://brew.sh/), you can install jq by entering `brew install jq`.
- [OpenSSL](https://www.openssl.org/), a cryptographic software library and CLI. It's installed on many systems such as macOS (but make sure you have a recent version). If OpenSSL is not installed on your system, see the [list of unofficial binary distributions](https://wiki.openssl.org/index.php/Binaries).
- [C2PA Tool](c2patool/readme.md), the command line tool for working with C2PA manifests and media assets.

### Procedure

:::note
In the example commands given below, `cert.pem` is your certificate file.
:::

Check your certificate by following these steps:

1. **Ensure that signing with the certificate doesn't have any validation errors** by using a C2PA Tool command like this:

```
c2patool ./image.jpg trust --allowed_list ./cert.pem
```

Confirm that the result does not contain a `validation_status` field, which indicates an error.

1. **Confirm that the `signature_info.issuer` field in the manifest is correct**. This field determines what [Verify displays for the organization name](verify.mdx#title-and-signing-information) after "Issued by ...". Use a C2PA Tool command like this:

```
c2patool ./image.jpg trust --allowed_list ./cert.pem \
| jq --args '.manifests[].signature_info.issuer'
```

The response should be something like this:

```
"XYZ Inc."
```

Where "XYZ Inc." is the name of your organization.

1. **Use `openssl` to perform basic verification of the certificate** you're submitting; for example:

```
openssl x509 -noout -text -in 'cert.pem' | grep 'Subject:'
```

Example response:

```
Subject: organizationIdentifier=XYZ-7155227, C=US, ST=Delaware, L=Dover, O=Whatever Inc., SN=xxx, GN=xxx, CN=xxx
```

## Using the interim known certificate list

You can use the C2PA Tool or the CAI JavaScript library to determine whether a certificate is on the interim known certificate list.

### Using with C2PA Tool

The [C2PA Tool documentation](c2patool/docs/usage.md#configuring-trust-support) explains how to use the interim known certificate list with the tool.

### Using with the JavaScript library

To load and use these lists with the JavaScript library (`c2pa-js`), pass them to the `read` function as shown in the following TypeScript example:

```ts
import { createC2pa, type ToolkitSettings } from 'c2pa';
import wasmSrc from 'c2pa/dist/assets/wasm/toolkit_bg.wasm?url';
import workerSrc from 'c2pa/dist/c2pa.worker.min.js?url';

async function loadTrustResource(file: string): Promise<string> {
const res = await fetch(`https://contentcredentials.org/trust/${file}`);

return res.text();
}

async function getToolkitSettings(): Promise<ToolkitSettings> {
const [trustAnchors, allowedList, trustConfig] = await Promise.all(
['anchors.pem', 'allowed.sha256.txt', 'store.cfg'].map(loadTrustResource),
);

return {
trust: {
trustConfig,
trustAnchors,
allowedList,
},
verify: {
verifyTrust: true,
},
};
}

async function readFile(asset: File) {
const c2pa = await createC2pa({
wasmSrc,
workerSrc,
});

return c2pa.read(asset, {
settings: await getToolkitSettings(),
});
}
```

:::note
This code is for illustration purposes only. To ensure acceptable performance, production code should reuse the `c2pa` object and cache the output of `getToolkitSettings()` to avoid making unnecessary network calls.
:::

Follow these steps:

1. [**Do a preliminary check of your certificate**](#checking-your-certificate) to ensure it meets the requirements for C2PA signing certificates and to be in the Verify interim certificate list.
1. **Submit your request** by ....
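Review bot: the new file is named `docs/conformance/cert-checks.mdx.txt`; with the `.txt` suffix Docusaurus will not build it as a doc page, so the `#checking-your-certificate` step at the end of this file, and any other page that wants to link to the cert check, has nothing to resolve to. Either rename it to `cert-checks.mdx` or leave it out of the PR if it is only a saved draft (the "(saved)" in the title suggests that). Smaller points in the same hunk: the `#how-to-add-a-certificate-to-the-list` anchor in the intro has no matching heading in this file; the relative links `c2patool/readme.md` and `verify.mdx#title-and-signing-information` will resolve under `docs/conformance/` (the other files in this PR use `../conformance/...` from `docs/getting-started/`, so the same `../` prefix is probably needed here); `jq --args` is unnecessary since the filter is the only argument, plain `jq '.manifests[].signature_info.issuer'` suffices; the sentence "Confirm that the result does not contain a `validation_status` field, which indicates an error" reads as if the field's absence were the error, so say "the presence of a `validation_status` field indicates an error"; the `openssl` sample output shows `O=Whatever Inc.` while the previous step uses `XYZ Inc.`, so the two samples should agree; and the closing "Follow these steps" list ends in "Submit your request by ...." and sits under the JavaScript-library heading rather than in its own section.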
35 changes: 7 additions & 28 deletions docs/conformance.mdx → docs/conformance/index.mdx
@@ -1,9 +1,8 @@
---
id: conformance
title: C2PA conformance program
---

The [C2PA conformance program](https://c2pa.org/conformance) was launched in mid-2025 to help ensure that products that read and create Content Credentials are compliant with the C2PA Content Credentials specification.
The [C2PA conformance program](https://c2pa.org/conformance) helps to ensure that products that read and create Content Credentials are compliant with the C2PA Content Credentials specification.

The C2PA conformance program covers:

Expand All @@ -24,7 +23,7 @@ When you apply to the conformance program, you will:
- Work with the conformance program staff to resolve any questions.

:::tip
Use the [**Conformance Explorer**](https://spec.c2pa.org/conformance-explorer/) to browse and search live versions of the C2PA [Conforming Products List](#products) and [trust lists](#c2pa-trust-lists).
Use the [**Conformance Explorer**](https://spec.c2pa.org/conformance-explorer/) to browse and search live versions of the C2PA [conforming products list](#products) and [trust lists](trust-lists.mdx).
:::

## Products
Expand All @@ -47,9 +46,12 @@ For more information, see [C2PA Conformance Program Documents](https://github.co
- [C2PA Generator Product Security
Requirements](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Generator%20Product%20Security%20Requirements.pdf)

<!--
#### Preliminary certificate check

To confirm all the settings in your signing certificate, you can follow the [preliminary certificate check](getting-started/trust-list.mdx#checking-your-certificate) for the interim trust list to help ensure everything is as expected.
To confirm all the settings in your signing certificate, you can follow the preliminary certificate check to help ensure everything is as expected.

-->

#### Security requirements

Expand All @@ -74,27 +76,4 @@ The assurance level is encoded as the value of a custom X.509 v3 certificate ext

The [C2PA certificate policy](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Certificate%20Policy.pdf) specifies requirements for certificate authorities (CAs) that issue claim signing certificates for use by generator products, and the requirements that those products have to meet when using the certificates.

CAs on the C2PA trust list can issue certificates to conforming generator products under the C2PA conformance program.

## C2PA trust lists

C2PA maintains two trust lists:

- [**C2PA trust list**](https://github.com/c2pa-org/conformance-public/blob/main/trust-list/C2PA-TRUST-LIST.pem): A list of X.509 certificate trust anchors (either root or subordinate certification authorities) that issue certificates to conforming generator products under the C2PA Certificate Policy.
- [**C2PA time-stamping authority (TSA) trust list**](https://github.com/c2pa-org/conformance-public/blob/main/trust-list/C2PA-TSA-TRUST-LIST.pem): A list of X.509 certificate trust anchors (either root or subordinate certification authorities) that issue time-stamp signing certificates to TSAs.

### Interim trust list retirement

With the introduction of the C2PA trust list, the existing [interim (temporary) trust list](getting-started/trust-list.mdx) is being retired on the following timeline:

- **Through December 31, 2025**: The [interim trust list](getting-started/trust-list.mdx) will remain operational. During this time:
- The [Verify site](https://verify.contentauthenticity.org) will continue to display manifests signed by certificates on the interim trust list as trusted, but with a disclaimer that the manifests were made with an older version of the trust model.
- New certificates will continue to be added to the interim trust list when requested.
- Product developers are strongly encouraged to apply to the C2PA conformance program and use the official C2PA trust list.
- **On January 1, 2026**: The interim trust list will be frozen:
- No new certificates will be added to the list, and no updates will be made.
- Existing certificates will remain valid for legacy support.

Eventually, the certificates on the interim trust list will expire and will not be usable for signing. However, if content was signed during the certificate's validity period, the content will always be considered valid against the legacy trust model.

Validator products are encouraged to begin distinguishing between Content Credentials signed with certificates on the interim trust list (typically tied to Content Credentials specification version version 1.4) and those from conforming products using the official C2PA trust list.
CAs that meet the certificate policy can be on the C2PA trust list, and can issue certificates to conforming generator products under the C2PA conformance program.
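Review bot: this hunk deletes the `## C2PA trust lists` heading, but `docs/getting-started/index.mdx` in this same PR still links to `conformance/index.mdx#c2pa-trust-lists`, so that anchor now dangles; point it at `trust-lists.mdx` instead. The replacement sentence "CAs that meet the certificate policy can be on the C2PA trust list" also drops the interim trust list retirement timeline and the "distinguish between Content Credentials signed with certificates on the interim trust list ... and those from conforming products" guidance; both reappear in `trust-lists.mdx` in this PR, so consider leaving a one-line pointer to that page here so readers of the conformance overview can still find the freeze date.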
60 changes: 60 additions & 0 deletions docs/conformance/trust-lists.mdx
@@ -0,0 +1,60 @@
---
id: trust-lists
title: Trust lists
---

import verify_unknown_source from '@site/static/img/verify-cc-unknown-source.png';

C2PA maintains two [trust lists](https://spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_trust_lists): the C2PA _trust list_ and the C2PA _time-stamping authority (TSA) trust list_.

## C2PA trust list

The [**C2PA trust list**](https://github.com/c2pa-org/conformance-public/blob/main/trust-list/C2PA-TRUST-LIST.pem) is a list of X.509 certificate trust anchors (either root or subordinate certification authorities) that issue certificates to conforming generator products under the C2PA Certificate Policy.

Conforming generator products must use a certificate that can be traced back to a certificate on the C2PA trust list. Conforming validator products must refer to the C2PA trust list to determine whether Content Credentials were signed with a valid certificate.

:::tip
For a readable view of the C2PA trust list, see the [C2PA Conformance Explorer](https://spec.c2pa.org/conformance-explorer/), and click **C2PA Trust List**.
:::

## C2PA time-stamping authority trust list

The [**C2PA time-stamping authority (TSA) trust list**](https://github.com/c2pa-org/conformance-public/blob/main/trust-list/C2PA-TSA-TRUST-LIST.pem) is a list of X.509 certificate trust anchors (either root or subordinate certification authorities) that issue time-stamp signing certificates to TSAs.

A TSA acts as a trusted third-party "notary service" for data. When a C2PA claim generator signs a manifest, it can send a hash of the data to a C2PA-conformant TSA, which then returns a cryptographically signed timestamp.

Time-stamps enable a validator to confirm that a manifest's signature was created while the signing certificate was valid, even if that certificate has since expired or been revoked. This means validators do not need to query online services for revocation status at the time of consumption, enabling long-term signature validation.

:::tip
For a readable view of the C2PA time-stamping authority trust list, see the [C2PA Conformance Explorer](https://spec.c2pa.org/conformance-explorer/), and click **C2PA TSA Trust List**.
:::

## Interim trust list

The interim trust list (ITL) provided critical support during the early adoption phase of C2PA, but it has been superceded by the C2PA trust lists.

**As of January 1, 2026, the ITL has been frozen**:

- No new certificates will be added to the list, and no updates will be made.
- Existing certificates will remain valid for legacy support.

Eventually, the certificates on the ITL will expire and will not be usable for signing. However, if content was signed during the certificate's validity period, the content will always be considered valid against the legacy trust model.

:::note
Validator products can still refer to the ITL, but are encouraged to move to the official C2PA trust list. During the transition period, validator products may consult both the frozen ITL and the C2PA trust list, but must distinguish between Content Credentials signed with certificates on the ITL and those from conforming products using the official C2PA trust list.
:::

### Verify tool

The C2PA **[Verify tool](https://verify.contentauthenticity.org)** currently uses the ITL to validate that Content Credentials were signed using a "known certificate".

If an asset's Content Credentials were not signed by a certificate on the [interim end-entity certificate list](https://github.com/contentauth/verify-site/blob/main/static/trust/allowed.pem) or a certificate whose chain can be traced back to a certificate on the [interim known anchor list](https://github.com/contentauth/verify-site/blob/main/static/trust/anchors.pem), then Verify displays this message:

<img
src={verify_unknown_source}
style={{ width: '300px', display: 'block', margin: '10px auto' }}
/>

Conversely, if the Content Credential was signed by a known certificate, the Verify tool will display the name of the certificate owner and time of the claim signature.

At some point Verify will be updated to use the C2PA trust lists instead of the ITL.
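Review bot: "superceded" should be "superseded". On substance, "This means validators do not need to query online services for revocation status at the time of consumption" overstates what the time-stamp provides: it proves the signature existed at the time-stamped instant, so a validator still needs evidence that the certificate had not been revoked before that instant; suggest "validators do not need the certificate's revocation status as of the time of consumption, only as of the time-stamp". Also, "currently uses the ITL" and "At some point Verify will be updated to use the C2PA trust lists" will go stale quickly; either tie them to the January 1, 2026 freeze date stated above or drop the timing words.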
6 changes: 3 additions & 3 deletions docs/getting-started/aca-inspect.mdx
Expand Up @@ -7,7 +7,7 @@ import aca_inspect from '@site/static/img/aca-inspect.png';
import inspect_actions from '@site/static/img/inspect_actions.png';
import MarkdownCell from '@site/src/components/MarkdownCell';

The [**Inspect tool on Adobe Content Authenticity (Beta)**](https://inspect.cr) (often referred to as "ACA Inspect" or simply "Inspect") is a [C2PA conforming validator product](../conformance.mdx#validator-products) that validates and displays Content Credentials for various asset types.
The [**Inspect tool on Adobe Content Authenticity (Beta)**](https://inspect.cr) (often referred to as "ACA Inspect" or simply "Inspect") is a [C2PA conforming validator product](../conformance/index.mdx#validator-products) that validates and displays Content Credentials for various asset types.

<img
src={aca_inspect}
Expand Down Expand Up @@ -124,7 +124,7 @@ Shows information from the asset's manifest store, as described below:

The top of the right panel displays a thumbnail of the image along with the same title and signing information as shown in the left panel.

If the Content Credential was signed by a certificate that is NOT on the [C2PA trust list](conformance.mdx#c2pa-trust-lists), such as one of the SDK's [test certificates](signing/test-certs.md), then Inspect displays "Unrecognized" at the top of this section with this notice:
If the Content Credential was signed by a certificate that is NOT on the [C2PA trust list](conformance/trust-lists.mdx#c2pa-trust-list), such as one of the SDK's [test certificates](signing/test-certs.md), then Inspect displays "Unrecognized" at the top of this section with this notice:

import verify_unknown_source from '@site/static/img/unknown-source.png';

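Review bot: the updated link `conformance/trust-lists.mdx#c2pa-trust-list` is relative to `docs/getting-started/`, so it resolves to `docs/getting-started/conformance/trust-lists.mdx`, which does not exist; the hunk at the top of this same file uses `../conformance/index.mdx`, so this one should be `../conformance/trust-lists.mdx#c2pa-trust-list`.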
Expand All @@ -133,7 +133,7 @@ import verify_unknown_source from '@site/static/img/unknown-source.png';
style={{ width: '283px', display: 'block', margin: '10px auto' }}
/>

However, if the Content Credential was signed by a certificate on the [C2PA trust list list](conformance.mdx#c2pa-trust-lists), then this section displays the name of the issuer of the claim signature from the `signature_info.issuer` property in the active manifest, as shown in the example snippet below.
However, if the Content Credential was signed by a certificate on the [C2PA trust list ](conformance/trust-lists.mdx#c2pa-trust-list), then this section displays the name of the issuer of the claim signature from the `signature_info.issuer` property in the active manifest, as shown in the example snippet below.

:::note
This section shows the organization name only if the signing certificate includes the "O" or [Organization Name attribute](https://www.alvestrand.no/objectid/2.5.4.10.html) (OID value 2.5.4.10) in the certificate's distinguished name information.
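Review bot: same relative-path problem as the previous hunk: `conformance/trust-lists.mdx#c2pa-trust-list` should be `../conformance/trust-lists.mdx#c2pa-trust-list` to match the `../conformance/index.mdx` link earlier in this file. The fix for "trust list list" also left a trailing space inside the link text, `[C2PA trust list ]`, which renders as an underlined space; trim it.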
2 changes: 1 addition & 1 deletion docs/getting-started/index.mdx
Expand Up @@ -95,7 +95,7 @@ The _C2PA trust list_ is a curated list of certification authorities (CAs) that

Conforming validator products such as the [Inspect tool on Adobe Content Authenticity (Beta)](https://inspect.cr) use the C2PA trust list to determine whether a Content Credential was issued using a certificate that can be traced back to a CA on the C2PA trust list.

Before the introduction of the C2PA trust list, during the early adoption phase of C2PA, the [Verify tool](https://verify.contentauthenticity.org) used [the interim trust list](trust-list.mdx) to determine which certificates were considered valid and prevent unknown signers from appearing as valid. Verify will be updated to use the official [C2PA trust list](conformance.mdx#c2pa-trust-lists).
The [Verify tool](https://verify.contentauthenticity.org) uses [the interim trust list](../conformance/trust-lists.mdx#interim-trust-list) to determine which certificates are considered valid. Verify will be updated to use the official [C2PA trust list](conformance/index.mdx#c2pa-trust-lists).

## Identity

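Review bot: the new sentence links to `conformance/index.mdx#c2pa-trust-lists`, but this PR deletes the `## C2PA trust lists` section from `conformance/index.mdx`, so the anchor dangles; it is also relative to `docs/getting-started/`, while the first link in the same sentence correctly uses `../conformance/trust-lists.mdx`. Use `../conformance/trust-lists.mdx#c2pa-trust-list` for both.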