C2PA in production

C2PA (Content Credentials) is the closest thing the industry has to a provenance standard. We adopted it early and have spent a year shipping it to production customers. This is the honest report.

What worked

• Hardware-attested capture on iOS 17 / Android 14 is rock solid
• Newsroom workflows took to it immediately
• Banks loved the cryptographic non-repudiation

What didn’t

• Browser support for rendering credentials is uneven
• Manifest stripping by CDNs and image processors is still common
• The spec evolves; pinning to a manifest version requires care