@crandmck crandmck commented Aug 12, 2025

@andyparsons - QUESTIONS:

  • We currently explain how to use the interim trust list with C2PA Tool and the JS library. Should we also add info on using the C2PA trust list? This might be as easy as simply using different URLs in the example code.
  • Will the preliminary check process provided by @andrewhalle work for certs from CAs on the C2PA trust list (just ssl.com at this point AFAIK)?
  • Currently, the process for getting on the conforming products list is not very user-friendly. After they fill out the expression of interest form, what will they have to do? It would be great to have some kind of guidance about expectations. Also, some kind of preliminary check as we have today for ITL certs (see above) would be nice. Or, honestly, any more concrete information would be good.

@crandmck crandmck marked this pull request as draft August 13, 2025 16:25
@crandmck crandmck changed the title from "Conformance program updates" to "Update docs for C2PA conformance program" Aug 29, 2025
@crandmck crandmck marked this pull request as ready for review September 2, 2025 22:32
@andyparsons

Thanks Rand, this looks good to me. Answers:

  • Yes, we should explain to the greatest degree possible "how" to use the lists, both ITL and C2PA TLs.
  • Check process- should work, @andrewhalle to confirm please.
  • We should point people to the start of the conformance program, not duplicate anything about the process. What is unfriendly about linking to C2PA conformance?

crandmck commented Sep 5, 2025

> We should point people to the start of the conformance program, not duplicate anything about the process. What is unfriendly about linking to C2PA conformance?

Not really "unfriendly", but opaque to a product developer who is just delving into it. The four most relevant PDFs are almost 140 pages long--Requiring someone to understand those borders on being unfriendly: C2PA Conformance Program.pdf, C2PA Generator Product Security Requirements.pdf, C2PA Certificate Policy.pdf, and C2PA Generator Product Security Requirements.pdf.

A product developer might wonder, to get my product on the CP list...

  • Do I have to submit my codebase to C2PA?
  • Does my product have to pass some test suite or something like that?
  • Or is this just a matter of filling out forms that answer questions?

Based on what Ribhav has told me about what he's doing for Adobe products, I think the latter is the case, but that's not clear even after reading all three of the relevant docs. I assume it becomes clear once you submit the "Expression of interest" form, but right now it seems to be a matter of "Get started and THEN find out what you have to do" vs. "Here's a general idea of what you'll need to do, now get started".

Having all the relevant docs in PDF only is also a challenge, because I can't link to a specific section (I have to link to the PDF in the GH repo and then say "see Section XYZ"), which is also not super user-friendly.

@andyparsons

I agree with you but am concerned with doing this work that really should be the realm of the C2PA. So we will have to maintain the right balance. I like what you have done so far.

"Or is this just a matter of filling out forms that answer questions?" sort of. Parties must:

  • sign a legal agreement with the C2PA
  • provide evidence in the form of diagrams and documentation
  • work with the Conformance Program administrator staff to resolve any questions


@andyparsons andyparsons left a comment


Approved with comments to be considered.


@andrewhalle andrewhalle left a comment


Rand and I chatted a little bit in Slack. For a developer of a generator product that wants to validate that the certificate they got from a CA signs correctly and bears the name they expect, that check process will work great.

@crandmck crandmck merged commit a0cb7d7 into main Sep 8, 2025
2 checks passed
@crandmck crandmck deleted the tl-updates branch September 8, 2025 20:18