Clarify guidance issue280 #36
|
|
||
| The C2PA Technical Working Group may approve and merge PRs in accordance with its prevailing processes for approving technical contributions to the C2PA specification. | ||
|
|
||
| C2PA's Technical Working Group may also decide to remove malicious or non-conformant algorithms from the list of approved soft binding algorithms. |
How is it going to be determined if an algorithm is malicious or non-conformant?
Good point @alexandersolonskycastlabs and @jcollomosse, how about:
| C2PA's Technical Working Group may also decide to remove malicious or non-conformant algorithms from the list of approved soft binding algorithms. | |
| C2PA's Technical Working Group may also decide to remove malicious or non-conformant entries from the list of approved soft binding algorithms. |
and I will add more precise criteria below in the "selection rules" section.
|
Agreed, I think this should refer to a non-conformant entry i.e. to the
SBAL schema, and malicious in the context of spam or harmful entries to the
list rather than an algorithm and its function
…On Fri, 28 Nov 2025, 12:30 alexandersolonskycastlabs, < ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In README.md
<#36 (comment)>
:
> @@ -1,9 +1,25 @@
# Soft Binding Algorithm List
-C2PA specifies a mechanism for recovering a C2PA Manifest for an asset, for example when the metadata containing the C2PA Manifest has been stripped. This mechanism is a [soft binding](https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_soft_binding) (for example an invisible watermark or content fingerprint). The soft binding is used to look-up the C2PA Manifest within a Manifest Repository. The soft binding is described by the [soft binding assertion](https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_soft_bindings).
+C2PA specifies a mechanism for recovering a C2PA Manifest for an asset, for example when the metadata containing the C2PA Manifest has been stripped. This mechanism is a [soft binding](https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_soft_binding), for example an invisible watermark or content fingerprint. The soft binding is used to look-up the C2PA Manifest within a Manifest Repository. The soft binding is described by the [soft binding assertion](https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_soft_bindings).
+
+The soft binding assertion contains a field `alg` uniquely identifies the algorithm used to compute the soft binding. The Soft Binding Algorithm List is an authoritative list of soft binding algorithm names that may be used as identifiers within the `alg` field. Entries in the list also contain additional information on the algorithms.
+
+## Guidelines for submitting a new entry
+
+### Pull request
+Developers of soft binding algorithms may request these be added as new entries in the soft binding algorithm list. Developers may also request amendments to their entries. These requests may be made by submitting a Pull Request (PR) adding to or editing the [softbinding-algorithm-list JSON array](softbinding-algorithm-list.json) in this repository and following the [schema](softbinding-algorithm-list-schema.json).
+
+### Selection rules
+
+The C2PA Technical Working Group may approve and merge PRs in accordance with its prevailing processes for approving technical contributions to the C2PA specification.
+
+C2PA's Technical Working Group may also decide to remove malicious or non-conformant algorithms from the list of approved soft binding algorithms.
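Review bot: The added sentence introducing the `alg` field is missing a relative pronoun: "contains a field `alg` uniquely identifies the algorithm" should read "contains a field `alg` that uniquely identifies the algorithm". In the last added line under "Selection rules", "malicious or non-conformant algorithms" is used without stating what either term means or how the determination is made; the section should define both and say whether they apply to the algorithm or to the list entry.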
How is it going to be determined if an algorithm is malicious or
non-conformant?
|
README.md
Outdated
| ## Guidelines for submitting a new entry | ||
|
|
||
| ### Pull request | ||
| Developers of soft binding algorithms may request these be added as new entries in the soft binding algorithm list. Developers may also request amendments to their entries. These requests may be made by submitting a Pull Request (PR) adding to or editing the [softbinding-algorithm-list JSON array](softbinding-algorithm-list.json) in this repository and following the [schema](softbinding-algorithm-list-schema.json). |
Why does it have to be the developer? What if a user of an open source algorithm would like it added?
@lrosenthol it does not need to be a developer but should be someone who is affiliated with the company. As for an open source algorithm, only forks will work, as otherwise there would be X times the same entry and that would not be interoperable. In the case of a fork, the owner of the fork should submit it.
What do you think of:
| Developers of soft binding algorithms may request these be added as new entries in the soft binding algorithm list. Developers may also request amendments to their entries. These requests may be made by submitting a Pull Request (PR) adding to or editing the [softbinding-algorithm-list JSON array](softbinding-algorithm-list.json) in this repository and following the [schema](softbinding-algorithm-list-schema.json). | |
| Owners of soft binding algorithms may request these be added as new entries in the soft binding algorithm list. Owner may also request amendments to their entries. These requests may be made by submitting a Pull Request (PR) adding to or editing the [softbinding-algorithm-list JSON array](softbinding-algorithm-list.json) in this repository and following the [schema](softbinding-algorithm-list-schema.json). A request has to be submitted by an individual affiliated with the company owning the submitted proprietary algorithm or a maintainer of the submitted open source algorithm or its fork. |
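Review bot: In the suggested replacement line, "Owner may also request amendments to their entries" should be "Owners may also request amendments to their entries" to agree with the plural subject of the preceding sentence. The final sentence names only a "company owning the submitted proprietary algorithm"; if a proprietary algorithm can be owned by an individual or another kind of organization, a broader term such as "owner" would avoid excluding those submitters.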
|
|
||
| For an entry to be approved the following criteria are important: | ||
| - The entry has to comply with the [schema](softbinding-algorithm-list-schema.json) and include all the mendatory fields. | ||
| - The PR has to be sumitted by a representative of the named technology (e.g., the commercial vendor, or open source repository maintainer). |
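Review bot: Two typos in the added criteria: "mendatory" should be "mandatory" in the schema bullet, and "sumitted" should be "submitted" in the bullet on who may open the PR. The lead-in "the following criteria are important" also leaves open whether every criterion must be met for approval; if they are all required, say so explicitly.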
I don't understand why this requirement...
@lrosenthol - we should not allow anyone to submit any algorithm. Someone not affiliated with company X should not be able to submit an entry for company X as company X might not want their algorithm to be listed.
As per @jcollomosse @alexandersolonskycastlabs comments above:
| - The PR has to be sumitted by a representative of the named technology (e.g., the commercial vendor, or open source repository maintainer). | |
| For a PR (new entry or update) to be approved the following criteria are important: | |
| - The entry has to conform with the [schema](softbinding-algorithm-list-schema.json) and include all the mandatory fields. | |
| - The entry should not be malicious (e.g., spam) or harmful. | |
| - The PR has to be submitted by an individual affiliated with the company owning the submitted proprietary algorithm or a maintainer of the submitted open source algorithm or its fork. |
Co-authored-by: Leonard Rosenthol <[email protected]>
jcollomosse left a comment
LGTM and I support it but I feel like this is a policy position that ought to be run past TWG and/or @lrosenthol before merging.
No description provided.