CPP Status: v1.0 Release Candidate — Verify, Don't Trust. External third-party verification required.
VAP PROFILE: CAPTURE PROVENANCE

CPP - Capture Provenance Profile

The Evidentiary Foundation for Media Capture

"Your moments, verifiably sealed."

— Proving capture events, not content truth

" As AI-generated imagery becomes indistinguishable from captured media, the ability to prove when, where, and by whom a capture event occurred becomes critical for personal archives, legal evidence, and historical documentation. "

CPP is NOT a content authentication system.

CPP IS a framework for creating verifiable capture records that third parties can independently audit.

"Verify, Don't Trust." — External RFC 3161 TSA anchoring ensures independent verifiability.

CPP Specification Three-Layer Architecture ACE Extension Join Development

VeriCapture (B2B)

Evidence-grade capture for legal & journalism

VeriCapture Moments (B2C)

Future-proof family memories

What CPP Proves and Does NOT Prove

Clear distinction between objective capture data and subjective interpretation

CPP PROVES

  • A capture event occurred at timestamp T
  • The media file has not been modified since sealing
  • The capture device reported location L
  • No sealed media was deleted from the sequence
  • An authentication attempt occurred (optional)

CPP DOES NOT PROVE

  • The content is "true" or "authentic"
  • The scene depicted actually happened
  • The photographer's identity
  • The content is free of staging or manipulation
  • The authenticated person is who they claim to be

Design Philosophy: "We prove capture events occurred. We do not claim they depict truth."

Target Use Cases

CPP application scope by priority

Priority A Critical

Legal Evidence

Court-admissible capture records

Key: RFC 3161 TSA, chain of custody

News / Journalism

Source verification for media

Key: Deletion detection, timestamping

Priority B High

Personal Archives

Family memories with provenance

Key: Long-term verification, ease of use

Insurance Claims

Damage documentation

Key: Location proof, timestamp proof

Priority C Medium

Academic Research

Field data collection

Key: Integrity, reproducibility

Real Estate

Property documentation

Key: Date proof, completeness

Threat Model

What CPP addresses and what it doesn't

Threats CPP Addresses

Backdating

Claiming capture occurred at an earlier time

Mitigation: RFC 3161 TSA external timestamp

Tampering

Modifying media after capture

Mitigation: SHA-256 hash chain, digital signature

Cherry-Picking

Deleting unfavorable captures

Mitigation: Merkle tree deletion detection

Fabrication

Claiming AI-generated content was captured

Mitigation: Capture event attestation

Threats CPP Does NOT Address

Scene Staging

Content truth outside scope

Alternative: Human judgment, investigation

Device Compromise

Hardware security out of scope

Alternative: TEE/Secure Enclave (future)

Identity Fraud

Identity verification not claimed

Alternative: External KYC services

Network Interception

Transport security out of scope

Alternative: TLS, certificate pinning

CPP Event Model

Core events in the media capture lifecycle

CPP Event Lifecycle

┌─────────────────────────────────────────────────────────────────────────┐ │ CPP Event Lifecycle │ ├─────────────────────────────────────────────────────────────────────────┤ │ │ │ [User Action] │ │ │ │ │ ▼ │ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ │ CAPTURE │───▶│ SEAL │───▶│ SHARE │───▶│ VERIFY │ │ │ │ │ │ │ │(optional)│ │(optional)│ │ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │ │ │ │ │ │ │ │ │ ▼ ▼ │ │ Local Hash External Anchor │ │ Computed (RFC 3161 TSA) │ │ │ │ [Optional: Attested Capture Extension] │ │ │ │ │ ▼ │ │ ┌─────────────┐ │ │ │ CAPTURE_ATT │ (Biometric attestation attempt recorded) │ │ └─────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────────┘

CAPTURE

Media Capture Initiated

Records the capture event with device ID, media hash, and timestamp.

Required Fields:

  • • DeviceID, MediaHash, Timestamp
  • • MediaType, MediaFormat
  • • Location (OPTIONAL)

SEAL

Cryptographic Seal Applied

Applies cryptographic seal with external timestamp anchor.

Required Fields:

  • • EventHash, Signature, AnchorProof
  • • MerkleRoot, MerkleProof
  • • TSA Response (RFC 3161)

SHARE

Media Shared (Optional)

Records sharing with verification link for recipients.

Required Fields:

  • • RecipientHash (optional)
  • • ShareMethod: LINK, EXPORT, AIRDROP, MESSAGE
  • • VerificationURL

VERIFY

Third-Party Verification (Optional)

Records when third parties verify the capture.

Required Fields:

  • • VerifierID
  • • VerificationResult
  • • VerificationTimestamp

Three-Layer Integrity Architecture

Cryptographic foundation for verifiable capture records

┌─────────────────────────────────────────────────────────────────┐ │ Layer 3: External Verifiability │ │ ┌───────────────────────────────────────────────────────────┐ │ │ │ RFC 3161 TSA / Blockchain / SCITT │ │ │ │ • Independent third-party timestamp │ │ │ │ • Cryptographic proof of existence at time T │ │ │ │ • Decentralized verification capability │ │ │ └───────────────────────────────────────────────────────────┘ │ ├─────────────────────────────────────────────────────────────────┤ │ Layer 2: Collection Integrity │ │ ┌───────────────────────────────────────────────────────────┐ │ │ │ RFC 6962 Merkle Tree │ │ │ │ • Batch-level completeness proof │ │ │ │ • Efficient verification O(log n) │ │ │ │ • Deletion detection │ │ │ └───────────────────────────────────────────────────────────┘ │ ├─────────────────────────────────────────────────────────────────┤ │ Layer 1: Event Integrity │ │ ┌───────────────────────────────────────────────────────────┐ │ │ │ SHA-256 Hash + Ed25519 Signature │ │ │ │ • Per-event content integrity │ │ │ │ • Authenticity verification │ │ │ │ • PrevHash linking (OPTIONAL) │ │ │ └───────────────────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────┘
1

Event Integrity

  • SHA-256 hash chain
  • Ed25519 signature
  • NO exclusion lists
2

Collection Integrity

  • RFC 6962 Merkle tree
  • Completeness Invariant (XOR)
  • Deletion detection
3

External Verifiability

  • RFC 3161 TSA (REQUIRED)
  • Verification URL
  • 50+ year retention

Completeness Invariant (CI)

XOR-based deletion detection — the core innovation for proving nothing was removed

// Completeness Invariant Structure
CI = {
  expected_count: n,                           // Number of events
  hash_sum: H(E1) ⊕ H(E2) ⊕ ... ⊕ H(En),      // XOR of all event hashes
  first_timestamp: T1,                         // Earliest event
  last_timestamp: Tn                           // Latest event
}

// Verification Algorithm
if len(events) != expected_count:
    return VIOLATION
if XOR(H(events)) != hash_sum:
    return VIOLATION
return VALID

Why XOR?

  • • Order-independent: A ⊕ B = B ⊕ A
  • • Cannot fake removal without original hash
  • • Constant-size regardless of event count

Detection Capability

  • • Single event deletion: Detected
  • • Multiple event deletion: Detected
  • • Event modification: Detected

Verification URL Architecture

Survives metadata stripping — verification always accessible

https://verify.veritaschain.org/cpp/{verification_code}

SLA

99.95% availability

Retention

50+ years

Recovery

pHash matching

CPP Extension

ACE - Attested Capture Extension

Biometric Attestation at Capture Time

"Who was holding the device when the capture occurred?"

Critical Distinction

ACE proves an authentication attempt occurred.
ACE does NOT verify identity.

ACE PROVES

  • Biometric auth was attempted at capture time
  • Auth result (success/failure/score)
  • Potential duress (unusual patterns)

ACE DOES NOT PROVE

  • The person is who they claim to be
  • Legal identity
  • Absence of coercion

Attestation Results

SUCCESS

Biometric matched enrolled profile

FAILURE

Biometric did not match

TIMEOUT

Auth timed out

CANCELLED

User cancelled auth

NOT_ENROLLED

No biometric enrolled on device

Key Design: Capture proceeds regardless of auth result. Auth failure is recorded, not blocking.

Zero-Knowledge Privacy Approach

"We prove authentication was attempted. We store no biometric data."

What ACE Stores

  • Auth method used
  • Auth result (success/failure)
  • Attempt duration
  • Device attestation chain

What ACE Does NOT Store

  • Facial geometry
  • Fingerprint data
  • Biometric templates
  • Any biometric raw data

Conformance Levels

Tiered compliance for different use cases — Completeness Invariant REQUIRED at all levels

Bronze

Hobbyists, Early Adopters

  • Completeness Invariant (REQUIRED)
  • SHA-256 + Ed25519 (MUST)
  • TSA: Optional
  • ACE: Optional

Use: Personal archives

Self-verifiable only

Silver

Families, Prosumers

  • Completeness Invariant (REQUIRED)
  • Daily RFC 3161 TSA (MUST)
  • Verification URL (MUST)
  • ACE: Optional

Use: Long-term memories

Third-party verifiable

Gold

Legal, Journalism, Enterprise

  • Completeness Invariant (REQUIRED)
  • Per-capture RFC 3161 TSA (MUST)
  • ACE support (REQUIRED)
  • Verification URL (MUST)

Use: Court evidence

Evidence-grade verifiable

Key Principle: External third-party verification (RFC 3161 TSA) is what distinguishes "Provenance Available" from mere self-attestation.

Implementation Profiles

B2B vs B2C positioning

VeriCapture

B2B Evidence Tool

"Verifiable evidence generation"

  • Target: Legal professionals, journalists, insurers
  • Conformance: Gold (mandatory)
  • Location: ON by default
  • ACE: Mandatory
  • TSA: Per-capture
  • Export: Evidence Pack (PDF + JSON + Proofs)
  • Pricing: Enterprise license

VeriCapture Moments

B2C Consumer Application

"Your moments, verifiably sealed"

  • Target: Families, travelers, memory keepers
  • Conformance: Silver (default), Gold (optional)
  • Location: OFF by default (privacy-first)
  • ACE: Optional with clear explanation
  • TSA: Daily batch (upgradable)
  • Export: Share link + QR
  • Pricing: Freemium / Perpetual verification

Kindness in pricing: Perpetual verification links never expire, even if subscription ends.

C2PA Integration

Complementary positioning with Content Credentials

Aspect C2PA CPP
Question Answered "Is this content authentic?" "Was this media captured?"
Focus Content provenance Capture event provenance
Scope Individual assets Sequential capture records
Deletion Detection Per-asset only Sequence-level
Metaphor Content passport Capture flight recorder

Integration: CPP can embed C2PA manifests while providing additional sequence-level guarantees.

CPP IMPLEMENTATION

VeriCapture

Evidence Generation Tool — CPP v1.0 Compliant iOS Application

VeriCapture

Evidence Generation Tool

VeriCapture is NOT a camera app. It's a professional evidence generation tool that cryptographically records capture events and data provenance in a tamper-evident manner.

RFC 3161 Timestamp Authority support
ACE biometric authentication attestation
Third-party independent verification
Verification Pack export for audit
Legal Evidence Journalism Insurance Construction
Learn More
VeriCapture iOS App
iOS 17.0+ • Utilities

"Verify, Don't Trust."

Important: VeriCapture records capture events — it does NOT verify content truth or legitimacy.

Position within VAP Framework

CPP's position in the framework hierarchy

┌────────────────────────────────────────────────────────────────────────────┐ │ │ │ VAP (Verifiable AI Provenance Framework) │ │ Cross-domain meta-framework for AI audit trails │ │ │ └────────────────────────────────────────────┬───────────────────────────────┘ │ │ defines & maintains │ ┌────────────────────────────────────────────▼───────────────────────────────┐ │ │ │ VSO (VeritasChain Standards Organization) │ │ Independent standards body (Tokyo, Japan) │ │ │ └────────────────────────────────────────────┬───────────────────────────────┘ │ │ publishes domain profiles │ ┌──────────┬───────────────────────┼───────────────────┬──────────┐ │ │ │ │ │ ▼ ▼ ▼ ▼ ▼ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ VCP │ │ CAP │ │ CPP │ │ DVP │ │ ... │ │Finance │ │Content/ │ │Capture │ │Automotive│ │ │ │Profile │ │Creative │ │Provenance│ │ Profile │ │ │ │ v1.1 │ │ v0.2 │ │ v1.0 │ │ (draft) │ │ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ Domain-specific protocol implementations

Profile Comparison

Aspect VCP (Finance) CAP (Content) CPP (Capture)
Subject Trading decisions AI generation decisions Media capture events
Actor Algorithm/Trader AI Model/Creator Device/Photographer
Industries Finance, Trading Games, Film, AI Platforms Personal, Legal, News
Core Events SIG/ORD/EXE/CXL INGEST/TRAIN/GEN/EXPORT CAPTURE/SEAL/SHARE/VERIFY
Time Precision Nanosecond–Millisecond Second–Minute Millisecond–Second

Get Involved

Join the development of CPP and shape the future of capture provenance

CPP Specification

Full technical spec on GitHub

VAP Framework

Parent framework overview

CAP Profile

Content/Creative AI workflows

Join Development

Contribute to CPP standard
"In an age of AI-generated imagery, proving that a moment was captured — not created — becomes invaluable."

— VeritasChain Standards Organization

"Your moments, verifiably sealed."

This work is licensed under CC BY 4.0 International

CPP Specification v1.0.0 Release Candidate — Last Updated: 2026-01-18