Ask HN: Why isn't there a standard file format for sharing signed content?

1 point by Difwif 1 year ago | 4 comments
Photos and videos would be the major use case but why don't we have a standardized file type that includes something like a PGP signature? At a minimum photos could be signed by the photographer and signatures could be shared to services running a transparency log allowing authors to publicly declare creation of the hash to avoid people stripping signatures and resharing. At the limit we could imagine the camera signing the raw image, the photo editor signing their edit along with the original, etc. A chain of trust seems pretty easy to establish in a single file.

Especially with the recent commentary related to OpenAI:Sora, I'm seeing a lot of doom and gloom around not being able to trust anything online anymore... But didn't GPG solve this 20 years ago? Just about everything you need to solve this problem has already been done for signing files. Of course GnuPG doesn't make it easy for everyone to use.

I prototyped something simple that just uses gpg and tar to create a chain of trust for files. The next step would be to create some kind of PKI or Web of Trust for people to easily create keys tied to their identities and record hashes/signatures. The hard part is adoption. There is nothing technically preventing us from having every piece of media shared on social media include a full verification log of every edit all the way back to its creation. Any photo with the log could be dismissed as fake.

What am I missing? Why isn't this solved already? All the major social media companies claim trust is a really hard problem to solve but it doesn't seem like anyone has even attempted to do this. Has anyone worked on this and failed for some reason?

  • Someone 1 year ago
    https://contentauthenticity.org.

    I haven’t used it, so I don’t know how well it works, but they claim tooling supports a fairly large set of file formats. See https://opensource.contentauthenticity.org/docs/c2patool#sup...

    • pavel_lishin 1 year ago
      XKCD has covered part of the reason: https://xkcd.com/927/

      And the other thing you mention, signing data, is only as good as trusting the author themselves. Let's say there's a contentious video and it's cryptographically signed by Stefan Mousetentacle. Who is Mr. Mousetentacle, and why do we trust that he actually took the video, and didn't generate it?

      • Difwif 1 year ago
        Isn't the issue that there's zero standards for a single signed photo?

        I agree trusting the author is an issue. It's certainly more of an issue the way PGP keys work today for normal people. The idea of a Web of Trust that the GnuPG documentation talks about could just be taken to a pretty obvious web 2.0 conclusion.

        A website that associates an authorized identity to signing keys. 80% of the problem gets solved when large companies sign their photos, OpenAI signs Sora generated videos, Canon produces keys for every camera that can be registered with the owner, etc. People certify each other as real individuals. People start establishing histories of producing trusted signed content. Users flag keys/identities as fraudulent. The network gets stronger the more it's used and soon enough it gets easy to spot an outlier.

        • pavel_lishin 1 year ago
          > OpenAI signs Sora generated videos

          What stops me from stripping out their signature, and replacing it with my signature? What stops me from running a video through a Canon camera, signing it with the key that's registered to me in their servers?

          And the outliers are where interesting footage will often come from. Few people in my web of trust are likely to happen to catch breaking news on their phone.