Markovian Protocol / Content Provenance

C2PA Content Credentials Live

C2PA binds provenance to media through a signed manifest: who produced a file, and when. That manifest travels inside the file and can be stripped out. A Markovian COMMIT rides into the manifest as a custom assertion and registers the asset on a Bitcoin-anchored chain, so the proof of existence survives even after the C2PA credential is removed.

How It Connects

COMMIT as a C2PA custom assertion

The asset is hashed, that hash is committed to the Markovian chain, and the returned markovian-provenance/v1 record is embedded in the C2PA manifest as a namespaced assertion, com.markovianprotocol.provenance.v1. The same asset bytes are now bound twice: once by the C2PA claim signature, once by the Markovian chain record.

// hash the asset, commit the hash, get the record data_hash = sha256(asset_bytes) record = POST /stamp { data_hash } // merkle_root + ZK commitment, Bitcoin-anchored // embed the record as a C2PA assertion, then sign the manifest assertion com.markovianprotocol.provenance.v1 = record c2pa.sign(asset, manifest) // claim signature co-binds asset + assertion

The Trust Model

Provenance, not truth

The C2PA claim signature attests who signed the manifest. The Markovian record attests that the asset bytes existed at a point in time, anchored to Bitcoin. Neither asserts the content is accurate. A stamp proves data was committed at a time, not that it is correct.

Markovian adds nothing to authorship, that is the C2PA signature's job. What it adds is an independent timestamp with no single certificate authority, a BN128 Pedersen commitment, an account-free public verifier, and the one property a C2PA manifest cannot provide on its own: survival of stripping.

Proven

A real signed asset, manifest and chain

A real image was stamped, the record embedded as the assertion, and the C2PA manifest signed and validated. The asset hash is committed on the Markovian chain, so the bare bytes verify independently of the manifest.

C2PA Manifest + Markovian Commitment

c2pa validationvalid dev signing cert

assertioncom.markovianprotocol.provenance.v1

asset data_hash3d7738a7108a534f3467512509380251c2235e19cd521ac4c3f224fa385b1756

commit merkle_root5d56de52a87855b04ca8a3a89f045f3375f9523e80a887352ad682f96f6cf7f6

anchorBitcoin-anchored Markovian chain

attestationprovenance-only; proves data was committed at this time, not that it is correct

Verify the commitment

Survives Stripping

The credential can be removed. The proof cannot.

A C2PA manifest is metadata embedded in the file, and it can be stripped by a re-encode or an export. When that happens, the Content Credential is gone. The Markovian commitment is not in the file, it is on the chain, keyed to the hash of the asset bytes. Anyone holding the stripped file can hash it and find the same record.

# strip the manifest, the C2PA credential is gone sha256(stripped_asset) == data_hash # still the committed hash GET /verify/<merkle_root> # still resolves: verified true

This is the additive case for the door. C2PA is the rich credential while it is attached. Markovian is the durable anchor that outlives it.

Honest Status

On the signing certificate

The proof above is signed with a C2PA development certificate, so a strict C2PA verifier will report the signer as not on the production trust list. That is expected, and it does not weaken the Markovian guarantee: trust here is carried by the Bitcoin-anchored chain record and the public verifier, not by the C2PA certificate. A production deployment that wants a trusted Content Credential badge uses an end-entity certificate from a conforming certificate authority. The Markovian assertion and its verification are identical either way.

Verify Live

Check it without trusting this page

A C2PA-aware reader inspects the manifest and the embedded assertion. The public verifier returns the provenance record behind the asset hash, with no account and no dependency on this site.

Public verifier View on GitHub