# C2PA Glossary — Trusted vs Valid vs Invalid vs Unsigned

> The four verdict states Verifieddit assigns to a verified file, and what each one actually means.

## Trusted

- **Definition**: C2PA manifest is present, the cryptographic signature is valid, AND the signing certificate chains up to a CA on the loaded trust list.
- **What it tells you**: The file was signed by a known, vetted signer (e.g. a major camera manufacturer, a CAI member, a content platform with a trusted certificate authority). The content has not been modified since signing.
- **Visual cue in Verifieddit**: green badge, "Trusted — Verified Signer".
- **What it does NOT tell you**: anything about *quality* or *factual accuracy* of the depicted scene. A trusted signature only proves origin and integrity, not truth.

## Valid

- **Definition**: C2PA manifest is present, the cryptographic signature is valid, BUT the signing certificate is NOT in the trust list (self-signed, or signed by an issuer the verifier doesn't know).
- **What it tells you**: The content has not been modified since signing — cryptographic integrity is confirmed — but the signer's identity has not been independently verified.
- **Common cases**: Google Pixel cameras, Samsung devices, recent smartphone video, software that self-signs its own credentials.
- **Visual cue in Verifieddit**: amber badge, "Valid — Signer Not Trusted".
- **Use case**: You can trust that this file is unchanged since it was signed, but you should verify the signer's identity out of band before treating the credential as authoritative.

## Invalid

- **Definition**: C2PA manifest is present, but the signature failed validation. The file has been modified since signing, OR the signature itself is corrupt.
- **What it tells you**: The credential cannot be relied on. Either the content was edited (deliberately or by a re-encoder/transcoder) or the signature was tampered with.
- **Visual cue in Verifieddit**: red badge, "Invalid — Integrity Failure".
- **Important**: An Invalid file is *not* automatically a "fake" — many invalidations are caused by benign re-encoding (e.g. social media platforms re-compressing the file). The cryptographic claim, however, can no longer be honoured.

## Unsigned

- **Definition**: No C2PA manifest is present at all.
- **What it tells you**: The file's origin cannot be cryptographically verified. It may be entirely legitimate; it may not be.
- **Visual cue in Verifieddit**: grey badge, "No C2PA Credentials".
- **Most files on the internet today are Unsigned.** C2PA adoption is still growing; the absence of credentials is not evidence of anything by itself.

## Historically Authentic

A special sub-state of **Trusted** or **Valid**: the signing certificate has expired, but an RFC 3161 timestamp proves the signature was created during the certificate's validity period. The signature is treated as cryptographically valid for the historical signing time.

## AI-Generated (overlay verdict)

Verifieddit also runs an AI content detection pass on uploaded images:

- Reads C2PA assertions for `c2pa.digitalSourceType` (the C2PA-standard way to declare AI generation)
- Recognises ~38 known AI generator `claim_generator` strings (Google Pixel Studio, Gemma, OpenAI, Stability AI, Adobe Firefly, etc.)
- Recognises trusted AI-issuer certificates
- Falls back to a server-side image-based AI detector (rate-limited for guests; unlimited for Enterprise)

If detected, the verdict gets an `AI-Generated Content Detected` overlay independent of the C2PA trust state. A file can be both Trusted AND AI-generated (the credential proves an AI tool produced it).
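
The decision order implied by the definitions above, written out as an added example (this is not Verifieddit's code). The `Validation` fields and the `verdict` function are hypothetical names, and reporting an expired certificate with no usable timestamp as Invalid is an assumption the glossary does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass
class Validation:
    """Constructed summary of what a C2PA validator reported for one file."""
    manifest_present: bool
    signature_ok: bool = False            # signature and content bindings verify
    chains_to_trust_list: bool = False    # signer cert chains to a loaded CA
    cert_not_before: Optional[datetime] = None
    cert_not_after: Optional[datetime] = None
    timestamp: Optional[datetime] = None  # verified RFC 3161 time, if any
    ai_detected: bool = False             # any signal from the AI detection pass


def verdict(v: Validation, now: datetime) -> Tuple[str, bool, bool]:
    """Return (state, historically_authentic, ai_overlay)."""
    ai = v.ai_detected  # the overlay is independent of the trust state
    if not v.manifest_present:
        return ("Unsigned", False, ai)
    if not v.signature_ok:
        return ("Invalid", False, ai)

    historic = False
    if v.cert_not_after is not None and now > v.cert_not_after:
        # Expired certificate: only a timestamp that falls inside the
        # certificate's validity period keeps the signature usable.
        in_window = (
            v.timestamp is not None
            and v.cert_not_before is not None
            and v.cert_not_before <= v.timestamp <= v.cert_not_after
        )
        if not in_window:
            # Assumption (not stated in the glossary): report as Invalid.
            return ("Invalid", False, ai)
        historic = True

    # Trust-list membership is the only difference between Trusted and Valid.
    state = "Trusted" if v.chains_to_trust_list else "Valid"
    return (state, historic, ai)


if __name__ == "__main__":
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    print(verdict(Validation(manifest_present=True, signature_ok=True), now))
```

Checking the signature before the trust list keeps a tampered file from ever being shown as Trusted, whoever signed it.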

## See also

- [Why this matters in 2026](/why-2026.md) — EU AI Act context
- [Home / overview](/index.md) — the verification flow
- Enterprise issuing: [trusteddit.com](https://trusteddit.com/?utm_source=verifieddit&utm_medium=glossary-md&utm_campaign=see-also)
