Essay
The SSL moment for creative work
Nobody put a credit card on the internet in 1994. By 2004 nobody thought about it. The piece of infrastructure that made the difference has the same shape that creative provenance is taking now.
In 1994, browsing the early commercial web meant typing your credit card number into a form that would transmit it across the open internet in cleartext. Catalog companies running early e-commerce trials in that year sometimes asked customers to phone in payment details instead. The form on the page was decoration; the transaction happened by voice.
Ten years later the form had stopped being decoration and the phone call had stopped being polite. The architecture that moved the web between those two states was small, mostly invisible, and politically expensive to build. The same architecture is being assembled right now for creative work, and the platforms that lay the pipes during the current window are the ones that get to charge rent on them for the decade after.
What actually shipped in 1995
Netscape published SSL 1.0 internally in 1994 and shipped SSL 2.0 in Navigator in early 1995. The protocol layered a key exchange, a certificate format, and a verification routine on top of standard TCP. None of those pieces was new. The work was in the assembly and the politics.
The politics ran in two directions at once. Export controls capped key length at forty bits for non-US builds for most of the 1990s, which made SSL theoretically defeatable for years longer than it should have been. Browsers shipped two versions: one for US users with full key length and one for the rest of the world with the regulator-friendly weakened build. The relaxation in 2000 was a regulatory event, not an engineering one.
The certificate-authority politics were slower and uglier. VeriSign acquired RSA Data Security's certificate business in 1995 and spent the next decade in commercial disputes about who could issue what. The audit standards that became WebTrust for CAs in 2000 took years of dispute resolution between the CAs, the auditors, and the browser vendors. The padlock icon in the address bar was a marketing artifact stretched across a fifteen-year political fight.
That fifteen-year fight is what made SSL invisible. The protocol bit was the small piece. The institutional bit was almost everything.
Why creative provenance is in the same shape
The C2PA specification published its first stable version in early 2022. The standard covers a manifest format, a cryptographic signing scheme, and a verification protocol for media files. Adobe, Microsoft, the BBC, the New York Times, Sony, Canon, and Nikon are among the signatories. The membership list is the SSL-1995 list translated to the creative supply chain: tool vendors, distribution platforms, capture hardware manufacturers, and a few major publishers.
The protocol bit of C2PA is not the hard part. The hard parts are the same three pieces SSL spent fifteen years solving. First, native rendering in mainstream tools, the equivalent of the browser padlock. Second, a certificate-authority equivalent for human attestation, which is the institutional layer above the manifest and the part most platforms have not seriously begun. Third, regulatory clarity, the EU AI Act being the early loud voice and the United States likely lagging by two to four years.
The first piece is tracking. Adobe Photoshop, Premiere, and Lightroom render C2PA assertions by default on supported file formats as of late 2025. Canon and Sony have shipping mirrorless camera bodies that write C2PA on capture. Microsoft Edge surfaces a content credentials indicator on supported image types. None of these is the consumer-iPhone-OS-level integration that would make the signal universal, but the gradient is moving in one direction.
The third piece is loading from Brussels. Article 50 of the AI Act, the machine-readable disclosure clause, is the regulatory hammer C2PA was designed to absorb. Large model providers and content platforms operating in the EU have been quietly retrofitting their manifest pipelines through 2025 to be ready.
The second piece, the human-attestation layer, is the open lane. C2PA assertions can record that a piece was produced by software, but not authoritatively that a specific human signed it. That is a separate registry. It needs a separate institution. Humark, PuraTrust, and AU-SVRN are three early attempts at that institution in three different markets, and the architecture is identical across all three: an append-only registry, a cryptographic signing protocol, and a free public lookup.
What an Adobe-of-1995 mistake looks like in 2026
Several platforms are racing to ship private provenance schemes in 2026. The pitch is faster integration, vendor-controlled rendering, custom verification UIs. The pitch is correct in a six-month window. It is wrong on the three-year horizon.
A closed scheme on a category where an open standard is already shipping in mainstream tools is going to lose to the standard the moment the standard hits feature parity, because the standard is rendered everywhere the closed scheme is not. The 1995 version of this mistake was every browser vendor that tried to run a private secure-transport scheme alongside SSL. None of them are remembered. Netscape lost the browser war and SSL still won.
The investor temperature on closed provenance is higher than the architectural reality justifies, because the pitch decks describe a category that does not exist yet. The category that exists is open-standard infrastructure work, slow and politically loaded and indispensable.
Where the next thirty-six months land
By the end of 2028, three things will be true.
- C2PA rendering will be a default in at least one mainstream consumer phone OS at the file-picker level.
- The EU AI Act's provenance language will have produced at least one significant enforcement action against a platform that did not implement compliant manifests.
- A small number of cross-brand attestation registries will have become the verification surface for the publishing supply chain.
The platforms that lay the pipes during 2026 and 2027 are the ones that get cited in the third bullet. The platforms still arguing about whether the category exists in 2028 are looking at the certificate-authority economics of 2010 without the certificate-authority position. By the time the work looks easy, the slots have been allocated.
That is the shape of every infrastructure inflection. SSL ran the same play. So did email authentication, so did container orchestration, so will provenance. The lesson is in the calendar, not the engineering.
Frequently asked questions
Is C2PA the SSL of creative work?
- C2PA is the manifest format, which is one layer of the analogy. SSL combined a manifest, a certificate authority, and a verification protocol. C2PA covers manifest and verification. The certificate-authority equivalent for human attestation is a separate institutional question, and it is the one Humark is set up to answer.
Will provenance ever be invisible the way SSL is?
- Only if the standard is open, the verification is free at the read side, and the major browsers and platforms render the signal natively. All three conditions are tracking, but none of them is finished. The current state is closer to SSL in 1998 than 2004.
What is the next concrete milestone?
- The first generation of mainstream cameras shipping C2PA on capture, plus consumer phone OS support for verification at the file-picker level. Both are on roadmaps. Neither has landed in market in volume as of 2026.