Why we built openclearance
One question, a dozen vocabularies.
Ask whether you may reuse a museum artwork and the answer arrives in fragments. Is it CC0 or a Public Domain Mark? Does the museum's own terms page qualify the licence? Is there a rights statement, a provenance record, a certificate of authenticity? Each answers a different part of the question, in a different format, and none of them tells you the thing you actually need: may I print this and sell it?
The landscape we surveyed
Rights and provenance for cultural works live in separate, non-interoperable systems, each solving one layer well.
| Layer | What carries it today |
|---|---|
| Rights status | Creative Commons (CC0, CC BY…) and the Public Domain Mark; RightsStatements.org (In Copyright, No Known Copyright…) for what CC does not cover |
| Description + provenance | schema.org CreativeWork and Dublin Core: who made it, when, where it lives |
| Determination provenance | W3C PROV: who decided the status, when, on what evidence |
| Content authenticity | C2PA: tamper-evident, signed provenance that travels with the file |
| Institutional terms | each museum's bespoke terms-of-use page, often qualifying the licence in prose |
| Certificates of authenticity | the art world's existing trust documents, built for objects, not reuse |
Each is good at its layer. None binds them into a single, verifiable answer to "what may I do with this?"
What openclearance does, and doesn't
The Clearance Manifest adds no new licence and no new rights vocabulary to the pile. It composes the ones that already exist. Through one JSON-LD context it binds Creative Commons and RightsStatements.org (status), schema.org and Dublin Core (description and provenance), and W3C PROV (the determination event), and adds just one original thing: a thin clearance layer that translates "what the rights say" into "what you may do," as binary, auditable answers.
- Commercial reproduction yes / no
- Derivatives yes / no
- Attribution required yes / no
Each answer carries its basis: the rule and the input that produced it, so a person or an agent can check the reasoning, not just the verdict.
It carries the determination; it does not make the law
An external authority, a museum or an engine, decides; the manifest carries that decision, immutably and auditably, in a tamper-evident envelope aligned to C2PA. A manifest is emitted for cleared and non-cleared works alike: a deny is a valid answer, not an error.
Compose, don't reinvent. Everything that already works keeps working; openclearance is the thin layer that makes them answer one question together.
Integrity that travels with the work
A manifest's integrity is defined over bytes, the way DSSE, JWS, COSE, and C2PA all define it. The default Tier 0 envelope is keyless and byte-exact: it carries the payload as its exact UTF-8 JSON string alongside a SHA-256 over those exact bytes, so any consumer can recompute the hash and confirm nothing changed in transit. No signing keys, no canonicalization library, no canonicalization attack surface.
Signed tiers build on the same payload. Tiers 1 and 2 carry it as a C2PA assertion and add a signature, which lets the manifest support authenticity claims where a commercial use needs them. The payload is unchanged across tiers; only the envelope around it grows.
Tier 1 is now live on Open Museum. Its
attested works carry a Tier-1 delegated-attestor envelope: the manifest is signed on behalf of
the source institution that made the determination, under a did:web:open-museum.art
identity, and anyone can verify it. Verification is fail-closed: a tampered or actor-mismatched
signature is rejected, never quietly downgraded to an unsigned record. What the signature attests
is deliberately narrow: that Open Museum faithfully carried the institution's CC0 or public-domain
determination, bound to an accountable identity. It is not an independent re-verification
of the rights, and not a claim that a reproduction is original. Works that are not yet
attested remain Tier 0 — integrity only.
The keyless reference engine, open-museum-mcp, emits Tier 0 and holds no signing keys; the Tier-1 attestation is added by Open Museum's signing service over the same byte-exact payload. The engine remains a strict, fail-closed rights gate: any signal that is missing, ambiguous, or not affirmatively permissive resolves to a deny. The v0.1 clearance answer is unchanged — three reuse verdicts (commercial reproduction, derivatives, attribution) over CC0 and public-domain works.