The cryptographic component of the camera would be manufactured without a private key in place. Instead, there’s a write-only memory section that any number of third parties can write their private keys to. That way, we can rely on existing legally trusted institutions like notaries, and nobody should be able to extract too much rent.
This raises the question of how the notary can know that the “cryptographic component” in front of them isn’t some scammer’s usb stick. Require each cryptographic component to have many compartments, each of which is separate from the others. Breaking the seal on one is to wipe its memory, but not its architecture. Given a supposed cryptographic component, the notary randomly selects a few compartments to destructively verify their architecture. The remaining compartments are told one fresh private key each, and the notary publishes (and signs with his personal private key) that whoever can authenticate himself with at least x of these particular public keys is a trusted camera. To produce fake images, an adversary would have to have subverted at least x compartments that the notary didn’t destructively verify. A component can be shipped around to a few notaries so long as nobody breaks enough compartments that fewer than any notary’s x are left.
Of course, “Don’t roll your own crypto.” says all of this is to be interpreted as conjecture.
The cryptographic component of the camera would be manufactured without a private key in place. Instead, there’s a write-only memory section that any number of third parties can write their private keys to. That way, we can rely on existing legally trusted institutions like notaries, and nobody should be able to extract too much rent.
This raises the question of how the notary can know that the “cryptographic component” in front of them isn’t some scammer’s usb stick. Require each cryptographic component to have many compartments, each of which is separate from the others. Breaking the seal on one is to wipe its memory, but not its architecture. Given a supposed cryptographic component, the notary randomly selects a few compartments to destructively verify their architecture. The remaining compartments are told one fresh private key each, and the notary publishes (and signs with his personal private key) that whoever can authenticate himself with at least x of these particular public keys is a trusted camera. To produce fake images, an adversary would have to have subverted at least x compartments that the notary didn’t destructively verify. A component can be shipped around to a few notaries so long as nobody breaks enough compartments that fewer than any notary’s x are left.
Of course, “Don’t roll your own crypto.” says all of this is to be interpreted as conjecture.