Mention SDK trust list for test certs in docs #152

Open
crandmck opened this issue Jun 17, 2024 · 3 comments
Labels
waiting Can't start on this until something else happens

Comments

@crandmck
Collaborator

crandmck commented Jun 17, 2024

Per Maurice:

The Rust SDK ships with a trust list for the test certificates. It can be found at: https://github.com/contentauth/c2pa-rs/tree/main/sdk/tests/fixtures/certs/trust.

You can use this with c2patool to configure the trust support. You can also use your own trust list if required. See: https://opensource.contentauthenticity.org/docs/c2patool/#using-the-temporary-contentcredentialsorg--verify-trust-settings

We need to clarify the diff between the Verify trust list and the SDK trust list you mentioned. Currently, docs don't even mention the SDK trust list or explain how to use it (except for c2patool).

If we explain the sample certs they may as well know how to use the trust list via c2patool. The one issue we need to figure out is how/when we want to expose the settings APIs. They are still in flux but that is how you would do it with the SDK.

@crandmck crandmck changed the title Mention Mention SDK trust list for test certs in docs Jun 17, 2024
@mauricefisher64
Collaborator

There is nothing special about trust lists, the one used by Verify or the ones included in the SDK. It is just a set of certs you are willing to trust. We supply that list for our test certs so users can verify their test assets using c2patool. Verify uses a list we made up today but will be some other list tomorrow. Other companies can and will have other trust lists.

@crandmck
Collaborator Author

crandmck commented Jun 19, 2024

Right but we don't explain that anywhere other than in the context of Verify.

We don't say that you can set up a trust list using the SDK.

> Other companies can and will have other trust lists.

And how do they know how to set up their trust list if we don't explain it?

@crandmck
Collaborator Author

NOTE: This is not exposed in the Rust SDK yet. Once it is, need to document.

@crandmck crandmck added the waiting Can't start on this until something else happens label Jun 20, 2024