content.whisper.online · C2PA signer identity & provenance

You can sign your content with C2PA — but a verifier shows “unknown source.”

Your Content Credential is perfect: a COSE_Sign1 claim signature, your X.509 signer cert riding in-band (x5chain, RFC 9360), tamper-evident. Yet a verifier trusts you only if that cert sits on a gate-kept Trust List — or chains to one. Off-list CA? “Unknown source.” There is no Let’s Encrypt for C2PA: commercial signing certs run ~$289/yr, the recognized-CA set is a small coalition, and independent creators, small newsrooms and AI agents are simply locked out.

The address is the signer. Bind the C2PA claim-signer’s EE cert — device_id = its serial, or the CAWG identity — to a routable, DNSSEC-anchored /128 derived from the signer’s own key and published as a DANE/TLSA record under your DNSSEC-signed domain. Self-verifying — no trust-list slot, no gatekeeper, no annual CA fee, revocable per-unit at DNS-TTL.

whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.

$12.3B→$40B deepfake-enabled fraud, US 2023 → projected 2027 (Deloitte, ~32% CAGR)
~74% of ~1M new web pages (Apr 2025) carried detectable AI content — synthetic is now the majority
~$289/yr per commercial C2PA signing cert — and no free, automated path exists
a coalition governs the recognized-CA set — pay-to-play, “hasn’t covered most CAs yet”
an entire fleet one camera vendor revoked its whole set of C2PA device certs after a vuln (2025), unrestored
ISO 22144 the C2PA architecture entering ISO (2025) → procurement + EU AI Act pull provenance into law

This is how a real signer is shown as “unknown source” — and a fake travels clean.

No zero-day. Just C2PA used exactly as designed — with a Trust List an independent creator, a small newsroom, or an AI agent can’t get onto, and a signing model that gives no feedback when someone checks.

01 · SIGN

You emit a Content Credential

A COSE_Sign1 claim signature over a hard binding (c2pa.hash.data), your EE signer cert with EKU c2pa-kp-claimSigning traveling in-band via x5chain. Correct, tamper-evident, complete.

02 · UNKNOWN SOURCE

Off-list = untrusted

A verifier trusts you only if your cert is on an explicit Trust List or chains to a listed anchor. Off-list or self-signed content has the same technical appearance as a verified org — shown as “unknown source.”

03 · THE TOLL

Pay the coalition, or vanish

The recognized-CA set is governed by a small coalition; commercial C2PA certs run ~$289/yr; there is no ACME-style free path. Independent creators, stringers and agents are priced and gated out.

04 · STRIP

A screenshot deletes it

The manifest is embedded metadata (JUMBF); any non-C2PA-aware re-save — including a screenshot — erases it, and re-compressing platforms strip even authentic credentials. Provenance is gone.

05 · IMPERSONATE

Lift an identity, or steal a key

Lift a valid identity assertion onto a new asset (brand impersonation — C2PA’s own security model concedes it), or a stolen key mints spec-valid manifests until revoked — and revocation via OCSP/CRL is optional and committee-paced.

06 · BLIND

You never see who checked

C2PA verification needs no network call — the certs travel in the manifest. So the signer has zero visibility into who verified, where, or how often. No feedback loop, no early warning of abuse.

Two things break at once: an honest signer has no public way to be trusted off-list, and even when trusted, no way to see who checked. Strip it down and it isn’t a hundred problems — it’s two structural gaps. Close both and both failures lose their ground.

Strip the incident down and it isn’t a hundred bugs. It’s two.

C2PA does the manifest well. What it leaves open is who to trust and who is checking. Neither is a fork of C2PA to fix — both are trust sources the validator already accepts as pluggable config.

Gap 1 · the trust-list gatekeeping gap

An off-list signer cannot be publicly trusted — you must join a curated list or pay a CA, and there is no open, domain-owner-controlled way to make a signer verifiable. C2PA’s own experimental Web Domain Trust Anchor tried a self-signed cert in an HTTPS /c2pa.json file — not DNSSEC — and flagged domain-takeover and privacy as open problems.

The answer — identity. Bind the claim-signer’s EE cert to the signer’s own forge-proof /128device_id = the cert serial (already in every manifest) or the CAWG identity — published as a DANE/TLSA record under your DNSSEC-signed domain. Any verifier resolves it with dig: no list to join, no gatekeeper, no ~$289/yr toll, revocable per-unit at DNS-TTL. And it is honestly additive: C2PA does not mandate any particular trust list — trust lists and anchors are pluggable config inputs to the validator, so a DANE/DNSSEC anchor is a legitimate alternative trust source, never a fork.

the same signed asset — two trust sources, both pluggable into the validator Signed asset COSE_Sign1 · x5chain claim-signer EE cert, in-band C2PA verifier no network call to read the manifest Official Trust List off-list CA · not on the list unknown source locked out / pay the toll DANE / DNSSEC anchor TLSA under your own domain no list · additive, not a fork dig / resolve VERIFIED signed by newsroom.example C2PA does not mandate a list — the DANE anchor is a legitimate pluggable trust input the domain owner controls
C2PA leaves the trust source pluggable. The official Trust List answers “unknown source” for an off-list signer; a DANE/DNSSEC record under the signer’s own domain answers “verified” — additive, never a fork.

“So a signer no coalition CA will touch — an independent creator, a small newsroom, an AI agent — can be publicly trusted without joining a list or paying ~$289/yr?”

Yes. Their signer cert’s serial (or CAWG identity) anchors to a DNSSEC/DANE record under a domain they control. Any verifier resolves it trustless from the IANA root — and one call revokes it at DNS-TTL, not a CRL round-trip or a committee.

Gap 2 · the verification-blindness gap

Because a C2PA verifier makes no network call — the whole chain travels in the manifest — the signer has zero visibility into who verified their content. The only network events C2PA generates are optional OCSP/CRL and the RFC 3161 timestamp. From the signer’s side, provenance is write-only: no telling where your content travelled, who checked it, or where the credential was stripped.

The answer — lookups. Anchor the signer in DNS and the blindness inverts. When a verifier resolves and DANE-validates that anchor, it generates AAAA/TLSA/RDAP lookups against Whisper’s authoritative servers — so op:lookups becomes “who verified my content, where, how often.” A verification-analytics stream C2PA structurally cannot provide, and a clean early warning when someone starts enumerating or impersonating your signer.

“Doesn’t this just make me an official C2PA trust anchor? And does a signature mean the content is true?”

No on both — and we say so plainly. A DANE anchor is a legitimate, additive pluggable trust source, not official Trust-List membership and not a C2PA conformance route; the formal-recognition path runs through CAWG (the signer_payload.sig_type extension point + did:web). And provenance is origin + history, not veracity: a genuine signer can sign false or staged content, and Whisper is not a deepfake detector. What we add is a publicly verifiable signer, DNS-TTL revocation, and who-verified analytics — accountability, not a truth oracle.

Gap 1 is trust made public. Gap 2 is the feedback loop no one else has. Here’s the root-cause cure for both.

Give every signer an identity anyone can verify — and no one can forge.

Stop treating “unknown source” as a paperwork problem and make it an identity problem. Whisper has one primitive: the address is the signer.

A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with dig. whisper verify --trustless checks it against the IANA root; our own API is not in the trust path.

Point it at signers. Derive each signer’s /128 from the public key behind the identifier the manifest already carries: the C2PA claim-signer’s X.509 EE cert (EKU c2pa-kp-claimSigning, OID 1.3.6.1.4.1.62558.2.1) with its serial as the domain separator, or the CAWG identity (the did:web issuer / cawg.web_site.uri that’s already DNS-native). The private key never leaves the signer — a secure element, an in-camera module, an HSM, an agent’s keystore; the address is a one-way function of its public half and that identifier. No new artifact in the manifest — you anchor the signer it already references.

Claim-signer key EE cert · CAWG id · SE / HSM never leaves the signer private key sealed public key + cert serial /128 2a04:2a01:c0d::5e2 routable identity DNSSEC + DANE-EE A signer anyone can verify whisper verify --trustless no Trust-List slot required op:revoke → gone worldwide at DNS-TTL
The signer cert serial already rides in every manifest via x5chain — a good identifier trapped behind a gate-kept list. Whisper binds it to a routable, publicly verifiable /128 and gives it the fine-grained off-switch optional OCSP/CRL never delivered.

“Unknown source” becomes “verified by your domain”

Off-list is no longer a dead end. Any verifier resolves the DANE record under the domain you control — no list to join, no CA invoice, no coalition.

Cross-org trust with no shared list

A newsroom verifies a different org’s signer with no private allow-list in common — a shared DNS root is the only anchor either side needs.

A stolen key stops fast

One op:revoke and dig -x returns nothing, verify returns false — the exposure window shrinks from “until OCSP, if ever” to minutes. It bounds the damage; it can’t un-sign what was minted before.

Per-unit, not per-model

When a whole device fleet’s certs had to be revoked at once, that was per-model blast radius. A per-signer /128 revokes one unit worldwide and leaves the rest verifiable.

Attaches to what you already ship — it does not replace it. Whisper complements the Content Credential you already emit — the C2PA manifest, the CAWG identity assertion, the RFC 3161 TSA countersignature, the in-camera secure element and durable content credentials / watermarking. It is the publicly verifiable, DNSSEC/DANE-anchored layer on top, anchoring the signer at the DNS/transport boundary — no bespoke trust store to push, and revocation at DNS-TTL instead of a committee-paced list removal. You can even DANE-pin the very signer cert your pipeline already uses.
Honest boundary — additive, not official. A DANE/DNSSEC anchor is a legitimate, pluggable trust source for a validator — it is not membership on the official C2PA Trust List and not a C2PA conformance route. The formal-recognition path runs through CAWG — surface the Whisper-anchored domain identity as a did:web issuer or via the signer_payload.sig_type extension point — and we’re proposing DANE to the standard as a complementary identity ecosystem. We describe the client and the public protocol, and we don’t claim “C2PA-approved.”
The cert serial is the public fingerprint — the /128 is its cryptographic counterpart. The serial flows in-band in every manifest via x5chain; that’s useful for interop but it’s not a secret. The /128 is bound to the signer’s key and the serial — so the serial alone yields nothing. You cannot go serial → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never a creator’s whereabouts. Because the derivation is tenant-bound, the same signer under two publishers yields two unrelated /128s — no one can link a creator across outlets. Offer org- or domain-level anchoring and pseudonymity, so a journalist or whistleblower is never forced to dox.
Lifecycle, end to end. Signer key → in-life signing → incident revoke. A key rotation re-keys to a new /128 and revokes the old; a change of outlet is one revoke and a re-register to the new owner. Compromise one signer and you’ve compromised that signer, not the whole coalition. And nothing is issued in the dark: every mint and every revoke lands in a public, Bitcoin-anchored transparency log. Honest status: tamper-evident, Ed25519-signed and OpenTimestamps-anchored today — independent witnessing is the next step.

Maps to EU AI Act Art.50 machine-readable marking and Recital 133’s enumerated “cryptographic methods for proving provenance,” to ISO 22144, and to CAWG — delivered as a network primitive, not a compliance binder. See the compliance map →

See who verified your content — a loop C2PA structurally can’t close.

An identity anyone can verify is also an identity you can watch. Because a DNS/DANE-anchored signer resolves through Whisper’s own authoritative DNS and RDAP, every verification leaves a trace — and the signer sees exactly who looked, where, and how often.

Signed content out in the wild platform · ingestion check newsroom · verify desk reader · fact-checker AAAA·TLSA·RDAP Whisper auth DNS + RDAP registry op:lookups The signer who · where · how often write-only provenance becomes a two-way loop — the one thing C2PA's no-network-call design can't give you
Every DANE-validated verification generates DNS/TLSA/RDAP lookups — so op:lookups turns write-only provenance into a feedback loop: who verified your content, where it travelled, where credentials got checked.

Who verified this is a query

op:lookups returns who resolved or RDAP-queried a signer’s identity — where your content travelled, where credentials were checked, and an early warning that someone is enumerating or impersonating your signer.

Catch the impostor cert

The attribution graph (CALL whisper.identify, 7.44B nodes) back-traces a controller reusing a lifted identity assertion or a stolen signing key across rotating clouds — evidence-grade and replayable.

Give your AI agents a signer identity

The direction: an agent that signs its own C2PA claim (+ a CAWG identity assertion) with a Whisper-anchored, revocable /128 gets trusted-signer status without a Trust-List slot — the one thing agent stacks can’t get today. First-class typed --signer support is on the roadmap.

Per-signer firewall, budget, revoke

op:firewall allow/deny by host, cidr or port; op:budget caps an agent-signer’s traffic; op:revoke cuts a compromised signer off worldwide in one call — the control plane, not just the identity.

The same address-is-the-signer primitive that anchors a newsroom’s byline also anchors the AI agents that will soon sign their own outputs under Art.50 — per-agent /128, per-agent logs, default-deny egress, one revoke. From day one.

Don’t take our word for it — our API isn’t in the trust path.

Two tiers, by design. No key: anyone can verify a signer’s identity, resolve it, and back-trace an impostor — trustless, anchored at the IANA root. Your key: bind a signer to the cert serial it already carries, govern it, revoke it worldwide.

verify & attribute — no key required
# keyless — re-derive and verify any signer's identity, trustless
$ whisper verify --trustless 2a04:2a01:c0d::5e2
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the claim-signer's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the signer — reverse DNS names it
$ dig -x 2a04:2a01:c0d::5e2 +short
  signer-3f2504e0.newsroom.example.whisper.online.

# who really operates a controller reusing a lifted identity assertion — a CALL whisper.identify()
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"185.42.x.x\")"}'
  operator:  <fingerprinted> · same tooling across 3 clouds, 1 residential swarm
  reused identity assertion seen on 12 unrelated assets → 1 operator
provision & govern — with your key
# bind a signer to the C2PA cert serial it already carries, and govern it
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the signer key>',
       device_id:'3F2504E04F8911D39A0C0305E82C3301'}})"   # device_id = the signer cert serial
  → identity 2a04:2a01:c0d::5e2   DNSSEC + DANE live · TLSA published under newsroom.example
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" \
    --data-urlencode "q=CALL whisper.agents({op:'lookups', args:{address:'2a04:2a01:c0d::5e2'}})"   # who verified my content, where, how often
$ whisper kill --revoke 2a04:2a01:c0d::5e2   # stolen key → gone worldwide, at DNS-TTL

C2PA proves the pixels weren’t changed. Whisper proves who signed them — anchored in open DNSSEC/DANE, with no central trust list to join.

C2PA and Content Credentials carry the tamper-evident manifest — who, when, which tools, which edits — and they do it well; we don’t recreate them. Watermarking (SynthID, Meta Seal) embeds an invisible AI-origin signal that survives a screenshot — a different job, marking origin, not identity, and also not ours. Whisper adds the one layer none of them own: a publicly verifiable signer identity anchored in open DNSSEC/DANE (no central Trust List), plus who-verified analytics. Additive to all of them; a fork of none — the manifest stays theirs, the signer becomes publicly verifiable.

C2PA / Content CredentialsWatermarking (SynthID / Meta Seal)Whisper
Tamper-evident manifest (who / how / edits)additive
Invisible signal that survives a screenshot / re-encode
Publicly verifiable signer identity, no central trust list
Signer revocation at DNS-TTL, one call
Verification analytics — who verified your content

It attaches to the manifest you already emit — DANE-pin the very signer cert your C2PA pipeline already uses — and lands as a machine-readable feed into your SIEM: the Splunk connector ships today, with Microsoft Sentinel, OpenCTI and STIX 2.1/TAXII on the roadmap. It doesn’t replace your Content Credentials, and it doesn’t solve metadata-stripping — that’s watermarking’s job, complementary, out of our scope.

See the full comparison →

Additive to your pipeline. Mapped to your standards. Availability-safe by construction.

Signer identity /128 · DNSSEC · DANE-EE · bound to the claim-signer cert serial — who signed, provably C2PA · CAWG · did:web Verification analytics op:lookups + attribution graph — who verified your content, and who's impersonating it 7.44B nodes · DNS·TLSA·RDAP Egress governance per-signer /128 · policy · lookups · firewall · budget · revoke — what may talk to what default-deny THE ADDRESS IS THE SIGNER AS219419 · 2a04:2a01::/32 Your pipeline C2PA + CAWG · watermarking Machine-readable Splunk · Merkle log · CEF / ECS Your standards EU AI Act Art.50 · ISO 22144
Three planes on one primitive — and all three exit into the pipeline you already run, not a new silo.

Turnkey Art.50 evidence

Sign under a publicly-resolvable identity and you advance Art.50(2)’s “interoperable, robust, reliable” bar — the exact Recital 133 technique (“cryptographic methods for proving provenance”), made accessible to the public via open DNS. Honest: the AI-generated declaration rides in the C2PA manifest (digitalSourceType); Whisper anchors the signer, it doesn’t make you compliant. See the map →

Nothing issued in the dark

Every identity mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable issuance trail for a disclosure duty or an ICC evidentiary dossier. Honest status: tamper-evident today, independent witnessing is the next step.

Additive & availability-safe

It rides existing DNS/IPv6 and adds no chokepoint to your signing pipeline. Verification degrades to your existing anchors if a Whisper node is slow, and it’s anycast on AS219419 — no single node in the path, built to fail open.

One identity fabric, every signer

Derived from the key already behind the signer — a newsroom’s org cert, an in-camera secure element, a stringer’s laptop, an agent’s keystore. No second PKI, no per-cert tax, no re-issuing the fielded fleet: one verifiable /128 anyone can check.

Flat, predictable pricing

Per-signer/year and flat — not per-cert, not per-verification. Against the ~$289/yr per-cert coalition toll, it’s a line item you can forecast, and it brings your stringers and independents in from the cold. See pricing →

A vendor that will still be here

Real routable address space (AS219419), run by people who ran the internet’s regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start.

Give every signer an identity anyone can verify.

The address is the signer — a DNSSEC/DANE-anchored /128 under your own domain, no Trust-List slot, no ~$289/yr toll, revocable worldwide in one call — plus who-verified analytics C2PA can’t provide. Additive to your Content Credentials, never a fork. Keyless to try, one call to provision, one more to revoke.

Or run whisper verify --trustless right now.