C2PA proves the pixels weren't changed. It doesn't prove who signed them — publicly, with no list to join.
The C2PA Trust List, CAWG and the watermark in your pipeline are each excellent at one job, and you should keep running every one of them. But the honest question a verifier is left holding — can I trust this signer, without a coalition's permission, and can the signer revoke a stolen key before the damage spreads? — sits in a seam none of them was built to close. That seam is publicly verifiable signer identity.
whisper verify --trustless — the one differentiator every tool here lacks: you never have to trust our API.
op:lookups)Every layer here is good. The trust in the signer survives in the seam between them.
Line the content-authenticity stack up against the questions an incident actually forces — is this intact? did the signal survive a re-encode? who is the creator? can I trust the signer, publicly and revocably? — and the picture is honest and simple. The manifest, the watermark and the creator identity are well covered. Public, revocable trust in the signer, and the feedback loop of who verified, are the seam.
Nothing above gets torn out. The rest of this page is the honest, incumbent-by-incumbent map: what each layer owns, exactly where Whisper is additive, and — just as important — where Whisper is not the answer.
The Trust List owns the official registry. Whisper is a pluggable second anchor — self-verifying, no list to join.
The C2PA Trust List and Conformance Program (launched mid-2025) are the ecosystem's recognized-signer registry: a curated set of X.509 trust anchors for CAs issuing to conforming signers, gated by a Product Security Architecture submission and assurance levels 1–2, alongside a separate TSA Trust List. That registry is real, valuable work — a verifier that trusts it gets a clean yes/no on a signer. Keep it. Whisper does not replace it.
Here is the honest hook, and it is C2PA's own design: the spec mandates no particular list or PKI — trust lists and anchors are pluggable configuration inputs to the validator. So a signer whose end-entity cert is vouched for by a DNSSEC-signed TLSA/DANE record on the signer's own domain is a legitimate additional trust source, not a fork of C2PA. That closes the registry's most-documented gap without touching the manifest: content signed by an off-list CA displays “unknown source”, and there is no free, automated path — no ACME, “no Let's Encrypt for provenance” — for an independent creator, a stringer, a small newsroom or an AI agent to become a recognized signer. Commercial C2PA certs run about $289/yr, and the recognized-CA set is controlled by a small coalition. A domain owner who already runs DNSSEC can make a signer publicly verifiable with dig — no gatekeeper, no annual toll, no list to join.
Two more things the registry can't do, that fall out of DNS for free. Per-unit revocation. When a camera vendor's signing service was compromised in 2025, the only lever was to revoke that vendor's entire set of device certs at once — coarse, model-wide, and still not fully restored a year on. A per-unit DNSSEC/DANE signer identity lets you revoke one device or one signer in a single call, at DNS-TTL, without dark-ing the fleet — where C2PA revocation is optional OCSP/CRL that a compromised signer can outlive. And a feedback loop. C2PA verification needs no network call — the certs travel in-band — so a signer normally has zero visibility into who checked their content. Because a DANE-anchored signer is resolved in DNS, op:lookups turns every verification into a “who verified my content” signal — a genuinely empty quadrant no incumbent occupies.
"C2PA already has a Web Domain Trust Anchor experiment. Isn't a DNS anchor already covered?"
That experiment points exactly here — and Whisper uses the mechanism it didn't. C2PA's own experimental Web Domain Trust Anchor puts a self-signed cert in an HTTPS /c2pa.json well-known file, and its authors flag domain-takeover and validator-fetches-from-origin privacy as open problems. A DNSSEC-signed TLSA record removes both: the chain is validated to the IANA root with no origin fetch, and the resolution itself is the who-verified signal. One caveat we state plainly: DANE is not yet a formally recognized C2PA conformance anchor — today conformance centers on X.509 and the curated Trust List. We surface it as a complementary identity ecosystem through CAWG, and we're proposing it to the standard. Additive, and honest about its status.
CAWG owns creator identity — and it's already DNS-native. Whisper is the root it's looking for.
The Creator Assertions Working Group's Identity Assertion (v1.2, DIF-ratified 2025-12-15) binds a named human or organisation to a manifest: a credential holder signs a signer_payload that hash-references the manifest's assertions, via cawg.x509.cose (an org X.509 identity) or cawg.identity_claims_aggregation (a W3C VC from an aggregator). This is the layer that answers who created this, and it is genuinely good work. Whisper is complementary — it does not replace CAWG, it roots it.
CAWG is already reaching for DNS. Its ICA issuer is a DID — in real deployment a did:web, which resolves through DNS + HTTPS; and its verifiedIdentities[] carries cawg.web_site, a required URI for a domain the actor controls. But CAWG's own trust model splits into cawg.identity.trusted (chained to a recognized root) versus cawg.identity.well-formed (a valid signature with no root found) — the same “who anchors the root?” problem, which CAWG's docs flag as unresolved and urgent, and which the aggregator path answers by re-centralizing on a provider's did:web.
A Whisper DNSSEC-anchored domain identity slots straight into that seam, two ways. A first-class did:web root: your own DNSSEC-signed domain becomes a did:web issuer that verifiers trust through DNS, so you can run your own ICA issuer rather than lean on a third-party aggregator. And a DANE binding: DANE-bind cawg.web_site.uri and the cawg.x509.cose org cert to your domain, and a verifier turns well-formed but unrooted into trusted — with no S/MIME CA in the path. CAWG carries the creator's name; Whisper makes the domain behind it publicly, independently resolvable.
"If CAWG already has did:web and cawg.web_site, what does Whisper add?"
The anchor those fields resolve to, under your control. A did:web that resolves over plain HTTPS inherits every domain-takeover and CA-trust weakness of the web PKI; a cawg.web_site URI is only as trustworthy as whatever roots it. Anchor both in your own DNSSEC-signed zone with a DANE binding and the trust decision no longer routes through a coalition list or a provider aggregator — it routes through the DNS root you already trust. Same CAWG assertion, a root the verifier can check trustlessly.
Watermarking owns the thing a DANE-anchored signature honestly doesn't: surviving a re-encode.
Digimarc, Truepic's durable path, SynthID-class marks (Google SynthID, Meta Seal / Video Seal) and C2PA's durable Content Credentials solve a problem signatures can't touch: an invisible pixel or audio signal that survives a screenshot, a re-encode, or a platform re-compress — exactly the events that strip a C2PA manifest, which is embedded metadata (JUMBF) that any non-C2PA-aware resave deletes. This is a different layer, it is essential, and Whisper does not do it.
Two honest boundaries, stated plainly. A watermark answers “did this survive re-encode” and, for the AI-origin marks, “did this come out of a generator” — but a SynthID-class signal carries no verifiable creator identity, no edit history, no timestamp, and no revocation; it marks origin, not who. Whisper answers “who signed, provably and revocably” — and honestly does not re-anchor a signal that has been re-encoded past the point its manifest survives. The two are strictly complementary: pair a durable watermark (the soft binding that recovers a stripped manifest) with a DANE-anchored signer (the trust the recovered manifest still needs), and you have both survivability and public signer trust. OpenAI already dual-marks C2PA + SynthID for this exact reason; Whisper is the signer-trust layer underneath both.
Four layers, side by side — including the rows where the honest answer is not Whisper.
A comparison you can trust is one that shows where you don't win. Whisper owns the signer-trust column; it is a dash on re-encode survival, on purpose. Read it as an adjacency map, not a scoreboard.
| Capability | C2PA Trust List | CAWG | Watermarking | Whisper |
|---|---|---|---|---|
| Recognized-signer registry (the official allow-list) | ✓ | — | — | additive pluggable anchor |
| Self-verify a signer with no gatekeeper & no per-cert fee | — | partial | — | ✓ |
| Per-unit revocation at DNS-TTL, one call | — | — | — | ✓ |
“Who verified my content” analytics (op:lookups) | — | — | — | ✓ |
| Survives a manifest-stripping re-encode / screenshot | — | — | ✓ | — |
| Human / organisation creator identity | — | ✓ | — | ✓ via CAWG did:web |
Honest caveat on row 1: a DANE anchor is a legitimate pluggable trust source (C2PA mandates no particular PKI), not today a formally recognized C2PA conformance anchor — we surface it via CAWG and are proposing it to the standard.
Read down the columns and the division of labour is clean: the Trust List owns the official registry; CAWG owns creator identity; watermarking owns re-encode survival; and Whisper owns self-verify without a gatekeeper, per-unit revocation, and who-verified. Four owners, one stack, zero overlap you have to rip out.
"So what, precisely, do I buy Whisper for — in one sentence?"
For the signer-trust column, and nothing you already run. C2PA proves a manifest was signed; Whisper makes the signer publicly, independently verifiable in DNS — the identity ecosystem the C2PA spec says trust rests on but doesn't itself provide — so your machine-readable mark is anchored to a real, resolvable, revocable identity, with no curated allow-list required.
Every registry and feed here, you must trust. Ours, you don't have to.
Two tiers, by design. No key: anyone can re-derive and verify a signer's identity against the IANA DNS root, with our own API deliberately outside the trust path. Your key: anchor the signer your manifests already reference, see who verified it, and revoke a compromised key worldwide.
# keyless — re-derive and verify any C2PA signer's identity, trustless
$ whisper verify --trustless 2a04:2a01:c0::5
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA 3 1 1) vouches for C2PA signer cert serial 3F:2A:…:C0
✓ RDAP: identity registered under AS219419 · 2a04:2a01::/32
signer: VERIFIED — no Trust List joined, and our own API was never trusted
# the signer is a name anyone can resolve — reverse DNS names it
$ dig -x 2a04:2a01:c0::5 +short
signer-3f2a.c2pa.newsroom.example.
# who really operates a suspicious host behind a rotating CDN — the graph API, with your key
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"203.0.113.10\")"}'
operator: <fingerprinted> · seen across AWS / GCP / Azure
# anchor the C2PA signer your manifests ALREADY reference — pass its cert serial as device_id
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
identity_public_key:'<base64 SPKI of the signer key>',
device_id:'3F2A9C04F8911D39A0C0305E82C3301'}})" # device_id = the C2PA signer cert serial
→ identity 2a04:2a01:c0::5 DNSSEC + DANE-EE live · did:web + cawg.web_site bound
# who verified my content — the empty quadrant no manifest can fill (op:lookups)
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" \
--data-urlencode "q=CALL whisper.agents({op:'lookups', args:{identity:'2a04:2a01:c0::5'}})"
312 verifications · 47 RDAP · top: a fact-check desk, 2 platforms at ingest
# a signing key leaked — revoke it worldwide in one call, at DNS-TTL (not a CRL round-trip)
$ whisper kill --revoke 2a04:2a01:c0::5
✓ TLSA/DANE pin withdrawn · PTR gone · logged to the public transparency log
And the on-mission door: a signer identity for AI agents. An AI tool that marks its output with c2pa.actions (c2pa.created) and an IPTC digitalSourceType of trainedAlgorithmicMedia still faces the open question C2PA doesn't answer — who signed it, and can I trust that signer? Give the agent a Whisper-anchored, DNSSEC/DANE-verifiable, revocable identity derived from its own key, and it gets trusted-signer status with no Trust-List slot and no CA fee — the one thing agent stacks can't otherwise get. The agent's identity is the C2PA signer identity. See sign · verify · who-verified →
Whisper is one layer, done well. It sits beside these — not over them.
Naming the boundary is the point: it's how you know exactly what you're buying, and what to keep buying elsewhere. We do not create the manifest, we do not embed the watermark, and we are not a truth oracle.
We don't create the Content Credential
The C2PA manifest — the assertions, the hard binding (c2pa.hash.data), the edit history, the AI-generated assertion Art.50 marking needs — is built and signed by CAI / Content Credentials tooling. Whisper anchors the signer that manifest already references. Always additive to C2PA, never instead of it.
We don't embed the watermark
Durability against re-encode and screenshot — SynthID, Meta Seal, Digimarc, durable Content Credentials — is a pixel and soft-binding problem, and it's a good one to own. Whisper anchors identity, not the signal in the bits. Run a durable watermark for recovery; run Whisper for signer trust.
We're not a truth oracle or deepfake detector
Provenance is origin and history, not veracity — a genuine signer can sign a photographed deepfake-on-a-screen, and an absent credential isn't proof of fakery. Whisper adds accountability: the liar is publicly named and revocable. Pair it with detection; don't ask it to be one.
We don't build manifests, embed watermarks, or judge truth, and we don't pretend to. Whisper is the publicly verifiable signer-identity layer — the one seam on this page every incumbent leaves open — and it's honest about being exactly that.
No new silo. Mapped to the standards you already cite. Priced so you can say yes.
The additive posture isn't just tidy architecture — it's what makes the buy defensible. Nothing you already run gets torn out; one line item closes the signer seam and feeds everything else.
A feed, not another console
Findings land as a machine-readable feed into the tools you own — the Splunk connector (signed JSON → CEF / ECS) ships today; Microsoft Sentinel, OpenCTI and STIX 2.1 over TAXII are on the roadmap. Zero analysts babysitting a new pane of glass.
Speaks your compliance language
Maps to EU AI Act Article 50(2) machine-readable marking — Recital 133 names “cryptographic methods for proving provenance” as an accepted technique, “accessible to the public,” which a public DNSSEC/DANE anchor answers directly — and to ISO/IEC 22144 Content Credentials. Evidences and strengthens; never “guarantees compliance.” See the map →
Nothing issued in the dark
Every signer identity minted and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable trail for a regulator. Honest status: tamper-evident today; independent witnessing is the next step. The audit trail →
Flat, forecastable pricing
Per-signer, per-year and flat — not per-verification, not usage-metered. No “no Let's Encrypt for provenance” toll for stringers and independents: one anchor covers your signers. Clear ROI in one revoke instead of a fleet-wide cert reset. See pricing →
Additive & availability-safe
It rides existing DNS/IPv6 and adds no inline chokepoint in your publishing path. The verify plane is built to fail open — a Whisper outage never blocks a signature; checks degrade to your existing Trust-List anchors. Anycast on AS219419, no single node in the path.
A vendor built to outlast the question
Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. Keyless to prove today, then POC → pilot → enterprise on real infrastructure.
"Additive sounds safe — but is it just another dependency I can't remove later?"
The opposite — it's the lowest switching cost on the page. The core claim (this address is that signer) is verifiable trustlessly against the IANA root, so you can audit it without trusting us at all; the verify plane fails open, so our uptime never gates a signature; and because it's additive, your manifests, your CAWG assertions and your watermark keep working if you walk away. Additive means low switching cost in both directions — the safest way to start.
Keep your stack. Anchor the signer.
Whisper is the publicly verifiable signer-identity layer that sits on top of the Trust List, CAWG and the watermark you already use — additive, mapped to your standards, flat to price. Keyless to try, one call to anchor, one more to revoke.
Or run whisper verify --trustless right now — our API isn't in the trust path.