# Compare — additive to the C2PA Trust List, CAWG & watermarking, never a replacement

> C2PA proves the pixels weren't changed. It doesn't prove *who signed them — publicly, with no list to join.*
> The C2PA Trust List, CAWG and the watermark in your pipeline are each excellent at one job —
> keep running every one. Whisper is the one layer none of them owns: publicly verifiable
> signer identity, anchored in your own DNSSEC/DANE, revocable per-unit at DNS-TTL, with
> who-verified analytics — and it's additive to all three.

The honest question a verifier is left holding — *can I trust this signer, without a coalition's
permission, and can the signer revoke a stolen key before the damage spreads?* — sits in a seam
none of these layers was built to close. That seam is **publicly verifiable signer identity**.
Whisper is that one layer, and only that. Additive, never a replacement: it anchors the signer
your manifests already reference, and makes the Trust List, CAWG and your watermark sharper.
**The signer is a name anyone can resolve — and no one can forge.**

`whisper verify --trustless` — the one differentiator every tool here lacks: you never have to trust *our* API.

- **4 layers** — the Trust List, CAWG, watermarking & Whisper — additive, never a swap
- **0** — rip-and-replace; Whisper anchors the signer your manifest already names
- **no list** — self-verify a signer via DNSSEC/DANE — no coalition allow-list, no per-cert toll
- **DNS-TTL** — revoke a compromised signer in one call — not a CRL round-trip or a committee
- **who verified** — the empty quadrant — analytics no incumbent provides (`op:lookups`)
- **trustless** — verify a signer without trusting our API — anchored at the IANA root

---

## Every layer here is good. The trust in the signer survives in the seam *between* them.

Line the content-authenticity stack up against the questions an incident actually forces —
*is this intact? did the signal survive a re-encode? who is the creator? can I trust the signer,
publicly and revocably?* — and the picture is honest and simple. The manifest, the watermark and
the creator identity are well covered. Public, revocable trust in the **signer**, and the
feedback loop of who verified, are the seam.

```
① Is the content tamper-evident (who / edits / AI label)?  ──▶  covered — C2PA · Content Credentials (manifest layer)
② Did the signal survive a re-encode or screenshot?        ──▶  covered — watermarking (SynthID · Meta Seal · Digimarc)
③ Who is the human / organisation creator?                 ──▶  covered — CAWG (did:web issuer + cawg.web_site)
④ Trust the signer publicly — no list, revocable,          ──▶  SEAM — Trust List curated & gated · CAWG root often
   and see who verified?                                          unfound · who-verified empty

                             Whisper spans ④ and feeds ① + ③ (surfaced via a CAWG identity assertion)
                             DANE-EE signer · DNS-TTL revoke · op:lookups = who verified
```

Additive by construction: Whisper owns the signer-trust layer no one else does, and hands the
manifest and creator-identity layers a resolvable anchor. Keep C2PA, keep CAWG, keep your
watermark — Whisper closes the one seam they can't reach. Nothing above gets torn out.

---

## The Trust List owns the official registry. Whisper is a pluggable second anchor — self-verifying, no list to join.

The C2PA Trust List and Conformance Program (launched mid-2025) are the ecosystem's
**recognized-signer registry**: a curated set of X.509 trust anchors for CAs issuing to
conforming signers, gated by a Product Security Architecture submission and assurance levels
1–2, alongside a separate TSA Trust List. That registry is real, valuable work — a verifier
that trusts it gets a clean yes/no on a signer. Keep it. Whisper does not replace it.

Here is the honest hook, and it is C2PA's own design: the spec **mandates no particular list or
PKI** — trust lists and anchors are *pluggable configuration inputs to the validator*. So a
signer whose end-entity cert is vouched for by a **DNSSEC-signed TLSA/DANE record on the signer's
own domain** is a legitimate *additional* trust source, not a fork of C2PA. That closes the
registry's most-documented gap without touching the manifest: content signed by an off-list CA
displays "unknown source", and there is no free, automated path — no ACME, "no Let's Encrypt for
provenance" — for an independent creator, a stringer, a small newsroom or an AI agent to become a
recognized signer. Commercial C2PA certs run about **$289/yr**, and the recognized-CA set is
controlled by a small coalition. A domain owner who already runs DNSSEC can make a signer
publicly verifiable with `dig` — no gatekeeper, no annual toll, no list to join.

```
C2PA manifest (COSE_Sign1 · x5chain, RFC 9360)
  └─ EE signer cert in-band · serial 3F:2A:…:C0
        │  who signed?
        ├─▶ Path A · today — the curated Trust List
        │     is the CA on the coalition allow-list? · ~$289/yr · assurance levels 1–2 · gated
        │     revocation: optional OCSP / CRL · per-model · off-list → "unknown source"
        │
        └─▶ Path B · additive — self-verify via DANE
              _c2pa.signer.example  TLSA 3 1 1 …   (the signer's own DNSSEC zone vouches for the serial)
              no list · no CA fee · verify with dig · op:revoke → gone at DNS-TTL · op:lookups = who verified
              surfaced to C2PA via a CAWG identity assertion

   Any verifier — both anchors are pluggable — whisper verify --trustless
```

The signer cert serial already travels in every conformant manifest. Whisper anchors that same
serial under the signer's own DNSSEC/DANE — an additional pluggable trust source that self-verifies
with no list, revokes at DNS-TTL, and is surfaced to C2PA through a CAWG identity assertion.

Two more things the registry can't do, that fall out of DNS for free. **Per-unit revocation.**
When a camera vendor's signing service was compromised in 2025, the only lever was to revoke that
vendor's *entire* set of device certs at once — coarse, model-wide, and still not fully restored a
year on. A per-unit DNSSEC/DANE signer identity lets you revoke *one* device or *one* signer in a
single call, at DNS-TTL, without dark-ing the fleet — where C2PA revocation is optional OCSP/CRL a
compromised signer can outlive. And **a feedback loop.** C2PA verification needs no network call —
the certs travel in-band — so a signer normally has *zero* visibility into who checked their
content. Because a DANE-anchored signer *is* resolved in DNS, `op:lookups` turns every verification
into a "who verified my content" signal — a genuinely empty quadrant no incumbent occupies.

> **"C2PA already has a Web Domain Trust Anchor experiment. Isn't a DNS anchor already covered?"**
> That experiment points exactly here — and Whisper uses the mechanism it didn't. C2PA's own
> experimental Web Domain Trust Anchor puts a self-signed cert in an HTTPS `/c2pa.json`
> well-known file, and its authors flag domain-takeover and validator-fetches-from-origin privacy
> as *open problems*. A DNSSEC-signed TLSA record removes both: the chain is validated to the IANA
> root with no origin fetch, and the resolution itself is the who-verified signal. One caveat we
> state plainly: **DANE is not yet a formally recognized C2PA *conformance* anchor** — today
> conformance centers on X.509 and the curated Trust List. We surface it as a complementary
> identity ecosystem through CAWG, and we're proposing it to the standard. Additive, and honest
> about its status.

---

## CAWG owns creator identity — and it's already DNS-native. Whisper is the root it's looking for.

The Creator Assertions Working Group's Identity Assertion (v1.2, DIF-ratified 2025-12-15) binds a
named human or organisation to a manifest: a credential holder signs a `signer_payload` that
hash-references the manifest's assertions, via `cawg.x509.cose` (an org X.509 identity) or
`cawg.identity_claims_aggregation` (a W3C VC from an aggregator). This is the layer that answers
*who created this*, and it is genuinely good work. Whisper is complementary — it does not replace
CAWG, it *roots* it.

CAWG is already reaching for DNS. Its ICA `issuer` is a **DID — in real deployment a `did:web`**,
which resolves through DNS + HTTPS; and its `verifiedIdentities[]` carries **`cawg.web_site`**, a
required URI for a domain the actor controls. But CAWG's own trust model splits into
`cawg.identity.trusted` (chained to a recognized root) versus `cawg.identity.well-formed` (a valid
signature with *no root found*) — the same "who anchors the root?" problem, which CAWG's docs flag
as *unresolved and urgent*, and which the aggregator path answers by re-centralizing on a
provider's `did:web`.

A Whisper DNSSEC-anchored domain identity slots straight into that seam, two ways. **A first-class
`did:web` root:** your own DNSSEC-signed domain becomes a `did:web` issuer that verifiers trust
through DNS, so you can run your *own* ICA issuer rather than lean on a third-party aggregator. And
**a DANE binding:** DANE-bind `cawg.web_site.uri` and the `cawg.x509.cose` org cert to your domain,
and a verifier turns `well-formed but unrooted` into `trusted` — with no S/MIME CA in the path.
CAWG carries the creator's name; Whisper makes the domain behind it publicly, independently
resolvable.

> **"If CAWG already has did:web and cawg.web_site, what does Whisper add?"**
> The anchor those fields resolve *to*, under your control. A `did:web` that resolves over plain
> HTTPS inherits every domain-takeover and CA-trust weakness of the web PKI; a `cawg.web_site` URI
> is only as trustworthy as whatever roots it. Anchor both in your own DNSSEC-signed zone with a
> DANE binding and the trust decision no longer routes through a coalition list or a provider
> aggregator — it routes through the DNS root you already trust. Same CAWG assertion, a root the
> verifier can check trustlessly.

---

## Watermarking owns the thing a DANE-anchored signature honestly doesn't: surviving a re-encode.

Digimarc, Truepic's durable path, SynthID-class marks (Google SynthID, Meta Seal / Video Seal) and
C2PA's durable Content Credentials solve a problem signatures can't touch: an invisible pixel or
audio signal that **survives a screenshot, a re-encode, or a platform re-compress** — exactly the
events that strip a C2PA manifest, which is embedded metadata (JUMBF) that any non-C2PA-aware resave
deletes. This is a different layer, it is essential, and Whisper does not do it.

Two honest boundaries, stated plainly. A watermark answers "did this survive re-encode" and, for
the AI-origin marks, "did this come out of a generator" — but a SynthID-class signal carries *no
verifiable creator identity, no edit history, no timestamp, and no revocation*; it marks origin, not
*who*. Whisper answers "who signed, provably and revocably" — and honestly does *not* re-anchor a
signal that has been re-encoded past the point its manifest survives. The two are strictly
complementary: pair a durable watermark (the soft binding that *recovers* a stripped manifest) with
a DANE-anchored signer (the trust the recovered manifest still needs), and you have both
survivability *and* public signer trust. OpenAI already dual-marks C2PA + SynthID for this exact
reason; Whisper is the signer-trust layer underneath both.

**Where we are candid about scope.** Whisper does not stop a screenshot or a heavy re-encode from
separating a credential — it improves *recovery* odds by anchoring a resolvable signer identity
beside a durable soft binding, but a determined stripper still wins; survivability is a probability,
not a guarantee. It does not make signed content *true* (provenance is origin and history, never
veracity), and it is not a deepfake detector (an absent credential is not proof of fakery). It
raises the value of signed-authentic content and names the accountable signer; it does not flag
unsigned-synthetic. That's the watermark's and the detector's job — run them alongside.

---

## Four layers, side by side — including the rows where the honest answer is *not Whisper*.

A comparison you can trust is one that shows where you *don't* win. Whisper owns the signer-trust
column; it is a dash on re-encode survival, on purpose. Read it as an adjacency map, not a scoreboard.

| Capability | C2PA Trust List | CAWG | Watermarking | Whisper |
|---|---|---|---|---|
| Recognized-signer registry (the official allow-list) | ✓ | — | — | additive pluggable anchor |
| Self-verify a signer with no gatekeeper & no per-cert fee | — | partial | — | ✓ |
| Per-**unit** revocation at DNS-TTL, one call | — | — | — | ✓ |
| "Who verified my content" analytics (`op:lookups`) | — | — | — | ✓ |
| Survives a manifest-stripping re-encode / screenshot | — | — | ✓ | — |
| Human / organisation creator identity | — | ✓ | — | ✓ via CAWG did:web |

*Honest caveat on row 1: a DANE anchor is a legitimate pluggable trust source (C2PA mandates no
particular PKI), **not** today a formally recognized C2PA conformance anchor — we surface it via
CAWG and are proposing it to the standard.*

Read down the columns and the division of labour is clean: **the Trust List owns the official
registry**; **CAWG owns creator identity**; **watermarking owns re-encode survival**; and **Whisper
owns self-verify without a gatekeeper, per-unit revocation, and who-verified**. Four owners, one
stack, zero overlap you have to rip out.

> **"So what, precisely, do I buy Whisper for — in one sentence?"**
> For the signer-trust column, and nothing you already run. C2PA proves a manifest was signed;
> Whisper makes the signer publicly, independently verifiable in DNS — the identity ecosystem the
> C2PA spec says trust *rests on* but doesn't itself provide — so your machine-readable mark is
> anchored to a real, resolvable, revocable identity, with no curated allow-list required.

---

## Every registry and feed here, you must trust. Ours, you don't have to.

Two tiers, by design. **No key:** anyone can re-derive and verify a signer's identity against the
IANA DNS root, with our own API deliberately outside the trust path. **Your key:** anchor the signer
your manifests already reference, see who verified it, and revoke a compromised key worldwide.

```sh
# keyless — re-derive and verify any C2PA signer's identity, trustless
$ whisper verify --trustless 2a04:2a01:c0::5
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA 3 1 1) vouches for C2PA signer cert serial 3F:2A:…:C0
  ✓ RDAP: identity registered under AS219419 · 2a04:2a01::/32
  signer: VERIFIED — no Trust List joined, and our own API was never trusted

# the signer is a name anyone can resolve — reverse DNS names it
$ dig -x 2a04:2a01:c0::5 +short
  signer-3f2a.c2pa.newsroom.example.

# who really operates a suspicious host behind a rotating CDN — the graph API, with your key
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"203.0.113.10\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
```

```sh
# anchor the C2PA signer your manifests ALREADY reference — pass its cert serial as device_id
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the signer key>',
       device_id:'3F2A9C04F8911D39A0C0305E82C3301'}})"   # device_id = the C2PA signer cert serial
  → identity 2a04:2a01:c0::5   DNSSEC + DANE-EE live · did:web + cawg.web_site bound

# who verified my content — the empty quadrant no manifest can fill (op:lookups)
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" \
    --data-urlencode "q=CALL whisper.agents({op:'lookups', args:{identity:'2a04:2a01:c0::5'}})"
  312 verifications · 47 RDAP · top: a fact-check desk, 2 platforms at ingest

# a signing key leaked — revoke it worldwide in one call, at DNS-TTL (not a CRL round-trip)
$ whisper kill --revoke 2a04:2a01:c0::5
  ✓ TLSA/DANE pin withdrawn · PTR gone · logged to the public transparency log
```

**And the on-mission door: a signer identity for AI agents.** An AI tool that marks its output with
`c2pa.actions` (`c2pa.created`) and an IPTC `digitalSourceType` of `trainedAlgorithmicMedia` still
faces the open question C2PA doesn't answer — *who signed it, and can I trust that signer?* Give the
agent a Whisper-anchored, DNSSEC/DANE-verifiable, revocable identity derived from its *own* key, and
it gets trusted-signer status with no Trust-List slot and no CA fee — the one thing agent stacks
can't otherwise get. The agent's identity *is* the C2PA signer identity.
[See sign · verify · who-verified →](/docs/content-recipes)

---

## Whisper is one layer, done well. It sits beside these — not over them.

Naming the boundary is the point: it's how you know exactly what you're buying, and what to keep
buying elsewhere. We do not create the manifest, we do not embed the watermark, and we are not a
truth oracle.

- **We don't create the Content Credential.** The C2PA manifest — the assertions, the hard binding (`c2pa.hash.data`), the edit history, the AI-generated assertion Art.50 marking needs — is built and signed by CAI / Content Credentials tooling. Whisper anchors the *signer* that manifest already references. Always additive to C2PA, never instead of it.
- **We don't embed the watermark.** Durability against re-encode and screenshot — SynthID, Meta Seal, Digimarc, durable Content Credentials — is a pixel and soft-binding problem, and it's a good one to own. Whisper anchors identity, not the signal in the bits. Run a durable watermark for recovery; run Whisper for signer trust.
- **We're not a truth oracle or deepfake detector.** Provenance is origin and history, not veracity — a genuine signer can sign a photographed deepfake-on-a-screen, and an absent credential isn't proof of fakery. Whisper adds *accountability*: the liar is publicly named and revocable. Pair it with detection; don't ask it to be one.

We don't build manifests, embed watermarks, or judge truth, and we don't pretend to. Whisper is the
publicly verifiable signer-identity layer — the one seam on this page every incumbent leaves open —
and it's honest about being exactly that.

---

## No new silo. Mapped to the standards you already cite. Priced so you can say yes.

The additive posture isn't just tidy architecture — it's what makes the buy defensible. Nothing you
already run gets torn out; one line item closes the signer seam and feeds everything else.

- **A feed, not another console.** Findings land as a machine-readable feed into the tools you own — the **Splunk** connector (signed JSON → CEF / ECS) ships today; **Microsoft Sentinel**, OpenCTI and STIX 2.1 over TAXII are on the roadmap. Zero analysts babysitting a new pane of glass.
- **Speaks your compliance language.** Maps to **EU AI Act Article 50(2)** machine-readable marking — Recital 133 names "cryptographic methods for proving provenance" as an accepted technique, "accessible to the public," which a public DNSSEC/DANE anchor answers directly — and to **ISO/IEC 22144** Content Credentials. Evidences and strengthens; never "guarantees compliance." [See the map →](/for-newsrooms)
- **Nothing issued in the dark.** Every signer identity minted and every revoke lands in a public, append-only **RFC 6962 Merkle transparency log**, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable trail for a regulator. *Honest status:* tamper-evident today; independent witnessing is the next step. [The audit trail →](/docs/content-compliance)
- **Flat, forecastable pricing.** Per-signer, per-year and flat — not per-verification, not usage-metered. No "no Let's Encrypt for provenance" toll for stringers and independents: one anchor covers your signers. Clear ROI in one `revoke` instead of a fleet-wide cert reset. [See pricing →](/pricing)
- **Additive & availability-safe.** It rides existing DNS/IPv6 and adds **no inline chokepoint** in your publishing path. The verify plane is built to **fail open** — a Whisper outage never blocks a signature; checks degrade to your existing Trust-List anchors. Anycast on AS219419, no single node in the path.
- **A vendor built to outlast the question.** Real routable address space (**AS219419**), run by people who ran the internet's regional address registry and operated one of its root DNS servers. Keyless to prove today, then POC → pilot → enterprise on real infrastructure.

> **"Additive sounds safe — but is it just another dependency I can't remove later?"**
> The opposite — it's the lowest switching cost on the page. The core claim (this address is that
> signer) is verifiable trustlessly against the IANA root, so you can audit it without trusting us
> at all; the verify plane fails open, so our uptime never gates a signature; and because it's
> additive, your manifests, your CAWG assertions and your watermark keep working if you walk away.
> *Additive* means low switching cost in both directions — the safest way to start.

---

## Keep your stack. Anchor the signer.

Whisper is the publicly verifiable signer-identity layer that sits on top of the Trust List, CAWG
and the watermark you already use — additive, mapped to your standards, flat to price. Keyless to
try, one call to anchor, one more to revoke.

Prove your content → <https://console.whisper.security/sign-up> · [For newsrooms →](/for-newsrooms)

Or run `whisper verify --trustless` right now — our API isn't in the trust path.

---

*Whisper for Content · Publicly verifiable signer identity for Content Credentials · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
