Whisper · Docs
Content

Content compliance: EU AI Act Article 50, C2PA & ISO 22144

EU AI Act Article 50 is the forcing function: providers must mark AI-generated or manipulated content in a machine-readable way, and C2PA Content Credentials are the leading mechanism for that mark. A verifiable, revocable signer identity strengthens that mark, but it is a feature and a piece of evidence, not a compliance certificate.

This page is the honest map. A C2PA manifest signed by an X.509 cert that a verifier can only trust if it sits on a gate-kept Trust List answers "was this signed?" It does not, on its own, answer "by whom, provably, without a curated allow-list, and can you revoke that signer per-unit?" A routable, DANE-provable, one-call-revocable IPv6 /128 for the signer answers that second question and produces the verification analytics and the tamper-evident issuance trail a standards or procurement reviewer wants as evidence. It is also honest about where it does not fit: it is not Trust-List membership, not a conformity route, and provenance is not truth.

How to read this page. We grade every requirement into one of three verdicts and never blur them. DIRECT-ADDITIVE: Whisper produces evidence that maps to the requirement (as one input, never the whole framework). COMPLEMENTARY: the standard defines the C2PA manifest, its Trust List, or an identity assertion; Whisper is a pluggable trust source alongside it and can DANE-anchor the signer, but does not replace it or grant membership in it. DO-NOT-CLAIM: things a valid signature simply does not prove; we list them so nobody over-claims. The per-standard /// column in the map is the glance grade behind those verdicts.

What every framework is really asking

Read Article 50, the C2PA Trust Model chapter, the CAWG identity assertion and ISO 22144 side by side and the same three questions surface, phrased in four vocabularies:

The first question is C2PA's job, and Whisper never claims otherwise: the "this is AI" assertion lives in the manifest. The second and third are exactly where the C2PA spec names its own dependency: it says trust rests on "an identity ecosystem substantiating that the signing key belongs to the Signer," and it provides the signature format and a curated CA list, not that public ecosystem. A DNSSEC/DANE-anchored, publicly resolvable signer identity is such an ecosystem. That is the whole of Whisper's honest role here.

Three verdicts, stated up front

Before a single row of the map, here's the grading rule: a content-compliance page that claimed to "make you EU AI Act compliant" or "put you on the C2PA Trust List" would be lying. Whisper is a network primitive. Against a given requirement it does exactly one of three things, and we mark which:

grade every requirement honestly, never blur the three Read the requirement what does it ask? DIRECT-ADDITIVE Whisper produces the evidence: one input to your package Art.50(2) marking · Art.50(4) disclosure Recital 133 · verification analytics COMPLEMENTARY a pluggable trust source · DANE-anchors the signer · never replaces it C2PA signer · Trust List · Conformance CAWG 1.2 · ISO 22144 DO-NOT-CLAIM what a signature does not prove: we say it plainly provenance ≠ truth · not detection survives no re-encode · no "compliant"
The honesty rule is the whole point of this page: a network primitive earns a verdict per requirement, and we mark DIRECT-ADDITIVE, COMPLEMENTARY or DO-NOT-CLAIM so a creator, a trust-and-safety reviewer and a procurement officer all read the same thing.

The evidence: real, and shipped

Everything this page grades DIRECT-ADDITIVE rests on primitives that exist and answer today. Each is checkable with dig, curl, or one control-plane call over the public API: POST https://graph.whisper.security/api/query with your X-API-Key.

Shipped & live. The signer-derived /128, op:lookups (who verified your content), one-call revoke, the Merkle transparency log and the attribution graph are in production. The Splunk, Microsoft Sentinel and OpenCTI connectors ship. Everything grouped under roadmap (a STIX/TAXII feed, a first-class typed CLI flag, and any submission into the C2PA Conformance Program) is labelled as such; nothing here is described as working unless you can reproduce it.

A signer-derived /128 identity

A C2PA claim signer is an X.509 end-entity cert (the only kind the spec allows for signing), and it already holds a key. Whisper derives a deterministic IPv6 /128 from that key's public SubjectPublicKeyInfo, with the signer's identifier as the domain separator: the signer cert serial for a tool/device signer, or a CAWG identity for an org/creator. The address is tenant-bound (unlinkable across signers to an outsider), DNSSEC-anchored, DANE-EE 3 1 1 pinned, and RDAP-registered. Re-deriving from the same key and identifier yields the same /128; the private key never leaves the signer, only its public SPKI is an input, and there is nothing new to store that a scraper could steal to forge it.

# Provision a signer identity from the key it already holds (control plane, live).
# identity_public_key is the base64 SPKI of the C2PA claim-signer's EE key.
CALL whisper.agents({op:'connect', args:{
  tier:'wireguard',
  identity_public_key:'<base64 SPKI of the signer key>',
  device_id:'0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D'   // the C2PA signer cert serial
}}) YIELD op, ok, status, result, error RETURN op, ok, status, result, error
# -> deterministic /128 + a WireGuard config. Same key + serial -> same /128 (idempotent).
#    A different serial on the same tenant -> 409; a non-string device_id -> 400. Never a 500.

0A1B…4C5D is a placeholder cert serial. No real signer or CA is implied. The device_id argument is generic: pass the signer cert serial, a CAWG identity, or the cawg.web_site URI of the org that controls the domain. A first-class --signer CLI flag is on the roadmap; provision via the control-plane call above today, which is live. To publish the DANE/TLSA record under your own DNSSEC-signed domain, so a verifier reads "signed by press.example-news.org", use the shipped BYOD flow (op:'domain' then op:'verify').

Who verified your content: op:lookups

C2PA verification needs no network call: the signer's cert chain travels in-band in the COSE header (x5chain, RFC 9360), so a signer normally has zero visibility into who checked their content. The only network events are OCSP/CRL and the TSA. That flips the moment the signer identity is DNS/DANE-anchored: a verifier that confirms your DANE-pinned signer resolves your PTR/AAAA/TLSA records (and may hit your RDAP object), and op:lookups surfaces exactly those resolutions. It is a capability C2PA structurally cannot give a signer: who verified my content, and when.

# Reverse observability: WHO resolved this signer's PTR/AAAA/TLSA, or hit its RDAP object
CALL whisper.agents({op:'lookups', args:{agent:'2a04:2a01:c2::51', window:'30d'}})
curl -s https://whisper.online/ip/2a04:2a01:c2::51/lookups | jq   # same view, keyless

# The signer's OWN outbound activity, if it is a live signing agent: per-event records
CALL whisper.agents({op:'logs',    args:{agent:'2a04:2a01:c2::51', kind:'conn', from:'-24h'}})

One-call, per-unit revoke

Containment is a single call. A C2PA-signing device fleet learned the cost of coarse revocation the hard way in 2025, when a camera vendor had to suspend its authenticity service and revoke its entire set of C2PA device certs after a security flaw: a fleet-wide off-switch, not a per-unit one. Whisper's revoke tears down one signer's /128, its PTR and its DANE record worldwide at DNS-TTL speed, and the teardown is provable with the same public tools that proved the identity.

CALL whisper.agents({op:'revoke', args:{agent:'2a04:2a01:c2::51'}})
# after the TTL:
dig -x 2a04:2a01:c2::51 +short                          # -> empty
curl -s https://whisper.online/verify-identity/2a04:2a01:c2::51   # -> {"is_whisper_agent": false}

The attribution graph

When a manifest carries a signer you distrust (an impostor cert claiming to be a wire service, a suspicious host distributing "signed" fakes), turning that into "known-bad" or "clean" is a read-only query against the public graph API. Attribution survives IP rotation because it fingerprints the operator and the tooling (ASN and hosting genealogy for cloud rotation, a JA4/JA3 client fingerprint for a residential-proxy swarm), not the ephemeral egress IP.

curl -s https://graph.whisper.security/api/query \
  -H "X-API-Key: whisper_live_xxx" \
  --data-urlencode "q=CALL whisper.identify('185.220.101.1')"
# -> what the address is, who operates it, threat-intel reputation, relationships:
#    a reproducible, replayable JSON evidence chain a fact-check desk or a court dossier can replay.

The read-only verbs (identify, origins, walk, variants, history) run the same way, over an infrastructure-and-threat-intelligence graph of billions of nodes.

The map, at a glance

Each row is a framework or standard, what it asks, a glance fit grade, our verdict, and the shipped evidence behind it. Read the verdict column first: it is the load-bearing part. Fit legend:  strong ·  partial ·  stretch ·  not applicable.

Framework · requirement What it asks for Fit Verdict Whisper evidence (shipped)
EU AI Act Art.50(2): provider marking Mark AI-generated / manipulated output in a machine-readable, interoperable, robust format DIRECT-ADDITIVE A C2PA-signed output is a machine-readable mark; a public DNSSEC/DANE signer anchor advances the interoperable/robust bar
EU AI Act Art.50(4): deployer disclosure Disclose deepfakes and AI-generated public-interest text DIRECT-ADDITIVE A publicly verifiable signer proves who disclosed what, when; op:lookups evidences the disclosure was checked downstream
EU AI Act Recital 133 Names acceptable techniques, incl. "cryptographic methods for proving provenance"; detection accessible to the public DIRECT-ADDITIVE Cryptographic provenance is an enumerated technique; a public DNS/DANE anchor is exactly the "accessible to the public" verification path
C2PA claim signer (COSE_Sign1 / x5chain) An X.509 EE cert; trust anchors are pluggable validator config COMPLEMENTARY Derive the EE signer's /128 from its key; DANE-anchor it as a legitimate alternative trust source: additive, never a fork
C2PA Trust List + Conformance A C2PA-managed list of X.509 anchors; assurance levels 1/2 via a security submission COMPLEMENTARY A pluggable anchor today; a Conformance submission and the CAWG signer_payload.sig_type route are proposed, not Trust-List membership
CAWG Identity Assertion 1.2 Bind a human/org creator; did:web issuer + cawg.web_site URI are DNS-native COMPLEMENTARY A DNSSEC-anchored domain is a first-class did:web root; DANE-bind the cawg.x509.cose cert to turn "well-formed" into "trusted"
ISO 22144 (DIS): Content credentials Standardises the C2PA architecture into procurement / regulatory language COMPLEMENTARY ¹ Raises demand for accessible signer identity; the same DANE-anchored signer serves an ISO-22144-framed procurement
US: NO FAKES / COPIED / FTC Digital-replica right; provenance-standard direction; impersonation liability (bills + a rule) COMPLEMENTARY Attributable signed provenance aids takedown/licensing and a defensible "what we did/didn't emit" record: softer, still emerging
Provenance = truth N/A DO-NOT-CLAIM A signature proves who + integrity, never that a claim is true: a valid sig can sit on a photographed deepfake-on-a-screen
Deepfake detection N/A DO-NOT-CLAIM Whisper is not a classifier; it anchors the signer, it does not judge the pixels
Surviving a manifest-stripping re-encode N/A DO-NOT-CLAIM Signing cannot prevent stripping (that is watermarking / soft-binding's job); analytics can only hint at it
"Makes you Art.50 / C2PA compliant" N/A DO-NOT-CLAIM The AI Act is technology-neutral and its harmonised standards are still being written: we "evidence/strengthen", never "guarantee"

¹ ISO/DIS 22144 is a draft, pre-publication, derived from C2PA 2.1; some sources cite the final designation as ISO/IEC 22144. Verify ISO vs ISO/IEC against the ISO catalogue before quoting it in a procurement document. See the caveats below.

DIRECT-ADDITIVE: EU AI Act Article 50

Where Article 50 asks a question the shipped primitives help answer, Whisper is a concrete input to your evidence, never the whole obligation. The Act is technology-neutral: it names goals and enumerates techniques, and leaves the "how" to harmonised standards and the AI Office's Code of Practice, both still being drafted through 2026. Read every claim below as "strengthens/evidences," not "satisfies."

the mark lives in the manifest: Whisper anchors who signed it AI output image · audio video · text C2PA manifest c2pa.created digitalSourceType: trainedAlgorithmicMedia the machine-readable "this is AI" mark Signed under a Whisper-anchored signer /128 · DNSSEC · DANE-EE the "who signed it" layer Public verify mark + signer, anyone Recital 133 · accessible to the public Whisper never asserts "this is AI": that assertion is the manifest's; a bare signature proves only WHO + integrity. op:lookups → who verified this output, and where the disclosure was checked
Article 50's machine-readable mark is the C2PA manifest's digitalSourceType assertion; Whisper anchors the signer of that manifest so the mark is bound to a real, publicly resolvable identity: the interoperable, public verification path Recital 133 describes.

Article 50(2): machine-readable marking of AI output

Art.50(2) obliges providers of generative-AI systems to ensure outputs are "marked in a machine-readable format and detectable as artificially generated or manipulated," with solutions "effective, interoperable, robust and reliable as far as technically feasible." A C2PA Content Credential (a COSE_Sign1 claim signature over assertions that include a hard binding to the asset bytes) is exactly such a machine-readable mark, and the "this is AI" content is the manifest's c2pa.created action plus a digitalSourceType of trainedAlgorithmicMedia. What Whisper adds sits on the interoperable / robust half of that bar: when the signer is anchored in public DNSSEC/DANE, any verifier can confirm the signer with no gatekeeper and no CA phone-home. That's a more open, more robust verification path than a curated allow-list. See Sign agent outputs for a signing tool or agent that signs its own C2PA claim under a Whisper-anchored identity.

The honest limit. A bare signature proves who signed and that the bytes are intact. It does not, by itself, declare content AI-generated. The "this is AI" claim must ride in the C2PA manifest's assertion; Whisper anchors the signer under it. We never present the signature as the AI mark.

Recital 133: an enumerated technique

Recital 133 is the most quotable line for this page. It lists acceptable techniques "such as watermarks, metadata identifications, cryptographic methods for proving provenance and authenticity of content, logging methods, fingerprints…" and says detection methods should be "made accessible… to enable the public to effectively distinguish AI-generated content." Cryptographic provenance is therefore an enumerated technique, and "accessible to the public" is precisely what a public DNSSEC/DANE anchor plus keyless verification answers, versus a private, curated allow-list a member of the public cannot consult. This is the strongest honest alignment on the page; it is still alignment with a recital (interpretive guidance), not a binding conformity test.

Article 50(4): deployer disclosure, made provable

Art.50(4) requires deployers to disclose deepfakes and AI-generated text published to inform the public on matters of public interest. A publicly verifiable signer turns that disclosure into a durable, non-repudiable record: who disclosed what, and when. It's anchored to a resolvable identity rather than a claim in a CMS. And because verification of a DANE-anchored signer generates lookups, op:lookups gives you evidence the disclosure was actually checked downstream.

# A signer proves its disclosure identity to a regulator or platform: keyless, no shared secret
whisper verify --trustless 2a04:2a01:c2::51
✓ DNSSEC chain valid to the IANA root   ✓ DANE-EE (TLSA 3 1 1) matches the signer's key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32   identity: VERIFIED (our API never trusted)

# Evidence the disclosure was checked downstream: who resolved the signer, and when
curl -s https://whisper.online/ip/2a04:2a01:c2::51/lookups | jq

Out of scope, by design: Art.50(1) (AI-interaction disclosure) and Art.50(5) (timing/manner of delivery) are not identity-signer requirements, and we do not map to them. Timeline: the Act entered into force 1 Aug 2024; Art.50 applies 2 Aug 2026; a provisional legacy grace (to ~2 Dec 2026 for models already on the market) is under discussion in the 2026 AI Omnibus. Treat it as a short reprieve to watch, not settled law. Fines under Art.99 reach €15M or 3% of worldwide turnover.

COMPLEMENTARY: alongside C2PA, never a fork

The C2PA ecosystem defines the manifest, its Trust List, and the CAWG identity assertion. Whisper does not, and must not claim to, be any of those. It complements them: it fills C2PA's own stated dependency on an identity ecosystem, it is a legitimate pluggable trust source (the spec makes trust lists and anchors config inputs to the validator, so a DANE/DNSSEC anchor is an alternative source, not a fork), and where a certificate is in play it can DANE-anchor it under a DNSSEC-signed domain.

two pluggable trust sources: one gate-kept, one self-verifying C2PA manifest COSE_Sign1 · x5chain claim signature + hard binding The signer EE cert · serial C2PA Trust List gate-kept · ~$289/yr · small coalition off-list → "unknown source" Whisper DANE anchor TLSA under your DNSSEC domain self-verifying · no gatekeeper · per-unit revoke Verifier trusts the signer the Whisper path emits op:lookups → who verified your content
C2PA lets a validator plug in any trust source. The gate-kept Trust List leaves off-list signers reading "unknown source"; a DANE anchor under the signer's own DNSSEC-signed domain is self-verifying, needs no coalition slot or annual fee, and is revocable per-unit: a complementary source, not a competing standard.

C2PA Trust List & Conformance Program

A C2PA verifier trusts a signer if its cert is on an explicit allowed list or chains to a trust anchor on a configured list. Crucially, C2PA does not mandate any particular list or PKI: trust lists and anchors are pluggable configuration inputs to the validator. That is the honest hook: a DANE/DNSSEC anchor is a legitimate alternative trust source, not a modification of C2PA. The official C2PA Trust List and Conformance Program (launched mid-2025) is a C2PA-managed list of X.509 anchors gated by a Product Security Architecture submission and assurance levels. And it is where the ecosystem's "no Let's Encrypt for C2PA" gap bites: no free, automated path exists for an independent creator, a small newsroom, or an AI agent to get a recognized cert; commercial signing certs run about $289/yr; the recognized-CA set is a small coalition.

Where we honestly stand. A Whisper-anchored signer is a pluggable trust source today, and it slots into CAWG's already-DNS-native identifiers (below). It is not official C2PA Trust-List membership, and this page never says it is. A Conformance-Program submission and a CAWG signer_payload.sig_type for a DANE-anchored credential are proposed: a route we are pursuing with the standard, labelled roadmap, never presented as approved.

CAWG Identity Assertion 1.2

CAWG's Identity Assertion (v1.2, DIF-ratified 2025-12-15) binds a human or organisation creator (distinct from the tool/device claim signer) by having a credential holder sign a signer_payload that hash-references the manifest's assertions, via signer_payload.sig_type. Two of its identifiers are already DNS-native, which is where Whisper fits cleanly:

For CAWG, device_id is the CAWG identity itself. This is the seam a DNSSEC/DANE signer slots into with the least friction: an org identity you own, resolvable by anyone, revocable in one call.

ISO 22144, Authenticity of information: Content credentials

The C2PA 2.1 architecture is being standardised as ISO 22144, "Authenticity of information: Content credentials," currently at ISO/DIS (draft, pre-publication). That matters commercially: an ISO number pulls Content Credentials into procurement and regulatory language, dovetails with the AI Act's marking goal, and raises demand for an accessible signer identity: the same DANE-anchored signer serves an ISO-22144-framed procurement unchanged. Because the standard is still a draft, we cite it as forthcoming and flag one thing to verify: some sources give the final designation as ISO/IEC 22144. Confirm ISO vs ISO/IEC against the ISO catalogue before quoting a clause number in a contract.

DO-NOT-CLAIM: what a signature does not prove

The most useful rows on a compliance page are often the ones a vendor omits. These are the claims a valid signature does not support. We state them plainly so nobody plans against an over-claim, and so a skeptical reviewer trusts the rest of the page:

Nothing signed in the dark: the transparency-log audit trail

Every identity mint and every revocation lands in a public, append-only Merkle transparency log (RFC 6962 tlog-tiles), with Ed25519-signed C2SP checkpoints, each root anchored to Bitcoin via OpenTimestamps. For a regulated content operation that is something a database row cannot give: a non-repudiable answer to "when was this signer commissioned, and when was it revoked," provably not back-dated, provably in order. It pairs naturally with C2PA's own tamper-evidence (the hard binding) and with Art.50(4)'s disclosure trail.

# A signer's ordered lifecycle (issuance, any rotations, revocation), keyless
curl -s https://whisper.online/ip/2a04:2a01:c2::51/transparency | jq

# The signed log checkpoint + its Bitcoin anchor: the tamper-evidence root
curl -s https://whisper.online/checkpoint
# -> a C2SP signed note; the root is OpenTimestamps-anchored to Bitcoin

Honest status. The log is tamper-evident, Ed25519-signed and Bitcoin-anchored today, but it is not yet independently witnessed (our two authoritative nodes co-signing is availability, not independence). It already speaks the C2SP tlog-witness protocol, so an external witness can co-sign; until one does, treat the guarantee as tamper-evident, not third-party-attested. It is GDPR-compatible: leaves are salted opaque commitments with selective disclosure, so erasing the salt renders a leaf's meaning unrecoverable while the proofs stay valid, which matters when a signer identity touches a real person.

Evidence you can hand a standards or procurement reviewer

The point of every primitive above is that the reviewer does not have to trust Whisper. Each artifact is reproducible from the internet's own records with stock tools: the same --trustless walk any resolver could run. A signer-identity evidence bundle for an Art.50 file, a C2PA vendor assessment, or an ISO-22144-framed procurement looks like this, and every line is checkable without an account:

# SIGNER IDENTITY: genuine and current, verified to the IANA root (no Whisper API trusted)
whisper verify --trustless 2a04:2a01:c2::51

# THE MARK: the address is the signer; forward-confirmed reverse DNS names it
dig -x 2a04:2a01:c2::51 +short
signer-0a1b2c3d.press.example-news.org.

# VERIFICATION ANALYTICS (Art.50(4)): who checked this signer, and when
CALL whisper.agents({op:'lookups', args:{agent:'2a04:2a01:c2::51', window:'90d'}})

# NON-REPUDIATION: the timestamped lifecycle leaf (commissioned, rotated, revoked)
curl -s https://whisper.online/ip/2a04:2a01:c2::51/transparency

# CONTAINMENT: revoke one compromised signer worldwide, at DNS-TTL, provably
CALL whisper.agents({op:'revoke', args:{agent:'2a04:2a01:c2::51'}})

And because a signing tool or agent can bind its forge-proof /128 and sign its outputs under it, and can have its egress governed (default-deny policy, firewall and budget for a live signing agent), the reviewer gets the full arc a lifecycle assessment expects: a signer that is issued, verifiable by anyone, watchable, governable, and retired on revoke.

Verification analytics & export

The evidence above is pullable now via op:lookups, op:logs and the graph API, and it exports to Splunk today as signed, replayable JSON mapped to CEF / ECS fields, useful for a platform running verification at ingestion scale. Broader connectors are on the roadmap, labelled honestly so nobody plans against vapour:

Destination Status
Splunk (signed JSON → CEF / ECS) Shipped
Microsoft Sentinel connector Shipped
OpenCTI Shipped
STIX 2.1 / TAXII feed Roadmap
C2PA Conformance submission · CAWG sig_type route Roadmap · proposed

Until the roadmap items land, the same records are already reachable: the exports are a convenience layer over evidence you can pull today.

What this is, and is not

Whisper anchors one thing: the identity of the signer at the DNS/transport boundary. It is deliberate about what it does not touch.

Everything described as working is checkable, today, with dig, curl and one control-plane call. Everything on the roadmap is labelled as such. That is the whole contract of this page.

Next