content.whisper.online · for newsrooms, AI platforms & camera makers

C2PA proves the pixels weren't changed. It can't tell your reader whether to trust the signer.

Content Credentials are the right idea, done well — a tamper-evident manifest of who, when, and what edits. But two holes stay open: an off-list signer displays "unknown source" unless it buys onto a coalition-curated Trust List (~$289/yr, no ACME, no Let's Encrypt for provenance), and once your content is out you are write-only — zero visibility into who verified it or who's impersonating your byline. Neither hole is a manifest problem. Both are an identity problem.

We close both. Anchor your C2PA / CAWG signer in your own DNSSEC/DANE zone — the address is the signer — so anyone verifies it with dig, no Trust-List slot and no CA fee, revocable worldwide at DNS-TTL; and op:lookups finally shows you who checked. Content Credentials people can actually verify.

whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.

$12.3B→$40B GenAI/deepfake fraud 2023→2027 (~32% CAGR, Deloitte)
0.1% of people correctly told a real from a deepfake (n=2,000, iProov)
2 Aug 2026 EU AI Act Art.50 — machine-readable marking of AI output goes live
~$289/yr per signer cert — and an off-list creator shows "unknown source"
write-only C2PA gives a signer zero view of who verified their content
2025 a camera vendor had to revoke its entire C2PA device-cert set after one vuln

A signed manifest tells you what happened to the bits. It doesn't tell you who to trust — or whether anyone believed you.

The C2PA spec is explicit that its trust rests on "an identity ecosystem substantiating the signing key belongs to the Signer" — and equally explicit that it provides the signature format and a curated CA list, not that public identity ecosystem. Here is exactly where that leaves you.

STRIP

The credential is easily separated

The manifest lives in embedded JUMBF metadata; any non-C2PA-aware resave — including a screenshot — deletes it. The spec concedes it: "a screenshot eliminates any trace of provenance." A durable watermark helps recovery; a signature alone does not.

UNKNOWN SIGNER

Off-list looks identical to malicious

The spec permits self-signed and off-list certs, so an independent's manifest is technically indistinguishable from an impostor's — both render "unknown source." There is no free, ACME-style path to become a recognized signer, and revocation checking is optional.

WRITE-ONLY

You never see who checked

C2PA verification needs no network call — the cert chain travels in-band per RFC 9360 — so a signer has zero visibility into who verified their content, where, or how often. No early warning that your byline is being reused or your credential stripped.

Strip down the whole problem and it isn't a hundred bugs in the format — the format is good. It's two structural gaps in the trust layer around the format, and every provenance program shares both. Close them and Content Credentials become something a reader — or a regulator — can actually act on.

One is a signer you can't verify without a gatekeeper. The other is silence after you publish.

Both are the kind a skeptic names on sight — not a compliance checkbox. Here they are, and here's exactly how each closes without forking C2PA.

Gap 1 · you can't prove the signer without joining someone's list

A conformant validator trusts a signer only if its cert is on an explicit allow-list or chains to a root on a trust-anchors list — a list a small coalition curates and a CA charges to enter. An off-list newsroom, stringer, or agent signs perfectly valid content that still reads "unknown source." The burden shifts to every verifier to somehow resolve who this signer really is.

The answer — a signer anchored in your own DNS. C2PA trust lists and anchors are pluggable config inputs to the validator — so a DNSSEC/DANE anchor is a legitimate alternative trust source, not a fork. Derive your C2PA claim-signer's routable /128 from the signer key it already holds, publish a TLSA (DANE-EE 3 1 1) that pins the end-entity cert in your own DNSSEC-signed zone, and any verifier that consults DANE trusts it with no central list, no gatekeeper, and no annual CA fee. This is the mechanism C2PA's own experimental "Web Domain Trust Anchor" reached for — done with DNSSEC instead of an HTTPS /.well-known/c2pa.json that fails on domain takeover.

C2PA signer key COSE_Sign1 · x5chain serial EKU c2pa-kp-claimSigning private key never leaves you public key + serial /128 2a04:2a01:c0f::515 routable signer identity DNSSEC + DANE-EE A signer anyone can verify whisper verify --trustless no Trust-List slot · no CA fee TLSA 3 1 1 in your own zone op:revoke → gone worldwide at DNS-TTL
The X.509 serial C2PA already carries in every manifest becomes a name the whole internet can check. Whisper anchors that signer to a routable, DNSSEC/DANE-verifiable /128 and gives it the fast, per-signer revocation C2PA leaves optional — without touching the manifest.

"Isn't a DANE-anchored signer just you deciding you're trusted? How is that not a fork of C2PA?"

It isn't a fork — it's a config input C2PA already supports. Trust lists and trust anchors are pluggable inputs to a conformant validator; a DNSSEC/DANE anchor is a legitimate alternative source, surfaced through a CAWG identity assertion and consumable exactly like any other. The reader's trust roots in the IANA DNS root, not in us. Honest limit: DANE is not yet a formally recognized C2PA conformance anchor — we position it as a complementary identity ecosystem, never as "C2PA-approved."

Gap 2 · after you publish, you're blind — and impersonable

Once content leaves you, provenance is write-only. You cannot see who verified it, where it travelled, or where the credential got stripped — and an attacker can lift your valid identity assertion onto a new asset to falsely wear your brand. C2PA's own security model names this brand-impersonation risk; nothing in the format gives you a feedback loop.

The answer — reverse observability + the graph. Because your signer's name resolves through Whisper's own authoritative DNS and RDAP, op:lookups returns who resolved or validated your signer — the TLSA/AAAA/RDAP checks a verifier makes — turning provenance into a two-way channel: a verification-analytics stream and an early warning that someone is enumerating or impersonating your byline. And when a suspicious host is reusing your identity assertion, the attribution graph — 7.44B nodes, 39.3B relationships of fused BGP, DNS, WHOIS, TLS and hosting — fingerprints the operator across rotating clouds and residential proxies and hands you a reproducible evidence chain for a takedown.

the loop C2PA leaves open — a signer never learns who checked Your signer DANE-anchored /128 signed asset DANE-aware verifiers opt in any validator that consults DANE DNS · TLSA · RDAP lookups against Whisper authoritative op:lookups → who verified where · how often · impostor caught Attribution graph host reusing your assertion → 1 operator provenance becomes a two-way channel
Everyone else's provenance is write-only. Standard C2PA validation is offline — but any verifier that opts into your DANE trust source resolves your signer through Whisper's DNS, and op:lookups turns that resolution into a signal you can read: who checked it, and who's wearing your byline without permission.

"C2PA verification is offline by design — the certs travel in the manifest. So how could you possibly know who verified my content?"

Because your signer's identity is online even though the manifest is offline. The manifest still verifies with no network call — that's unchanged. But when a validator checks your DANE-anchored signer, it resolves DNS/TLSA/RDAP records that live on our authoritative servers, and op:lookups reports exactly those. It's a capability C2PA structurally can't offer — and the honest early-warning you've never had.

Gap 1 makes your signer trustable off any list. Gap 2 makes it observable. Both ride your existing Content Credentials untouched — now here's who tends to move first, and exactly where we do and don't fit.

Four people carry this problem — and each one buys the same primitive for a different reason.

Different triggers, different vocabulary, one mechanism underneath: the address is the signer. Find your seat.

A · Newsroom · publisher · press-freedom org

Trigger: the AI-image flood and the liar's dividend; major wire services and publishers are already adopting Content Credentials through the CAI and Project Origin; you want Content Credentials that verify without a coalition gatekeeper or a ~$289/yr per-cert tax on your stringers.

Lead: a verifiable, revocable byline/org signer anchored on your own domain — readers verify "signed by signer.newsroom.example" straight from DNS, no Trust-List slot, no annual CA fee, and verification analytics show where your content travelled and where credentials were stripped.

You say: provenance · chain of custody · Content Credentials · first-mile capture · "how we verified this" · source protection · Project Origin.

B · AI platform · agent maker

Trigger: EU AI Act Art.50(2) obliges you to mark generative output machine-readable and detectable-as-AI by 2 Aug 2026, with the digitalSourceType = trainedAlgorithmicMedia assertion — and Recital 133 names "cryptographic methods for proving provenance" as an accepted technique.

Lead: sign your outputs' C2PA claim (plus a CAWG identity assertion) with a DANE-anchored identity derived from the agent's existing key — trusted-signer status without a Trust-List slot or CA fee. Honest split: the DANE-anchored signer identity + DNS-TTL revocation is shipped & live today; a first-class sign-outputs tool that emits the C2PA/CAWG claim for you is on the roadmap.

You say: synthetic-content marking · detectable-as-AI · durable vs soft binding · provenance signal · output attribution · IPTC digitalSourceType.

C · Camera · device maker

Trigger: in-camera Content Credentials are now table-stakes (Leica/Sony/Nikon/Canon, first native smartphone) and newsroom procurement requires them — but the 2025 mass-revocation incident, where a vendor had to pull its entire device-cert set after one vuln, exposed how brittle a per-model root is.

Lead: per-unit revocable device signer identities derived from each device's hardware key — so a single compromised unit is one DNS op:revoke, not a fleet-wide suspension. Per-unit trust, one identity plane across the fleet, interoperable by construction (open DNS/DANE, not a proprietary silo).

You say: point-of-capture · hard binding · secure element · certificate lifecycle · firmware attestation · per-unit vs per-model.

D · Stock library · marketplace · platform

Trigger: Art.50 deployer duties, label/remove statutes, and Google bringing C2PA verify into Search and Chrome push verification to your ingest — while the trust-list equity gap makes you penalize legitimate small and independent signers you'd rather recognize.

Lead: verify signer identity at ingest — publicly, at scale, with a DNS-resolvable anchor and no private allow-list — and get the who-verified analytics C2PA can't provide. Extend the trust list past the whitelist and detect the strip.

You say: trust & safety · at-scale verification · soft/hard bindings · manifest validation · trust list · false-positive rate.

A fifth seat too: the fact-checker or evidentiary desk that needs to resolve a claimed signer in public DNS in seconds — not just read a manifest — and catch the impostor cert. Everyone verifies keyless; only the signer needs a key.

The strongest thing we can say is also the most honest one: we fill C2PA's own stated dependency, and nothing more.

Over-claiming here is the credibility trap, so we draw the line for you before a red-teamer does. Three tiers: what we do today, what we complement, and what we will not claim.

● Direct — additive, today

An additive, pluggable C2PA trust anchor: your signer's EE cert pinned via DANE in your own DNSSEC zone, consumable as a validator config input. And a CAWG path — run your own did:web ICA issuer and DANE-bind cawg.web_site + the cawg.x509.cose org cert to your domain. We anchor the signer your manifest already references.

◐ Complementary — evidence, not a route

EU AI Act Art.50 support: a public cryptographic provenance anchor is a named technique (Recital 133) and advances the interoperable/robust/public bar — as a feature and evidence, never a conformity route. ISO 22144 procurement: an accessible public signer identity helps you meet the language — not a certification.

✕ We do not claim

Not official C2PA Trust-List membership. Not a C2PA-conformance or EU-AI-Act-conformity route. Provenance ≠ truth, and we are not a deepfake detector. We do not survive a manifest-stripping re-encode. Each one, spelled out below.

ClaimStatusWhat it means — and its limit
Additive, pluggable C2PA trust anchor (DANE-EE)● DIRECTC2PA trust anchors are pluggable validator inputs; a DNSSEC/DANE anchor is a legitimate alternative source, not a fork. Shipped & live.
CAWG did:web issuer + cawg.web_site DANE-bind● DIRECTRun your own ICA issuer and bind the domain identity CAWG already carries. The primitive is live; a turnkey issuer tool is on the roadmap.
EU AI Act Art.50 marking support◐ COMPLEMENTARYA named technique (Recital 133) and public-verifiability evidence — advances the bar. Not a conformity route; the AI-generated assertion lives in the manifest, we anchor the signer.
ISO 22144 procurement fit◐ COMPLEMENTARYAccessible public signer identity helps satisfy procurement language as Content Credentials enter it. Not a certification.
Official C2PA Trust-List membership✕ NOT CLAIMEDWe are not on the coalition-curated Trust List; we are a complementary, domain-owner-controlled trust source you choose to consult.
A C2PA-conformance / EU-AI-Act-conformity guarantee✕ NOT CLAIMEDTechnology-neutral. We evidence and strengthen; no product "makes you compliant."
Provenance = truth · a deepfake detector✕ NOT CLAIMEDA signature proves who + integrity, not veracity and not "this is AI." Absence of a credential ≠ fakery — pair with watermarking/detection.
Survives a screenshot / manifest-stripping re-encode✕ NOT CLAIMEDA re-encode separates the credential. We improve recovery odds and detect the strip via analytics, but can't prevent it — that's a durable watermark's job.

The one-sentence version: C2PA proves a manifest was signed; we make the signer publicly, independently verifiable in DNS — the identity layer C2PA depends on but doesn't provide — so your Art.50(2) machine-readable mark is anchored to a real, resolvable identity, no curated allow-list required. See the full comparison →

Three planes on one primitive — and all three exit into the Content Credentials pipeline you already run.

The primitive is one line: the address is the signer — a routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), DNSSEC-anchored, DANE-EE pinned, verifiable by anyone with dig. Point it at your signer and you get identity, analytics, and governance — no new silo, and the manifest stays yours.

Signer identity signer /128 · DNSSEC · DANE-EE · bound to the C2PA cert serial — who signed, provably C2PA · CAWG · did:web Verification analytics op:lookups — who verified your content, where, how often — the write-only loop, closed 7.44B nodes · DNS·TLSA·RDAP Egress governance per-signer /128 · policy · firewall · budget · revoke — what may talk to what, and one off-switch default-deny · DNS-TTL THE ADDRESS IS THE SIGNER AS219419 · 2a04:2a01::/32 Your manifest C2PA · CAWG assertion Verifier tools contentcredentials.org · Chrome Transparency log RFC 6962 · Bitcoin-anchored
Three planes on one primitive — all three exit into the Content Credentials pipeline you already run, not a new silo. Whisper never creates the manifest or embeds a watermark; it anchors the signer they reference and adds the analytics and revocation they lack.

Nothing issued in the dark

Every signer identity minted and every revocation lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable issuance and revocation trail a regulator or a court can replay. Honest status: tamper-evident and Bitcoin-anchored today; independent external witnessing is the next step, and we already speak the C2SP witness protocol so any third party can co-sign.

Govern what a signer may reach

A per-signer /128 with a graph-first resolver and source-bound egress enforces default-deny — allow the timestamp authority and your ledger endpoint, block the rest — with op:firewall, op:budget caps, and op:revoke to cut a compromised signing service off worldwide in one call.

Sign-outputs, honestly staged

Today: derive a DANE-anchored signer /128 from your generator's or agent's own key and pin it — a trusted-signer identity with no Trust-List slot. On the roadmap: a first-class sign-outputs tool that emits the C2PA claim with digitalSourceType = trainedAlgorithmicMedia plus a CAWG identity assertion, so Art.50(2) marking rides your Whisper identity end to end.

Additive & availability-safe

It rides existing DNS/IPv6 and adds no chokepoint in your signing path. If a verifier authorizes against the DANE/verify path, that plane is built to fail open — a Whisper outage degrades to the anchors you already ship, never a false "invalid." Anycast on AS219419, no single node in the path.

Don't take our word for it — our API isn't in the trust path.

Two tiers, by design. No key: anyone resolves a signer's identity and back-traces an impostor — trustless, anchored at the IANA root. Your key: anchor your signer on your own domain, see who verified it, and revoke a compromised one worldwide.

verify a signer — keyless · attribute an impostor — graph API
# keyless — resolve and verify a newsroom's C2PA signer identity, trustless
$ whisper verify --trustless signer.newsroom.example
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA 3 1 1) pins the C2PA claim-signer EE cert
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  signer: VERIFIED — no C2PA Trust-List slot, no CA phone-home

# the serial your manifest carries → its DANE-anchored pin, in the signer's OWN zone
$ dig +short TLSA _443._tcp.signer.newsroom.example
  3 1 1 5f2b9c…e41   ; the claim-signer EE cert, DNSSEC-signed by the newsroom

# who really operates a host reusing your identity assertion — the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"203.0.113.9\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / a residential swarm
  evidence chain: signed · replayable — hand it to a takedown desk unchanged
anchor, watch & revoke your signer — with your key
# anchor your C2PA signer identity on your OWN domain, from the key it already holds
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of your C2PA signer key>',
       device_id:'5F2B9C0A4E11D7…'}})"   # device_id = the signer cert serial
  → identity 2a04:2a01:c0f::515   DNSSEC + DANE-EE (TLSA 3 1 1) live
# publish the TLSA pin + point cawg.web_site at this name — off-list signer, now publicly verifiable
$ whisper logs 2a04:2a01:c0f::515 --lookups          # op:lookups — WHO verified your content
  1,284 validations · 37 countries · 2 checks from a host not on your allow-list ⚠
$ whisper policy set --default deny --allow tsa.example,ledger
$ whisper revoke 2a04:2a01:c0f::515                     # a compromised signer, gone worldwide at DNS-TTL
# a first-class `whisper sign-outputs --c2pa` (emits the claim + CAWG assertion) — on the roadmap

The manifest, the edit history, the watermark, the in-camera capture — all done well. We anchor the one thing they leave open.

C2PA/CAI build a tamper-evident manifest; watermarking (SynthID, Meta Seal) adds an AI-origin signal that survives a screenshot. Both are necessary and neither is what we do — Whisper does not create the manifest or embed the watermark. We anchor the signer those manifests already reference, publicly and off any list, and we close the two quadrants nobody else occupies: signer trust the domain owner controls, and the feedback loop that shows who verified your content.

C2PA / CAI provenanceWatermarking (SynthID / Seal)Whisper
Tamper-evident manifest (who · edits · tools)additive
Invisible signal surviving a screenshot / re-encode
Publicly verifiable signer — no central Trust List
Cross-org signer trust without joining a list
Signer revocation at DNS-TTL, one call
Who verified your content (analytics)write-onlywrite-only

Depth on top of the Content Credentials you already emit — it makes an off-list signer publicly verifiable, gives it an off-switch, and turns verification into a signal you can read. It doesn't replace C2PA, and it doesn't add a console your team babysits. See the full comparison →

Content Credentials people can actually verify.

Anchor your C2PA / CAWG signer in your own DNSSEC/DANE zone — publicly verifiable, revocable at DNS-TTL, with the who-verified loop C2PA never closed. Additive to your manifest, never a replacement. Keyless to try, one call to anchor, one more to revoke.

Or run whisper verify --trustless right now.