# Whisper for Content — give every C2PA signer an identity anyone can verify

> You can sign your content with C2PA — but a verifier shows "unknown source"
> unless your signing cert sits on a gate-kept Trust List. The address **is** the
> signer: a DNSSEC/DANE-anchored /128 under your own domain, no list to join,
> revocable at DNS-TTL — plus who-verified analytics. Additive to your Content
> Credentials and CAWG, never a fork.

Your Content Credential is perfect: a `COSE_Sign1` claim signature, your X.509 signer
cert riding in-band (`x5chain`, RFC 9360), tamper-evident. Yet a verifier trusts you only
if that cert is on a gate-kept *Trust List* — or chains to one. Off-list CA? *"Unknown
source."* There is no Let's Encrypt for C2PA: commercial signing certs run ~$289/yr, the
recognized-CA set is a small coalition, and independent creators, small newsrooms and AI
agents are simply locked out. **We give them a signer identity anyone can verify.**

`whisper verify --trustless` — anchored at the IANA DNS root. Our own API is not in the trust path.

- **$12.3B→$40B** — deepfake-enabled fraud, US 2023 → projected 2027 (Deloitte, ~32% CAGR)
- **~74%** — of ~1M new web pages (Apr 2025) carried detectable AI content; synthetic is now the majority
- **~$289/yr** — per commercial C2PA signing cert — and no free, automated path exists
- **a coalition** — governs the recognized-CA set; pay-to-play, "hasn't covered most CAs yet"
- **an entire fleet** — one camera vendor revoked its *whole* set of C2PA device certs after a vuln (2025), unrestored
- **ISO 22144** — the C2PA architecture entering ISO (2025) → procurement + EU AI Act pull provenance into law

---

## The provenance gap, step by step

**This is how a real signer is shown as "unknown source" — and a fake travels clean.**
No zero-day. Just C2PA used exactly as designed — with a Trust List an independent
creator, a small newsroom, or an AI agent can't get onto, and a signing model that gives
no feedback when someone checks.

1. **SIGN** — You emit a `COSE_Sign1` claim signature over a hard binding (`c2pa.hash.data`), your EE signer cert with EKU `c2pa-kp-claimSigning` traveling in-band via `x5chain`. Correct, tamper-evident, complete.
2. **UNKNOWN SOURCE** — A verifier trusts you only if your cert is on an explicit *Trust List* or chains to a listed anchor. Off-list or self-signed content has the *same technical appearance* as a verified org — shown as "unknown source."
3. **THE TOLL** — The recognized-CA set is governed by a small coalition; commercial C2PA certs run `~$289/yr`; there is *no* ACME-style free path. Independent creators, stringers and agents are priced and gated out.
4. **STRIP** — The manifest is embedded metadata (JUMBF); any non-C2PA-aware re-save — *including a screenshot* — erases it, and re-compressing platforms strip even authentic credentials. Provenance is gone.
5. **IMPERSONATE** — Lift a valid identity assertion onto a new asset (brand impersonation — C2PA's own security model concedes it), or a stolen key mints spec-valid manifests until revoked — and revocation via `OCSP`/`CRL` is optional and committee-paced.
6. **BLIND** — C2PA verification needs *no* network call — the certs travel in the manifest. So the signer has *zero* visibility into who verified, where, or how often. No feedback loop, no early warning of abuse.

Two things break at once: an honest signer has no public way to be trusted *off-list*,
and even when trusted, no way to see who checked. Strip it down and it isn't a hundred
problems — it's two structural gaps.

---

## Strip the incident down and it isn't a hundred bugs. It's two.

C2PA does the manifest well. What it leaves open is *who to trust* and *who is checking*.
Neither is a fork of C2PA to fix — both are trust sources the validator already accepts
as pluggable config.

### Gap 1 · the trust-list gatekeeping gap

An off-list signer cannot be publicly trusted — you must join a curated list or pay a CA,
and there is no open, domain-owner-controlled way to make a signer verifiable. C2PA's own
experimental *Web Domain Trust Anchor* tried a self-signed cert in an HTTPS `/c2pa.json`
file — not DNSSEC — and flagged domain-takeover and privacy as open problems.

**The answer — identity.** Bind the claim-signer's EE cert to the signer's *own*
forge-proof **/128** — `device_id` = the cert **serial** (already in every manifest) or
the **CAWG identity** — published as a **DANE/TLSA** record under your DNSSEC-signed
domain. Any verifier resolves it with `dig`: no list to join, no gatekeeper, no ~$289/yr
toll, revocable per-unit at DNS-TTL. And it is honestly *additive*: C2PA does **not
mandate any particular trust list** — trust lists and anchors are pluggable config inputs
to the validator, so a DANE/DNSSEC anchor is a legitimate alternative trust source, never
a fork.

```
signed asset ──▶ C2PA verifier ──▶ Official Trust List ──▶ off-list CA → "unknown source"
(COSE_Sign1,      (no network      └▶ DANE/DNSSEC anchor  ──▶ TLSA under your own domain
 x5chain,          call to read       (additive, not a         → VERIFIED: signed by
 EE cert in-band)   the manifest)      fork; you control it)      newsroom.example
```

> **"So a signer no coalition CA will touch — an independent creator, a small newsroom, an AI agent — can be publicly trusted without joining a list or paying ~$289/yr?"**
> Yes. Their signer cert's serial (or CAWG identity) anchors to a DNSSEC/DANE record under
> a domain *they* control. Any verifier resolves it trustless from the IANA root — and one
> call revokes it at DNS-TTL, not a CRL round-trip or a committee.

### Gap 2 · the verification-blindness gap

Because a C2PA verifier makes *no network call* — the whole chain travels in the manifest
— the signer has zero visibility into who verified their content. The only network events
C2PA generates are optional `OCSP`/`CRL` and the `RFC 3161` timestamp. From the signer's
side, provenance is *write-only*: no telling where your content travelled, who checked it,
or where the credential was stripped.

**The answer — lookups.** Anchor the signer in DNS and the blindness inverts. When a
verifier resolves and DANE-validates that anchor, it generates `AAAA`/`TLSA`/`RDAP`
lookups against Whisper's authoritative servers — so `op:lookups` becomes **"who verified
my content, where, how often."** A verification-analytics stream C2PA *structurally*
cannot provide, and a clean early warning when someone starts enumerating or impersonating
your signer.

> **"Doesn't this just make me an official C2PA trust anchor? And does a signature mean the content is *true*?"**
> No on both — and we say so plainly. A DANE anchor is a *legitimate, additive* pluggable
> trust source, *not* official Trust-List membership and *not* a C2PA conformance route;
> the formal-recognition path runs through **CAWG** (the `signer_payload.sig_type`
> extension point + `did:web`). And provenance is origin + history, *not* veracity: a
> genuine signer can sign false or staged content, and Whisper is *not* a deepfake
> detector. What we add is a publicly verifiable signer, DNS-TTL revocation, and
> who-verified analytics — accountability, not a truth oracle.

Gap 1 is trust made public. Gap 2 is the feedback loop no one else has. Here's the
root-cause cure for both.

---

## The root-cause cure · identity

**Give every signer an identity anyone can verify — and no one can forge.** Stop treating
"unknown source" as a paperwork problem and make it an *identity* problem. Whisper has one
primitive: **the address is the signer.**

A routable IPv6 **/128** out of `2a04:2a01::/32` (announced by **AS219419**),
deterministically derived from a key, DNSSEC-anchored, **DANE-EE** pinned,
RDAP/WHOIS-registered — re-derivable and verifiable by anyone with `dig`. `whisper verify
--trustless` checks it against the IANA root; *our own API is not in the trust path.*

**Point it at signers.** Derive each signer's /128 from the public key behind the
identifier the manifest *already* carries: the C2PA claim-signer's **X.509 EE cert** (EKU
`c2pa-kp-claimSigning`, OID `1.3.6.1.4.1.62558.2.1`) with its **serial as the domain
separator**, or the **CAWG identity** (the `did:web` issuer / `cawg.web_site.uri` that's
already DNS-native). The private key never leaves the signer — a secure element, an
in-camera module, an HSM, an agent's keystore; the address is a one-way function of its
public half and that identifier. No new artifact in the manifest — you anchor the signer
it already references.

```
claim-signer key ──pubkey + cert serial──▶  /128  ──DNSSEC+DANE-EE──▶  a signer anyone can verify
(EE cert · CAWG id ·                        2a04:2a01:c0d::5e2         whisper verify --trustless
 SE / HSM, private                          routable identity          no Trust-List slot required
 key never leaves)                                                     op:revoke → gone at DNS-TTL
```

What becomes true the moment you do this:

- **"Unknown source" becomes "verified by your domain."** Off-list is no longer a dead end — any verifier resolves the DANE record under the domain you control.
- **Cross-org trust with no shared list.** A newsroom verifies a *different* org's signer with no private allow-list in common — a shared DNS root is the only anchor either side needs.
- **A stolen key stops fast.** One `op:revoke` and `dig -x` returns nothing, verify returns false — the exposure window shrinks from "until OCSP, if ever" to minutes. It bounds the damage; it can't un-sign what was minted before.
- **Per-unit, not per-model.** When a whole device fleet's certs had to be revoked at once, that was per-model blast radius. A per-signer /128 revokes *one* unit worldwide and leaves the rest verifiable.

**Attaches to what you already ship — it does not replace it.** Whisper complements the
Content Credential you already emit — the C2PA manifest, the **CAWG identity assertion**,
the `RFC 3161` TSA countersignature, the in-camera secure element and durable content
credentials / watermarking. It is the publicly verifiable, DNSSEC/DANE-anchored layer *on
top*, anchoring the signer at the DNS/transport boundary — no bespoke trust store to push,
and revocation at DNS-TTL instead of a committee-paced list removal. You can even DANE-pin
the very signer cert your pipeline already uses.

**Honest boundary — additive, not official.** A DANE/DNSSEC anchor is a *legitimate,
pluggable* trust source for a validator — it is **not** membership on the official C2PA
Trust List and **not** a C2PA conformance route. The formal-recognition path runs through
**CAWG** — surface the Whisper-anchored domain identity as a `did:web` issuer or via the
`signer_payload.sig_type` extension point — and we're proposing DANE to the standard as a
complementary identity ecosystem. We describe the client and the public protocol, and we
don't claim "C2PA-approved."

**The cert serial is the public fingerprint — the /128 is its cryptographic
counterpart.** The serial flows in-band in every manifest via `x5chain`; that's useful for
interop but it's not a secret. The /128 is bound to the signer's key *and* the serial — so
the serial alone yields nothing. You cannot go serial → /128 without the key, there is no
enumerable directory, and RDAP/reverse-DNS return the registry object, never a creator's
whereabouts. Because the derivation is **tenant-bound**, the same signer under two
publishers yields two unrelated /128s — no one can link a creator across outlets. Offer
org- or domain-level anchoring and pseudonymity, so a journalist or whistleblower is never
forced to dox.

**Lifecycle, end to end.** Signer key → in-life signing → incident `revoke`. A key
rotation re-keys to a new /128 and revokes the old; a change of outlet is one `revoke` and
a re-register to the new owner. Compromise one signer and you've compromised *that
signer*, not the whole coalition. And nothing is issued in the dark: every mint and every
revoke lands in a public, Bitcoin-anchored [transparency log](/docs/content-compliance).
*Honest status:* tamper-evident, Ed25519-signed and OpenTimestamps-anchored today —
independent witnessing is the next step.

Maps to **EU AI Act Art.50** machine-readable marking and **Recital 133**'s enumerated
"cryptographic methods for proving provenance," to **ISO 22144**, and to **CAWG** —
delivered as a network primitive, not a compliance binder. [See the compliance
map →](/for-newsrooms)

---

## The surface no one else has · see & govern

**See who verified your content — a loop C2PA structurally can't close.** An identity
anyone can verify is also an identity you can *watch*. Because a DNS/DANE-anchored signer
resolves through Whisper's own authoritative DNS and RDAP, every verification leaves a
trace — and the signer sees exactly who looked, where, and how often.

```
signed content ──▶ verifiers ──AAAA·TLSA·RDAP──▶ Whisper auth DNS + RDAP ──op:lookups──▶ the signer
in the wild        (platform,   (each resolve                                            who · where ·
                    newsroom,     leaves a trace)                                          how often
                    fact-checker)
```

- **Who verified this is a query.** `op:lookups` returns who resolved or RDAP-queried a signer's identity — where your content travelled, where credentials were checked, and an early warning that someone is enumerating or impersonating your signer.
- **Catch the impostor cert.** The attribution graph (`CALL whisper.identify`, **7.44B** nodes) back-traces a controller reusing a lifted identity assertion or a stolen signing key across rotating clouds — evidence-grade and replayable.
- **Give your AI agents a signer identity.** *The direction:* an agent that signs its own C2PA claim (+ a CAWG identity assertion) with a Whisper-anchored, revocable /128 gets trusted-signer status *without* a Trust-List slot — the one thing agent stacks can't get today. First-class typed `--signer` support is on the roadmap.
- **Per-signer firewall, budget, revoke.** `op:firewall` allow/deny by host, cidr or port; `op:budget` caps an agent-signer's traffic; `op:revoke` cuts a compromised signer off worldwide in one call — the control plane, not just the identity.

The same *address-is-the-signer* primitive that anchors a newsroom's byline also anchors
the AI agents that will soon sign their own outputs under Art.50 — per-agent /128,
per-agent logs, default-deny egress, one `revoke`. From day one.

---

## Prove it in 60 seconds · no account

Two tiers, by design. **No key:** anyone can verify a signer's identity, resolve it, and
back-trace an impostor — trustless, anchored at the IANA root. **Your key:** bind a signer
to the cert serial it already carries, govern it, revoke it worldwide.

```sh
# keyless — re-derive and verify any signer's identity, trustless
$ whisper verify --trustless 2a04:2a01:c0d::5e2
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the claim-signer's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the signer — reverse DNS names it
$ dig -x 2a04:2a01:c0d::5e2 +short
  signer-3f2504e0.newsroom.example.whisper.online.

# who really operates a controller reusing a lifted identity assertion — a CALL whisper.identify()
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"185.42.x.x\")"}'
  operator:  <fingerprinted> · same tooling across 3 clouds, 1 residential swarm
  reused identity assertion seen on 12 unrelated assets → 1 operator
```

```sh
# bind a signer to the C2PA cert serial it already carries, and govern it
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the signer key>',
       device_id:'3F2504E04F8911D39A0C0305E82C3301'}})"   # device_id = the signer cert serial
  → identity 2a04:2a01:c0d::5e2   DNSSEC + DANE live · TLSA published under newsroom.example
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" \
    --data-urlencode "q=CALL whisper.agents({op:'lookups', args:{address:'2a04:2a01:c0d::5e2'}})"   # who verified my content, where, how often
$ whisper kill --revoke 2a04:2a01:c0d::5e2   # stolen key → gone worldwide, at DNS-TTL
```

Prove your content → <https://console.whisper.security/sign-up> · Read the [docs](/docs).

---

## Where Whisper fits

**C2PA proves the pixels weren't changed. Whisper proves *who* signed them — anchored in
open DNSSEC/DANE, with no central trust list to join.** C2PA and Content Credentials carry
the tamper-evident manifest — who, when, which tools, which edits — and they do it well;
we don't recreate them. Watermarking (SynthID, Meta Seal) embeds an invisible AI-origin
signal that survives a screenshot — a different job, marking origin, not identity, and
also not ours. Whisper adds the one layer none of them own: a publicly verifiable signer
identity anchored in open DNSSEC/DANE (no central Trust List), plus who-verified
analytics. Additive to all of them; a fork of none.

| | C2PA / Content Credentials | Watermarking (SynthID / Meta Seal) | Whisper |
|---|---|---|---|
| Tamper-evident manifest (who / how / edits) | ✓ | — | *additive* |
| Invisible signal that survives a screenshot / re-encode | — | ✓ | — |
| **Publicly verifiable signer identity**, no central trust list | — | — | ✓ |
| Signer revocation at DNS-TTL, one call | — | — | ✓ |
| **Verification analytics** — who verified your content | — | — | ✓ |

It attaches to the manifest you already emit — DANE-pin the very signer cert your C2PA
pipeline already uses — and lands as a machine-readable feed into your SIEM: the **Splunk**
connector ships today, with **Microsoft Sentinel**, OpenCTI and STIX 2.1/TAXII on the
roadmap. It doesn't replace your Content Credentials, and it doesn't solve
metadata-stripping — that's watermarking's job, complementary, out of our scope. [See the
full comparison →](/compare)

---

## Built for the people who have to sign off

**Additive to your pipeline. Mapped to your standards. Availability-safe by
construction.** Three planes on one primitive — signer identity, verification analytics,
egress governance — and all three exit into the pipeline you already run, not a new silo.

- **Turnkey Art.50 evidence.** Sign under a publicly-resolvable identity and you advance **Art.50(2)**'s "interoperable, robust, reliable" bar — the exact **Recital 133** technique ("cryptographic methods for proving provenance"), made *accessible to the public* via open DNS. *Honest:* the AI-generated declaration rides in the C2PA manifest (`digitalSourceType`, e.g. `trainedAlgorithmicMedia`); Whisper anchors the signer, it doesn't make you compliant. [See the map →](/for-newsrooms)
- **Nothing issued in the dark.** Every identity mint and every revoke lands in a public, append-only **RFC 6962 Merkle transparency log**, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable issuance trail for a disclosure duty or an ICC evidentiary dossier. *Honest status:* tamper-evident today, independent witnessing is the next step.
- **Additive & availability-safe.** It rides existing DNS/IPv6 and adds **no chokepoint** to your signing pipeline. Verification degrades to your existing anchors if a Whisper node is slow, and it's anycast on AS219419 — no single node in the path, built to fail open.
- **One identity fabric, every signer.** Derived from the key already behind the signer — a newsroom's org cert, an in-camera secure element, a stringer's laptop, an agent's keystore. No second PKI, no per-cert tax, no re-issuing the fielded fleet: one verifiable /128 anyone can check.
- **Flat, predictable pricing.** Per-signer/year and flat — not per-cert, not per-verification. Against the ~$289/yr per-cert coalition toll, it's a line item you can forecast, and it brings your stringers and independents in from the cold. [See pricing →](/pricing)
- **A vendor that will still be here.** Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start.

---

## Give every signer an identity anyone can verify.

The address is the signer — a DNSSEC/DANE-anchored /128 under your own domain, no
Trust-List slot, no ~$289/yr toll, revocable worldwide in one call — plus who-verified
analytics C2PA can't provide. Additive to your Content Credentials, never a fork. Keyless
to try, one call to provision, one more to revoke.

Prove your content → <https://console.whisper.security/sign-up> · [For newsrooms →](/for-newsrooms)

Or run `whisper verify --trustless` right now.

---

*Whisper for Content · A publicly verifiable signer identity on the wire for content provenance · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
