# Whisper for Content — a publicly verifiable signer identity on the wire for content provenance. This is content.whisper.online. The marketing story here is told for the content-provenance and newsroom-security team; the /docs library, the console, and the whole system behind it are identical to whisper.online. Read it in full — written so both an agent and a person can act on it. ## The problem it solves A C2PA Content Credential is correct and tamper-evident — a COSE_Sign1 claim signature, the X.509 signer cert riding in-band via x5chain (RFC 9360). Yet a verifier trusts a signer only if that cert sits on a gate-kept Trust List, or chains to one; an off-list signer shows as "unknown source." There is no Let's Encrypt for C2PA — commercial signing certs run ~$289/yr and the recognized-CA set is a small coalition — so independent creators, small newsrooms and AI agents are simply locked out (the trust-list gatekeeping gap). And because C2PA verification makes NO network call — the whole chain travels in the manifest — a signer has zero visibility into who verified their content, where, or how often (the verification- blindness gap). ## The cure — make it an identity problem Give every signer a routable IPv6 /128 (from 2a04:2a01::/32, AS219419) DETERMINISTICALLY derived from the key behind the identifier the manifest ALREADY carries — the C2PA claim- signer's X.509 EE cert with its serial as the domain separator, or the CAWG identity. Published as a DANE/TLSA record under your own DNSSEC-signed domain, RDAP-registered, verifiable trustlessly with `whisper verify --trustless` — anchored at the IANA DNS root, our own API never in the trust path. "Unknown source" becomes "verified by your domain": no Trust- List slot, no ~$289/yr toll, revocable per-signer at DNS-TTL with one op:revoke. And because the anchor resolves through Whisper's own authoritative DNS and RDAP, op:lookups tells you who verified your content, where, and how often — a feedback loop C2PA structurally can't close. Additive to your Content Credentials, your CAWG identity assertion and watermarking; a fork of none. Honest boundary: a DANE/DNSSEC anchor is a legitimate, pluggable trust source — it is NOT official Trust-List membership or a C2PA conformance route (the formal-recognition path is CAWG / did:web), and provenance is origin + history, not a veracity oracle. ## Pages - / Home — the provenance gap, the cure, and the two structural gaps - /provenance-gap The provenance-gap cure, end to end - /platform The three planes + where they fit the pipeline you already run - /for-newsrooms For newsrooms & creators: EU AI Act Art.50 / ISO 22144 / CAWG fit - /compare Honest comparison — additive to C2PA & watermarking, not a replacement - /pricing Flat, predictable pricing - /docs The full technical documentation (identical to whisper.online/docs) ## Verify it yourself (keyless) whisper verify --trustless dig -x # forward-confirmed reverse DNS curl https://whisper.online/verify-identity/ ## Provision (with a Whisper API key) Control plane: POST https://graph.whisper.security/api/query X-API-Key: whisper_live_xxx CALL whisper.agents({op:'connect', args:{tier:'wireguard', identity_public_key:'', # only the PUBLIC key is sent device_id:''}}) # your native identifier as the domain separator # Derives the signer's routable /128 deterministically from its own public key; the # private key never leaves the signer. A first-class typed --signer arg is on the roadmap. # Then op:lookups returns who verified this signer; op:revoke cuts a stolen key off worldwide. Console: https://console.whisper.security ## The operator Operator: Whisper Security (viaGraph B.V.), Amsterdam, NL. Network: AS219419, IPv6-only, RPKI-signed, MANRS-compliant. AS219419 announces 2a04:2a01::/32.