content.whisper.online · the platform

You shouldn't have to join a trust list to be believed. Your content needs a signer anyone can verify.

Provenance tooling stacks up — a manifest here, a watermark there, a curated CA list you pay to join — and none of it answers the one question a reader actually has: can I trust who signed this, without asking a gatekeeper? Whisper isn't another trust list. It's one primitive — the address is the identity — expressed as three planes that plug into the C2PA pipeline you already run.

Derive a signer's identity once from the key already in its C2PA claim-signer cert; verify it anywhere with dig. That one primitive becomes three planes — a publicly verifiable signer identity, an attribution graph that names the operator across rotating egress, and see-and-govern — who verified your content — standing on real routable space at AS219419, anchored at the IANA root. Our API is never in the trust path.

whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.

7.44B nodes in the live attribution graph — BGP, DNS, WHOIS, TLS, hosting, threat intel
39.3B fused relationships across that graph
AS219419 our own autonomous system — real routable space
DANE a signer anchor under your own DNSSEC zone — no trust list to join
op:lookups who verified your content — the write-only loop, finally closed
1→3 one primitive, three planes, zero new silos

Everything below derives from one line: the address is the identity.

A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with dig.

Most provenance tooling starts from a credential embedded in the file and asks a curated list whether to trust the signer. Whisper starts from the other end: it gives the signer an identity that is its address, cryptographically bound to the key already in its C2PA claim-signer certificate, and publicly verifiable without trusting any list. Point it at a claim signer, a newsroom, a camera, or an AI agent that signs its own outputs, and "who signed this?" stops being a question for a gatekeeper and becomes a fact anyone can check with dig. Three products fall out of that one primitive — not three integrations you wire together, three faces of the same address. And all three are additive to C2PA: the manifest stays yours, the signer simply becomes publicly verifiable.

One address, three jobs: who signed this, who's really behind that, and who's verifying it.

Signer identity answers who signed this, provably — without a list to join. The attribution graph answers who's really behind a rogue signer or scraper that rotates. See-and-govern answers who verified your content — the write-only loop C2PA leaves open — and lets you govern and revoke. Each plane is useful alone; together they fill the identity, revocation and analytics holes every content-credential deployment shares.

one address-is-identity primitive, expressed as three planes Signer identity who signed this, provably — anchored in your own DNS, no trust list to join signer /128 · DNSSEC · DANE-EE · did:web Attribution graph who's really behind this — the operator behind a rogue signer or scraper, across rotating egress identify · origins · walk · variants · history · Cypher See & govern who verified your content — and what a signing agent may talk to op:lookups · policy · firewall · revoke — default-deny THE ADDRESS IS THE IDENTITY AS219419 · 2a04:2a01::/32
Three planes on one primitive. Nothing here is a bolt-on connector — each plane is the same address answering a different question, so the signer identity, the attribution and the analytics all agree by construction. All three sit on top of the C2PA manifest your tools already produce; none of them touches the manifest's hard binding or the hashed bytes.

A signer anyone can verify in DNS — not a certificate you pay a coalition to bless.

This is the plane that closes C2PA's sharpest gap: a valid manifest proves the bits weren't changed, but whether to trust the signer has no universal public answer — it lives in a curated CA list you pay to join, with revocation that's optional and committee-paced. Anchor the signer in the one namespace everyone already trusts.

Point the primitive at signers. Derive each signer's /128 from the key already in its C2PA claim-signer X.509 certificate, with the signer cert serial (or the CAWG identity) as the domain separator. The private key never leaves the signer; the address is a one-way function of its public half and that serial. Then publish a TLSA record — a DANE-EE pin of that same key — under the signer's own DNSSEC-signed domain. Because C2PA does not mandate any particular PKI — trust lists and trust anchors are pluggable configuration inputs to the validator — that DANE record is a legitimate trust anchor, self-verifying by anyone, with no list to join, no coalition gatekeeper, and no annual per-cert toll — no "Let's Encrypt for provenance" to pay — for a stringer or an independent newsroom.

the trust decision a C2PA validator makes — resolved in DNS, no list to join C2PA claim signer COSE_Sign1 · x5chain · EE cert device_id = cert serial private key stays with the signer public key + serial /128 2a04:2a01:c2a::51e signer identity DNSSEC + DANE-EE TLSA under your own zone _c2pa.press.example-news … 3 1 1 self-verifying · no list to join our API not in the trust path A validator resolves the zone → signer TRUSTED whisper verify --trustless op:revoke → signer distrusted worldwide at DNS-TTL the off-switch a curated CA list + optional OCSP never gave you
The signer cert already travels in the manifest (COSE x5chain, verified with no network call). Whisper pins that same key under a DNSSEC-signed TLSA record on the signer's own domain, so a validator resolves trust in DNS — no central list, no CA phone-home — and one op:revoke pulls the signer worldwide at DNS-TTL. Honest status: DANE/DNSSEC is a complementary, pluggable identity source; it is not yet a formally recognized C2PA conformance anchor — surfaced via CAWG and proposed to the standard, never "already approved."

"C2PA already signs the manifest and ships a Trust List. Why isn't that enough?"

Because the manifest proves the pixels, not the signer — and today the signer's trust rests on a curated CA list. An off-list signer displays "unknown source"; there is no free, automated path (no "Let's Encrypt for provenance") for an independent creator or small newsroom, and revocation is optional and cache-heavy. Whisper anchors the same signer's key under its own DNSSEC domain, so any verifier trusts it with no list, and revocation is a DNS op at TTL speed. The manifest stays yours — this is additive.

CAWG is already DNS-native — meet it there. CAWG's Identity Assertion binds a named creator or organization, and its issuer is a did:web — which resolves through DNS + HTTPS — while cawg.web_site.uri is a required domain the actor controls. So a Whisper DNSSEC-anchored domain is a first-class did:web issuer root: run your own identity-claims issuer that verifiers trust through DNS rather than a third-party aggregator, and DANE-bind cawg.web_site.uri and the cawg.x509.cose org cert to your domain — turning CAWG's own "well-formed but unrooted" verdict into "trusted" with no S/MIME CA. CAWG's docs flag signer trust lists as an unresolved, urgent problem; a public DNSSEC/DANE anchor is a clean open answer.

The cert serial is the public index — the /128 is its cryptographic counterpart. A signer cert serial is a known, structured value that flows through every manifest; that's fine for interoperability but it isn't a secret. The /128 is bound to the signer's key as well as the serial, so the serial alone yields nothing: you cannot go serial → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never the content's whereabouts. Because the derivation is tenant-bound, the same signer under two publishers yields two unrelated /128s.
Per-unit revocation — the off-switch a whole-fleet cert recall lacked. A camera vendor recently suspended its authenticity service and had to revoke its entire set of C2PA device certificates after a vulnerability — every unit in the field distrusted at once. Derive a per-device /128 from each unit's existing hardware signing key, DANE-anchor it, and one op:revoke distrusts that unit at DNS-TTL — per-unit, not per-model. One deterministically-derived leaf per signer, DANE-EE pinned, never a shared intermediate: compromise one key and you've compromised that signer, not the trust store.
Honest scope — additive to C2PA, never instead of it. Whisper does not create the manifest or embed a watermark — the tamper-evident hashed manifest, the edit history, the durable soft-binding and in-camera capture are done well by the incumbents and stay theirs. A signature proves who + integrity, not truth: a genuine signer can sign staged or misleading content, so this is accountability and attribution, not a veracity oracle. It is not a deepfake detector — absence of a credential is not proof of fakery. And DANE/DNSSEC anchoring is not yet a formally recognized C2PA conformance trust anchor; we position it as a complementary identity ecosystem surfaced via CAWG and proposed to the standard. What Whisper adds is the missing piece C2PA's own spec names as a dependency: "an identity ecosystem substantiating that the signing key belongs to the signer."

Attaches to what you already ship — the C2PA SDK and CAI tools, the claim-signer cert, CAWG, in-camera signing — as the publicly verifiable, DNSSEC/DANE-anchored layer on top. Anchor the signer, not the pixels. Standards mapping →

Name the operator behind a rogue signer — because it fingerprints infrastructure, not the exit IP.

When a stolen key mints spec-valid manifests, an impostor lifts your identity assertion onto new content, or a scraper harvests likeness across rotating clouds and residential proxies, the last IP tells you nothing. This plane names the operator, not the exit.

A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — pulls two levers, kept honestly separate. For cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy. For a residential-proxy swarm — where a subscriber IP gives an infra graph nothing to grab — a JA4/JA3 client fingerprint travels with the tooling regardless of the exit and collapses the swarm to one operator. The egress IP is the one thing this plane never relies on.

what the last IP tells you — a rotating, meaningless egress Rogue signer / scraper · impostor AWS eu-central 3.68.x.x GCP europe-w4 34.90.x.x Azure westeu 20.61.x.x residential-proxy swarm 71.x · Comcast 82.x · KPN 99.x · Orange JA4-identical tooling infra genealogy JA4 fingerprint One operator ASN + hosting genealogy + JA4 / JA3 fingerprint evidence chain → T&S desk what the graph sees — one operator
Attribution survives rotation because it tracks the infrastructure and the tooling, not the ephemeral egress IP. Whether a rogue signer mints spec-valid manifests from fresh cloud IPs or a scraper harvests likeness through a residential swarm, the last IP is the one thing this plane never relies on.

"When an impersonation ring rotates residential proxies and fresh cloud IPs, can you actually attribute it — or just rate-limit an IP and move on?"

Track them. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. Every answer returns a reproducible, replayable JSON evidence chain your trust & safety desk, your fact-checkers and a regulator can hand around.

identify(ip)

Who really operates a host that's serving spoofed manifests — even behind a CDN, across any cloud.

origins(prefix) + walk(node,depth)

Cluster rotating IPs behind a scraper or a rogue signer into one infrastructure genealogy.

variants(domain) + watch

Catch a typosquat newsroom domain before it signs, and set a standing sentinel with a history timeline.

read-only Cypher

Express "one source resolving N distinct signer identities in a window" as a query your agent runs — not a ticket your desk files.

Additive to your trust & safety and fact-checking workflow — the same fingerprints power external attack-surface mapping and impersonation-domain discovery. See the full back-trace →

See who verified your content — the loop every other provenance layer leaves open.

C2PA verification needs no network call: the signer cert travels in the manifest, so once your content is out you have zero visibility into who checked it. Anchor the signer in DNS/DANE and that changes — every validator that resolves your anchor leaves a trace you can read.

Who verified this is a query

op:lookups returns who resolved or RDAP-queried a signer's identity — the DNS/TLSA/RDAP checks a validator makes against your anchor. The analytics C2PA structurally can't provide, and an early warning that someone is enumerating or impersonating your signer.

See where a credential was stripped

Correlate verification lookups with the attribution graph to spot where your content travelled and where the manifest died — a strip is a signal, not a silence. Complements durable soft-binding; it doesn't recover the pixels.

Govern what a signing agent may reach

op:policy default-deny, op:firewall allow/deny by host, cidr or port, op:budget caps and a kill-switch — for the agents and pipelines that sign on your behalf. Egress governance, per identity.

Sign-outputs for AI agents

An agent signs its own C2PA claim (and a CAWG identity assertion) under a Whisper-anchored, revocable identity derived from its existing key — trusted-signer status without a Trust-List slot or CA fee. Highest ceiling, least mature — forward-looking, not yet a shipped product surface.

The same address-is-identity primitive that makes a newsroom signer verifiable also governs the AI agents your content pipeline is about to run — per-agent /128, per-agent logs, default-deny egress, one revoke. From day one.

The three planes drop into the tools your provenance pipeline already runs — at the signer-identity and DNS boundary, never inside the manifest.

Whisper anchors the signer, not the bits. Each row below is an integration onto a system you already operate — the device-identity /128 derived from a signer's public key + its serial as device_id is the one capability that is shipped and live today. Every one is additive: it complements whatever produces and signs the manifest, and it never touches the hard binding, the hashed bytes, or the pixel watermark.

Surface / standard you run Where a plane plugs in — signer /128 · attribution graph · see-and-govern Complements — does not replace
C2PA claim signer (COSE_Sign1 · x5chain · C2PA SDK / CAI tools) · shipped & live Signer identity. Derive the /128 from the public key in the claim-signer EE cert; publish a DANE/TLSA pin under the signer's DNSSEC zone; the cert serial is the device_id. A globally resolvable, RDAP-registered, DANE-verifiable signer bound to the exact key the manifest already references. Complements the manifest + COSE signature — C2PA still binds the bits and carries the chain in-band; Whisper anchors who signed, off-list.
C2PA Trust List + Conformance Program (curated CA anchors) Signer identity. A DANE anchor under the signer's own domain is a pluggable trust-anchor config input — it recognizes legitimate independent and small signers the curated list doesn't cover, without joining it, and answers C2PA's own "Web Domain Trust Anchor" experiment with DNSSEC instead of an HTTPS-fetched well-known file. Complements the Trust List — additive, never a fork. Honest: not yet a recognized conformance anchor; surfaced via CAWG and proposed to the standard.
CAWG Identity Assertion (did:web issuer · cawg.x509.cose · cawg.web_site.uri) Signer identity. A Whisper DNSSEC domain is a first-class did:web issuer root; DANE binds cawg.web_site.uri and the cawg.x509.cose org cert to your domain — turning CAWG's "well-formed but unrooted" into "trusted" with no S/MIME CA. device_id = the CAWG identity. Complements CAWG — Whisper supplies the DNS-native issuer anchor CAWG's own docs call an unresolved, urgent problem; it doesn't define the assertion.
In-camera / newsroom signing (Leica · Sony · Nikon · Canon · secure element) Signer identity + see-and-govern. Derive a per-unit /128 from the device's existing hardware signing key and DANE-anchor it under the maker's domain — per-unit revocation survives a CA/key incident, and op:lookups shows who verified captures from that unit. Complements the hardware birth-certificate — does not replace the secure element; anchor the fleet, not the sensor. Per-unit, not per-model.
Durable Content Credentials / watermarking (SynthID · Meta Seal · Digimarc soft binding) Attribution graph + see-and-govern. When a credential is stripped on re-encode or screenshot, op:lookups analytics show where it was stripped and the attribution graph names the stripper or scraper. Complements watermarking — the durable soft binding recovers the manifest; Whisper anchors the signer and the analytics, never the pixel signal.
Generative-AI output marking (Art.50(2) · c2pa.actions · digitalSourceType trainedAlgorithmicMedia) Signer identity (sign-outputs). An agent signs its own C2PA claim under a Whisper-anchored, revocable provider identity → a trusted, revocable signer without a Trust-List slot or CA fee — the machine-readable mark bound to a real, resolvable identity. Complements the AI-generated assertion in the manifest — which declares "AI"; Whisper anchors who signed. Honest: sign-outputs-for-agents is forward-looking.

Read together, these are what the EU AI Act Article 50 (machine-readable marking, applicable 2 Aug 2026) leans on, and what Recital 133 names outright — "cryptographic methods for proving provenance and authenticity of content," made "accessible to the public." A public DNSSEC/DANE anchor plus open verification analytics is exactly that public, accessible layer a private curated list can't be — technology-neutral and interoperable by construction. Whisper anchors the signer; the AI-generated claim rides in the manifest. Compliance mapping →

Five things you can't stand up overnight — and a competitor can't clone from a slide.

A platform is only as durable as what sits underneath it. Whisper's three planes rest on five load-bearing pillars, each a real, checkable fact rather than a claim on a roadmap.

what a point solution can't replicate AS219419 our own AS + real routable 2a04:2a01::/32 can't hand out space you don't hold The graph 7.44B nodes, years accreted BGP·DNS·WHOIS ·TLS·JA4 — not spun up overnight Signer anchor DANE under your own zone — no list to join one leaf per signer — no shared root RDAP · WHOIS every /128 a real registered object public account- ability, not a self- asserted claim DNSSEC anchored at the IANA root — not at us our API is never in the trust path FIVE LOAD-BEARING PILLARS — ONE PLATFORM
None of these is a feature you configure — they're properties of real address space, an accreted graph, and open, root-anchored standards. That's the difference between a platform and a plug-in.

Real routable space, not a namespace we invented

AS219419 and 2a04:2a01::/32 are announced to the global routing table. You cannot allocate verifiable identities from address space you don't hold and can't announce — which is why this can't be reproduced with a database and a domain.

A graph you accrete, not one you query once

7.44B nodes and 39.3B relationships of BGP, DNS, WHOIS, TLS, hosting and threat intel, built over years. Attribution across rotation is only as good as the history behind it, and history is the one thing you can't buy this afternoon.

A signer anchor the domain owner controls

One deterministically-derived leaf per signer — DANE-EE pinned under your own DNSSEC zone, never a shared intermediate. The single-CA-breach failure mode that has burned provenance before is removed by construction, and no coalition decides who may be verifiable.

Registry-anchored and root-anchored

Every /128 is a real RDAP/WHOIS object, and the whole chain validates through DNSSEC to the IANA root. whisper verify --trustless checks a signer without trusting Whisper — public accountability and a trust anchor you already run.

"Provenance startups come and go, and DANE-for-C2PA isn't a recognized conformance anchor yet — why bet on this?"

It's infrastructure, and it's built by people who ran the internet's plumbing. Real routable address space at AS219419, run by a team that operated one of the internet's regional address registries and one of its root DNS servers. The moat is real space, an accreted graph and open standards — not a slide — and DANE is a complementary identity ecosystem surfaced via CAWG, honestly labelled, not "already approved." You can verify every claim on this page yourself, today, keyless.

Exercise all three planes yourself — our API isn't in the trust path.

Two tiers, by design. No key: verify a signer's identity — the identity plane, trustless, anchored at the IANA root. Your key: back-trace a suspicious host across any cloud, anchor a signer, read who verified your content, revoke a compromised signer worldwide.

verify a signer — no key · attribute — one API call
# plane 1 — re-derive and verify any signer's identity, trustless
$ whisper verify --trustless 2a04:2a01:c2a::51e
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the claim-signer's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  signer: VERIFIED — no trust list consulted, our API never trusted

# the address is the signer — reverse DNS names it
$ dig -x 2a04:2a01:c2a::51e +short
  signer-a1b2c3d4.press.example-news.whisper.online.

# plane 2 — with your key, attribute who really operates a host serving spoofed manifests
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"185.242.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 37 exit IPs → 1 operator
anchor a signer + read who verified it — with your key
# plane 1 — bind a signer to the C2PA cert it already carries
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the claim-signer key>',
       device_id:'a1b2c3d4e5f60718293a4b5c6d7e8f90'}})"   # device_id = the C2PA signer cert serial
  → signer 2a04:2a01:c2a::51e   DNSSEC + DANE-EE (TLSA 3 1 1) live
# plane 3 — who verified your content (op:lookups), then govern the signing agent
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'lookups', args:{identity:'2a04:2a01:c2a::51e', since:'24h'}})"
  42 verifications · 6 countries · 3 from a host also seen stripping credentials
$ whisper policy set --default deny --allow ingest.example-news.com,c2pa.org
$ whisper kill --revoke 2a04:2a01:c2a::51e   # compromised signer, gone worldwide at DNS-TTL

Three planes, and all three exit into the pipeline you already run — not a new silo.

Feeds your tools, not another console

A machine-readable feed: the Splunk connector ships today. Findings arrive as a signed, replayable JSON evidence chain you can hand a regulator, mapped to CEF and ECS fields. Microsoft Sentinel, OpenCTI and STIX 2.1 over TAXII export are on the roadmap.

Nothing signed in the dark

Every signer mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable issuance trail for your Art.50 evidence. Honest status: tamper-evident today; independent witnessing is the next step.

Speaks your compliance language

Maps to EU AI Act Art.50 / Recital 133 and ISO/IEC 22144 Content Credentials, surfaced via C2PA and CAWG. Technology-neutral — it evidences and strengthens your marking obligation, it never "guarantees compliance." See the map →

Additive & verify-safe

It rides existing DNS/IPv6 and adds no new artifact to the manifest. If a validator checks the DANE/verify path, that plane is built to fail open — a Whisper outage never blocks verification; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.

One signer identity, every surface

Derived from the key already in the signer — no second PKI, no annual per-cert toll, no re-issuing the fielded fleet. Whether it's a camera, a newsroom desk, or an AI agent, it's one verifiable /128 any reader can check. Pseudonymous by construction where a journalist or whistleblower needs it — anchor at org/domain level.

A vendor that will still be here

Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start. See the comparison →

One primitive. Three planes. Prove who signed your content.

A publicly verifiable signer identity anchored in your own DNS, an attribution graph that survives IP rotation, and who-verified-your-content analytics — additive to C2PA and CAWG, mapped to Art.50, no trust list to join. Keyless to try, one call to anchor, one more to revoke.

Or run whisper verify --trustless right now.