You shouldn't have to join a trust list to be believed. Your content needs a signer anyone can verify.
Provenance tooling stacks up — a manifest here, a watermark there, a curated CA list you pay to join — and none of it answers the one question a reader actually has: can I trust who signed this, without asking a gatekeeper? Whisper isn't another trust list. It's one primitive — the address is the identity — expressed as three planes that plug into the C2PA pipeline you already run.
dig. That one primitive becomes three planes — a publicly verifiable signer identity, an attribution graph that names the operator across rotating egress, and see-and-govern — who verified your content — standing on real routable space at AS219419, anchored at the IANA root. Our API is never in the trust path.
whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.
Everything below derives from one line: the address is the identity.
A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with dig.
Most provenance tooling starts from a credential embedded in the file and asks a curated list whether to trust the signer. Whisper starts from the other end: it gives the signer an identity that is its address, cryptographically bound to the key already in its C2PA claim-signer certificate, and publicly verifiable without trusting any list. Point it at a claim signer, a newsroom, a camera, or an AI agent that signs its own outputs, and "who signed this?" stops being a question for a gatekeeper and becomes a fact anyone can check with dig. Three products fall out of that one primitive — not three integrations you wire together, three faces of the same address. And all three are additive to C2PA: the manifest stays yours, the signer simply becomes publicly verifiable.
One address, three jobs: who signed this, who's really behind that, and who's verifying it.
Signer identity answers who signed this, provably — without a list to join. The attribution graph answers who's really behind a rogue signer or scraper that rotates. See-and-govern answers who verified your content — the write-only loop C2PA leaves open — and lets you govern and revoke. Each plane is useful alone; together they fill the identity, revocation and analytics holes every content-credential deployment shares.
A signer anyone can verify in DNS — not a certificate you pay a coalition to bless.
This is the plane that closes C2PA's sharpest gap: a valid manifest proves the bits weren't changed, but whether to trust the signer has no universal public answer — it lives in a curated CA list you pay to join, with revocation that's optional and committee-paced. Anchor the signer in the one namespace everyone already trusts.
Point the primitive at signers. Derive each signer's /128 from the key already in its C2PA claim-signer X.509 certificate, with the signer cert serial (or the CAWG identity) as the domain separator. The private key never leaves the signer; the address is a one-way function of its public half and that serial. Then publish a TLSA record — a DANE-EE pin of that same key — under the signer's own DNSSEC-signed domain. Because C2PA does not mandate any particular PKI — trust lists and trust anchors are pluggable configuration inputs to the validator — that DANE record is a legitimate trust anchor, self-verifying by anyone, with no list to join, no coalition gatekeeper, and no annual per-cert toll — no "Let's Encrypt for provenance" to pay — for a stringer or an independent newsroom.
TLSA record on the signer's own domain, so a validator resolves trust in DNS — no central list, no CA phone-home — and one op:revoke pulls the signer worldwide at DNS-TTL. Honest status: DANE/DNSSEC is a complementary, pluggable identity source; it is not yet a formally recognized C2PA conformance anchor — surfaced via CAWG and proposed to the standard, never "already approved.""C2PA already signs the manifest and ships a Trust List. Why isn't that enough?"
Because the manifest proves the pixels, not the signer — and today the signer's trust rests on a curated CA list. An off-list signer displays "unknown source"; there is no free, automated path (no "Let's Encrypt for provenance") for an independent creator or small newsroom, and revocation is optional and cache-heavy. Whisper anchors the same signer's key under its own DNSSEC domain, so any verifier trusts it with no list, and revocation is a DNS op at TTL speed. The manifest stays yours — this is additive.
CAWG is already DNS-native — meet it there. CAWG's Identity Assertion binds a named creator or organization, and its issuer is a did:web — which resolves through DNS + HTTPS — while cawg.web_site.uri is a required domain the actor controls. So a Whisper DNSSEC-anchored domain is a first-class did:web issuer root: run your own identity-claims issuer that verifiers trust through DNS rather than a third-party aggregator, and DANE-bind cawg.web_site.uri and the cawg.x509.cose org cert to your domain — turning CAWG's own "well-formed but unrooted" verdict into "trusted" with no S/MIME CA. CAWG's docs flag signer trust lists as an unresolved, urgent problem; a public DNSSEC/DANE anchor is a clean open answer.
op:revoke distrusts that unit at DNS-TTL — per-unit, not per-model. One deterministically-derived leaf per signer, DANE-EE pinned, never a shared intermediate: compromise one key and you've compromised that signer, not the trust store.Attaches to what you already ship — the C2PA SDK and CAI tools, the claim-signer cert, CAWG, in-camera signing — as the publicly verifiable, DNSSEC/DANE-anchored layer on top. Anchor the signer, not the pixels. Standards mapping →
Name the operator behind a rogue signer — because it fingerprints infrastructure, not the exit IP.
When a stolen key mints spec-valid manifests, an impostor lifts your identity assertion onto new content, or a scraper harvests likeness across rotating clouds and residential proxies, the last IP tells you nothing. This plane names the operator, not the exit.
A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — pulls two levers, kept honestly separate. For cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy. For a residential-proxy swarm — where a subscriber IP gives an infra graph nothing to grab — a JA4/JA3 client fingerprint travels with the tooling regardless of the exit and collapses the swarm to one operator. The egress IP is the one thing this plane never relies on.
"When an impersonation ring rotates residential proxies and fresh cloud IPs, can you actually attribute it — or just rate-limit an IP and move on?"
Track them. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. Every answer returns a reproducible, replayable JSON evidence chain your trust & safety desk, your fact-checkers and a regulator can hand around.
identify(ip)
Who really operates a host that's serving spoofed manifests — even behind a CDN, across any cloud.
origins(prefix) + walk(node,depth)
Cluster rotating IPs behind a scraper or a rogue signer into one infrastructure genealogy.
variants(domain) + watch
Catch a typosquat newsroom domain before it signs, and set a standing sentinel with a history timeline.
read-only Cypher
Express "one source resolving N distinct signer identities in a window" as a query your agent runs — not a ticket your desk files.
Additive to your trust & safety and fact-checking workflow — the same fingerprints power external attack-surface mapping and impersonation-domain discovery. See the full back-trace →
See who verified your content — the loop every other provenance layer leaves open.
C2PA verification needs no network call: the signer cert travels in the manifest, so once your content is out you have zero visibility into who checked it. Anchor the signer in DNS/DANE and that changes — every validator that resolves your anchor leaves a trace you can read.
Who verified this is a query
op:lookups returns who resolved or RDAP-queried a signer's identity — the DNS/TLSA/RDAP checks a validator makes against your anchor. The analytics C2PA structurally can't provide, and an early warning that someone is enumerating or impersonating your signer.
See where a credential was stripped
Correlate verification lookups with the attribution graph to spot where your content travelled and where the manifest died — a strip is a signal, not a silence. Complements durable soft-binding; it doesn't recover the pixels.
Govern what a signing agent may reach
op:policy default-deny, op:firewall allow/deny by host, cidr or port, op:budget caps and a kill-switch — for the agents and pipelines that sign on your behalf. Egress governance, per identity.
Sign-outputs for AI agents
An agent signs its own C2PA claim (and a CAWG identity assertion) under a Whisper-anchored, revocable identity derived from its existing key — trusted-signer status without a Trust-List slot or CA fee. Highest ceiling, least mature — forward-looking, not yet a shipped product surface.
The same address-is-identity primitive that makes a newsroom signer verifiable also governs the AI agents your content pipeline is about to run — per-agent /128, per-agent logs, default-deny egress, one revoke. From day one.
The three planes drop into the tools your provenance pipeline already runs — at the signer-identity and DNS boundary, never inside the manifest.
Whisper anchors the signer, not the bits. Each row below is an integration onto a system you already operate — the device-identity /128 derived from a signer's public key + its serial as device_id is the one capability that is shipped and live today. Every one is additive: it complements whatever produces and signs the manifest, and it never touches the hard binding, the hashed bytes, or the pixel watermark.
| Surface / standard you run | Where a plane plugs in — signer /128 · attribution graph · see-and-govern | Complements — does not replace |
|---|---|---|
| C2PA claim signer (COSE_Sign1 · x5chain · C2PA SDK / CAI tools) · shipped & live | Signer identity. Derive the /128 from the public key in the claim-signer EE cert; publish a DANE/TLSA pin under the signer's DNSSEC zone; the cert serial is the device_id. A globally resolvable, RDAP-registered, DANE-verifiable signer bound to the exact key the manifest already references. |
Complements the manifest + COSE signature — C2PA still binds the bits and carries the chain in-band; Whisper anchors who signed, off-list. |
| C2PA Trust List + Conformance Program (curated CA anchors) | Signer identity. A DANE anchor under the signer's own domain is a pluggable trust-anchor config input — it recognizes legitimate independent and small signers the curated list doesn't cover, without joining it, and answers C2PA's own "Web Domain Trust Anchor" experiment with DNSSEC instead of an HTTPS-fetched well-known file. | Complements the Trust List — additive, never a fork. Honest: not yet a recognized conformance anchor; surfaced via CAWG and proposed to the standard. |
| CAWG Identity Assertion (did:web issuer · cawg.x509.cose · cawg.web_site.uri) | Signer identity. A Whisper DNSSEC domain is a first-class did:web issuer root; DANE binds cawg.web_site.uri and the cawg.x509.cose org cert to your domain — turning CAWG's "well-formed but unrooted" into "trusted" with no S/MIME CA. device_id = the CAWG identity. |
Complements CAWG — Whisper supplies the DNS-native issuer anchor CAWG's own docs call an unresolved, urgent problem; it doesn't define the assertion. |
| In-camera / newsroom signing (Leica · Sony · Nikon · Canon · secure element) | Signer identity + see-and-govern. Derive a per-unit /128 from the device's existing hardware signing key and DANE-anchor it under the maker's domain — per-unit revocation survives a CA/key incident, and op:lookups shows who verified captures from that unit. |
Complements the hardware birth-certificate — does not replace the secure element; anchor the fleet, not the sensor. Per-unit, not per-model. |
| Durable Content Credentials / watermarking (SynthID · Meta Seal · Digimarc soft binding) | Attribution graph + see-and-govern. When a credential is stripped on re-encode or screenshot, op:lookups analytics show where it was stripped and the attribution graph names the stripper or scraper. |
Complements watermarking — the durable soft binding recovers the manifest; Whisper anchors the signer and the analytics, never the pixel signal. |
| Generative-AI output marking (Art.50(2) · c2pa.actions · digitalSourceType trainedAlgorithmicMedia) | Signer identity (sign-outputs). An agent signs its own C2PA claim under a Whisper-anchored, revocable provider identity → a trusted, revocable signer without a Trust-List slot or CA fee — the machine-readable mark bound to a real, resolvable identity. | Complements the AI-generated assertion in the manifest — which declares "AI"; Whisper anchors who signed. Honest: sign-outputs-for-agents is forward-looking. |
Read together, these are what the EU AI Act Article 50 (machine-readable marking, applicable 2 Aug 2026) leans on, and what Recital 133 names outright — "cryptographic methods for proving provenance and authenticity of content," made "accessible to the public." A public DNSSEC/DANE anchor plus open verification analytics is exactly that public, accessible layer a private curated list can't be — technology-neutral and interoperable by construction. Whisper anchors the signer; the AI-generated claim rides in the manifest. Compliance mapping →
Five things you can't stand up overnight — and a competitor can't clone from a slide.
A platform is only as durable as what sits underneath it. Whisper's three planes rest on five load-bearing pillars, each a real, checkable fact rather than a claim on a roadmap.
Real routable space, not a namespace we invented
AS219419 and 2a04:2a01::/32 are announced to the global routing table. You cannot allocate verifiable identities from address space you don't hold and can't announce — which is why this can't be reproduced with a database and a domain.
A graph you accrete, not one you query once
7.44B nodes and 39.3B relationships of BGP, DNS, WHOIS, TLS, hosting and threat intel, built over years. Attribution across rotation is only as good as the history behind it, and history is the one thing you can't buy this afternoon.
A signer anchor the domain owner controls
One deterministically-derived leaf per signer — DANE-EE pinned under your own DNSSEC zone, never a shared intermediate. The single-CA-breach failure mode that has burned provenance before is removed by construction, and no coalition decides who may be verifiable.
Registry-anchored and root-anchored
Every /128 is a real RDAP/WHOIS object, and the whole chain validates through DNSSEC to the IANA root. whisper verify --trustless checks a signer without trusting Whisper — public accountability and a trust anchor you already run.
"Provenance startups come and go, and DANE-for-C2PA isn't a recognized conformance anchor yet — why bet on this?"
It's infrastructure, and it's built by people who ran the internet's plumbing. Real routable address space at AS219419, run by a team that operated one of the internet's regional address registries and one of its root DNS servers. The moat is real space, an accreted graph and open standards — not a slide — and DANE is a complementary identity ecosystem surfaced via CAWG, honestly labelled, not "already approved." You can verify every claim on this page yourself, today, keyless.
Exercise all three planes yourself — our API isn't in the trust path.
Two tiers, by design. No key: verify a signer's identity — the identity plane, trustless, anchored at the IANA root. Your key: back-trace a suspicious host across any cloud, anchor a signer, read who verified your content, revoke a compromised signer worldwide.
# plane 1 — re-derive and verify any signer's identity, trustless
$ whisper verify --trustless 2a04:2a01:c2a::51e
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA) leaf matches the claim-signer's key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
signer: VERIFIED — no trust list consulted, our API never trusted
# the address is the signer — reverse DNS names it
$ dig -x 2a04:2a01:c2a::51e +short
signer-a1b2c3d4.press.example-news.whisper.online.
# plane 2 — with your key, attribute who really operates a host serving spoofed manifests
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"185.242.x.x\")"}'
operator: <fingerprinted> · seen across AWS / GCP / Azure
residential swarm collapsed by JA4: same tooling, 37 exit IPs → 1 operator
# plane 1 — bind a signer to the C2PA cert it already carries
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
identity_public_key:'<base64 SPKI of the claim-signer key>',
device_id:'a1b2c3d4e5f60718293a4b5c6d7e8f90'}})" # device_id = the C2PA signer cert serial
→ signer 2a04:2a01:c2a::51e DNSSEC + DANE-EE (TLSA 3 1 1) live
# plane 3 — who verified your content (op:lookups), then govern the signing agent
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'lookups', args:{identity:'2a04:2a01:c2a::51e', since:'24h'}})"
42 verifications · 6 countries · 3 from a host also seen stripping credentials
$ whisper policy set --default deny --allow ingest.example-news.com,c2pa.org
$ whisper kill --revoke 2a04:2a01:c2a::51e # compromised signer, gone worldwide at DNS-TTL
Three planes, and all three exit into the pipeline you already run — not a new silo.
Feeds your tools, not another console
A machine-readable feed: the Splunk connector ships today. Findings arrive as a signed, replayable JSON evidence chain you can hand a regulator, mapped to CEF and ECS fields. Microsoft Sentinel, OpenCTI and STIX 2.1 over TAXII export are on the roadmap.
Nothing signed in the dark
Every signer mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable issuance trail for your Art.50 evidence. Honest status: tamper-evident today; independent witnessing is the next step.
Speaks your compliance language
Maps to EU AI Act Art.50 / Recital 133 and ISO/IEC 22144 Content Credentials, surfaced via C2PA and CAWG. Technology-neutral — it evidences and strengthens your marking obligation, it never "guarantees compliance." See the map →
Additive & verify-safe
It rides existing DNS/IPv6 and adds no new artifact to the manifest. If a validator checks the DANE/verify path, that plane is built to fail open — a Whisper outage never blocks verification; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.
One signer identity, every surface
Derived from the key already in the signer — no second PKI, no annual per-cert toll, no re-issuing the fielded fleet. Whether it's a camera, a newsroom desk, or an AI agent, it's one verifiable /128 any reader can check. Pseudonymous by construction where a journalist or whistleblower needs it — anchor at org/domain level.
A vendor that will still be here
Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start. See the comparison →
One primitive. Three planes. Prove who signed your content.
A publicly verifiable signer identity anchored in your own DNS, an attribution graph that survives IP rotation, and who-verified-your-content analytics — additive to C2PA and CAWG, mapped to Art.50, no trust list to join. Keyless to try, one call to anchor, one more to revoke.
Or run whisper verify --trustless right now.