Whisper · Docs
Concepts

How it works

Whisper runs the whole trust chain — DNS, certificate authority, registry, egress, and the IP space itself — on one autonomous system it owns.

Most "agent identity" is a dashboard bolted onto someone else's infrastructure. That makes an agent only as trustworthy as the weakest vendor in a chain you can't see, and it disappears the day one of them changes terms, gets acquired, or goes down. This page is the alternative, layer by layer: what each one is, the RFC it implements, and how to check it yourself.

Three layers, one address

An agent's /128 — one IPv6 address, 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4 — is the credential. Everything else is a proof about that address.

Layer What it is Deep dive
Identity The /128, a forward name (acef2002a323d40d4.<tenant>.agents.whisper.online), a PTR back to it, a DANE-pinned certificate, and a signed ledger entry. Seven proofs, all DNSSEC-anchored, none needing an SDK to check. Identity, Verify
Control A per-agent resolver, egress path, and firewall, evaluated fresh at connection time against policy you set. Control plane, Connect
Cognition Before it acts, an agent can ask the graph "is this safe?" — identify / assess / explain over billions of fused BGP, DNS, WHOIS, TLS, hosting, and threat-intel records — and get an answer with its evidence. Graph & cognition

The rest of this page is what makes those layers real: the network underneath them, and the six systems we run ourselves instead of renting.

The network: AS219419

Every proof terminates in one place — our own autonomous system.

We hold the space, so we are the authority for it. Nobody has to take our word for what an address is — the routing system and the registries answer directly.

With stock tools — trace the announcement and the RIR delegation with whois and a route collector:

whois -h whois.radb.net 2a04:2a01::/32          # route object, origin AS219419
whois -h riswhois.ripe.net 2a04:2a01:eb5a::/48  # BGP origin, seen-by peer count
curl -sG https://stat.ripe.net/data/rpki-validation/data.json \
  --data-urlencode 'resource=219419' \
  --data-urlencode 'prefix=2a04:2a01::/32' | jq -r .data.status
# "valid"

With Whisper — the same chain, one verdict:

whisper verify 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4
# ✓ RPKI ROA valid (AS219419)  ✓ in-region delegation (RIPE)  ✓ reverse DNS matches forward

What we run ourselves

Nothing on this list is a SaaS we call at serve time. Each is a system we operate, and each has a public, standards-based way to check it.

1. Authoritative DNS + resolver

Forward zones under agents.whisper.online and reverse zones under ip6.arpa are DNSSEC-signed with ECDSA P-256 (algorithm 13, RFC 6605) and NSEC3 (RFC 5155) for authenticated denial. Changes propagate by ordinary zone transfer — AXFR (RFC 5936), IXFR (RFC 1995) — not a proprietary sync.

kdig +dnssec acef2002a323d40d4.demo.agents.whisper.online AAAA
# AAAA 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4 + RRSIG, ad flag set
kdig -x 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4 +dnssec   # PTR, also signed
delv @1.1.1.1 acef2002a323d40d4.demo.agents.whisper.online AAAA   # independent validator

2. RDAP and WHOIS — the registry

Every /128 gets a per-address RDAP record over HTTPS and a WHOIS record on port 43 — the same registry pattern any RIR runs, scoped to the space we hold, chaining up to RIPE.

curl -s https://rdap.whisper.online/ip/2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4   # RFC 9083
whois -h whois.whisper.online 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4            # RFC 3912

Ownership history and the delegation chain: RDAP.

3. A per-agent CA, DANE-pinned

Every agent gets its own TLS key and leaf certificate, and the pin is a TLSA record (RFC 6698) under its own name. Trust then rests on DNSSEC — which you already validate — not on the public CA ecosystem being uncompromised that day.

kdig +dnssec _443._tcp.acef2002a323d40d4.demo.agents.whisper.online TLSA
# TLSA 3 1 1 b653a4ef…fcb82d1d
openssl x509 -in agent.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum
# compare this hash against the TLSA record by hand

Key derivation, rotation, and revocation: Per-agent CA and DANE & TLSA.

4. Egress and a per-agent firewall

Outbound traffic sources from the agent's own /128 — over WireGuard, or a SOCKS5/HTTP-CONNECT proxy bound with AnyIP — so what leaves the network is the identity, never a shared exit IP. Policy (category, geography, ownership, routing posture) is enforced per agent against the live graph at connect time, not a static allow-list. Full flow: Connect & egress.

5. A transparency log

Every issuance and revocation is a leaf in an append-only Merkle tree, in the style of Certificate Transparency (RFC 6962). Signed checkpoints are anchored to Bitcoin via OpenTimestamps — an independent, permissionless proof the log existed at a point in time we cannot move.

# verify the Merkle inclusion proof yourself — no key required
import hashlib, requests
leaf = requests.get("https://rdap.whisper.online/ip/2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4/transparency").json()
h = bytes.fromhex(leaf["leaf_hash"])
for sibling in leaf["proof"]:
    pair = h + bytes.fromhex(sibling) if leaf["order"] else bytes.fromhex(sibling) + h
    h = hashlib.sha256(b"\x01" + pair).digest()
assert h.hex() == leaf["checkpoint_root"]

Why tampering can't hide: Transparency log.

6. The graph

Under identify / assess / explain sits a graph fusing routing, DNS, WHOIS, TLS, hosting, and threat-intel history into one queryable structure, answering at resolver speed. It turns "here is an address" into "here is whether you should talk to it." See Graph & cognition.

Why it's all checkable

Each system above is verifiable with generic tools — dig, whois, openssl, curl, a hand-rolled Merkle check — precisely because none of them is a black box you trust on our say-so. The whisper CLI and the whisper.agents verb make the common case one command; they wrap the standards, never replace them.

Every page here resolves end to end on our own ns1/ns2 and validates AD=yes on 1.1.1.1 and 8.8.8.8. Whether you use our resolver, delegate a zone to it, or self-host the stack, you run the same standards — not a wrapper around ours.

Next