One call. One true answer.
Here's how we keep it that simple.
$ curl -s https://rdap.whisper.online/verify-identity/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 | jq '{is_whisper_agent,dane_ok,jws_ok}'
{
"is_whisper_agent": true,
"dane_ok": true,
"jws_ok": true
}
That is the whole identity check, keyless, from any terminal. dane_ok: true is the part that matters: the agent's key is pinned in DNSSEC-signed DNS, so the answer is already on the wire. Nothing to call. No certificate authority to trust but the record itself. Nothing on your critical path that can go down, because the proof lives in the DNS, not in us.
No terminal? run it in your browser for the same keyless verdict, as JSON.
We hold this ground ourselves, and we tend it.
/128 answers all three.Eight windows anyone can look through. No trust in us. None.
Built on the internet's own standards: reverse DNS, forward DNS, DANE/TLSA, RDAP, WHOIS, a single keyless full-chain check, the friendly name that resolves to the same agent — and a public transparency ledger that wrote it all down. Each one a stock tool a careful engineer already trusts. The DANE record is DNSSEC-signed; the ad flag comes back on 1.1.1.1 and 8.8.8.8 alike.
This is the agent's key, written into signed DNS itself, so no certificate authority sits between you and the proof:
$ dig +short TLSA _443._tcp.ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
3 1 1 9EC1EF18A1F15E5480A0FC3C8D6E9690B2CCF1A7FA7146201940F28C 422BB47D
dig wraps the long digest, so the final group prints on its own; it is one value. check it on a resolver you already trust.
And the friendly name you call it by resolves to that same agent, in signed DNS, so even the name on the door checks out:
$ dig +short CNAME scout.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
check it on a resolver you already trust.
The eighth window is the ledger itself. Every identity we mint is written into a public transparency log in the RFC 6962 lineage — Merkle tiles you can fetch, an Ed25519-signed checkpoint, anchored to Bitcoin via OpenTimestamps. One curl reads the signed head of the log:
$ curl -s https://whisper.online/checkpoint
whisper.online/ledger
64
B66DTSD3Eq5OYm29c8oVMuDuVjbTgsokKEk4sdyRiKU=
— whisper.online/ledger ijpd8I14cmGnMp9HajPjCRadLGL8Bs+E8weqY/EiPQd3lvnxC7hT6eMyGVJFImQfCIPc1O6jyDid9cEjABz1II+7aw4=
Origin, tree size, root hash, signature — captured live; the tree only grows. The signing key is not taken on faith either: it is published in DNSSEC-signed DNS at _whisper-ledger.whisper.online, so even the log's own key chains to the IANA root.
And one command walks all eight windows at once, anchored at the IANA DNSSEC root — with the Whisper API explicitly not trusted:
$ whisper verify --trustless 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478
CHECK RESULT TRUST DETAIL
dnssec pass DNSSEC-root AAAA, PTR and TLSA(3 1 1) all DNSSEC-validated to the IANA root; address <-> fqdn consistent
dane pass DNSSEC-root served leaf SPKI-SHA256 == TLSA pin; DNS-SAN=ae3b051ff3bf7f478...agents.whisper.online, IP-SAN=2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478; issuer "Whisper Agent Identity Issuing CA"
transparency pass DNSSEC-root root signature verified; 1 event(s), root_hash bound; 1 ledger leaf/leaves included (RFC-6962)
identity_doc pass DNSSEC-root JWS verified against the DNSSEC-anchored key; address/fqdn/tlsa claims match the DNSSEC-validated facts
whisper: ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online is CRYPTOGRAPHICALLY PROVEN — trust anchor: DNSSEC root (IANA anchor) + DANE-EE + DNSSEC-anchored transparency/ledger keys -- Whisper API NOT trusted
The CLI is open source, MIT, at github.com/whisper-sec/whisper-cli — read exactly what it checks, then run it. The full verbatim run, with every field, is on the connect page.
Don't trust us — check the log.
Identity claims are committed to a tamper-evident log so a record cannot be changed after the fact without detection. A Merkle transparency log in the RFC 6962 lineage, served as C2SP tlog-tiles with signed-note checkpoints; periodic anchoring via OpenTimestamps to Bitcoin, so checkpoints carry an independent timestamp no one — including us — can backdate. Entries are opaque, salted commitments, so a record can be crypto-shredded: privacy and tamper-evidence at the same time.
The ledger's signing key, like the identity key, is published DKIM-style in DNSSEC-signed DNS — so the log verifies from the same root the DNS does:
$ dig _whisper-ledger.whisper.online TXT +dnssec @1.1.1.1
;; flags: qr rd ra ad
_whisper-ledger.whisper.online. 300 IN TXT "v=whisper1; k=ed25519; n=whisper.online/ledger; p=MCowBQYDK2VwAyEApyTBKL3bSJO7kBbdw4FqJsjREW23jNP07HybKByIabg="
One honest word on where this stands: the log is tamper-evident and signed today; independent witnesses are being recruited. The checkpoint format is the open C2SP standard any witness can co-sign, and we co-sign back — anyone who runs a witness makes the log mutually, independently verifiable. Until then, the Bitcoin anchor is the independent clock.
The full wiring — tiles, consistency proofs, the signed revocation status-list, crypto-shredding and Art. 17 — is on under the hood. What it buys a security team — audit-grade transparency, a kill-switch whose effect is publicly provable — is on trust; why we build at this layer at all is on why.
Three ways to give your agents a home, from moving into ours to building on your own land.
A home can be one you move into, one you put your own name on, or one you build on your own land. All three are real, all three run on the same signed ground.
Move in.
Your agents live under our roof, at agents.whisper.online, on our network and in our registry. We hold the name and we hold the ground, both ours to keep safe, on 2a04:2a01::/32 over AS219419. You operate nothing. The fastest way home.
Your name on the door, our land underneath.
Bring your own domain, and your agents mount under it, DNSSEC-signed, so a name like scout.acme.com is theirs. The network and the registry that vouch for them stay ours to keep. Your name out front, our ground holding it up.
Your own land.
The whole home runs on your network, under your name, on your ground, end to end. We build it with you and keep it tended, the same way we tend our own home.
Whichever you pick, it is the same home, and your agents will not know the difference. They just know they are home.
The people who built it have done this before.
Built by a team that has spent years keeping core internet infrastructure running, and we are building this one the same way, to last. The proof is on the wire, not on a page: every agent record links straight up to RIPE's own record for 2a04:2a01::/32, on AS219419, ground we hold and sign ourselves. The rules that bind it, and the live public record, are open on our own registry, nic.whisper.online.
The engine underneath is ours, written here, not BIND, not a rented SaaS. We did that on purpose: a home you own outright is a home no one else can quietly change the locks on. The same care runs through how an agent is kept safe on the way out. Before it connects, it asks the live graph who really runs a host, from inside its own address. That check is built into the home, not bolted on. Want it named down to the RFC? See what one line sets in motion →
Meet the people behind it over at whisper.security.
Operator. Whisper Security (viaGraph B.V.), Amsterdam · AS219419.
On ground we hold ourselves.
One autonomous system, AS219419, IPv6-only, RPKI-signed, MANRS. One address range, 2a04:2a01::/32, every agent's /128 carved from space we hold. One DNS, whisper.online, DNSSEC-signed end to end. We hold this ground ourselves, and we tend it, so the home stays the home you moved into.