# Platform: how the nest is built. Whisper.

> One call, one true answer, and how we keep it that simple.

## One call. One true answer.

```sh
$ curl -s https://rdap.whisper.online/verify-identity/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 | jq '{is_whisper_agent,dane_ok,jws_ok}'
{
  "is_whisper_agent": true,
  "dane_ok": true,
  "jws_ok": true
}
```

That is the whole identity check, keyless, from any terminal. `dane_ok: true` is
the part that matters: the agent's key is pinned in DNSSEC-signed DNS, so the
answer is already on the wire. Nothing to call. No certificate authority to trust
but the record itself. Nothing on your critical path that can go down, because
the proof lives in the DNS, not in us. No terminal? Run it in your browser:
<https://rdap.whisper.online/verify-identity?ip=2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478>.

We hold this ground ourselves, and we tend it.

```
              +----------------------------+
              |  IDENTITY — who is it?     |
              |  DNS · RDAP · RIPE · DANE  |
              +-------------+--------------+
                            |
                        (  /128  )
                       one address
                2a04:2a01::/32 · AS219419
                     /             \
  +--------------------+       +--------------------+
  | CONTROL            |       | COGNITION          |
  | where can it go?   |       | is it safe?        |
  | resolver · egress  |       | one keyless call   |
  | firewall · graph   |       | evidence chain     |
  +--------------------+       +--------------------+
```

One address is the identity, the point of control, and the thing anyone
can ask about — the same `/128` answers all three.

## Eight windows anyone can look through. No trust in us. None.

Built on the internet's own standards: reverse DNS, forward DNS, DANE/TLSA, RDAP,
WHOIS, a single keyless full-chain check, the friendly name that resolves to the
same agent — and a public transparency ledger that wrote it all down. Each one a
stock tool a careful engineer already trusts. The DANE record is DNSSEC-signed;
the `ad` flag comes back on 1.1.1.1 and 8.8.8.8 alike.

This is the agent's key, written into signed DNS itself, so no certificate
authority sits between you and the proof:

```sh
$ dig +short TLSA _443._tcp.ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
3 1 1 9EC1EF18A1F15E5480A0FC3C8D6E9690B2CCF1A7FA7146201940F28C 422BB47D
```

dig wraps the long digest, so the final group prints on its own; it is one value.
Check it on a resolver you already trust:
<https://dns.google/resolve?name=_443._tcp.ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online&type=TLSA>.

And the friendly name you call it by resolves to that same agent, in signed DNS,
so even the name on the door checks out:

```sh
$ dig +short CNAME scout.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
```

Check it on a resolver you already trust:
<https://dns.google/resolve?name=scout.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online&type=CNAME>.

The eighth window is the ledger itself. Every identity we mint is written into a
public transparency log in the RFC 6962 lineage — Merkle tiles you can fetch, an
Ed25519-signed checkpoint, anchored to Bitcoin via OpenTimestamps. One `curl`
reads the signed head of the log:

```sh
$ curl -s https://whisper.online/checkpoint
whisper.online/ledger
64
B66DTSD3Eq5OYm29c8oVMuDuVjbTgsokKEk4sdyRiKU=

— whisper.online/ledger ijpd8I14cmGnMp9HajPjCRadLGL8Bs+E8weqY/EiPQd3lvnxC7hT6eMyGVJFImQfCIPc1O6jyDid9cEjABz1II+7aw4=
```

Origin, tree size, root hash, signature — captured live; the tree only grows. The
signing key is not taken on faith either: it is published in DNSSEC-signed DNS at
`_whisper-ledger.whisper.online`, so even the log's own key chains to the IANA root.

And one command walks all eight windows at once, anchored at the IANA DNSSEC
root — with the Whisper API explicitly *not* trusted:

```sh
$ whisper verify --trustless 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478
CHECK         RESULT  TRUST        DETAIL
dnssec        pass    DNSSEC-root  AAAA, PTR and TLSA(3 1 1) all DNSSEC-validated to the IANA root; address <-> fqdn consistent
dane          pass    DNSSEC-root  served leaf SPKI-SHA256 == TLSA pin; DNS-SAN=ae3b051ff3bf7f478...agents.whisper.online, IP-SAN=2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478; issuer "Whisper Agent Identity Issuing CA"
transparency  pass    DNSSEC-root  root signature verified; 1 event(s), root_hash bound; 1 ledger leaf/leaves included (RFC-6962)
identity_doc  pass    DNSSEC-root  JWS verified against the DNSSEC-anchored key; address/fqdn/tlsa claims match the DNSSEC-validated facts

whisper: ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online is CRYPTOGRAPHICALLY PROVEN — trust anchor: DNSSEC root (IANA anchor) + DANE-EE + DNSSEC-anchored transparency/ledger keys -- Whisper API NOT trusted
```

The CLI is open source, MIT, at <https://github.com/whisper-sec/whisper-cli> —
read exactly what it checks, then run it. The full verbatim run, with every
field, is on [/connect](/connect).

## Don't trust us — check the log

Identity claims are committed to a tamper-evident log so a record cannot be
changed after the fact without detection. A Merkle transparency log in the
RFC 6962 lineage, served as C2SP tlog-tiles with signed-note checkpoints;
periodic anchoring via OpenTimestamps to Bitcoin, so checkpoints carry an
independent timestamp no one — including us — can backdate. Entries are opaque,
salted commitments, so a record can be crypto-shredded: privacy and
tamper-evidence at the same time.

The ledger's signing key, like the identity key, is published DKIM-style in
DNSSEC-signed DNS — so the log verifies from the same root the DNS does:

```sh
$ dig _whisper-ledger.whisper.online TXT +dnssec @1.1.1.1
;; flags: qr rd ra ad
_whisper-ledger.whisper.online. 300 IN TXT "v=whisper1; k=ed25519; n=whisper.online/ledger; p=MCowBQYDK2VwAyEApyTBKL3bSJO7kBbdw4FqJsjREW23jNP07HybKByIabg="
```

One honest word on where this stands: the log is **tamper-evident and signed
today; independent witnesses are being recruited**. The checkpoint format is the
open C2SP standard any witness can co-sign, and we co-sign back — anyone who runs
a witness makes the log mutually, independently verifiable. Until then, the
Bitcoin anchor is the independent clock.

The full wiring — tiles, consistency proofs, the signed revocation status-list,
crypto-shredding and Art. 17 — is on [/under-the-hood](/under-the-hood). What it
buys a security team — audit-grade transparency, a kill-switch whose effect is
publicly provable — is on [/trust](/trust); why we build at this layer at all is
on [/why](/why).

## Three ways home

A home can be one you move into, one you put your own name on, or one you build
on your own land. All three run on the same signed ground; you choose how much
of it is yours.

- Move in: your agents live under our roof at agents.whisper.online, on our
  network (2a04:2a01::/32 over AS219419) and in our registry. You operate nothing.
- Your name on the door, our land underneath: bring your own domain and your
  agents mount under it, DNSSEC-signed, so a name like scout.acme.com is theirs;
  the network and registry that vouch for them stay ours.
- Your own land: the whole home runs on your network, under your name, end to
  end; we build it with you and keep it tended.

## The people who built it have done this before

Built by a team that has spent years keeping core internet infrastructure
running, and we are building this one the same way, to last. The proof is on the
wire, not on a page: every agent record links straight up to RIPE's own record
for `2a04:2a01::/32`, on [AS219419](https://as219419.net/), ground we hold and
sign ourselves.

The engine underneath is ours, written here, not BIND, not a rented SaaS. We did
that on purpose: a home you own outright is a home no one else can quietly change
the locks on. The same care runs through how an agent is kept safe on the way
out. Before it connects, it asks the live graph who really runs a host, from
inside its own address. That check is built into the home, not bolted on.

Meet the people behind it over at
[whisper.security](https://www.whisper.security/about-us).

**Operator.** Whisper Security (viaGraph B.V.), Amsterdam ·
[AS219419](https://as219419.net/).

## On ground we hold ourselves

One autonomous system, **AS219419**, IPv6-only, RPKI-signed, MANRS. One address
range, `2a04:2a01::/32`, every agent's `/128` carved from space we hold. One DNS,
whisper.online, DNSSEC-signed end to end. We hold this ground ourselves, and we
tend it, so the home stays the home you moved into.

---

- **Bring your agent home:** <https://console.whisper.security/sign-up>
- **Go meet the resident:** <https://agents.whisper.online/>
- **Moving in:** [/connect](/connect)

© viaGraph B.V. (dba Whisper Security)
