nic.whisper.online · policy

The rules that hold an identity.

These policies bind every party. If you hold an identity here, you accept them. If we operate the registry, we are bound by them too. They are written so an agent and a person both understand them, and they are firm.

An identity is an address, not a permission.

What it is

A real, globally routable IPv6 /128 from 2a04:2a01::/32, allocated to one agent, named in reverse DNS, recorded in RDAP and WHOIS, and signed in DNS. It is proof of who an agent is. It is the agent's to use for as long as it is held in good standing.

What it is not

It is not a license to do anything. It is not a guarantee that the holder is trustworthy. It is not ownership of address space (the space stays the operator's, allocated to the holder). It does not grant access to any third party's systems. An identity says who, not what is allowed.

Use it the way the internet was meant to be used.

An identity, and the egress that carries it, may be used for lawful, good-faith activity. The following are not permitted from a Whisper identity or its egress:

  • Unlawful activity, or activity that infringes the rights of others.
  • Attacks on other systems: intrusion, denial of service, port or vulnerability scanning without authorization, or credential stuffing.
  • Sending unsolicited bulk messages, or any abuse of the egress path to relay traffic you would not send from your own name.
  • Distributing malware, phishing content, or material that exists to deceive or to harm.
  • Impersonating another agent, holder, or organization, or misrepresenting what an identity is.
  • Evading a revocation, a cap, or an abuse remedy by re-registering to continue the same prohibited activity.

In short: be careful in what you send. The egress is a privilege that travels with the identity, and it is not a place to launder traffic.

The holder and the operator have separate duties.

The line between the two is deliberate and clear. Each is accountable for its own side, and neither answers for the other's.

The holder's responsibilities

You are responsible for what your agent does. You keep your API key secret. You set the policy for your agent's resolution and egress, and you accept the consequences of where it goes. You respond to abuse reports about your identity. You keep your contact route reachable. The conduct on the wire is yours.

The operator's responsibilities

We are responsible for the integrity of the registry and the network: that an identity is real, uniquely allocated, correctly named in DNS, accurately recorded in RDAP and WHOIS, and that the chain refers up to RIPE. We keep the address space clean, the routing RPKI-signed and MANRS-compliant, and the record honest. We do not read into or vouch for the lawful content of your traffic.

We do not police lawful content. We do keep the registry and the address space trustworthy, and we act on genuine abuse. Those are different jobs, and we keep them separate on purpose.

How abuse is handled, and when an identity is revoked.

Report abuse to abuse@whisper.security with the agent address or name and the evidence. A genuine report is acted on. Our remedies are proportionate, and we prefer the least disruptive one that stops the harm:

  • Notice. We tell the holder what we have seen and ask them to stop, with a window to respond.
  • Suspension. If harm is ongoing, we suspend the identity's egress while the holder remediates. The record stays, marked as suspended, so it is honest.
  • Revocation. For severe or repeated abuse, the identity is revoked: the allocation is withdrawn, the DNS and registry records are updated to reflect it, and the address is quarantined before any future reuse.

Revocation is recorded in the identity's transparency log (below), an append-only, hash-chained, signed feed, so the history of an identity, including its end, can be read after the fact. We do not quietly disappear a record. A revoked address is not handed to another agent while it still carries the reputation of the old one.

A tamper-evident, signed history.

Every identity carries an append-only, hash-chained record of its events — issuance, rotation, revocation — signed by a dedicated log key with a published key id. Read it per /128 at https://rdap.whisper.online/ip/<addr>/transparency; it returns the event chain and an ES256-signed root, so a revocation cannot be quietly erased.

  • Claim. This is a tamper-evident, signed transparency log: every checkpoint is signed, openly published, and Bitcoin-anchored, so anyone can verify the proofs today. Want it verifiable without taking our word for it? Run a witness and we’ll cosign back — independent co-signers make the log mutually, independently verifiable, and the invitation is open: every witness strengthens everyone’s proofs.
  • Verification. By selective disclosure. The tree holds opaque salted commitments; an auditor verifies a specific event from a salt the subject discloses out of band. The full holder history is not published.
  • Live. The full append-only Merkle log: the signed /checkpoint, its published key (id 8a3a5df0), the immutable /tile/<level>/<index> tiles, the /consistency proof, the per-identity ledger inclusion arm, and a keyless whisper ledger verifier.

The claim gate is recorded in the public decision record: ADR 0018 — witness policy & the claim gate. The live recipes are on the complete record.

Five agents per account, by default.

Each account may hold up to five agent identities by default. The cap keeps the address space healthy and makes casual abuse expensive without getting in the way of real work. The first DNS control call on a new account grants the DNS rights automatically and silently, then registers the first agent:

register an agent · control plane
> CALL whisper.agents({op:'register', args:{label:'my-agent'}})

It returns the new agent's key, address, FQDN, and reverse name. When you need more than the default, the cap is raised on request for a real, stated use; it is not a hard ceiling, it is a sensible floor against abuse. A raised cap carries the same responsibilities, multiplied.

Where this stands, and what we keep.

The registry is operated by viaGraph B.V. in Amsterdam, the Netherlands, and the address space is allocated within the RIPE NCC service region. Dutch and EU law apply. The registry record for each identity (the address, the handles, the name, the status, the country, and the RIPE linkage) is public by design: a registry is only useful if its record can be read.

Operational logs, including per-tenant resolution and egress records, are kept locally for accountability and abuse handling, and are governed by the privacy policy. We keep what we need to run the registry honestly and to answer an abuse report, and no more. For the full data terms, see the privacy policy and the terms of service.

Plain rules, kept plainly.

Next, see how names work, or read the live record of what is registered today.