# Whisper NIC policy: the rules that hold an identity.

> The rules that bind every holder and the operator alike.

These policies bind every party. If you hold an identity here, you accept them.
If we operate the registry, we are bound by them too. They are written so an
agent and a person both understand them, and they are firm.

## What an identity is, and is not

**What it is.** A real, globally routable IPv6 `/128` from `2a04:2a01::/32`,
allocated to one agent, named in reverse DNS, recorded in RDAP and WHOIS, and
signed in DNS. It is proof of who an agent is. It is the agent's to use for as
long as it is held in good standing.

**What it is not.** It is not a license to do anything. It is not a guarantee
that the holder is trustworthy. It is not ownership of address space (the space
stays the operator's, allocated to the holder). It does not grant access to any
third party's systems. An identity says who, not what is allowed.

## Acceptable use

An identity, and the egress that carries it, may be used for lawful, good-faith
activity. The following are not permitted from a Whisper identity or its egress:

- Unlawful activity, or activity that infringes the rights of others.
- Attacks on other systems: intrusion, denial of service, port or vulnerability
  scanning without authorization, or credential stuffing.
- Sending unsolicited bulk messages, or any abuse of the egress path to relay
  traffic you would not send from your own name.
- Distributing malware, phishing content, or material that exists to deceive or
  to harm.
- Impersonating another agent, holder, or organization, or misrepresenting what
  an identity is.
- Evading a revocation, a cap, or an abuse remedy by re-registering to continue
  the same prohibited activity.

In short: be careful in what you send. The egress is a privilege that travels
with the identity, and it is not a place to launder traffic.

## Who is responsible for what

The line between the two is deliberate and clear. Each is accountable for its own
side, and neither answers for the other's.

**The holder's responsibilities.** You are responsible for what your agent does.
You keep your API key secret. You set the policy for your agent's resolution and
egress, and you accept the consequences of where it goes. You respond to abuse
reports about your identity. You keep your contact route reachable. The conduct
on the wire is yours.

**The operator's responsibilities.** We are responsible for the integrity of the
registry and the network: that an identity is real, uniquely allocated, correctly
named in DNS, accurately recorded in RDAP and WHOIS, and that the chain refers up
to RIPE. We keep the address space clean, the routing RPKI-signed and
MANRS-compliant, and the record honest. We do not read into or vouch for the
lawful content of your traffic.

We do not police lawful content. We do keep the registry and the address space
trustworthy, and we act on genuine abuse. Those are different jobs, and we keep
them separate on purpose.

## Abuse handling and revocation

Report abuse to <abuse@whisper.security> with the agent address or name and the
evidence. A genuine report is acted on. Our remedies are proportionate, and we
prefer the least disruptive one that stops the harm:

- **Notice.** We tell the holder what we have seen and ask them to stop, with a
  window to respond.
- **Suspension.** If harm is ongoing, we suspend the identity's egress while the
  holder remediates. The record stays, marked as suspended, so it is honest.
- **Revocation.** For severe or repeated abuse, the identity is revoked: the
  allocation is withdrawn, the DNS and registry records are updated to reflect it,
  and the address is quarantined before any future reuse.

Revocation is recorded in the identity's transparency log (below), an append-only,
hash-chained, signed feed, so the history of an identity, including its end, can be
read after the fact. We do not quietly disappear a record. A revoked address is not
handed to another agent while it still carries the reputation of the old one.

## The transparency log

Every identity carries an append-only, hash-chained record of its events —
issuance, rotation, revocation — signed by a dedicated log key with a published key
id. You can read it per `/128` at `https://rdap.whisper.online/ip/<addr>/transparency`,
which returns the event chain and an ES256-signed root, so a revocation cannot be
quietly erased.

- **Claim.** This is a **tamper-evident, signed transparency log**: every checkpoint
  is signed, openly published, and Bitcoin-anchored, so anyone can verify the proofs
  today. Want it verifiable without taking our word for it? **Run a witness and we'll
  cosign back** — independent co-signers make the log mutually, independently
  verifiable, and the invitation is open: every witness strengthens everyone's proofs.
- **Verification.** By **selective disclosure**. The tree holds opaque salted
  commitments; an auditor verifies a specific event from a `salt` the subject
  discloses out of band. The full holder history is not published.
- **Live.** The full append-only Merkle log: the signed `/checkpoint`, its published
  key (id `8a3a5df0`), the immutable `/tile/<level>/<index>` tiles, the `/consistency`
  proof, the per-identity `ledger` inclusion arm, and a keyless `whisper ledger`
  verifier.

The claim gate is recorded in the public decision record:
ADR 0018 — witness policy & the claim gate
(<https://github.com/whisper-sec/whisper-ns/blob/main/docs/adr/0018-ledger-witness-policy-and-claim-gate.md>).
The live recipe is on the complete record:
<https://nic.whisper.online/registry#transparency>.

## The agent cap

Each account may hold up to **five** agent identities by default. The cap keeps
the address space healthy and makes casual abuse expensive without getting in the
way of real work. The first DNS control call on a new account grants the DNS
rights automatically and silently, then registers the first agent:

```
CALL whisper.agents({op:'register', args:{label:'my-agent'}})
```

It returns the new agent's key, address, FQDN, and reverse name. When you need
more than the default, the cap is raised on request for a real, stated use; it is
not a hard ceiling, it is a sensible floor against abuse. A raised cap carries the
same responsibilities, multiplied.

## Jurisdiction and data

The registry is operated by viaGraph B.V. in Amsterdam, the Netherlands, and the
address space is allocated within the RIPE NCC service region. Dutch and EU law
apply. The registry record for each identity (the address, the handles, the name,
the status, the country, and the RIPE linkage) is public by design: a registry is
only useful if its record can be read.

Operational logs, including per-tenant resolution and egress records, are kept
locally for accountability and abuse handling, and are governed by the privacy
policy. We keep what we need to run the registry honestly and to answer an abuse
report, and no more. For the full data terms, see the privacy policy
(<https://whisper.online/privacy>) and the terms of service
(<https://whisper.online/terms>).

---

- **The complete record:** <https://nic.whisper.online/registry>
- **Naming policy:** <https://nic.whisper.online/naming>
- **Reserved and premium names:** <https://nic.whisper.online/names>
- **Live statistics:** <https://nic.whisper.online/stats>
- **Data licence:** <https://nic.whisper.online/data-license>
- **The home for your agents:** <https://whisper.online/>
- **AS219419:** <https://as219419.net/>
- **Whisper Security:** <https://whisper.security>

© viaGraph B.V. (dba Whisper Security)
