# Whisper for Embedded: device identity on the wire for embedded systems. This is embed.whisper.online (embedded.whisper.online is a courtesy alias that redirects here). The marketing story here is told for embedded-systems makers, device platforms and product-security teams; the /docs library, the console, and the whole system behind it are identical to whisper.online. Read it in full: written so both an agent and a person can act on it. ## The problem it solves Embedded devices authenticate with what manufacturing could afford: a default password, a shared API key in firmware, a fleet-wide certificate, at best a per-device X.509 cert anchored in one vendor's cloud console. Every one is a copyable artifact: dump one unit's flash and you hold a genuine credential for the whole product line. The impostor passes auth (OWASP broken authentication / BOLA: the credential authenticates a claim, never the device), rotates egress across clouds and residential proxies so the last IP means nothing, and the per-device cloud identity is verifiable only inside that tenant, revoked via CRL/OCSP that verifiers soft-fail past, and mortal: when Google Cloud IoT Core retired (Aug 2023), console-anchored fleets had to re-home their identity. ## The cure: make it an identity problem Give every device a routable IPv6 /128 (from 2a04:2a01::/32, AS219419) DETERMINISTICALLY derived from the IEEE 802.1AR IDevID key already sealed in its secure element (ATECC608 / NXP SE050 / OPTIGA Trust M / on-chip OTP), with the device serial or EUI-64 as the domain separator. DNSSEC-anchored, DANE-EE pinned, RDAP-registered, verifiable trustlessly with `whisper verify --trustless`; the device proves control by signing with the key that never leaves the chip. This is the IETF DANCE client-auth model (a device's DNS name + DANE-TLSA as its TLS client credential) deployed on real address space, with the CGA (RFC 3972) lineage made routable, registered and revocable. One owner-thrown revoke retires an identity worldwide at DNS-TTL speed. Additive to 802.1AR, BRSKI (RFC 8995), Matter DAC, cloud DPS and the X.509 mTLS a device cloud already runs; complements them, never replaces. ## Honest capability tiers (never over-claimed) - 8-bit AVR (ATmega328 / Arduino Uno): NOT on-device (no TLS budget); the gateway holds the /128 and speaks for the nodes behind it. - ESP32 / ESP-IDF: yes; espressif's esp_dns component does DoH natively today. A packaged Whisper ESP-IDF component is roadmap. - Cortex-M4/M33 + RTOS (Zephyr / nRF Connect SDK / STM32Cube): yes; TLS costs ~20-60KB flash + 25-63KB handshake RAM; the DoH client is tiny (RFC 8484). A Whisper Zephyr module is roadmap. (Mbed OS is EOL July 2026; avoid.) - Embedded Linux (Pi / Yocto / OpenWrt / Zynq / PolarFire SoC): shipped today; whisper CLI + control plane + WireGuard /128 egress work as-is. ## Pages - / Home: the problem, the cure, and the two structural gaps - /device-identity-crisis The device-secret crisis, end to end, and the identity cure - /platform The three planes + the honest capability map + stack fit - /for-device-makers For product security: SOC + SIEM fit, EU CRA / 62443 / EN 303 645 / 802.1AR - /compare Honest comparison: cloud DPS, Matter, SPIFFE, secure elements - /pricing Flat, predictable per-device pricing - /docs The full technical documentation (identical to whisper.online/docs) ## Verify it yourself (keyless) whisper verify --trustless dig -x # forward-confirmed reverse DNS curl https://whisper.online/verify-identity/ ## Provision (with a Whisper API key) Control plane: POST https://graph.whisper.security/api/query CALL whisper.agents({op:'connect', args:{tier:'wireguard', identity_public_key:'', ...}}) Console: https://console.whisper.security ## The operator Operator: Whisper Security (viaGraph B.V.), Amsterdam, NL. Network: AS219419, IPv6-only, RPKI-signed, MANRS-compliant. AS219419 announces 2a04:2a01::/32.