# The platform: one primitive, three planes

> Your fleet doesn't need another cloud enrollment. It needs an identity it can
> prove. One primitive, the address is the identity, expressed as three planes:
> identity, an attribution graph that survives IP rotation, and per-device
> governance, standing on real routable space at AS219419, anchored at the IANA
> root. Our API is never in the trust path.

- **7.44B** nodes in the live attribution graph: BGP, DNS, WHOIS, TLS, hosting, threat intel
- **39.3B** fused relationships across that graph
- **<300ms** attribution answers, kept off the hot path
- **AS219419**: our own autonomous system, real routable space
- **2a04:2a01::/32**: every identity derives from here
- **1→3**: one primitive, three planes, zero new silos

---

## The one primitive

**The address is the identity.** A routable IPv6 **/128** out of
`2a04:2a01::/32` (announced by **AS219419**), deterministically derived from a
key, DNSSEC-anchored, **DANE-EE** pinned, RDAP/WHOIS-registered: re-derivable
and verifiable by anyone with `dig`. Point it at a gateway, a sensor hub, an
industrial controller, or an edge box running models, and "who is this?" stops
being an inference and becomes a fact anyone can check.

## The three planes

1. **Identity**: who is this, provably. The device /128, DNSSEC, DANE-EE, a per-identity CA. The device proves it by signing; no one copies it.
2. **Attribution graph**: who's really behind this. The operator fingerprint across rotating clouds and residential proxies: `identify` · `origins` · `walk` · `history` · `watch` · read-only Cypher.
3. **Device governance**: what may talk to what. Every gateway and edge agent on its own routable address: per-device /128, policy, logs, revoke, default-deny.

### Plane 1 · identity

Derive each device's /128 from the **802.1AR IDevID key** it already holds in
its secure element (ATECC608, SE050, OPTIGA Trust M) or on-chip OTP/PUF
storage, with the **device serial or EUI-64 as the domain separator**. The
private key never leaves the chip; the backend authorizes on the device's
*pinned identity*, and an extracted firmware image with no chip behind it
authenticates to nothing.

- **A per-identity CA, not a shared root.** One deterministically-derived, DANE-EE-pinned leaf per device. Compromise one device and you've compromised *that device*: the one-dump-forges-everything failure mode is structurally removed.
- **The DANCE client-auth model, deployed.** The IETF DANCE work (draft-ietf-dance-client-auth) turns a device's DNS name plus its DANE-TLSA record into the device's TLS *client* credential, designed for MQTT, CoAP and machine-to-machine surfaces. Whisper publishes exactly that for every identity. [The passwordless-device story →](/docs/device-secret-cure)
- **The lineage: CGA, completed.** RFC 3972 (2005) derived an address from a key and stopped there. Whisper adds the missing three: real announced space, an RDAP object per /128, and revocation at DNS-TTL speed.

### Plane 2 · attribution graph

A live internet-infrastructure graph, **7.44B** nodes and
**39.3B** relationships, answering in under 300 ms. Cloud
rotation collapses into one infrastructure genealogy (shared ASN, hosting,
certificate lineage); a residential-proxy swarm collapses on a `JA4/JA3`
client fingerprint that travels with the tooling regardless of the exit. Every
answer returns a reproducible, replayable evidence chain.

### Plane 3 · device governance

An OTA client fetches firmware, a telemetry daemon streams to three clouds, an
edge box calls LLM APIs with a paid key: agents, all of them. Every one
egresses from its own routable /128; every query and connection is logged
per-device (`op:logs`); a graph-first resolver enforces **default-deny** policy
per query; one `revoke` is the kill-switch.

---

## Runs on your silicon: the honest capability map

The verification half is deliberately light: any client with a TLS + HTTPS
stack can call the keyless verify endpoint today. A DoH client itself is tiny
(RFC 8484); the real cost is the TLS engine, roughly **20-60KB of flash** and
**25-63KB of peak RAM** during the handshake. That budget draws the honest
line:

| Device class | Typical parts | On-device Whisper? | The path, honestly labelled |
|---|---|---|---|
| 8-bit MCU | AVR / ATmega328 (Arduino Uno) | **No: no TLS budget** | **Gateway pattern.** The gateway holds the /128 and speaks for the nodes behind it. An ATmega328 does not speak DoH, and we won't pretend it does. |
| Wi-Fi SoC | ESP32 / ESP-IDF | Yes | ESP-IDF ships mbedTLS, and Espressif's own `esp_dns` component already does DoH natively. A packaged Whisper ESP-IDF component is **roadmap**. |
| Cortex-M4/M33 + RTOS | Zephyr · Nordic nRF Connect SDK · STM32Cube | Yes | The TLS budget fits; the DoH client on top is small. A Whisper Zephyr module (also covering nRF Connect) is **roadmap**. Caution: don't start a new design on Arm Mbed OS; its end of life is July 2026. |
| Embedded Linux | Raspberry Pi · Yocto · OpenWrt · Zynq · PolarFire SoC | **Yes, today** | **Shipped.** The `whisper` CLI and control plane run as-is: provision the /128, WireGuard egress from the device's own identity, default-deny policy, per-device logs. |

Two tiers everywhere, per Postel's Law: the **keyless verify surface**
(verify-identity, RDAP, DANE, reverse-DNS) is reachable from anything with TLS
today; the **control plane and routed /128 egress** unlock with your key, live
today on Linux-class devices and gateways, with the MCU-native SDKs shipping as
labelled roadmap items. [The full integration matrix →](/docs/embedded-integrations)

---

## Fits the stack you already run

| Surface you run | Where a plane plugs in | Complements, does not replace |
|---|---|---|
| Secure element / TPM (ATECC608, SE050, OPTIGA, OTP) · **shipped & live** | **Identity.** Derives the routable /128 from the non-exportable IDevID key; publishes a DANE-verifiable, RDAP-registered name bound to it. | The hardware root of trust: it makes an un-routable key resolvable and verifiable. |
| Azure IoT Hub + DPS | **Identity + attribution.** Devices keep enrolling exactly as they do; each also carries a /128 verifiable *outside* the tenant. | DPS enrollment and the hub's X.509 auth. |
| AWS IoT Core (fleet provisioning, JITP/JITR) | **Identity + attribution.** The AWS cert authorizes into AWS; the /128 is the out-of-tenancy identity a third party checks with `dig`. | Fleet provisioning; Whisper never touches the AWS policy or shadow model. |
| Matter (DAC + the CSA DCL) | **Identity.** The DAC proves provenance at commissioning, inside the fabric; the /128 is the same device's operational, internet-facing identity for its whole service life. | DAC/DCL attestation; Whisper issues no Matter credentials. |
| MQTT brokers & device APIs | **Identity + governance.** The DANCE pattern: the broker checks the client's DANE-TLSA pin instead of a password list. The MQTT-DANCE recipe is roadmap; the TLSA records it checks are published today. | The broker's own auth. |
| LPWAN / gateway concentrators | **Identity + egress governance.** One provable /128 per gateway with default-deny egress. | LoRaWAN's OTAA keys; Whisper anchors the gateway↔cloud boundary above them. |

---

## The moat: five load-bearing pillars

1. **AS219419**: our own AS and real routable `2a04:2a01::/32`. You can't hand out space you don't hold.
2. **The graph**: **7.44B** nodes accreted over years. History is the one thing you can't buy this afternoon.
3. **A per-identity CA**: one leaf per device, no shared root; blast radius is one.
4. **RDAP · WHOIS**: every /128 a real registered object; public accountability.
5. **DNSSEC**: anchored at the IANA root, not at us. `whisper verify --trustless` checks an identity without trusting Whisper.

> **"IoT platforms get retired and strand their fleets. Will this still verify in fifteen years?"**
> The identity's anchors are public DNS, DNSSEC at the IANA root, and registered
> address space: internet infrastructure, not a product console, run by people
> who operated the internet's regional address registry and one of its root DNS
> servers. Verify every claim yourself, today, without an account.

---

## Prove it in 60 seconds · no account

```sh
# plane 1: re-derive and verify any device's identity, trustless
$ whisper verify --trustless 2a04:2a01:1c0::e51d
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED, and our own API was never trusted

# plane 2: with your key, attribute who really operates a host
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
```

```sh
# plane 1 + 3: provision and govern, with your key
$ export WHISPER_API_KEY=whisper_live_xxx
# --serial/--from-secure-element are on the roadmap; today provisioning is the live control-plane call (see docs)
$ whisper register --serial 04D0C85F3A1B --from-secure-element
  → identity 2a04:2a01:1c0::e51d   DNSSEC + DANE live
$ whisper policy set --default deny --allow ota.example-maker.com,telemetry.example-maker.com
$ whisper logs --identity 2a04:2a01:1c0::e51d --tail
$ whisper revoke 2a04:2a01:1c0::e51d
```

Bring your devices home → <https://console.whisper.security/sign-up> · [Docs](/docs) · [Compare →](/compare)

---

*Whisper for Embedded · Identity on the wire for every device · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
