[Cryptography] distributing fingerprints etc. via QR codes etc.

ianG iang at iang.org
Tue Sep 9 12:09:34 EDT 2014


On 9/09/2014 03:05 am, Tony Arcieri wrote:
> On Mon, Sep 8, 2014 at 1:27 PM, John Denker <jsd at av8n.com
> <mailto:jsd at av8n.com>> wrote:
> 
>     Let's talk about that.  Yes, it is possible to put contact
>     information and PGP information in QR codes on a business
>     card ... just not in the /same/ QR code AFAICT.  It ends up
>     being slightly non-obvious and slightly inelegant, but it
>     is doable.


It mostly depends on what you are trying to do.  If your worldview is to
distribute PGP keys from person to person, then this above might be
helpful.  But, questions abound...


> The main use case I'd like to see is sharing fingerprints (or keys)
> phone-to-phone. I recently went to a "keysigning party" (not expecting
> much) and left with a ton of paperwork to do, and I hate paperwork. 
> 
> I really wish I could just snag people's key (fingerprints) in QR code form.


Right, which takes us to 'why are you distributing keys?'  Or perhaps,
having done all this, 'what are you going to do with the info?'

Keysigning parties struggle to make meaning of the signature and of the
key.  What does it mean when I sign your key?  In some groups it means
"I saw this person" and in others it means "this person's ID matched
their key ID text fields."  Then in other more sophisticated groups it
means "this person is one of us and is reliable" and there is
documentation to back the semantics of that statement.  Then there is a
variant where the statement is meaningless but imposed, so it also means
whatever you think it means but you can't test it.

It turns out that this statement is far more key to the question of how
to distribute than the mere tech notions of QR codes or keysigning
parties.  E.g., in my work, I provide 'it' to groups of poor people
working to create investments in Africa.  They know each other in the
group and trust each other already by definition (at some level).

The statement then is something akin to 'we are part of the same group'
therefore we can share.

As there is a server involved (another big assumption/question) then
Alice uploads a packet from her Android (++assumption) containing
'everything' to the server, which is indexed with a short term tag
called an IntroCode: like 'ABCD' which is the first N bits of a hash
over the packet.

She speaks that to Bob, who types it into his phone.  The phone then
downloads the packet from server citing ABCD, and extracts out the
necessary key info from that packet, and returns a packet via some other
server channel (++assumption) to her newly-found friend.

My assumptions here are: small group, server, android, pre-trust.
Change any of those and my solution might change.



iang



ps; obviously I'd like to do QR and SMS as well, but it's all about
getting the minimum tech that does the maximum delivery in place...
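The IntroCode exchange sketched in the message above (upload, spoken tag, download, extract, reply), written out as an added example; this is not ianG's code and not from any project he describes. Assumptions made here: the tag is the first 20 bits of SHA-256 over the packet spelled in a 32-symbol alphabet (the post only says "like 'ABCD'" and "first N bits of a hash"), tags expire after ten minutes ("short term"), the server is an in-memory toy, and the "other server channel" for Bob's return packet is a reply mailbox on the same toy server. The one security-relevant check worth seeing in code is that Bob can re-hash what the server hands back and compare it to the code he heard, so a typo or a substituted packet is caught; with only 20 bits that is a lookup handle plus a weak integrity check, not authentication, which is why the post leans on pre-trust within the group and on the server being honest.

```python
import hashlib
import json
import secrets
import time

# Spoken-code alphabet: 32 symbols with 0/O and 1/I removed, 5 bits per character.
# Assumption: the post only says the tag looks "like 'ABCD'"; the encoding is ours.
INTRO_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_CHARS = 4
CODE_BITS = CODE_CHARS * 5          # 20 bits of the hash end up in the spoken code
TAG_LIFETIME = 600                  # seconds a tag stays live (assumption: "short term")


def intro_code(packet: bytes) -> str:
    """IntroCode = first CODE_BITS bits of SHA-256(packet), spelled in INTRO_ALPHABET."""
    prefix = int.from_bytes(hashlib.sha256(packet).digest(), "big") >> (256 - CODE_BITS)
    out = []
    for _ in range(CODE_CHARS):
        out.append(INTRO_ALPHABET[prefix & 0x1F])
        prefix >>= 5
    return "".join(reversed(out))        # most significant 5 bits first


def make_packet(name: str, fingerprint: str) -> bytes:
    """Alice's 'everything' packet (constructed). A random nonce means a re-upload gets a fresh code."""
    body = {"name": name, "fingerprint": fingerprint, "nonce": secrets.token_hex(8)}
    return json.dumps(body, sort_keys=True).encode()


class IntroServer:
    """Toy in-memory stand-in for the server the post assumes (constructed for this example)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._packets = {}   # code -> (packet, expires_at)
        self._replies = {}   # code -> reply packets addressed to the uploader

    def upload(self, packet: bytes) -> str:
        code = intro_code(packet)
        live = self._packets.get(code)
        if live and live[0] != packet and live[1] > self._clock():
            # Two different live packets share the same 20-bit prefix: refuse rather than
            # silently overwrite; the uploader simply re-uploads with a fresh nonce.
            raise ValueError("IntroCode collision with a live tag")
        self._packets[code] = (packet, self._clock() + TAG_LIFETIME)
        self._replies[code] = []
        return code

    def download(self, code: str):
        entry = self._packets.get(code)
        if entry is None or entry[1] <= self._clock():
            return None                  # unknown or expired tag
        return entry[0]

    def reply(self, code: str, packet: bytes) -> bool:
        if self.download(code) is None:
            return False
        self._replies[code].append(packet)
        return True

    def fetch_replies(self, code: str):
        return list(self._replies.get(code, []))


def bob_accepts(server: IntroServer, spoken: str, bob_packet: bytes) -> dict:
    """Bob's side: type in the code, download, check, extract key info, send his own packet back."""
    code = spoken.strip().upper()
    packet = server.download(code)
    if packet is None:
        raise LookupError("no live packet for that IntroCode")
    # The code Bob heard is a hash prefix, so he can check that the server returned the
    # packet Alice actually uploaded rather than something else filed under that tag.
    if intro_code(packet) != code:
        raise ValueError("packet does not match the spoken IntroCode")
    info = json.loads(packet)
    key_info = {"name": info["name"], "fingerprint": info["fingerprint"]}
    server.reply(code, bob_packet)       # return channel, modelled as a mailbox on the same server
    return key_info


if __name__ == "__main__":
    srv = IntroServer()
    alice_pkt = make_packet("Alice", "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567")
    code = srv.upload(alice_pkt)
    print("Alice says:", code)
    print("Bob extracted:", bob_accepts(srv, code.lower(), make_packet("Bob", "FEDC BA98 7654 3210")))
    print("Alice's replies:", len(srv.fetch_replies(code)))
```

Run it and Alice's four-character code is printed, Bob's lookup returns her name and fingerprint, and one reply packet sits in her mailbox. Feeding an expired or mistyped code to `bob_accepts` raises `LookupError`; if the stored packet were swapped for one whose hash prefix differs, the re-hash check raises `ValueError`.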
