32

I'm going to print some business cards, and along with my email address I was thinking of putting my PGP ID on it as well.

After doing some research I found that using the short ID is not a good idea.

What is the best way of doing this - or should I forget about it?

SPRBRN
  • https://duckduckgo.com/?q=link+shorteners –  Oct 12 '14 at 19:44
  • 1
    Other than the slight possibility of a collision, why is the short ID a bad idea? – user3244085 Oct 12 '14 at 20:14
  • You could skip business cards entirely and use a **[NFC ring](http://nfcring.com/)** – LateralFractal Oct 13 '14 at 07:34
  • 2
    Check out http://keybase.io – kmoe Oct 13 '14 at 11:29
  • @LateralFractal - Really cool, that NFC ring. My phone has NFC. But I don't see that as a solution right now. I know keybase.io and it has the advantage of simple urls, but I don't trust them with my private keys. – SPRBRN Oct 13 '14 at 13:01
  • 4
    related: ["Is there a standard for printing a public key as a barcode?"](http://security.stackexchange.com/questions/16209/is-there-a-standard-for-printing-a-public-key-as-a-barcode). – David Cary Oct 13 '14 at 13:42

7 Answers

25

Considering that your public key is only usable by a computer[1], you can remove clutter from your business card by having all electronic data accessible online and referred to by a QR code.

The link could refer to a vCard file stored on, say, a public Dropbox, as the vCard format can store any business or contact information, including OpenPGP keys.

Alternatively, a high-resolution QR code could store the entire public key on the back of your business card, which has certain security advantages.

[1] Hand ciphers notwithstanding.

LateralFractal
  • 2
    Such a high-resolution QR code would require a business card foldable multiple times. I was able to put a revocation certificate on a printer sheet, but I wouldn't bet on a whole key on a business card. – Jens Erat Oct 13 '14 at 07:12
  • 1
    @JensErat A version 40 QR code with low error correction could store about 2,900 bytes of information; this would fit a public key. Your main problem might be that whilst a version 40 QR code would be crisp with the high quality printing used for business cards, mobile phones might not focus successfully on the card at any other than point blank range closer than the minimum focus distance of the camera. – LateralFractal Oct 13 '14 at 07:25
  • 2
    A URL link to your vCard would only need a much smaller/coarse QR code. Which is probably for the best; as articles suggest that the error rate increases with larger codes such that lighting conditions, contrast and focal distance become impractical for normal mobile phone cameras reading very large QR codes. – LateralFractal Oct 13 '14 at 07:32
  • @LateralFractal a few years ago I worked on something on Android using QR codes around v13 in size (~400 bytes); and even printed ~3.5" on a side we had trouble getting anything below a flagship level device to read them reliably. Cameras are better now; but I'm still skeptical of them being able to read that much off a business card sized code. – Dan Is Fiddling By Firelight Oct 13 '14 at 13:18
  • @DanNeely Did it have a decent quiet zone? It's a QR code killer that is often overlooked. Although, yes, I'm thinking v40's are generally intended for specialised laser barcode readers in UPS trucks. *Much* higher fidelity. Oh, and low-end Android phone often lacked auto-focus for their camera. Only my most recent mid-range phone bothered to include the feature. – LateralFractal Oct 13 '14 at 13:25
  • @LateralFractal we printed with ~6 modules of quiet zone vs the 4 minimum in the spec. We never experimented to see if a larger one might've helped (didn't know it was a factor before today). – Dan Is Fiddling By Firelight Oct 13 '14 at 13:38
  • 1
    Uh, this recommendation is absurd. The whole point of the PGP key is to verify your cryptographic signature. Until you can do that, the webserver could be easily MITM'd! – Luke-Jr Feb 17 '16 at 04:18
  • @Luke-Jr You are referring to an obtuse scenario. An edge case where the routing to the location you store your eBusiness card has itself been subverted; equivalently exposes pretty much every PGP key server on the net to same weakness. As both those servers and your cloud drive rely on the same conventional X.509 commercial trust tree; instead of any truly deep _six-degrees-of-kevin-bacon_ trust web of face-to-face encounters. – LateralFractal Feb 17 '16 at 04:35
  • @Luke-Jr, agreed. The QR code could equally well take the user to a site that attempts to exploit their device, without necessarily involving a MITM. Trusting QR codes given to you by people who you don't know terribly well is not a great idea. IMO, Jens Erat's answer is much better than this one, from a security perspective. – sampablokuper Jan 29 '19 at 04:38
18

I'd recommend putting your OpenPGP key's fingerprint in textual form and as a QR code on your business card.

To do so, you would create a URI with OPENPGP4FPR as the scheme and your OpenPGP fingerprint in all caps as the data. Then use something like qrencode to create a QR code of the resulting string. Apps like OpenKeychain on Android will understand this.

You can show your fingerprint with:

gpg --fingerprint <email|keyid>

For example:

$ gpg --fingerprint flo@geekplace.eu
pub   rsa2048/0x8CAC2A9678548E35 2010-07-13 [expires: 2016-06-06]
     Key fingerprint = 1357 B018 65B2 503C 1845  3D20 8CAC 2A96 7854 8E35
...
sub   rsa2048/0x933A3EA0850A0B28 2010-07-13

Look for the Key fingerprint value:

Key fingerprint = 1357 B018 65B2 503C 1845  3D20 8CAC 2A96 7854 8E35

This is the value you want to give to your peers. You could easily put it on your business card in text form. I would suggest prefixing it with 'OpenPGP' and keeping the spaces for easier readability:

John Doe
Senior Expert

john.doe@example.org
OpenPGP: 1357 B018 65B2 503C 1845 3D20 8CAC 2A96 7854 8E35

But I also recommend additionally creating a QR code with your OpenPGP key's fingerprint. To do so, we first remove all the whitespace from your fingerprint's value, which yields:

1357B01865B2503C18453D208CAC2A9678548E35

Then create the URI by prefixing OPENPGP4FPR: (which stands for OpenPGP v4 Fingerprint).

OPENPGP4FPR:1357B01865B2503C18453D208CAC2A9678548E35

Finally use qrencode to create the QR code. Here we use PNG as output format but qrencode is also able to create SVG, ASCII or UTF8 output.

qrencode -t PNG 'OPENPGP4FPR:1357B01865B2503C18453D208CAC2A9678548E35' \
    > myopenpgpfpr.png

Which results in:

[Image: My OpenPGP fingerprint as QR code]

Flow
  • 4
    This is by far the best answer: the QR code is small enough to fit on a business card, OpenKeyChain imports the key instantly and suggests to confirm the key (which is the goal of the QR code: you have normally just met the person in real life). – Futal Nov 27 '18 at 13:20
  • @Futal, it is a decent answer, but not the *best* answer, because it does not allow for people who lack QR code readers. – sampablokuper Jan 27 '19 at 20:44
  • 2
    It is trivial to add the fingerprint as pure textual content. I've attempted to clarify the answer on that. Hope it helps. – Flow Jan 27 '19 at 21:55
  • Am I understanding correctly that this just encodes the fingerprint, and then the actual key is downloade by (e.g.) OpenKeyChain from the public keyservers? If so, this might be good to clarify that you also have to still upload your key to the keyservers for this to work. – Matthijs Kooijman Aug 08 '20 at 13:04
  • @MatthijsKooijman You are right that this is not the whole key, just its fingerprint. This is what the question explicitly asked about and people usually do not expect that your whole key is there (because your public key material is somewhat dynamic). It is also prominently mentioned in the first sentence of the answer. – Flow Aug 10 '20 at 13:23
15

I've put the whole fingerprint on my cards, but highlighted the short ID (being the last eight characters of the fingerprint). It's on the other party's side to verify correctly.

Regarding putting a link on a business card, consider the possible use cases. The normal way of fetching a key is through the key server network, and for doing so no URL is needed: either people (mail clients) search for your mail address (UID), which will already be on your card anyway, or they fetch it by entering the fingerprint or ID, and hopefully verify against the whole fingerprint, or at least the long ID.

Sadly there's nothing like a URI scheme for OpenPGP; something like hkp://[keyserver]/fingerprint would provide a way to have an actual link which can be assigned to an OpenPGP client application, and at the same time point to an (optional) preferred key server.

Upcoming, but not yet widely spread: put your OpenPGP key (possibly after stripping images and incoming certifications) on an NFC token. I know some applications exist to read them (e.g. OpenKeychain), though I don't know whether there's a (possibly informal) standard behind it.

Jens Erat
  • There are solutions for hosting/referring OpenPGP keys with DNS, but the clients need to enable it. For three known ways of setting it up in DNS, I recommend [reading this](http://www.gushi.org/make-dns-cert/HOWTO.html) so the client can retrieve the key based on the e-mail address. – hspaans Oct 13 '14 at 00:18
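As an added worked example (not part of Flow's or Jens Erat's answers above), the following Python script takes the `gpg --fingerprint` excerpt quoted in Flow's answer, normalizes the fingerprint, produces both the text line for the card and the OPENPGP4FPR: URI for the QR code, shows how a scanning app should validate that URI before acting on it, and derives the long and short key IDs Jens mentions as suffixes of the fingerprint. The gpg output is embedded as a constructed sample so the script runs without gpg; the qrencode call (`-t PNG -o file`) only runs if the tool is installed. The function names are my own.

```python
import re
import shutil
import subprocess

# Constructed sample: the `gpg --fingerprint` excerpt quoted in the answer
# above, embedded as fixed input so this runs without gpg installed.
SAMPLE_GPG_OUTPUT = """\
pub   rsa2048/0x8CAC2A9678548E35 2010-07-13 [expires: 2016-06-06]
      Key fingerprint = 1357 B018 65B2 503C 1845  3D20 8CAC 2A96 7854 8E35
sub   rsa2048/0x933A3EA0850A0B28 2010-07-13
"""

URI_SCHEME = "OPENPGP4FPR"
_FPR_LINE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f][0-9A-Fa-f ]+)")


def normalize_fingerprint(text: str) -> str:
    """Strip whitespace and upper-case; accept only a 40-hex-digit v4 fingerprint."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not an OpenPGP v4 fingerprint (40 hex digits): {text!r}")
    return fpr


def extract_fingerprint(gpg_output: str) -> str:
    """Pull the primary key's fingerprint out of `gpg --fingerprint` text output."""
    m = _FPR_LINE.search(gpg_output)
    if m is None:
        raise ValueError("no 'Key fingerprint =' line found")
    return normalize_fingerprint(m.group(1))


def card_text(fpr: str) -> str:
    """Human-readable line for the card: 'OpenPGP:' prefix, groups of four."""
    fpr = normalize_fingerprint(fpr)
    groups = [fpr[i:i + 4] for i in range(0, 40, 4)]
    return "OpenPGP: " + " ".join(groups)


def to_uri(fpr: str) -> str:
    """The string to encode in the QR code."""
    return f"{URI_SCHEME}:{normalize_fingerprint(fpr)}"


def parse_uri(payload: str) -> str:
    """What a scanning app should do: accept only this scheme and a well-formed
    fingerprint. An http:// URL or free text is rejected instead of being
    opened, which is the difference between this and a link-style code."""
    scheme, sep, rest = payload.partition(":")
    if not sep or scheme.strip().upper() != URI_SCHEME:
        raise ValueError(f"not an {URI_SCHEME} URI: {payload!r}")
    return normalize_fingerprint(rest)


def is_fingerprint_uri(payload: str) -> bool:
    """Boolean wrapper around parse_uri for callers that just need a yes/no."""
    try:
        parse_uri(payload)
    except ValueError:
        return False
    return True


def verify_scanned(payload: str, expected_fpr: str) -> bool:
    """Compare a scanned payload against the fingerprint printed on the card."""
    return parse_uri(payload) == normalize_fingerprint(expected_fpr)


def key_ids(fpr: str) -> dict:
    """Long (64-bit) and short (32-bit) key IDs are suffixes of the v4
    fingerprint. The short ID is only 8 hex digits, so a key with a matching
    short ID can be brute-forced; verify the full fingerprint instead."""
    fpr = normalize_fingerprint(fpr)
    return {"long": "0x" + fpr[-16:], "short": "0x" + fpr[-8:]}


def qrencode_argv(uri: str, out_png: str) -> list:
    """Command line for qrencode: -t selects the image type, -o the output file."""
    return ["qrencode", "-t", "PNG", "-o", out_png, uri]


if __name__ == "__main__":
    fpr = extract_fingerprint(SAMPLE_GPG_OUTPUT)
    print(card_text(fpr))
    print(to_uri(fpr))
    print(key_ids(fpr))
    if shutil.which("qrencode"):
        subprocess.run(qrencode_argv(to_uri(fpr), "myopenpgpfpr.png"), check=True)
    else:
        print("qrencode not installed; skipping PNG generation")
```

The scanner side is the part worth copying: a reader that only accepts the OPENPGP4FPR scheme cannot be tricked into opening a web page by a card that carries a URL instead, and comparing the scanned value against the printed text catches a code that was swapped for a different key.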
5

Put your whole key as a QR code on it; see near the end of this discussion (search for "monkeysign"):

http://www.gossamer-threads.com/lists/gnupg/users/64465

user58488
3

Two ways I can think of:

  1. Submit your key to a public key server like pgp.mit.edu. On your business card you can provide the link with the unique ID that you are given. I don't know exactly how you should word it, but it is just an idea.

  2. You could put your key on a webpage and provide the link to that webpage. This might, of course, mean that you would need your own domain (unless you can find a way to put it on someone else's website ... like your Stack Exchange profile or something like that).

Thomas
  • I see that you can create a link directly to your key, with the following format: https://pgp.mit.edu/pks/lookup?op=get&search=0xB1234567890ABCDE. I could create a QR code for this URL and use that. I don't want to link to my website, as I can't guarantee uptime. This is a business card, but this is not for business, it's for personal use. – SPRBRN Oct 13 '14 at 12:59
  • 1
    @SPRBRN: I had thought about suggesting a QR code, but not all would be able to read it. – Thomas Oct 13 '14 at 14:10
1

You can put a link to your PGP key and other information by simply linking to your website itself. What I do is actually have a link on my card that says mysite.com/cv; the CV page is a nice (enough) page that has my CV (resume) both online and as a PDF, as well as a few other things. You can always update your CV and contact info there, and there is the added bonus of statistics...

Alternatively, you can always use the QR code (either of the PGP key or a url to your PGP key).

Matthew Peters
1

You can certainly use one of the publicly available keyservers; I would recommend the pool of SKS keyservers, since this will help distribute our load. A QR code can encode the link to your key, and it's easy to use an online generator.

Alternatively, keep your eye on a service such as keybase.io. A number of folks have invites now...