[Freedombox-discuss] the FreedomBox 'bump' challenge

[stefano@maffulli.net (Stefano Maffulli)]

On Tue, 2011-06-14 at 15:46 -0400, anarcat wrote:
> What monkeysign currently does is to display a qrcode representing your
> PGP fingerprint, then it also tries to read the other's fingerprint. The
> it should try to go through a key signature protocol the usual way,
> although that part still has to be implemented, IIRC.

awesome! this sounds very close to the idea I described.

> I haven't been able to successfully store and read a complete public key
> material on a qrcode, so right now only the fingerprint is stored.

What kind of problems did you have? Is it a matter of space or something
else? IIRC a vcard can store a complete gpg public key: have you tried
putting the key there? The advantage of using a vcard is that, once you
scan the qrcode you can get not just your contact's email and names, but
also SIP address, web url and other things. Plus you can easily store
them on the phone's addressbook. 

> We haven't considered trust in this scenario, since the whole idea was
> to sign keys. Also, it assumes internet access as it downloads the key,
> so the web of trust should just propagate through that...

I think a prototype may assume all of this and we can add more
functionalities later on. Signing the keys on a mobile phone seems
complicated though: do people trust putting a signing key on a phone?

> The latest code of monkeysign should be available here:
> 
> git://git.monkeysphere.info/monkeysign

I'm playing with it, thanks.

/stef