It even has a fingerprint

15.11.2011 18:18

I was running low on my personal business cards, so I ordered a new batch from Moo. Besides adding some new circuit-porn designs for the back side I also added the fingerprint of my GPG key next to my e-mail address on the front. When I flashed a bunch of cards in Kiberpipa the other day, Brodul pointed me to this policy for business cards of KDE developers, which says that GPG fingerprints on the cards give an unprofessional impression.

My new batch of Moo cards

Interesting. After a bit of browsing the opinion on this matter in the open source world seems to be divided. I remember that cards from Red Hat were the first that I saw with the fingerprint displayed. However there's also this interesting complaint that it has only ever been used to mock the owner of the card. They also seem to be popular with Debian developers and people were seen complaining that it has been dropped from Ubuntu's design.

I actually thought for a while whether to add it or not before submitting the design. For instance, it makes the little Moo card much more cluttered and I liked the previous simplicity of three lines with an e-mail and web address. On the other hand I like to promote secure communication and have been consistently cryptographically signing my mail for many years now. So you can also take it as a statement I guess.

Part of why I think sharing your public key in this way is a good idea is that, in my opinion, trusting keys based on traditional key-signing parties was a big blunder. There you had 10 random people signing keys based on some government-issued identification. All this does is transfer your trust in a government ID to trust in the key. Let's not even go into the problem of me not knowing what the official IDs look like in most countries, or the fact that I don't necessarily trust your government. You could score a hundred signatures like that and it still doesn't help me know whether the key owner is the person behind the face I met here and there.

So I am now willing to sign a public key after I have spent some time with the person who personally gave me that key. Enough time to convince me that he is who he claims to be. And I encourage other people to do the same when signing my key (a ritual, by the way, that a certain social scientist once described as fascinating).

Yes, this method is vulnerable to a social engineering attack. But so is signing a key based on someone's driver's license, and I am sure social interaction is harder to fake than a foreign-looking personal identification card. By getting a fingerprinted business card you get a hard copy of the fingerprint that is hard to alter without detection, and for which you can be reasonably sure that it belongs to the person who gave it to you.
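What you actually do with the card later is compare the 40 hex digits printed on it with the fingerprint your software computes from the key you fetched. The Python below is an added example, not code from this post or from GnuPG: it builds a version 4 public-key packet body from constructed, toy-sized key material (the numbers are made up and are not a usable RSA key), computes the fingerprint the way RFC 4880 section 12.2 defines it, and checks a card string against it. It deliberately refuses anything shorter than the full fingerprint, because a short or long key ID proves nothing about which key you hold.

```python
"""Check a fingerprint printed on a business card against an OpenPGP key.

Added example, not code from the original post. The key material below is
constructed (tiny integers, not a usable RSA key) only so that a well-formed
v4 public-key packet body can be built and fingerprinted offline.
"""
import hashlib
import hmac
import re
import struct

# Constructed sample values; a real key has a 2048-bit or larger modulus.
SAMPLE_CREATION = 1321373880          # constructed creation timestamp
SAMPLE_N = 0xC0FFEE5EC7A1D1DEADBEEF0123456789ABCDEF01  # constructed modulus
SAMPLE_E = 65537                      # the usual RSA public exponent


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(creation: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA Public-Key packet (RFC 4880, section 5.5.2)."""
    return b"\x04" + struct.pack(">I", creation) + b"\x01" + mpi(n) + mpi(e)


def fingerprint_v4(body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880, 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize_fingerprint(card_text: str):
    """Turn what is printed on a card into 40 upper-case hex digits, or None.

    Whitespace, colons and an optional 0x prefix are tolerated; anything shorter
    than a full fingerprint (an 8- or 16-digit key ID, say) is rejected, since
    key IDs are cheap to collide and prove nothing about the key.
    """
    cleaned = re.sub(r"[\s:]", "", card_text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    return cleaned if re.fullmatch(r"[0-9A-F]{40}", cleaned) else None


def card_matches_key(card_text: str, key_body: bytes) -> bool:
    """True only if the card carries the complete fingerprint of this key."""
    printed = normalize_fingerprint(card_text)
    if printed is None:
        return False
    return hmac.compare_digest(printed, fingerprint_v4(key_body))


def format_for_card(fp: str) -> str:
    """Groups of four digits, the way gpg --fingerprint prints them."""
    return " ".join(fp[i:i + 4] for i in range(0, 40, 4))


if __name__ == "__main__":
    body = v4_public_key_body(SAMPLE_CREATION, SAMPLE_N, SAMPLE_E)
    fp = fingerprint_v4(body)
    print("fingerprint as printed on the card:", format_for_card(fp))
    print("card matches key:", card_matches_key(format_for_card(fp), body))
    print("long key ID alone accepted:", card_matches_key(fp[-16:], body))
```

With a real key you would feed `card_matches_key` the body of the Public-Key packet you exported, and type in what the card says; a single wrong digit, or a key created one second later with the same numbers, fails the comparison.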

Posted by Tomaž | Categories: Life


So how much time together are we talking about? And do you need confirmation of that person's identity from at least one 3rd party too?

Government provided ID is really just a proxy 3rd party confirmation. Not that this makes it OK or bullet-proof.

I've been living in Ljubljana for almost two decades now and almost nobody who knows me these days has known me before I moved here. Who can tell if I am really Marko?

P.S: Google Mark Kennedy (Guardian wrote A LOT about him)
