Best Practice for GPG Keys on Biz Cards


#1

Hey all,

I've been reading about it but wanted to get a crowdsourced opinion on adding GPG information to business cards. The fingerprint is LOOONG but probably the most accurate way to identify yourself, alongside your email address. What about Key IDs? Are they too easily forged on key servers?

I want to make sure I am recommending the best practice before rolling it out to the whole team.


#2

I kind of geek out when I see someone has their GPG fingerprint on their card. Mine has my full fingerprint as well.

We've been seeing a small trend of forged short IDs lately, and while it's unlikely to affect most folks, it's probably wise to have the whole fingerprint, given a choice… The hope is that they can confirm your key with precision, after all.
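To make the difference between the three identifiers concrete, here is an added example (not posted by anyone in this thread) that derives an OpenPGP v4 fingerprint the way RFC 4880 section 12.2 defines it (SHA-1 over 0x99, the two-byte packet length and the public-key packet body), takes the long and short key IDs as the trailing 64 and 32 bits of that fingerprint, and checks whatever is printed on a card against a candidate key. The Ed25519 key bytes and creation times are constructed for the example and are not a real key; the function names are this example's own.

```python
import hashlib
import struct

ED25519_OID = bytes.fromhex("2b06010401da470f01")  # curve OID used by OpenPGP for Ed25519


def build_v4_ed25519_body(creation_time: int, point: bytes) -> bytes:
    """Body of an OpenPGP v4 public-key packet for an Ed25519 key (algorithm 22).

    Layout: version 4, 4-byte creation time, algorithm id, OID length + OID,
    then one MPI holding 0x40 || 32-byte point (bit length 263).
    """
    assert len(point) == 32
    mpi = struct.pack(">H", 263) + b"\x40" + point
    return (b"\x04" + struct.pack(">I", creation_time) + b"\x16"
            + bytes([len(ED25519_OID)]) + ED25519_OID + mpi)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 of 0x99, two-byte body length, body; 40 hex chars."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    return fingerprint[-16:]   # low 64 bits of the fingerprint


def short_key_id(fingerprint: str) -> str:
    return fingerprint[-8:]    # low 32 bits: the part that is cheap to collide


def format_for_card(fingerprint: str) -> str:
    """The usual printed form: ten groups of four hex digits."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))


def normalize(printed: str) -> str:
    """Strip spaces, case and an optional 0x prefix from what is on the card."""
    return "".join(printed.split()).upper().removeprefix("0X")


def check_against_card(body: bytes, card_text: str) -> dict:
    """Compare a candidate key packet against the identifier printed on a card.

    Returns the computed fingerprint, whether the printed identifier matches,
    which kind of identifier the card carried, and how many bits that
    identifier actually pins down. Only a 160-bit match rules out a second
    key that happens to share the printed digits.
    """
    fp = v4_fingerprint(body)
    printed = normalize(card_text)
    kinds = {40: ("fingerprint", 160, fp),
             16: ("long key id", 64, long_key_id(fp)),
             8: ("short key id", 32, short_key_id(fp))}
    if len(printed) not in kinds:
        raise ValueError("unrecognised identifier length on card")
    name, bits, expected = kinds[len(printed)]
    return {"fingerprint": fp, "matched": printed == expected,
            "identifier": name, "bits": bits}


# Constructed sample keys: same made-up point, different creation time,
# so they are two distinct keys with unrelated fingerprints.
SAMPLE_BODY = build_v4_ed25519_body(1_500_000_000, bytes(range(32)))
OTHER_BODY = build_v4_ed25519_body(1_500_000_001, bytes(range(32)))
SAMPLE_FP = v4_fingerprint(SAMPLE_BODY)

if __name__ == "__main__":
    print("card text :", format_for_card(SAMPLE_FP))
    print("long id   :", long_key_id(SAMPLE_FP))
    print("short id  :", short_key_id(SAMPLE_FP))
    for text in (format_for_card(SAMPLE_FP), "0x" + short_key_id(SAMPLE_FP).lower()):
        print(text, "->", check_against_card(SAMPLE_BODY, text))
    print("wrong key ->", check_against_card(OTHER_BODY, format_for_card(SAMPLE_FP)))
```

The `bits` field is the point of the exercise: a card that carries only a short key ID lets a verifier confirm 32 bits, which is the figure behind the forged short IDs mentioned above, whereas the full printed fingerprint lets them confirm all 160.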


#3

I've got my full GPG fingerprint on the back of my card, as well as the link gellman.us/pgp, which offers several means of verification and alternative secure contacts. That also lets me update the contacts when needed. Most people don't care and don't really look at that stuff. People who do care appreciate the thoroughness.


#4

With respect to forged short IDs and keyserver confusion in general, you may want to point potential correspondents towards this key server:

https://keys.mailvelope.com/

They verify key submissions, before publishing your key, by emailing you a link that is encrypted with your public key, thereby verifying that you control the email address and the private key.

This key server doesn't federate with other key servers or use the web of trust, so it's bad for core infrastructure developers who sign code and rely on the web of trust.

However, it's a much cleaner and more secure experience for people who just want to write emails, since their verification process eliminates the forged key problem.

Standard disclaimer: I am not affiliated with Mailvelope. My opinions are my own.


#5

You want to recommend the full fingerprint, as this is what someone will use to verify ownership when they get around to looking up your key on this or that keyserver. You also want to make sure that if you are circulating a card with a fingerprint on it that the key can be found on all the main keyservers, or the point is kind of moot.

The purpose of the long fingerprint on the card is only so that when you personally hand your card to someone else, they will have de facto "careful checking" by the fact you gave it to them in person.

It's also kind of a nice conversation starter about PGP when someone asks "what is that?"