• Asetru@feddit.org · 9 upvotes · 1 day ago

    If you’re running a public service, you should have a key that’s trusted by a CA anyway. So why couldn’t you, especially for QR codes that link to an https site, embed a signature in that QR code that verifies that the person that owns parkyourcar.com’s private key also created the code you just scanned? Just like signed PDFs?

      • Caedarai@reddthat.com · 1 upvote · 12 hours ago

        Well, because it won’t be signed by a trusted CA for that task. Like if CAs had a category of certificate issuance that applied here (the standardisation issue) then it would be easy to spot a fake (which wouldn’t be correctly signed). Alternatively, you could take the European approach of having everything government related (like public street parking, though Europe mostly uses apps for that, not signed QR codes) rely on government entities and those in turn on a national set of government CAs.

        • Aux@feddit.uk · 1 upvote · 7 hours ago

          That doesn’t make any sense. How would you know if something should or should not be signed? You wouldn’t.

          • Caedarai@reddthat.com · 1 upvote · 2 minutes ago

            If it becomes standard for public parking to be signed, everyone would know. If payment QR codes in general start being signed, your payment app might even know. Lastly, there could even be signage by the code to help novices.
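
The scanner-side check this thread is debating, as an added example that is not code from any commenter or from an existing standard. It assumes a hypothetical payload format (`<https URL>#sig=<base64url Ed25519 signature>`), and the `trustedKeys` map is a constructed stand-in for validating a CA-issued certificate for the host; all names and URLs below are made up for illustration.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed keys: the real operator and someone else with a valid key of their own.
const operator = generateKeyPairSync('ed25519');
const impostor = generateKeyPairSync('ed25519');

// Assumption: host -> public key the scanner already trusts for that host.
// In a CA-based design this lookup would be certificate chain validation.
const trustedKeys = new Map([['parkyourcar.com', operator.publicKey]]);

// Operator side: sign the exact URL bytes and append the signature.
function makeSignedQr(url, privateKey) {
  const sig = sign(null, Buffer.from(url, 'utf8'), privateKey);
  return `${url}#sig=${sig.toString('base64url')}`;
}

// Scanner side: returns 'verified', 'unsigned', 'unknown-signer' or 'rejected'.
function checkQr(payload) {
  const idx = payload.lastIndexOf('#sig=');
  if (idx === -1) return 'unsigned'; // policy must decide what to do here
  const url = payload.slice(0, idx);
  let host;
  try {
    const parsed = new URL(url);
    if (parsed.protocol !== 'https:') return 'rejected';
    host = parsed.hostname;
  } catch {
    return 'rejected'; // not a parseable URL
  }
  // A valid signature only matters if the key is bound to the host in the URL.
  const key = trustedKeys.get(host);
  if (!key) return 'unknown-signer';
  try {
    const sig = Buffer.from(payload.slice(idx + 5), 'base64url');
    return verify(null, Buffer.from(url, 'utf8'), key, sig) ? 'verified' : 'rejected';
  } catch {
    return 'rejected'; // malformed signature bytes
  }
}

// Constructed sample payloads.
const genuine = makeSignedQr('https://parkyourcar.com/pay?lot=12', operator.privateKey);
const lookalike = makeSignedQr('https://parkyourcar-pay.example/pay?lot=12', impostor.privateKey);
const wrongKey = makeSignedQr('https://parkyourcar.com/pay?lot=12', impostor.privateKey);
const tampered = genuine.replace('lot=12', 'lot=13');
const unsigned = 'https://parkyourcar.com/pay?lot=12';

for (const p of [genuine, lookalike, wrongKey, tampered, unsigned]) console.log(checkQr(p));
```

The `unsigned` and `unknown-signer` results are where the disagreement above sits: the cryptography cannot tell the scanner whether a given code should have been signed, so that decision has to come from a standard, the payment app, or signage.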