Interesting ideas here. I agree that a simpler mechanism to share contact info has a lot of potential.
One potential drawback is the possibility of a hostile key mirror enabling spam, but I’m not aware that anything like this has happened yet and it’s probably premature to worry about.
Another question to consider is trust design, like in the thread here:
For some people’s threat model, the convenience of an online key lookup can outweigh the potential for impersonation, and techniques like key mirroring can reduce this risk further.
I get you, but sometimes it can make sense to have a public account, for example if you’re representing a business or organization and you want the general public to be able to contact you, in which case it’s not always necessary to verify the other person’s identity. In this scenario, a “trust on first use” model seems sufficient to me. It’s still better than other options which might be available to the public, like sending an unencrypted email or using WhatsApp.
However, the app should still encourage users to scan contacts’ QR codes at the first opportunity.
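To make the trust model discussed above concrete, here is an added illustration (not Delta Chat’s code, and not written by any participant in this thread) of a minimal “trust on first use” key store: the first key seen for an address is pinned, a later key that matches the pin is accepted silently, a changed key is flagged as a warning, and once a contact has been verified out of band (the QR-scan step) a changed key is rejected outright. The key material and addresses are constructed sample values, and the fingerprint is a SHA-256 hash of the raw key bytes as a stand-in; a real OpenPGP fingerprint is computed differently.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PinnedKey:
    fingerprint: str
    verified: bool = False  # True once confirmed out of band (e.g. QR scan)


class TofuKeyStore:
    """Trust-on-first-use pin store keyed by contact address."""

    # Outcomes returned by observe()
    NEW = "new"                       # first key seen for this address: pinned
    MATCH = "match"                   # key matches the pin
    CHANGED_UNVERIFIED = "changed"    # key differs from an unverified pin: warn
    CHANGED_VERIFIED = "rejected"     # key differs from a verified pin: reject

    def __init__(self) -> None:
        self._pins: Dict[str, PinnedKey] = {}

    @staticmethod
    def fingerprint(public_key: bytes) -> str:
        # Stand-in fingerprint; real OpenPGP fingerprints are derived differently.
        return hashlib.sha256(public_key).hexdigest()

    def observe(self, address: str, public_key: bytes) -> str:
        """Record the key seen for `address` and report how it relates to the pin."""
        fp = self.fingerprint(public_key)
        pinned = self._pins.get(address)
        if pinned is None:
            # First use: accept the key and remember it.
            self._pins[address] = PinnedKey(fp)
            return self.NEW
        if pinned.fingerprint == fp:
            return self.MATCH
        if pinned.verified:
            # The contact was verified out of band; a new key is a red flag.
            return self.CHANGED_VERIFIED
        # Unverified pin: surface a warning but do not silently re-pin.
        return self.CHANGED_UNVERIFIED

    def mark_verified(self, address: str, scanned_fingerprint: str) -> bool:
        """Promote a pin to 'verified' only if the scanned fingerprint matches it."""
        pinned = self._pins.get(address)
        if pinned is None or pinned.fingerprint != scanned_fingerprint:
            return False
        pinned.verified = True
        return True

    def is_verified(self, address: str) -> bool:
        pinned = self._pins.get(address)
        return bool(pinned and pinned.verified)


# Constructed sample keys for demonstration only.
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"


def demo() -> list:
    """Walk through first contact, verification, and a later key change."""
    store = TofuKeyStore()
    results = []
    results.append(store.observe("alice@example.org", KEY_A))   # new
    results.append(store.observe("alice@example.org", KEY_A))   # match
    results.append(store.observe("alice@example.org", KEY_B))   # changed (warn)
    # QR scan confirms the originally pinned key.
    store.mark_verified("alice@example.org", TofuKeyStore.fingerprint(KEY_A))
    results.append(store.observe("alice@example.org", KEY_B))   # rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The distinction between the two “changed” outcomes is the point of the QR-scan step: before verification, a key change can only be a warning, because the client has no way to tell a legitimate re-key from an interposed mirror; after verification, the client has a trusted reference and can refuse the new key.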
While there is an analogy here about the verification happening invisibly in the background, in the Debian example you already have the key on your device, so it’s a bit different. If we want an analogy for the key exchange problem, the question is not how to securely install a package once we already have Debian installed, but how can we securely install Debian itself starting from scratch?
Yes, I think it has been possible for some time. Just import it into a chat like you would with any file, and the vcard will appear in the chat.
If you export your contacts from your keyring into .asc format, you can then use the .asc to vcard app by @r10s to convert them into vcards and manually import them. However, there’s nothing fully automated that I’m aware of.