It may also be useful to not only write the issuer’s account’s name (or, better, a special custom string) under the generated QR (this was discussed in another topic), but also add a ‘Valid thru …’ date and time to the generated image.
The caption should maybe be optional. We could even lightly encrypt the QR code with a shared-secret question, if it comes to be needed.
If the secret is short - it’s false protection.
If it is a long string - usual users will not enter it right, and unusual ones will ask devs to show this secret as a QR code …
It looks like you’ve reinvented securejoin.
The problem is not that there is no shared secret (the QR code already contains a shared secret) but the fact we reuse the same shared secret with multiple contacts, which can lead to identity confusion or even the vulnerability to impersonation which is discussed above in this thread.
The only way to currently use QR codes “securely” is to reset the code after every scan, but this is not always practical due to current limitations, for example you would need to make every new contact wait until the last person who scanned your code finishes establishing contact with you, because you can only have one valid QR code at any time, and there is no “context” associated with the QR code to help you identify a new contact when they establish contact.
I was thinking more of disguising the QR code as not-a-Deltachat-QR-code.
Not needed in most contexts, and certainly not to be done yet.
Now I understand. That’s an interesting idea which could be useful in some cases but I don’t think it solves the problems discussed above.
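
The limitation described earlier in the thread (one shared secret reused across contacts, only one valid code at a time, no "context" and no expiry) can be sketched as an added example that is not part of the original posts and is not Delta Chat or securejoin code. `InviteRegistry`, its methods and the sample labels are hypothetical; the sketch assumes each QR code would carry its own random token.

```python
import hmac
import secrets
import time


class InviteRegistry:
    """Hypothetical registry: several invite tokens valid at once, each single-use."""

    def __init__(self):
        self._pending = {}  # token -> (context label, expiry as Unix time)

    def issue(self, context, ttl_seconds, now=None):
        """Create a fresh random token bound to a context label and an expiry."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self._pending[token] = (context, now + ttl_seconds)
        return token

    def redeem(self, presented, now=None):
        """Return the context label for a valid token, otherwise None.

        The token is consumed on first use, so a second party presenting
        the same secret is rejected instead of being taken for the
        contact the code was issued to.
        """
        now = time.time() if now is None else now
        for token in list(self._pending):
            context, expires = self._pending[token]
            if expires <= now:
                del self._pending[token]  # expired ("valid thru" has passed)
            elif hmac.compare_digest(token.encode(), presented.encode()):
                del self._pending[token]  # single use
                return context
        return None


def demo():
    """Constructed scenario: two invites pending at the same time."""
    reg = InviteRegistry()
    alice = reg.issue("Alice, conference booth", ttl_seconds=600, now=1000)
    bob = reg.issue("Bob, mailing list", ttl_seconds=600, now=1000)
    return [
        reg.redeem(bob, now=1100),    # works while Alice's invite is still pending
        reg.redeem(bob, now=1200),    # replay of an already used token
        reg.redeem(alice, now=2000),  # presented after its expiry
    ]


if __name__ == "__main__":
    print(demo())
```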