Sure, but we have key servers for distributing the actual keys. You would only need the fingerprint in the QR code.

Kind of defeats the point - how do you know you're downloading the private key you scanned?

While someone might have their business cards replaced, it's a lot easier just to send a different key to someone.

"Kind of defeats the point - how do you know you're downloading the private key you scanned?"

Assuming that "private key" is a typo (you download public keys), you can just check the fingerprint of the key against the fingerprint you were given. That is easily automated.

This puts us back in the same kind of problem that was being complained about though - keyservers, publishing keys etc.

Not really. The problem is not about publishing keys or key servers, but with the cumbersome process of having to enter a hexadecimal string (and having to check an even longer string). The point of using QR codes is to simplify things: the user just scans a QR code, and the key is fetched and assumed to be valid (i.e. no need for the user to check fingerprints).

I thought a QR code could be effectively any size - I certainly remember a Japanese billboard that used shadows etc.

A QR code can have ~4000 chars of a-z and ~3000 Latin1 iirc

so with my limited gpg knowledge that handles my public key quite happily.

would be interested on the business card front though