Thanks for the post. There is someone with a quite legitimate reason to sign a newly generated public key with "Norman Hardy" in the user id string but without my e-mail address. He is one of the several other Norman Hardys in the U.S. I could include a very short biography which would fix that ambiguity.

I only send secrets to people that I have some reason to trust. I gain trust sometimes from having met someone in person and talked for a few hours. If I get a business card with a key fingerprint and e-mail address (or URL) then I am safe from such spoofing as described in your post. Her name plays no role in the transaction. If I trust her because you recommended her to me, then perhaps I can get a fingerprint and URL from you. Again I need no name.

In both of these cases the URL is merely a convenience. If she moves her web page, a search engine will soon find it given a part of the fingerprint included in the web page. Unless the attacker has compromised the search engine, I need merely send mail enciphered by her public key to the e-mail address given in each web page claiming to own the public key. Only she will be able to read the mail.

Recommendation: Put URL & fingerprint on business cards. Include URL and fingerprint in recommendations.

To send a secure message to someone whose URL & trusted print you have: Check the URL for a public key whose print matches the trusted print. If that fails, use a search engine for better URLs. Send mail to each e-mail address found on a web page passing the test.

Recommendations should include a little text about what things the designee should be trusted with. Programs like PGP that follow trust chains should display the text from each recommendation in the chain.
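The "check the URL for a public key whose print matches the trusted print, then mail the addresses on that page" step, as an added example that is not part of the post above: it computes the OpenPGP v4 fingerprint of a key found on a page (RFC 4880 section 12.2) and releases the page's e-mail addresses only when that print matches the one you already trust, ignoring whatever name the page shows. The page format is an assumption made for the example (the key body is embedded as hex after a `KEYHEX:` tag rather than as an ASCII-armored block), and the key is a constructed toy with a tiny modulus, not a real key.

```python
import hashlib
import hmac
import re


def mpi(x: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 section 3.2)."""
    bits = x.bit_length()
    return bits.to_bytes(2, "big") + x.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """OpenPGP v4 fingerprint: SHA-1 over 0x99, the 2-byte body length, and the packet body."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
KEY_RE = re.compile(r"KEYHEX:([0-9A-Fa-f]+)")  # assumed page convention for this example


def addresses_trusted_by_print(page_text: str, trusted_print: str) -> list[str]:
    """Return the e-mail addresses on a page only if the key published there has the trusted print.

    The name on the page plays no role; the fingerprint of the key actually published decides.
    Any fingerprint the page merely claims in text is ignored, since an impostor can write one.
    """
    m = KEY_RE.search(page_text)
    if m is None:
        return []
    actual = v4_fingerprint(bytes.fromhex(m.group(1)))
    wanted = re.sub(r"\s", "", trusted_print).upper()  # business cards print it in groups of 4
    if not hmac.compare_digest(actual, wanted):
        return []
    return sorted(set(EMAIL_RE.findall(page_text)))


# Constructed sample data: a toy key (tiny modulus, NOT a real key) and a page publishing it.
TOY_BODY = v4_public_key_body(created=1_000_000_000, n=0xC0FFEE, e=65537)
TOY_PAGE = (
    "Norman Hardy (the one in California)\n"
    f"KEYHEX:{TOY_BODY.hex()}\n"
    "Write to norman@example.com or nh@example.org\n"
)

if __name__ == "__main__":
    print("fingerprint:", v4_fingerprint(TOY_BODY))
    print("addresses:", addresses_trusted_by_print(TOY_PAGE, v4_fingerprint(TOY_BODY)))
```

A page that shows the same name but a swapped key yields no addresses, which is exactly the spoofing case the post describes.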