
Actually, I've been thinking about this, and how do we *really* know that *anyone's* keys are actually theirs? I'm new to this list and have been collecting some of the keys from people who post with PGP signatures, but even at that, I never certify them myself because I am not 100% absolutely certain that the key in question belongs to that person. After all, what if some clever hacker dropped in and replaced someone's .plan file, or edited their index.html file? There's no real way to be absolutely certain.
This is exactly what the web of trust is about. The fact is that you can't trust the Keyservers (they were never designed to be trusted); you can't trust .plan files; you can't trust index.html files. However you can trust signatures made by trusted keys. That is why the web of trust works. For example, I've met in person with a lot of people and we've signed each other's keys. We've used various methods to "prove" identity. Sometimes it's been a long time of personal interactions (close friends). Sometimes it's been a number of certifying documents, IDs, etc. Sometimes it's been a piece of knowledge that I know the other has but no one else has. The point is that once I'm attached to the web of trust I have a means to verify other keys. I can set up a CA that way (MIT has one) -- there is a keysigner that will use out-of-band means to verify the identity of a user and then use that to sign a PGP key in that person's name.
How certain are we that the keyservers are 100% bulletproof? Hell, I could call Joe Schmoe up and say "tell me your fingerprint", but how do I *really* know I'm talking to Joe unless I knew him before getting his signature?
As I said already, the keyservers are not bulletproof. In fact, they were never designed to be trusted. They were designed to be an untrusted key distribution system. The end-user is still supposed to verify the signatures on the keys received from the keyserver. As for calling up Joe Schmoe, how did you get his number? Did you look it up in a phone book? Call directory assistance? These are other means of identification, too. You just need to look at it from a different angle. -derek
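As an added example (not part of the thread and not anyone's posted code), here is a minimal Python model of the validation rule Derek describes: a key fetched from an untrusted keyserver only becomes valid if it carries certifications from keys I have already validated and assigned owner trust to. It assumes the classic PGP thresholds (one fully trusted or two marginally trusted certifiers); all key IDs, names and signatures are constructed.

```python
# Added example (not from the thread): a minimal model of how PGP's web of
# trust decides whether a key really belongs to the named owner. All key IDs,
# names, signatures and trust settings below are constructed for illustration.
from dataclasses import dataclass, field

FULL, MARGINAL = "full", "marginal"   # owner-trust levels I assign locally

@dataclass
class Key:
    key_id: str
    owner: str
    signers: set = field(default_factory=set)  # key IDs that certified this key

def valid_keys(keyring, my_key_id, owner_trust, need_full=1, need_marginal=2):
    """Return the key IDs whose user IDs are considered valid.

    A key is valid if it is my own, or if it is certified by at least
    `need_full` fully-trusted keys or `need_marginal` marginally-trusted
    keys that are themselves already valid. Validity spreads outward from
    my own key; a keyserver copy with no such certification is never
    trusted, and a self-signature alone counts for nothing.
    """
    valid = {my_key_id}
    changed = True
    while changed:                       # iterate to a fixed point
        changed = False
        for key in keyring.values():
            if key.key_id in valid:
                continue
            trusted = [s for s in key.signers if s in valid]
            full = sum(owner_trust.get(s) == FULL for s in trusted)
            marginal = sum(owner_trust.get(s) == MARGINAL for s in trusted)
            if full >= need_full or marginal >= need_marginal:
                valid.add(key.key_id)
                changed = True
    return valid

def demo():
    """Constructed keyring: I met Alice and Carol in person and signed them."""
    keyring = {k.key_id: k for k in [
        Key("ME",    "me"),
        Key("ALICE", "Alice",      {"ME"}),
        Key("CAROL", "Carol",      {"ME"}),
        Key("BOB",   "Bob",        {"ALICE"}),
        Key("DAVE",  "Dave",       {"BOB", "CAROL"}),      # two marginal certifiers
        Key("ERIN",  "Erin",       {"BOB"}),               # only one marginal
        Key("JOE?",  "Joe Schmoe", {"JOE?", "ERIN"}),      # keyserver copy, unverified
    ]}
    owner_trust = {"ME": FULL, "ALICE": FULL, "BOB": MARGINAL, "CAROL": MARGINAL}
    return valid_keys(keyring, "ME", owner_trust)
```

Running `demo()` validates ME, ALICE, CAROL, BOB and DAVE, while ERIN (one marginal certifier) and the "Joe Schmoe" key pulled from the keyserver (self-signed plus an invalid certifier) stay unvalidated.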