[antnisp]

I was under the impression that you can have your key signed by a generally trusted CA.

[technion]

GPG has no central CAs, but relies on a "web of trust" situation. In reality, there's no one central that everyone trusts, so unless the keys are signed by some individual you personally trust, you're down to being reliant on getting valid keys.