Hacker News
by nmcfarl 4605 days ago
I'm not sure the general public needs the level of trust you are describing. They have an email address somehow, from a Facebook chat, business card, or spam mail - and that's the level of trust in identity they are currently comfortable with.

Adding a key exchange with the identity they have - the person handing out biz cards could be lying about his identity, but if someone else spoofs his key, he will not be able to read the email, which will still end up in his inbox, not the spoofer's. So now the spoofer needs to control this guy's whole box to read and delete the emails, or else he'll be detected. At this point, if your box is compromised, pgp isn't providing security. ;)

On the whole it sounds easier to impersonate biz card guy than to just spoof his real email address and provide a fake pgp key.

(And as for unsolicited mail's identity being trusted - Nigerian spam does still work, but the message has gotten through, even to the general populace - people know there is no assurance that identities are real. We just need to NOT undermine that distrust when adding pgp.)