So, I guess more or less “everybody” has gotten a mail from pgp.com asking them to verify it so it can be included in their Global Directory. (Which I guess is just a glorified, web-based keyserver which spams you every six months.) However, I decided to actually click the verify link, and was very much surprised with the directions on the page after the confirm page:
To ensure that your PGP software trusts keys verified by this directory, you must download and trust this directory’s Verification Key.
Download the Verification Key
After downloading, import the Verification Key into your PGP software. Then, sign the key with your key and mark it as Trusted. Please see the documentation for your PGP software for specific instructions on trusting a key.
What? They want me to mark a random key downloaded off some random web page as trusted and sign it? I wonder what crack they have been smoking.