After verifying an email address I got this:

After downloading, import the Verification Key into your PGP software. Then, sign the key with your key and mark it as Trusted. Please see the documentation for your PGP software for specific instructions on trusting a key.

In other words: they expect you to trust them based on the X.509 certificate they present... I hope people realize that with the inclusion of dozens of CAs in common browsers etc. this totally subverts the idea of a web of trust. -Hein