I wouldn't want to trust just the secretary of the other org. However, with public keys (HTTPS, PGP, SSH, anything else similar), it's good for the information on "how to verify" the key to be widely disseminated. For example, the org could put its key fingerprint, and a screenshot of the same as used in common applications, on an indexable part of its HTTPS-protected public website. An individual could put his PGP key fingerprint on his (paper) business card, as fine-print on his resume or CV, and in his e-mail signature. The secretary should be able to say what the key is, and how to verify that.