Comment Re:No NO NO! (Score 1) 255
Exchanging keys over the longer-term communications medium makes it very easy to mount a man-in-the-middle attack. If you're concerned about such attacks, you need some trusted medium for key verification (or exchange) so that you and your communications partner know that each is using the same key as the other. Back in the 1990s, that medium was often key signing parties, where trust in someone's photo ID was backed up by using the social network (hey, Bob, is this really Charlie Doe?). Using a certificate authority is another way to do it... if you actually have good reason to trust both the particular CA and the chain of custody for what you think is the CA's public key.
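The check the comment describes, as an added example that is not part of the original comment: two parties exchange public values over the in-band channel, then compare a short fingerprint over a separate trusted medium. The toy Diffie-Hellman parameters, the function names and the fingerprint format are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only
# (far too small and unvetted for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(my_pub, peer_pub):
    """Short digest of the two public values this party believes are in use."""
    data = b"|".join(str(v).encode() for v in sorted((my_pub, peer_pub)))
    return hashlib.sha256(data).hexdigest()[:16]

def session(intercepted):
    """Run one exchange over the in-band channel.

    Returns (alice_fingerprint, bob_fingerprint, keys_match).
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercepted:
        # The relay replaces each public value with its own before delivery.
        _, m_pub = keypair()
        seen_by_alice, seen_by_bob = m_pub, m_pub
    else:
        seen_by_alice, seen_by_bob = b_pub, a_pub
    k_alice = pow(seen_by_alice, a_priv, P)
    k_bob = pow(seen_by_bob, b_priv, P)
    fp_alice = fingerprint(a_pub, seen_by_alice)
    fp_bob = fingerprint(b_pub, seen_by_bob)
    return fp_alice, fp_bob, k_alice == k_bob

def verify_out_of_band(fp_mine, fp_from_peer):
    """Compare the fingerprint the peer reports over the trusted medium."""
    return secrets.compare_digest(fp_mine, fp_from_peer)

if __name__ == "__main__":
    for intercepted in (False, True):
        fp_a, fp_b, same = session(intercepted)
        print(f"intercepted={intercepted} alice={fp_a} bob={fp_b} "
              f"verified={verify_out_of_band(fp_a, fp_b)} keys_match={same}")
```

Neither party can detect the substitution from the in-band traffic alone; only the comparison over the second medium exposes it, which is why that medium has to be one the relay cannot also rewrite.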