Comment Re:Time to evaluate existing checking mechanism (Score 1) 335
If you can trust your Phonebook, you might call the Sendmail consortium and get them to verify the fingerprint of Eric's PGP key, since he signs the key used to sign the distribution.
You only have to do this once (unless Eric gets himself a new key that isn't signed with the old one). ...and for the CA thingy, it hasn't proven to be a good idea.