I don't want to sound pedantic, and maybe I'm missing something, but how is one to verify that you are really who you say you are? Anyone can whip up a website with a phonenumber, say they're "Dan York", create a gpg key, and refer people to that website.

Maybe they were just paranoid, but the people who told me how to use GPG/PGP also told me to only sign some person's key if you actually met them in person, with some kind of proof that they are who they say they are (photo-id). Or maybe by checking the key fingerprint over the phone if you know the person, and his or her voice.

If I'd sign people without properly checking, the result would be that when people notice this, they'd simply adjust the trust they assign to my key, so that it wouldn't "weigh" as much in the trust calculations.