7.7. Validity of public keys

Importing a public key from a keyserver is quick and easy, but it does not guarantee that the key really belongs to the person named in the user ID.
After all, anybody could have uploaded that key.
Furthermore, if you received someone's public key via email, you should reflect on the fact that there is an inherent security problem in using the same channel (e-mail) both for key distribution and for the exchange of messages secured by that key. In principle, an attacker who is able to compromise the channel can replace the public key in transit with a rogue public key from a key pair he created himself (a man-in-the-middle attack). The attacker can then intercept any message that was encrypted with the rogue public key and decrypt it, since he owns the companion private key.

A solution to this problem is to check the public key's fingerprint with the key owner through a different channel. You may phone the key owner and have him read the key fingerprint to you. If the fingerprint does not match, you both know that the key was replaced in transit.
This procedure is safe but cumbersome whenever, as is almost always the case, you do not personally know the key owner, or when you have many keys in your public keyring. This problem was therefore first addressed in PGP by developing a trust delegation model called the Web of Trust.
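To make the fingerprint check concrete, here is an added example (not code from the original tutorial or from GnuPG) that computes an OpenPGP version 4 fingerprint the way RFC 4880 defines it, namely SHA-1 over the octet 0x99, the two-octet packet length and the public-key packet body, and then compares it against a fingerprint read out over the phone. The RSA modulus, creation time and function names are constructed for illustration and are not a real key; `gpg --fingerprint` prints the same kind of value for keys in your keyring.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_v4_packet_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version octet, creation time,
    public-key algorithm 1 (RSA), then the MPIs n and e (RFC 4880 section 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 of 0x99, the two-octet body length, and the body."""
    prefix = b"\x99" + struct.pack(">H", len(packet_body))
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The long key ID is the low-order 64 bits, i.e. the last 16 hex digits."""
    return fingerprint[-16:]


def format_fingerprint(fingerprint: str) -> str:
    """Group the 40 hex digits in blocks of four, the way gpg prints them."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def normalize(spoken: str) -> str:
    """Drop whitespace and case differences from a fingerprint read aloud or typed in."""
    return "".join(spoken.split()).upper()


def fingerprint_matches(local_fingerprint: str, out_of_band_fingerprint: str) -> bool:
    """Compare the fingerprint of the key we imported with the one confirmed through
    a different channel (e.g. by phone). A mismatch means the key was replaced in transit."""
    return hmac.compare_digest(
        normalize(local_fingerprint).encode(), normalize(out_of_band_fingerprint).encode()
    )


# Constructed sample data: this is NOT a real key, just a plausible packet layout.
CREATED = 1_700_000_000
N = 0xD3B0A7D4F7E1C2B5A9E8F6D1C3B2A4E7F5D6C8B9A1E2F3D4C5B6A7E8F9D0C1B3
E = 65537
GENUINE_BODY = rsa_v4_packet_body(CREATED, N, E)
# A rogue key substituted in transit: same user would be claimed, different key material.
ROGUE_BODY = rsa_v4_packet_body(CREATED, N + 2, E)


def demo() -> dict:
    """Run the check for the genuine key and for a substituted key; return the outcomes."""
    genuine = v4_fingerprint(GENUINE_BODY)
    rogue = v4_fingerprint(ROGUE_BODY)
    # What the key owner reads to us over the phone (formatted, possibly lower case).
    spoken = format_fingerprint(genuine).lower()
    return {
        "genuine_fingerprint": format_fingerprint(genuine),
        "genuine_key_id": key_id(genuine),
        "genuine_matches_phone": fingerprint_matches(genuine, spoken),
        "rogue_matches_phone": fingerprint_matches(rogue, spoken),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The comparison uses `hmac.compare_digest` purely as a habit for comparing secrets and digests; the real protection here is that the spoken fingerprint travels over a channel the attacker does not control, so a substituted key cannot produce a matching value.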