I personally think it would be nice if any vendor that wants to could submit their public key with a signed message proving they have the corresponding private key.
I think it would be easier to maintain credebility across markets, and especially given the recent churn we've seen.
As of now, it's largely a free for all regarding where to get trustworthy PGP public keys. Just because a vendor has a public key doesn't mean they haven't hijacked someone's account etc. Just a thought.
AM grams wat bruv