I agree. All vendors should use an out-of-band mechanism to publish their PGP keys. It could be as simple as Pastebin or qPaste. If the SR site was compromised, they could replace vendor keys with their own. When vendors viewed their own profiles, they would see their real keys. Everyone else would see the attacker's keys. Then when you PGP encrypt your address, you're really encrypting it to the attacker. They decrypt and get your address. Then they re-encrypt it with the vendor's real key, so nobody would suspect a thing.