Someone asked a similar question a week or two ago. The threat isn't just that SR would change the key. A vendor's account could be compromised through a phishing attack. In fact, this has actually happened. The solution to this problem is to distribute your public key as widely as possible and through many independent channels. Make sure all your customers have your key. Some of them will be able to verify your identity. The vendor who got phished had to prove his identity by posting a signed message to the forum and waiting for a former customer to verify it.