> Then, get in touch with me by some secure means and confirm that <snip>
I think rather than "secure" it might be better to say "using some other means of authentication". "Authentication" can mean a lot of things, with the method depending on the level of security required (a phone call to quote the fingerprint may be sufficient where you would recognise the person's voice and the data being transferred is not critical), but it definitely means "through a different channel".

I mention this because a friend/colleague used to send his GPG public key to people via email, and then placed his key fingerprint in his .sig, in the belief that this would enhance security (not to mention his geek-cred). A five-minute explanation of the principle of a man-in-the-middle attack, followed by a swift bat upside the head with a copy of "Applied Cryptography" seemed to do the trick, and he sheepishly removed it. This same person is now contracting out his services as, among other things, a "security expert".

Caveat Emptor,
Steve
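Added example, not part of the original message: a Python sketch of why a fingerprint carried in the same email as the key verifies nothing, while one obtained over a second channel does. The key bytes, the `make_email` helper and the dictionary layout are constructed for illustration; the fingerprint calculation is the OpenPGP v4 one (RFC 4880, section 12.2).

```python
import hashlib
import hmac


def v4_fingerprint(pubkey_packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint: SHA-1 over 0x99, a 2-byte big-endian
    length, then the public-key packet body."""
    header = b"\x99" + len(pubkey_packet_body).to_bytes(2, "big")
    return hashlib.sha1(header + pubkey_packet_body).hexdigest().upper()


def normalise(fpr: str) -> str:
    """Drop spaces and case so a spoken or printed fingerprint compares cleanly."""
    return "".join(fpr.split()).upper()


def fingerprint_matches(pubkey_packet_body: bytes, claimed_fpr: str) -> bool:
    """Recompute the fingerprint locally and compare it with the claimed one."""
    return hmac.compare_digest(v4_fingerprint(pubkey_packet_body),
                               normalise(claimed_fpr))


def make_email(key_body: bytes) -> dict:
    """Hypothetical stand-in for a mail carrying a key plus a .sig fingerprint."""
    return {"key": key_body, "sig_fpr": v4_fingerprint(key_body)}


# Constructed byte strings standing in for key packet bodies; not real keys.
SENDER_KEY = b"\x04" + b"constructed-sender-key-material"
SUBSTITUTE_KEY = b"\x04" + b"constructed-substitute-key-material"

# Fingerprint the sender reads out over a different channel (e.g. a phone call).
OUT_OF_BAND_FPR = v4_fingerprint(SENDER_KEY)

genuine = make_email(SENDER_KEY)
# Whoever can rewrite the mail in transit can rewrite key and .sig together.
tampered = make_email(SUBSTITUTE_KEY)


def check(email: dict) -> dict:
    """Compare the received key against the in-band and out-of-band fingerprints."""
    return {
        "in_band": fingerprint_matches(email["key"], email["sig_fpr"]),
        "out_of_band": fingerprint_matches(email["key"], OUT_OF_BAND_FPR),
    }


if __name__ == "__main__":
    print("genuine :", check(genuine))
    print("tampered:", check(tampered))
```

The in-band comparison succeeds for both mails, so it cannot distinguish a substituted key; only the comparison against the separately obtained fingerprint fails for the tampered one.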

