They published it with an precise link to their email address - what were people supposed to conclude from them publishing it - "never use this pgp key unless you've spoken to me in person?" - that... kinda defeats the whole point of publishing a key _and_ the handle by which it's looked up in the same database. If you didn't want that, you'd associate it with something else that wouldn't expect encrypted email - like a name or a GUID and point people there when they need it.

They wrote in the book "me@foo.com: use key" - and then people did. If he wanted different behaviour, he could have published "someoneelse@foo.com" and then they wouldn't use it to email _him_.

In the current world an "email address" is not solely (or sometimes even primarily) for delivering email, but rather an identity or username for various systems, such as for signing git commits. So a key linked to an identity (email address) does not imply in any way that this key is also used or usable for encrypted communication.

> "never use this pgp key unless you've spoken to me in person?"

Well, yes, actually, that is what I would expect. (Well, not necessarily in person, but via a different communication channel, even by unencrypted email.)

I remember when I was first playing around with PGP more than 20 years ago. The usual convention was to talk to the other party first about encrypting your messages, and not to assume that the recipient could receive and decrypt them in all circumstances.

The original PGP idea was a "web of trust", which meant doing key signing parties and you hopefully ending up with a transitive chain of trust to anybody you might want to contact.

Just blindly downloading keys from a keyserver and hoping they're the real thing was not the idea.