Glossing over a Critical Security Requirement
As I have noted in the past: the fundamental error here is that HTTPS bypasses the requirement for users to authenticate keys.
This requirement is carefully detailed by Phil Zimmermann in his original PGP documentation, in the section "Protecting keys from tampering".
HTTPS did not follow his requirements and got what they deserved.
Anyone using PGP (or, by extension, X.509 certificates) should generate their own keypair and sign any certificate that is used in a critical system. It should be noted that MSFT already does this for critical security bulletins.
The IT industry is again guilty of glossing over a critical requirement in favor of convenience.
Getting hacked ain't gonna be convenient.
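As an added example (not part of the original comment), this is what the advice above looks like in Go's standard library: a critical system trusts only certificates that chain to the operator's own CA, and a certificate for the same host issued by any other authority is rejected because the system trust store is never consulted. The CA names, the host `backup.internal` and every key and certificate are constructed inside the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a P-256 certificate for name, signed by parent (self-signed root when parent is nil).
// Constructed test material: keys live only in memory and the certificates expire after a day.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: this is the operator's own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// trustedByOperator verifies leaf for host against a pool holding ONLY the operator's own CA.
func trustedByOperator(leaf, ownCA *x509.Certificate, host string) bool {
	roots := x509.NewCertPool() // empty pool: the system trust store is never loaded
	roots.AddCert(ownCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// demo issues a certificate for the host under the operator's CA and another under an
// unrelated CA (both constructed here) and reports which one the operator's pool accepts.
func demo() (ownAccepted, strangerAccepted bool) {
	ownCA, ownKey := issue("ops-root", true, nil, nil)
	otherCA, otherKey := issue("some-public-ca", true, nil, nil)
	good, _ := issue("backup.internal", false, ownCA, ownKey)
	bad, _ := issue("backup.internal", false, otherCA, otherKey)
	return trustedByOperator(good, ownCA, "backup.internal"), trustedByOperator(bad, ownCA, "backup.internal")
}
```

The second certificate fails with an unknown-authority error even though it is otherwise well-formed for the host: only a key the operator signed is accepted.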