I placed an order with a vendor I've been using for over a year now last night. About an hour after I placed the order, they sent me a message saying to encrypt my address with the key on their website. Thing is, the key I used, and always have used, was found on their website when I placed my first order. Is it normal for a vendor to change their PGP key after a while, or should I not re-encrypt my address?
I wouldn't normally be suspicious, but the vendor did use the same return address on the last three or four orders I placed with them, and I know that's a way a lot of vendors get caught, so I'm a little suspicious.
Verify their public key; check out Grams.