I've noticed a lot of users of Tor use PGP. With it you can encrypt or sign a message. However how do we know a key is real? What would stop me from creating a new key pair and uploading it to the key servers? And from there spoofing identity?