Assuming that's all done properly, I agree. Best case though, some nontrivial % of those keys will be phished.