That one constantly perplexes me. The GPG signature, or X.509 even, means nothing in the message. But if you go to the trouble of putting it in there, then I can actually run checks.

Conversely....I can see the argument not to. Uploading 50,000 1-character name mismatch to bank encryption keys would definitely happen.