ways to ensure that GPG public key belongs to right person in business to business communication

Martin T m4rtntns at gmail.com
Wed Oct 26 22:21:48 CEST 2016


Hi,

let's say that Alice from company A and Bob from company B need to
exchange some private data with each other. Alice and Bob need to
encrypt data just that one time, they do not belong to a web of trust,
but both company A and company B websites are trusted by a certification
authority, secure and available only over TLS. This gives a first
option where both Alice and Bob ask their IT departments to publish
their public keys on the company website so Alice can get Bob's public
key over TLS from the company B website and the other way around. Or when
for example the website of company B is not trusted by a CA, then Alice can
pick up the phone, call the customer support of company B and ask
for Bob and then ask Bob to send her an e-mail with a public key and
verify the fingerprint of the public key over the phone? Are there
better (easier to use or more secure) ways to ensure that a GPG public
key belongs to the right person in business to business communication?


thanks,
Martin
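
The phone check described in the message above, sketched as an added example that is not part of the original post: the e-mailed key file is imported only if its full primary fingerprint equals the one read out over the phone. The function names are hypothetical, the sample listing is constructed, and `verify_and_import` assumes a GnuPG 2.x recent enough to provide `--show-keys`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Constructed `gpg --with-colons` listing (not a real key).
SAMPLE_LISTING='pub:-:4096:1:0123456789ABCDEF:1477513308:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1477513308::::Bob (constructed) <bob@example.com>:
sub:-:4096:1:1111222233334444:1477513308::::::e:
fpr:::::::::1111111111111111111111111111222233334444:'

# Strip spaces, tabs, colons and newlines, then upper-case, so a fingerprint
# read aloud in groups of four compares equal to gpg's compact form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Print the primary key fingerprint: field 10 of the first "fpr" record
# read from stdin (later "fpr" records belong to subkeys).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# fpr_matches LISTING SPOKEN
# Returns 0 on match, 1 on mismatch, 2 if SPOKEN is not a full fingerprint
# (40 or 64 hex digits); short key IDs are refused rather than compared.
fpr_matches() {
    _have=$(printf '%s\n' "$1" | primary_fpr)
    _want=$(normalize_fpr "$2")
    printf '%s\n' "$_want" | grep -Eq '^([0-9A-F]{40}|[0-9A-F]{64})$' || return 2
    [ -n "$_have" ] && [ "$_have" = "$_want" ]
}

# verify_and_import KEYFILE SPOKEN
# Inspects the key file without touching the keyring, then imports on match.
verify_and_import() {
    _listing=$(gpg --show-keys --with-colons "$1") || return 1
    if fpr_matches "$_listing" "$2"; then
        gpg --import "$1"
    else
        echo "fingerprint mismatch or incomplete: not importing $1" >&2
        return 1
    fi
}
```
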


