Posting a contact link (and switching accounts to respond from an unposted account) seems like the best way of securely contacting strangers, essentially an elaborate trust-on-first-use.
I don’t find anything fishy in being asked to contact someone by e-mail. And posting a PGP key as well as an e-mail address is also not something I would think is fishy. Deltachat’s invite links and QR codes are an easy-to-use way of doing this, and I only wish they were more decentralized (say, by making the domain that of the Chatmail server) and standardized, so that all servers and mail clients could use them.
But as Cyrneko says, humans can’t reasonably be expected to remember keys, or even fingerprints. The app must therefore look them up, using a short memorable index. We are back at either
1. looking up keys on keyservers
2. trust-on-first-use, which is what Autocrypt is designed for
3. scanning keys in person
4. manually exchanging key files (.asc or vCard)
   4a. including downloading them from keyservers and sending them in plaintext, even over horribly insecure networks
Currently 3&4 are in Deltachat, 1&2 are deliberately omitted.