What if you already have an older Debian install, or an older Debian CD (that you already verified/trust by other means)?
There should be a chain of trust from the signing keys used on the old CDs all the way to the signing key used on the new CD, right?
Is there an easy way to check the signing key, given an older Debian CD (besides booting from it and checking the new key with gpg)?