A good way to check if it does the right thing is to make sure it does not depend on the security of DNS. Is this the case? (I'm still trying to find out.)
From that document:
"destination.com retrieves Alice's public key from mailhost.com by using a webfinger lookup over SSL."
So it looks to me that the system's security depends on the attacker not having compromised DNS such that the relying party's query of mailhost.com is intercepted. Depending on the implementation, doing this "over SSL" provides some additional security over unchecked reliance on DNS, but given how frequently keys roll, it may not be that much in practice.
Apparently, it does not do what I hoped it would. Assertions are about ownership of an email address, not about control of the private part of a key pair.
That's essentially what this is... with a verification service and web-based UI to help bootstrap it.