This concern is not part of the Blockcerts scope currently, but it is an important concern. Here ere are some practical ideas for the short and long term.
Issuers can publish their public keys, making them known to the community, particularly over time. Perhaps registry services will emerge that make this knowledge more convenient. In the cases of school-systems, often the issuers and verifiers interact so much, the keys will be well known.
Issuers could start issuing from a Decentralized Identity Profile (DID) like Blockstack or UPort. The more these DIDs are used, the more reliable their reputation becomes. I can imagine this reputation someday becoming part of the verification process or a separate smart-contract.
Other ideas? Please share!
This is definitely an important issue to will require a more convenient solutions long term.