In the case of a properly implemented nym->address system, a MITM attack couldn't spoof an address because he can't forge a signature. This would work especially well if a nym's pubkeys were registered in a system like Namecoin.
Exactly all the communications can be signed with a Bitcoin address publicly know to be associated with the intended user. This can involve a directory look-up service but just move the MITM problem... So the most simple solution is to add the public signing address that the user directly grab from the website of the merchant to his own trust list on the client software. Or by extension an self identifying address scheme that i am currently working on...
