> It's even easier to do, because you don't have to trick a CA in creating a duplicate key. In some ways it's easier with PGP, yes. But in some ways relying on a possibly-hostile CA is worse: if the software doesn't…
The problem with that method is the recipient of your mail is still relying on that CA to validate your public key. The CA could (willingly or under duress) sign some other public key and claim it's yours, then use that…
> It's even easier to do, because you don't have to trick a CA in creating a duplicate key. In some ways it's easier with PGP, yes. But in some ways relying on a possibly-hostile CA is worse: if the software doesn't…
The problem with that method is the recipient of your mail is still relying on that CA to validate your public key. The CA could (willingly or under duress) sign some other public key and claim it's yours, then use that…