On Wed, 23 Sep 2015, Simon Josefsson wrote:
The good news is that this should be observable by the user. That is,
he should be able to query the domain for his own public key and
compare.
The user can't detect it reliably, I believe, at least not until we have
something like a Certificate Transparency project for DNSSEC data.
While that is on the horizon after the trans working group finishing up
their core bis document, your statement is not entirely correct.
Users have keyrings, and they can store keys previously seen or used in
their key ring. We are talking about end to end encryption without an
intermediate CA here. The CT model defends against bad CAs because TLS
clients don't log and store all EE certs of all TLS servers. But openpgp
users do keep the keys of those they send encrypted emails to in their
local keyring.
Paul