Comment Re:The chain of trust is broken. (Score 1) 110
To do that, the attacker would also need to be able to intercept mail sent towards the real person. You can sign a key without using mail, but that's not what is done during usual keysigning, and asking an innocent person to do so would raise suspicion. Yeah, intercepting mail is possible if you're resourceful enough, especially without DANE, but that's quite a hoop to jump through. This usually implies an organization, and with those resources, it's simpler for the attacker to find a bunch of shadier people to sign that fake key.