Bootstrapping OpenPGP keys from the web (updated wiki chapter)
What if you want to stay completely anonymous, or have no trust path to an OpenPGP key at all?
Some people just write an unencrypted mail to the recipient and ask them to send their public key. The recipient will most likely either send their public key or at least its fingerprint.
This works against passive attacks: an observer would not know what the two parties have been talking about in the encrypted mails that follow. It totally fails against active attacks. A man-in-the-middle could replace the recipient's key with their own malicious key. The sender would then encrypt to the wrong key; the man-in-the-middle would decrypt the message, read it, re-encrypt it with the legitimate key and forward it to the recipient. Neither sender nor recipient would ever find out that their messages are being read by an adversary. This is the whole reason why the trust path model and key signing are recommended in the first place.
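The check that defeats the key substitution described above is not "did a key arrive?" but "does the fingerprint of the key that arrived match a fingerprint I obtained over a channel the attacker does not control?" (a phone call, a business card, a printed fingerprint, a signed key on a keyserver you already trust). The following example, added here and not part of the original wiki text, computes the OpenPGP v4 fingerprint of a public key packet as specified in RFC 4880 section 12.2 and compares it with an out-of-band fingerprint. The two RSA moduli are constructed toy values (far too small for real use) that exist only so that a fingerprint can be computed; the function and variable names are this example's own.

```python
"""Verify a received OpenPGP v4 public key against an out-of-band fingerprint.

Added example (not wiki code). Key material below is constructed and toy-sized.
"""
import hashlib
import re
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    if value == 0:
        return b"\x00\x00"
    magnitude = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + magnitude


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 RSA Public-Key packet: version, creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint_v4(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length, and the packet body."""
    if body[:1] != b"\x04":
        raise ValueError("only v4 public key packets are handled here")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    return digest.upper()


def key_id(body: bytes) -> str:
    """The long key ID is the low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint_v4(body)[-16:]


def normalize_fingerprint(text: str) -> str:
    """Accept the forms people paste: grouped with spaces or colons, lowercase, 0x prefix."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a 40-hex-digit v4 fingerprint")
    return cleaned


def key_matches_out_of_band_fingerprint(received_body: bytes, trusted_fingerprint: str) -> bool:
    """True only if the key that arrived by mail is the one whose fingerprint you got elsewhere."""
    return fingerprint_v4(received_body) == normalize_fingerprint(trusted_fingerprint)


# Constructed sample keys (hypothetical, toy-sized moduli; never use such keys for real).
RECIPIENT_KEY = rsa_public_key_packet_body(n=0xD2F17A395BC4E6B1, e=65537, created=1_600_000_000)
SUBSTITUTED_KEY = rsa_public_key_packet_body(n=0xB8E30C5FA1779D4D, e=65537, created=1_600_000_000)


if __name__ == "__main__":
    # The fingerprint the recipient read out over the phone (second channel, constructed here).
    out_of_band = fingerprint_v4(RECIPIENT_KEY)
    # Case 1: the mail was not tampered with.
    print("genuine key accepted:", key_matches_out_of_band_fingerprint(RECIPIENT_KEY, out_of_band))
    # Case 2: a man-in-the-middle replaced the key in transit. Same mail, different key.
    print("substituted key accepted:", key_matches_out_of_band_fingerprint(SUBSTITUTED_KEY, out_of_band))
    # Note: a fingerprint that arrives in the same unencrypted mail as the key proves nothing,
    # because the attacker who swapped the key can swap that fingerprint too.
    print("key id of genuine key:", key_id(RECIPIENT_KEY))
```

The point of the second channel is independence: the fingerprint must come from somewhere the person who could have altered the mail cannot also alter. Comparing the key against a fingerprint quoted in the same mail, or fetched from a URL the mail points to, re-creates exactly the active-attack gap the chapter describes.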