The problem with that method is the recipient of your mail is still relying on that CA to validate your public key. The CA could (willingly or under duress) sign some other public key and claim it's yours, then use that key to impersonate you, and even trick recipients into using that public key to encrypt emails intended for you. That would form the basis of a man-in-the-middle attack.
It's unlikely to work if you've already been communicating using the real public key (depending on how the software handles new keys), but for new recipients in particular, it's possible.
That's possible with PGP, too, if you don't verify the key in person. E.g. "hey Alice, I lost my passphrase, please use the attached key or ID xxxx on one of the keyservers"
It's even easier to do, because you don't have to trick a CA into creating a duplicate key.
> It's even easier to do, because you don't have to trick a CA into creating a duplicate key.
In some ways it's easier with PGP, yes.
But in some ways relying on a possibly-hostile CA is worse: if the software doesn't really give the user any visibility of key changes, then the impersonator won't even need to social-engineer the recipient with "whoops I lost my key". Instead, the duped recipient will just see "Signed by Big Trusted CA" with a shiny green padlock, and will think everything is fine, even though the key under the hood has changed.
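The "visibility of key changes" point above is the whole difference between the two scenarios, and the usual mitigation is for the mail client to pin the fingerprint it saw on first contact and warn when a later message arrives under a different key, whether or not a CA vouches for it. The following is an added example, not code from any of the posters or from any particular mail client: a minimal trust-on-first-use pin store. It assumes the fingerprint is the SHA-256 of the serialized public key (a design assumption, not a standard any of the posts cite), and the key bytes are constructed placeholders standing in for real DER/OpenPGP key material.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key_bytes: bytes) -> str:
    """Hex SHA-256 over the serialized public key (assumed scheme for this example)."""
    return hashlib.sha256(public_key_bytes).hexdigest()


@dataclass
class KeyPinStore:
    """Trust-on-first-use store mapping a sender address to the pinned key fingerprint."""
    pins: dict = field(default_factory=dict)

    def check(self, sender: str, public_key_bytes: bytes, ca_signed: bool) -> str:
        """Return 'new', 'match' or 'changed' for the key presented by `sender`.

        A CA signature on the presented key is deliberately ignored when deciding
        'changed': the point is that a valid CA signature on a *different* key is
        exactly the case a user needs to be shown, not hidden behind a green padlock.
        """
        fp = fingerprint(public_key_bytes)
        known = self.pins.get(sender)
        if known is None:
            # First contact: record the key so later changes become visible.
            self.pins[sender] = fp
            return "new"
        if known == fp:
            return "match"
        # Key differs from the pinned one; surface this regardless of ca_signed.
        return "changed"


def run_scenario() -> list:
    """Walk through the thread's scenario with constructed key bytes."""
    store = KeyPinStore()
    alice_real_key = b"-- constructed placeholder for Alice's real public key --"
    alice_rogue_key = b"-- constructed placeholder for a CA-signed impostor key --"
    results = [
        store.check("alice@example.com", alice_real_key, ca_signed=True),   # 'new'
        store.check("alice@example.com", alice_real_key, ca_signed=True),   # 'match'
        # Impostor presents a different key that a CA has happily signed.
        store.check("alice@example.com", alice_rogue_key, ca_signed=True),  # 'changed'
    ]
    return results


if __name__ == "__main__":
    print(run_scenario())
```

A client that only consults `ca_signed` would accept the third message silently; a client that keeps pins like this one can at least show the user that the key behind "Signed by Big Trusted CA" is not the key they have been using, which is the visibility the post above says is missing.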