[mseebach]

No. You absolutely must confirm the key of people you correspond with. An internal CA in your organisation could achieve this, but the "trust a random list of CAs" model of security is fragile, and must be considered compromised in the face of an adversary like the NSA (or any government in a country where a CA on your trusted list is located).

[joshuak]

Well either you trust the CA system or you don't. If you do then receiving a s/mime signature, that your OS thinks is valid because of the root certificates that it accepts, then you can trust it "transparently".

If you don't trust the CA system, well then the web is a very scary place for you because it's all built on that and email is probably the least of your concerns.

The CAs are generally not "a random list", but rather a publicly accepted and accredited CA. Just like your https cert.

[andrewflnr]

No. Degrees of trust are allowed, and you can choose to do different things in different contexts (browsing vs email) depending on the likelihood and likely damage of betrayal.

[indeyets]

That's exactly the reason, why "DANE" approach is developed now, to replace CAs use for HTTPS

https://tools.ietf.org/wg/dane/ http://www.internetsociety.org/articles/dane-taking-tls-auth...