Asking for their public key lets you encrypt messages that only their private key can decrypt, and verify signatures they create. It doesn't by itself prove their real identity, you still need to verify the key's authenticity (e.g. via fingerprint comparison or a trusted keyserver) to avoid impersonation or man-in-the-middle attacks.
I think what I’ve gathered is that the person I replied to is going with a TOFU model of key security (trust on first use), or is just seeking to avoid plaintext passwords in slack messages and is treating the key as disposable for the one-time encryption of the password.
Presumably they must trust that the user messaging them on slack is indeed who they say they are and is in control of the account.
If I’ve understood correctly, this seems like one of those cases where PGP is adding quite little security to the system, and may be preventing the implementation of more secure systems if it is providing a false sense of security.
But it’s probably just someone doing their best in a system beyond their control.
Like I have said in another comment, the question of identity verification makes no sense in this context. The identity verification problem is orthogonal to the encryption scheme.
That is an extremely weird argument. They aren't separable concerns. If you have a trusted identity in place you could use a password-protected AES ZIP file for all the encryption matters.
> I think I'm missing something, how does asking for their public key improve security or verify their identity?
OK, so this was the question. My response should have been "it does not necessarily verify their identity". I mentioned some of the mechanisms for identity verification in the other thread.
