OpenPGP keys might be authentic or counterfeit
Revision Information
- Revision id: 246218
- Created:
- Creator: Kai Engert
- Comment: initial version, will shortly be improved further
- Reviewed: Yes
- Reviewed:
- Reviewed by: wsmwk
- Is approved? Yes
- Is current revision? No
- Ready for localization: No
Revision Source
Revision Content
To send an encrypted OpenPGP message, you need to obtain the recipient's public key. Once you have obtained it, you also need to decide whether you want to accept it.
The reason is that Thunderbird cannot automatically decide whether a key is authentic or counterfeit.
It is very easy to create a key in someone else's name and with their email address: the name and address stored in a key are just text typed in by whoever created the key, and nothing in the key proves who that was. A person with malicious intentions could create a key that contains the name and the email address of your friend Bob and send it to you. If someone other than Bob has created the key, it is a counterfeit key.
If you use a counterfeit key in Bob's name, you might believe that you are having a confidential conversation with Bob because you are using email encryption, while in reality the message is readable by the malicious person who created the counterfeit key in Bob's name, because only the creator of a key holds the private key that decrypts messages encrypted to it.
This is called a Monster-in-the-Middle attack (MITM), also widely known as a man-in-the-middle attack.
To prevent you from accidentally using a counterfeit key, Thunderbird never uses someone's key automatically. Thunderbird always requires that you decide whether to accept a key as authentic.
It's your decision how much work you want to invest in checking whether a key is authentic or counterfeit.
If you have casual conversations with a correspondent, and you consider the contents of your messages not very sensitive, you could decide to mark a key as accepted without checking it in detail. Be aware that an unverified key protects you only against someone passively reading your email, not against someone who deliberately sent you a counterfeit key.
However, if you intend to exchange critical information, and your liberty or your life depends on the information remaining confidential, you should carefully verify that you are using an authentic key. You can do this by viewing the details of a key, and then using a communication channel other than email to talk to your correspondent, such as a phone call, a video call or a meeting in person, on which you can recognize the other person. Then each of you should view the details of the other person's key and look at the fingerprint that is shown. (A fingerprint is a kind of checksum: a short cryptographic hash, shown as 40 hexadecimal digits, computed from the key material itself. The name and email address in a key do not influence it, and it is not practical for an attacker to create a different key with the same fingerprint, so a matching fingerprint identifies the key.)
To explain that in more detail, if Alice and Bob want to ensure that they use each other's correct keys, they perform the verification in two steps. In the first step, Alice opens the details of her own personal key, by finding it either in the OpenPGP key manager or in the End-To-End Encryption tab in account settings. Bob opens the details of the key he has obtained and that claims to be in Alice's name. Then Alice reads out the fingerprint she sees on the screen for her own key, and Bob listens and compares it with the fingerprint that is shown on his screen for the key that is in Alice's name. Compare all 40 digits, not just the first or last few: the last digits of a fingerprint are the key ID, and an attacker can easily create a key whose short key ID matches someone else's. Only if the information fully matches has Bob verified Alice's key, and he can then click the checkbox that says "Yes, I've verified in person this key has the correct fingerprint". If even a single digit differs, the key should not be accepted.
In the second step, Alice and Bob repeat the process with Bob's key. Bob opens the details of his own key, and Alice opens the key she has obtained and that claims to be in Bob's name. Then Bob reads out the fingerprint he sees on screen for his own key, and Alice listens and compares it with the information she sees shown for Bob's key. If it fully matches, then Alice has verified Bob's key, and can click the checkbox that says "Yes, I've verified in person this key has the correct fingerprint".
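The verification described above rests on one property: a fingerprint is computed from the key material only, so two keys that carry the same name and email address still have different fingerprints. The following Python example is added here as an illustration; it is not Thunderbird code and does not use Thunderbird's OpenPGP library. It computes version 4 fingerprints the way RFC 4880 defines them for two constructed toy keys that both claim to be Bob, and compares a fingerprint read aloud over another channel with the one shown on screen, insisting on all 40 digits. The key material, user ID and creation times are made-up placeholders, not real keys.

```python
import hashlib
import hmac
import re
import struct

# Constructed toy key material for illustration only. These are NOT real RSA
# keys: the moduli are tiny placeholder integers chosen so that the packet
# layout stays readable. Both keys carry the same user ID, which is the point:
# the user ID is free text chosen by whoever made the key.
USER_ID = "Bob <bob@example.com>"   # constructed; identical on both keys
RSA_ENCRYPT_OR_SIGN = 1             # public-key algorithm ID (RFC 4880 9.1)


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2)."""
    bit_len = n.bit_length()
    return struct.pack(">H", bit_len) + n.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (RFC 4880 5.5.2)."""
    return (bytes([4]) + struct.pack(">I", created)
            + bytes([RSA_ENCRYPT_OR_SIGN]) + mpi(n) + mpi(e))


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, then the body.

    Note what is not hashed: the user ID packet. Name and email address
    have no influence on the fingerprint at all.
    """
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is just the last 16 hex digits of a v4 fingerprint."""
    return fingerprint[-16:]


def display(fingerprint: str) -> str:
    """Groups of four hex digits, the form key managers show for reading aloud."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def fingerprints_match(shown: str, read_aloud: str) -> bool:
    """Compare a fingerprint seen on screen with one read aloud over another channel.

    Spacing and letter case are ignored; everything else must match exactly, and
    a partial comparison (for example only the last 8 or 16 digits) is rejected.
    """
    a = re.sub(r"[^0-9A-Fa-f]", "", shown).upper()
    b = re.sub(r"[^0-9A-Fa-f]", "", read_aloud).upper()
    return len(a) == 40 and hmac.compare_digest(a, b)


# Bob's genuine key, and a counterfeit made by someone else in Bob's name.
# Each key is modelled as (user ID, public-key packet body). Values are made up.
GENUINE = (USER_ID, v4_public_key_body(created=1700000000,
                                       n=0xC8F1A3B7E92D5F01, e=65537))
COUNTERFEIT = (USER_ID, v4_public_key_body(created=1700000000,
                                           n=0xD2B94C17A86E3F05, e=65537))


def compare_keys(key_a, key_b) -> dict:
    """Show that the user ID cannot tell the keys apart but the fingerprint can."""
    uid_a, body_a = key_a
    uid_b, body_b = key_b
    fp_a, fp_b = v4_fingerprint(body_a), v4_fingerprint(body_b)
    return {
        "user_ids_match": uid_a == uid_b,
        "fingerprints_match": fingerprints_match(fp_a, fp_b),
        "key_a": display(fp_a),
        "key_b": display(fp_b),
    }


if __name__ == "__main__":
    result = compare_keys(GENUINE, COUNTERFEIT)
    print("Same name and email on both keys:", result["user_ids_match"])
    print("Same fingerprint:               ", result["fingerprints_match"])
    print("Genuine key:    ", result["key_a"])
    print("Counterfeit key:", result["key_b"])
```

Two things to take from this: the fingerprint is derived from the key packet alone, so a counterfeit key with Bob's exact name and address produces an unrelated fingerprint, and the comparison function refuses anything shorter than the full 40 digits, because the trailing digits (the key ID) are the part an attacker can deliberately make match.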