OpenPGP embodies a certify once scheme for messaging. The certification here is when someone determines that the OpenPGP identity they have is the one you originally created. Here are some examples of how that might happen:
- You give them your identity in person.
- They get it from something like a key server and then confirm the fingerprint by scanning a QR code on your phone screen or by reading the fingerprint over a voice call.
They then certify it as legitimate and that is it. They are done. They can then send encrypted messages to you with complete assurance that you are the only one that can decrypt them. They can check the signatures on any of your signed messages with complete assurance that a good signature means that you actually signed it. They store their copy of your OpenPGP identity on their device(s) and there is no way for anyone to interfere with the certification or your identity short of breaking into the device(s). Even if such a break in did occur there would be no way to interfere with the certification or your identity short of getting access to the private key and passphrase. That is because the certification is done as a signature.
A counterexample could be the TLS encryption system most commonly used to protect connections from web browsers to websites. In that case the assurance that a connection to, say,
https://www.example.org is actually to that website is done by one of a hundred or so trusted certification entities. If one of these entities turns to be not trustable then they might make certifications that are malicious1). This might happen at any time and you would not normally be aware of the change. There have been attempts to prevent this sort of interference2) by adding extra functionality and/or requirements to TLS.
The point here is that OpenPGP entirely avoids this type of issue in the first place in a simple and straightforward way.