How would they look up an attacker's key if you have it in a decentralized environment? If they use your email, they would get yours; if your private key is compromised, then an attacker could read it, but can't sign on behalf of the store.
How do they know the email address they are looking up is mine?
So let's explore this: I give them a fake email that is in the key server, I get a PGP message that I can't decrypt, and if I can decrypt it I can't change anything because it is signed. So what is the attack?
No. You give Mallory your email address, she gives the server her address. The server encrypts the message with Mallory's key, she decrypts it, changes it, signs it with her key, then encrypts it with your key. You then place the order with Mallory, and send the payment to her bitcoin address.
The server doesn't know how to distinguish your key from Mallory's key, and you don't know how to distinguish Mallory's key from the server's key, because that is the problem we are trying to solve.