> I suppose if their email is already compromised, that could be a problem, but this would require both the Key directory and the email account to be compromised.

How does the key directory get the keys, and how does it ensure that the keys are valid? Traditionally, key servers accepted any keys that were uploaded to them, and told people to verify them before trusting them. Some key servers will try to verify keys ... by emailing you. But, of course, if an attacker has compromised your email account, that doesn't help much.

With WKD, you contact the domain that owns your email account (e.g. if you are something at emailprovider.com, you would fetch the key from emailprovider.com). But if someone compromises emailprovider.com, then they could just serve the wrong key.

One of the goals of end-to-end encryption is that you don't want your service providers to be able to read your things. Both of the existing systems are vulnerable to attacks from your service provider (either if they become malicious, or have a rogue employee) unless you verify the key in some other way.

There is OpenPGP Web Key Directory, or key servers. One of the issues is that unless you trust the server that you're querying (and if you're doing PGP, you should probably not be inclined to blindly trust servers), you need to verify that the key actually belongs to the other users.

Google calls it "Client-side encryption" and distinguishes it from "end-to-end encryption". It works differently from what most people would expect from end-to-end encryption. From their support entry:

> How is CSE different from end-to-end (e2e) encryption? > > With end-to-end encryption (e2e), encryption and decryption always occur on the source and destination devices (such as on mobile phones for instant messaging). Encryption keys are generated on the client, so as an administrator, you don't have control over the keys on the clients and who can use them. In addition, you don't have visibility into which content users have encrypted. > > With client-side encryption (CSE), encryption and decryption also always occur on the source and destination devices, which in this case are the clients' browsers. However, with CSE, clients use encryption keys that are generated and stored in a cloud-based key management service, so you can control the keys and who has access to them. For example, you can revoke a user's access to keys, even if that user generated them. Also, with CSE, you can monitor users' encrypted files.

(emphasis added)

One main practical difference is that organization admins seem to have access to the keys, and so can read everything.