I have recently reported a security problem to email@example.com. Being reasonably paranoid, I sent an S/MIME-encrypted and -signed mail with the detailed description. A few hours later, I got the non-encrypted confirmation back that my mail had been received, a nice case number and the (given) name of the case manager. And my entire mail. TOFU (or how I just learned in the Wikipedia article »jeopardy-style«). Why did I bother to install their S/MIME certificate and the complete certificate chain again?