[Cryptography] Question regarding Proof of Possession

[Philipp Gühring]

Hi,

I have a question regarding the Proof-of-Possession for certificate
issueing:
If I want to get certificates issued for Encryption-Only keys
(for algorithms that can only be used for encryption, not for digital
signatures, like e.g. El-Gamal)
then my question is, whether Proof-of-Possession is really necessary, or
not.

For signing applications, I am well aware that it would be possible for
Mallory
to exchange the certificates after a signature is done,
so Mallory could modify an existing signature.
But for encryption, I do not have an idea, what kind of attack or problem
someone would be able to do with a certificate that uses someone else´s
public-encryption-only key,
without having the private key to it.
The only area where I have a weak idea about a potential problem is
forensics,
in that it could confuse a a forensic expert,
if the forensic expert finds encrypted data, and then the wrong
certificate,
and thinks that it is actually encrypted to Mallory.
But I do not see much value in such an attack.

Does anyone have any idea or experience for an attack scenario?

Or does anyone agree that it should not be a problem to issue certificates
to any encryption-only public key that has no Proof-of-Possession attached?


Thanks a lot for all feedback and best regards,
Philipp Gühring