"The frustrating and ironic thing about GPG is that even experts make mistakes with it. [...] in his first email to me, Snowden had forgotten to attach his key, which meant I could not encrypt my response. I had to send him an unencrypted email asking for his key first."
So, not only can't Johnny encrypt (http://www.gaudior.net/alma/johnny.pdf), but neither can security experts when their lives may depend on it. Proving once more that not only do we need better security tools, but - above all - more usable security tools.
I'm not a security expert... but shouldn't exchange of the public key happen outside the channel of the message (i.e. using a public key / certificate authority)? Otherwise, I could fake the message origination: write my own message, encrypt w/ my private key, and then send you my public key -- you'd never know the message came from me rather than Snowden. (Could also do a more-sophisticated MITM.)
I guess it is an opportunistic encryption vs no-encryption scenario, since Snowden was sending his emails anonymously at that time and there was no way for him to verify his identity to anyone. However, this was before there was any attention on him, and sending his public key inside his first encrypted email would at least offer guarantees of the form: "If this connection is not MITM'ed now, it cannot become MITM'ed in the future". I suppose Snowden would know if there was indiscriminate and automatic mass-interception of GPG at the time (there might be now).
I am also not a crypto expert, but as I understand it: Micah could have also encrypted the email with the key given to him by the 'anonymous mailer', included the hash of that key as part of his message and then signed the whole message with his own key. Since Snowden trusted Micah's key, he could verify the email signature and then check that the included hash matched his own key. A MITM attacker could intercept Snowden's first email and change the key, but then Micah would have hashed the fake key and included that in his email, which the MITM couldn't alter without breaking the signature; then Snowden would have seen the wrong hash on the reply email and known of the presence of the attacker.
An anonymous person contacts you - how do you get their key from a public authority? There is no impersonation attack possible in this case.
Someone claiming to be Edward Snowden contacts you today (now that he is no longer anonymous) - in this case yes, the author just including their key would not necessarily be secure.
If you're being contacted by an anonymous person you have no idea who they are in the first place. Since you don't know an anonymous person's identity, how are you supposed to fetch and validate their public key?
The basic idea of a public key is to be visible to everybody. I consider the real problem to be "spamming." If you have some site which stores the keys and it has a thousand different public keys claiming to be from, e.g., "Laura Poitras", you don't know which one is the real one. So the selection of the "real" key among all of the possible keys is something that should be verified independently. Even if you have only one key, you must verify that that key really belongs to the person you want to reach.
Snowden solved it by requesting the public tweet of Laura's key fingerprint, which was enough. Having the fingerprint match is enough. It's much smaller than the whole key. For example, if Laura's key is 4096 bits, to print it you'd need around 700 letters. But to verify that some 4096 bits you have are actually Laura's key, it's enough that the fingerprint of, for example, 160 bits matches: the math magic involved in creating the fingerprint should guarantee you that nobody can create another key and have the same fingerprint.
In the article, the fingerprint used 4 bits per letter, and there were 40 letters, so it was just 160 bits that Snowden used to verify the key.
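Added example, not part of the thread: how a 40-hex-character (160-bit) fingerprint is derived from a full 4096-bit key and checked against one published out of band. It assumes an OpenPGP version 4 key, whose fingerprint is SHA-1 over the public-key packet; the two "keys" are constructed byte patterns rather than real RSA keys, and all helper names are hypothetical.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (algorithm id 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()

def grouped(fp: str) -> str:
    """Human-readable form, four hex digits per group, as usually published."""
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))

def matches_published(body: bytes, published: str) -> bool:
    """Compare a received key against a fingerprint obtained out of band."""
    want = "".join(published.split()).upper()
    # Insist on the full 160 bits: a shortened ID is far easier to collide.
    if len(want) != 40 or any(c not in "0123456789ABCDEF" for c in want):
        return False
    return hmac.compare_digest(v4_fingerprint(body), want)

def constructed_modulus(label: bytes) -> int:
    """4096-bit stand-in for an RSA modulus (constructed, not a usable key)."""
    return (1 << 4095) | int.from_bytes(hashlib.shake_256(label).digest(512), "big")

# Constructed sample data: the genuine key and a substituted one.
KEY_A = rsa_public_key_body(1356998400, constructed_modulus(b"recipient"), 65537)
KEY_B = rsa_public_key_body(1356998400, constructed_modulus(b"impostor"), 65537)
PUBLISHED = grouped(v4_fingerprint(KEY_A))  # what would be posted publicly

if __name__ == "__main__":
    print("published fingerprint:", PUBLISHED)
    print("bits compared:", len(v4_fingerprint(KEY_A)) * 4)
    print("genuine key accepted:", matches_published(KEY_A, PUBLISHED))
    print("substituted key accepted:", matches_published(KEY_B, PUBLISHED))
```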