Vernon Schryver wrote:
> From: Ed Gerck <egerck(_at_)nma(_dot_)com>
>
> > > If a complete stranger is the sender of an incoming message, then
> > > crypto keys are irrelevant to determining the message is unsolicited
> >
> > No. In PGP, for example, I accept a key based on who signed it and
> > when. If I can trust the signer(s), I may use a key from a stranger.
>
> That sounds like the old "authentication solves spam" hope. It was
> wrong before SMTP-AUTH and it is still wrong. If the sender is a
> stranger, then by the definition of "stranger" you can know nothing
> more than that the key works.

It seems that you're not a PGP user. A signed PGP key has more useful
information than just the key value. PGP keys can and should be signed
by the key-holder and by one or more introducer(s). If you can trust
those signer(s) as introducer(s), you may use a key from a stranger.

BTW, this has nothing to do with "authentication solves spam". Spam is a
complex problem that can only be solved by an array of measures where,
IMO, PK encryption is more useful than PK signatures.

> > > The PGP mantra that a good key does not imply that the sender or the
> > > message is good applies here.
> >
> > Define "good key" and you'll define what the key is good for.
>
> The ancient PGP mantra refers to keys that "work," as in the results
> of decoding using the indicated public keys yield valid messages.

No, this is not how PGP keys should be accepted and considered "good".
Of course, since the rules of PGP are user-centric, you may define
whatever you want as "good keys".