Vernon Schryver wrote:
>
> > From: Ed Gerck <egerck@xxxxxxx>
>
> > > If a complete stranger is the sender of an incoming message, then
> > > crypto keys are irrelevant to determining the message is unsolicited
> > > bulk.
> >
> > No. In PGP, for example, I accept a key based on who signed it and
> > when. If I can trust the signer(s), I may use a key from a stranger.
>
> That sounds like the old "authentication solves spam" hope. It was
> wrong before SMTP-AUTH and it is still wrong. If the sender is a
> stranger, then by the definition of "stranger" you can know nothing
> more than that the key works.

It seems that you're not a PGP user. A signed PGP key has more useful information than just the key value. PGP keys can and should be signed by the key-holder and by one or more introducer(s). If you can trust those signer(s) as introducer(s), you may use a key from a stranger.

BTW, this has nothing to do with "authentication solves spam". Spam is a complex problem that can only be solved by an array of measures where, IMO, PK encryption is more useful than PK signatures.

> > > The PGP mantra that a good key does not imply that the sender or the
> > > message is good applies here.
> >
> > Define "good key" and you'll define what the key is good for.
>
> The ancient PGP mantra refers to keys that "work," as in the results
> of decoding using the indicated public keys yield valid messages.

No, this is not how PGP keys should be accepted and considered "good". Of course, since the rules of PGP are user-centric, you may define whatever you want as "good keys".
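
The acceptance rule discussed in this message (a stranger's key judged by who signed it and when) can be modelled as below. This is an added example, not part of the original message and not PGP's own code. It assumes the signatures have already been verified cryptographically, uses GnuPG's classic defaults of one fully trusted or three marginally trusted introducers, and every key ID, date and trust assignment in it is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

FULL, MARGINAL, NONE = "full", "marginal", "none"  # owner-trust levels set by the local user

@dataclass(frozen=True)
class Certification:
    signer: str                      # key ID that made the signature
    made: date                       # when it was made
    expires: Optional[date] = None   # None means no expiry

@dataclass(frozen=True)
class PublicKey:
    key_id: str
    certifications: tuple            # Certification objects attached to the key

def key_validity(key, owner_trust, today, completes_needed=1, marginals_needed=3):
    """Return (accepted, reason) for a key under the local user's introducer policy."""
    # "When": count only certifications already made and not yet expired.
    live = {c.signer for c in key.certifications
            if c.made <= today and (c.expires is None or today < c.expires)}
    if key.key_id not in live:
        return False, "no current self-signature by the key-holder"
    introducers = live - {key.key_id}
    # "Who": weigh each introducer by the trust the local user assigned.
    full = sum(owner_trust.get(s, NONE) == FULL for s in introducers)
    marginal = sum(owner_trust.get(s, NONE) == MARGINAL for s in introducers)
    if full >= completes_needed:
        return True, "certified by a fully trusted introducer"
    if marginal >= marginals_needed:
        return True, "certified by enough marginally trusted introducers"
    return False, "no trusted introducer vouches for this key"

# Constructed sample data: key IDs, dates and trust assignments are invented.
OWNER_TRUST = {"ALICE": FULL, "BOB": MARGINAL, "CAROL": MARGINAL, "DAVE": MARGINAL}
TODAY = date(2004, 6, 1)
SELF = Certification("STRANGER", date(2003, 1, 1))
introduced = PublicKey("STRANGER", (SELF, Certification("ALICE", date(2004, 1, 10))))
bare = PublicKey("STRANGER", (SELF,))
stale = PublicKey("STRANGER", (SELF, Certification("ALICE", date(2002, 1, 1), date(2003, 1, 1))))

if __name__ == "__main__":
    for name, key in (("introduced", introduced), ("bare", bare), ("stale", stale)):
        print(name, key_validity(key, OWNER_TRUST, TODAY))
```

The result is a statement about the binding between the key and its holder under the local user's policy; it says nothing about the content of any message signed with that key.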