On Wed, 23 Sep 2015, Randy Bush wrote:
if i think of it as a form of opportunistic encryption with very weak authentication it seems useful.
right.
but when i want strong authentication i want strong introduction.
So pull the key from DNSSEC, check for sigs. If not good enough, you could also pull the same key from the keyservers (now that you know that's the key you are looking for in the pile of garbage keys on the keyservers) and possibly get more signatures on it. Still not good enough, don't send the email and find some humans.

Paul