If you never sent them your public key, then there was never a way for you to decrypt their messages. I would hope that a vendor would have figured out PGP enough to ask for your public key; maybe that's not the case. There's a notable vendor on SR right now getting rave reviews, and I was very close to ordering from him, but when I imported his key I realized it was only 1024 bits. Red flag. Who knows how good the rest of his security is. I never ordered. Sometimes you have to lose a few battles in order to win the war.