On Monday, 26 Oct 2015 at 14:45, Nick Anderson wrote: [...]
> But I guess I don't understand why there would have to be a header for
> each recipient (other than current implementation limitations with
> org-crypt).
>
> Currently the CRYPTKEY property identifies the email address or KEY that
> you want to encrypt for. If I have multiple of the same property the one
> that is listed first seems to be used.
>
> What if there were a CRYPTKEYS property that took a space separated list
> of keys or emails?

The logic, AFAIK, is that the main text is encrypted with a so-called session key. The key for this is then encrypted for each recipient using their public key and only they can decrypt (with their private key) this element, called a header. Therefore, if you have multiple recipients, you need multiple headers, i.e. multiple copies of the session key each encrypted for a single recipient. I hope this makes sense.

No matter how you do it, encrypting some text for multiple recipients using PKI requires multiple copies of something, whether the original text or a key used to encrypt that text.

--
: Eric S Fraga (0xFFFCF67D), Emacs 25.0.50.2, Org release_8.3.2-209-gba4d33