On 25 October 2013 08:24, Geoffrey Irving <[email protected]> wrote: > On Fri, Oct 25, 2013 at 5:19 AM, Tom Ritter <[email protected]> wrote: >> Couldn't you just throw the KeyID? That is, specify it as all 0's >> (like gpg's --throw-keyid option). this won't kind the fact that it's >> encrypted to 6 keys, but it will hide what those Key IDs are. > > This isn't very secure: the message still amounts to a proof that it > was encrypted for the given recipients. If you suspect who they are, > now you know for sure.
I don't think so. If I have a message encrypted to 6 thrown Key IDs, AND I have the 6 public keys AND I have 1 private key - I still don't know that the message was encrypted to _those_ six keys, I only know that it was encrypted _to_ six keys, one of which I know because I have the private key for it. The only way to determine a message was encrypted to a public key, if the KeyID is thrown, is if you possess the private key. And if the threat model includes protecting against an adversary who has the message, and a recipient's private key, and you want to make the recipient be able to deny it was encrypted to them.... you're going to have a hard time of it. And if the threat model also includes obscuring how _many_ recipients got the message, then throwing Key IDs is problematic. -tom _______________________________________________ http://openpgpjs.org Subscribe/unsubscribe: http://list.openpgpjs.org
