Re: [O] org-crypt & multiple recipients
On Monday, 26 Oct 2015 at 14:45, Nick Anderson wrote:

[...]

> But I guess I don't understand why there would have to be a header for
> each recipient (other than current implementation limitations with
> org-crypt).
>
> Currently the CRYPTKEY property identifies the email address or KEY that
> you want to encrypt for. If I have multiple of the same property the one
> that is listed first seems to be used.
>
> What if there were a CRYPTKEYS property that took a space separated list
> of keys or emails?

The logic, AFAIK, is that the main text is encrypted with a so-called session key. The key for this is then encrypted for each recipient using their public key and only they can decrypt (with their private key) this element, called a header. Therefore, if you have multiple recipients, you need multiple headers, i.e. multiple copies of the session key each encrypted for a single recipient.

I hope this makes sense. No matter how you do it, encrypting some text for multiple recipients using PKI requires multiple copies of something, whether the original text or a key used to encrypt that text.

-- 
: Eric S Fraga (0xFFFCF67D), Emacs 25.0.50.2, Org release_8.3.2-209-gba4d33
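The header-per-recipient structure Eric describes above, as an added worked example that is not part of this thread and not code from org-crypt or GnuPG. It uses Go's standard library with AES-256-GCM for the body and RSA-OAEP for wrapping the session key as stand-ins for the OpenPGP packet formats; the recipient names alice, bob and outsider, the sample org node text and the Demo/Encrypt/Decrypt functions are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Message is the layout the thread describes: one AES-256-GCM copy of the
// body under a session key, plus that session key wrapped separately for
// each recipient in Headers (key id -> RSA-OAEP(session key)).
type Message struct {
	Headers    map[string][]byte
	Nonce      []byte
	Ciphertext []byte // stored exactly once, however many recipients
}

// newGCM builds the symmetric AEAD that protects the body.
func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt encrypts body once under a fresh random session key, then wraps
// that key for every recipient public key; the body is never copied.
func Encrypt(body []byte, recipients map[string]*rsa.PublicKey) (*Message, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	msg := &Message{Headers: map[string][]byte{}, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}
	for id, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		msg.Headers[id] = wrapped
	}
	return msg, nil
}

// Decrypt unwraps the session key from the header labelled keyID with priv
// and opens the single body; a non-matching key fails at the OAEP step.
func Decrypt(msg *Message, keyID string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := msg.Headers[keyID]
	if !ok {
		return nil, fmt.Errorf("no header for key %s", keyID)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key for %s: %w", keyID, err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}

const SampleBody = "* Team secrets (constructed sample)\nshared token: example-only" // constructed stand-in for an org node

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Demo encrypts SampleBody for two constructed recipients and reports the header
// count, the text bob recovers, and whether a non-recipient key was rejected.
func Demo() (int, string, bool, error) {
	alice, bob, outsider := mustKey(), mustKey(), mustKey()
	msg, err := Encrypt([]byte(SampleBody), map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey})
	if err != nil {
		return 0, "", false, err
	}
	got, err := Decrypt(msg, "bob", bob)
	if err != nil {
		return 0, "", false, err
	}
	_, outsiderErr := Decrypt(msg, "alice", outsider)
	return len(msg.Headers), string(got), outsiderErr != nil, nil
}

func main() { fmt.Println(Demo()) }
```

The point to take from the code is the size relationship: the ciphertext grows by one small header per recipient, not by one copy of the body per recipient, and a key that is not listed in Headers fails before it ever touches the body. With real GnuPG you can see the same structure by running `gpg --list-packets` on a file encrypted with several `--recipient` options: one public-key encrypted session key packet per recipient precedes the single encrypted data packet.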
Re: [O] org-crypt & multiple recipients
On 10/26/2015 06:24 AM, Eric S Fraga wrote:
> On Monday, 26 Oct 2015 at 10:21, Grégoire Jadi wrote:
>> GPG supports multiple-recipient with --recipient
>
> I stand corrected! Thanks. Interesting hybrid encryption approach.
>
> However, although the main text is not copied, the header (which has the
> session key, as it is called, used to encrypt the main text) is so there
> will need to be a structure which has the multiple headers, one for each
> recipient, in the org file.

Thanks for the link describing the multiple-recipient handling, good read.

But I guess I don't understand why there would have to be a header for each recipient (other than current implementation limitations with org-crypt).

Currently the CRYPTKEY property identifies the email address or KEY that you want to encrypt for. If I have multiple of the same property the one that is listed first seems to be used.

What if there were a CRYPTKEYS property that took a space separated list of keys or emails?
Re: [O] org-crypt & multiple recipients
On Monday, 26 Oct 2015 at 10:21, Grégoire Jadi wrote:
> GPG supports multiple-recipient with --recipient

I stand corrected! Thanks. Interesting hybrid encryption approach.

However, although the main text is not copied, the header (which has the session key, as it is called, used to encrypt the main text) is so there will need to be a structure which has the multiple headers, one for each recipient, in the org file.

-- 
: Eric S Fraga (0xFFFCF67D), Emacs 24.5.1, Org release_8.3beta-1229-ge900eb
Re: [O] org-crypt & multiple recipients
Eric S Fraga writes:
> On Sunday, 25 Oct 2015 at 18:39, Nick Anderson wrote:
>> I was playing with org-crypt today and it's pretty nifty.
>>
>> While encrypting things for myself is the primary use case, I have other
>> team members that also use org-mode. It occurred to me that it would be
>> neat if I could specify a list of users to encrypt a node for. Then we
>> could share an org file and a node could be decrypted by individual.
>
> This is fundamentally difficult with a public key encryption system: you
> would have to have separate copies of the encrypted text, one for each
> recipient?
>
> Maybe you could have a separate private/public key pair that is shared
> for group work instead?

GPG supports multiple-recipient with --recipient

See https://stackoverflow.com/questions/597188/encryption-with-multiple-different-keys/23725786#23725786

And the answer below explains how GPG/PGP avoids having to copy the text for each recipient.

https://stackoverflow.com/questions/597188/encryption-with-multiple-different-keys/28206835#28206835

Best,

-- 
Grégoire Jadi
Re: [O] org-crypt & multiple recipients
On Sunday, 25 Oct 2015 at 18:39, Nick Anderson wrote:
> I was playing with org-crypt today and it's pretty nifty.
>
> While encrypting things for myself is the primary use case, I have other
> team members that also use org-mode. It occurred to me that it would be
> neat if I could specify a list of users to encrypt a node for. Then we
> could share an org file and a node could be decrypted by individual.

This is fundamentally difficult with a public key encryption system: you would have to have separate copies of the encrypted text, one for each recipient?

Maybe you could have a separate private/public key pair that is shared for group work instead?

-- 
: Eric S Fraga (0xFFFCF67D), Emacs 24.5.1, Org release_8.3beta-1229-ge900eb
[O] org-crypt & multiple recipients
I was playing with org-crypt today and it's pretty nifty.

While encrypting things for myself is the primary use case, I have other team members that also use org-mode. It occurred to me that it would be neat if I could specify a list of users to encrypt a node for. Then we could share an org file and a node could be decrypted by individual.