From: Eric S Fraga
Subject: Re: org-crypt & multiple recipients
Date: Tue, 27 Oct 2015 14:20:30 +0000
Message-ID: <874mhcz93l.fsf@ucl.ac.uk>
In-Reply-To: <562E82BC.1080101@cmdln.org> (Nick Anderson's message of "Mon, 26 Oct 2015 14:45:00 -0500")
To: Nick Anderson
Cc: Org Mode List, Grégoire Jadi

On Monday, 26 Oct 2015 at 14:45, Nick Anderson wrote:

[...]

> But I guess I don't understand why there would have to be a header for
> each recipient (other than current implementation limitations with
> org-crypt).
>
> Currently the CRYPTKEY property identifies the email address or KEY that
> you want to encrypt for. If I have multiple of the same property the one
> that is listed first seems to be used.
>
> What if there were a CRYPTKEYS property that took a space separated list
> of keys or emails?
The logic, AFAIK, is that the main text is encrypted with a so-called session key. The key for this is then encrypted for each recipient using their public key and only they can decrypt (with their private key) this element, called a header. Therefore, if you have multiple recipients, you need multiple headers, i.e. multiple copies of the session key each encrypted for a single recipient.

I hope this makes sense. No matter how you do it, encrypting some text for multiple recipients using PKI requires multiple copies of something, whether the original text or a key used to encrypt that text.

-- 
: Eric S Fraga (0xFFFCF67D), Emacs 25.0.50.2, Org release_8.3.2-209-gba4d33
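The mechanism Eric describes (one encrypted body, one wrapped copy of the session key per recipient; OpenPGP calls that wrapped copy a Public-Key Encrypted Session Key packet), as an added example that is not code from this thread or from org-crypt. The public-key step is textbook RSA on constructed Mersenne-prime keys and the body cipher is a SHA-256 keystream XOR without authentication; both are toys chosen only to show the structure, and the recipient ids are assumptions.

```python
import hashlib
import secrets

# Constructed toy key material: (p, q, e) per recipient, built from Mersenne
# primes so each modulus can hold a 128-bit session key. NOT secure; structure only.
TOY_KEYS = {
    "alice@example.org": (2**127 - 1, 2**89 - 1, 65537),
    "bob@example.org": (2**107 - 1, 2**61 - 1, 65537),
    "carol@example.org": (2**521 - 1, 2**607 - 1, 65537),
}

def keypair(uid):
    """Return ((n, e), (n, d)) for a recipient id."""
    p, q, e = TOY_KEYS[uid]
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def keystream_xor(key, data):
    """Toy symmetric body cipher: XOR with a SHA-256 counter keystream (no MAC)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap_session_key(session_key, pub):
    """One 'header': the session key encrypted to a single public key."""
    n, e = pub
    m = int.from_bytes(session_key, "big")
    assert m < n, "session key must be smaller than the modulus"
    return pow(m, e, n)

def unwrap_session_key(header, priv):
    n, d = priv
    return pow(header, d, n).to_bytes(16, "big")

def encrypt_for(recipients, plaintext):
    """Encrypt the body ONCE; emit one header per recipient."""
    session_key = secrets.token_bytes(16)
    headers = {uid: wrap_session_key(session_key, keypair(uid)[0])
               for uid in recipients}
    return {"headers": headers, "body": keystream_xor(session_key, plaintext)}

def decrypt_as(uid, message):
    """A recipient only needs the header addressed to them, plus the body."""
    if uid not in message["headers"]:
        raise KeyError(f"no header for {uid}; message was not encrypted to them")
    session_key = unwrap_session_key(message["headers"][uid], keypair(uid)[1])
    return keystream_xor(session_key, message["body"])
```

Adding a recipient adds exactly one header and leaves the encrypted body unchanged; a recipient with no header cannot recover the session key at all.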