On Sat, Jan 2, 2016 at 2:25 AM, <l.wood@xxxxxxxxxxxx> wrote: > > "If Alice wants to encrypt the message for a group of people, she has to encrypt the message for every member of the group." > > really? not encrypt the message to a random key, then encrypt that key separately to each member? much less processing... That is how it is done under the covers, yes. But that is the sort of optimization that I assume everyone knows. With standard S/MIME or PGP, the final message has a decryption blob for every recipient. So if you are sending to the IETF list, there are three consequences: 1) The sender has to know the entire recipient list 2) Every message sent reveals the entire recipient list 3) The recipient list cannot be expanded after the message is sent Using the recryption approach, the sender only encrypts the message once, to the key corresponding to the group (or security label if you want to think of it that way). So messages don't disclose anything about the other list members. This isn't just better security, it is a lot easier to implement because senders don't need extraneous information. It is also more manageable because a member added to the list after the fact can read all the messages in the archive. This really is the way to do Content Rights Management and we should use it to lock down every word processor and spreadsheet document. Imagine being able to configure your information environment so hat all your files are encrypted by default but you have access to them from any machine you configured for access in the past or add in the future.