On Sat, Jan 2, 2016 at 10:38 AM, John Levine <johnl@xxxxxxxxx> wrote:
>>To send to a mailing list, the sender must either have a copy of the list or the system managing the list must decrypt and re-encrypt the
>>message. Neither of these is a good fit with the current email architecture. The former is secure but unwieldy; the latter is reasonably
>>efficient but breaks the desired end-to-end security.
>
> FYI, the Sympa list manager which is widely used in Europe does the
> latter, S/MIME key for the list, and the list software re-encrypts the
> messages to the recipients' keys.
>
> Given a choice between trusting the list software and trusting all of
> the subscribers, that seems a reasonable way to do it.

Using recryption means that you can meet both properties at once. It is a very powerful tool and I remember Matt Blaze coming to tell us about it. We have ignored it for 20 years.
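
Added illustration, not part of the original message or thread: a toy sketch of recryption for a mailing list, in the style of the ElGamal-based proxy re-encryption scheme published by Blaze, Bleumer and Strauss. The list server holds only per-subscriber re-encryption keys and transforms a ciphertext addressed to the list key without ever seeing the plaintext. The group parameters are constructed demo values and all function names are assumptions.

```python
import secrets

# Constructed toy parameters: safe prime P = 2*Q + 1, far too small for real use.
P, Q, G = 2039, 1019, 4      # G generates the subgroup of prime order Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1          # secret exponent in [1, Q-1]
    return sk, pow(G, sk, P)

def encrypt(pk, m):
    """Encrypt group element m (e.g. a wrapped content key) to public key pk."""
    k = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, k, P)) % P, pow(pk, k, P)   # (m * g^k, g^(a*k))

def decrypt(sk, ct):
    c1, c2 = ct
    g_k = pow(c2, pow(sk, -1, Q), P)           # strip the key: (g^(a*k))^(1/a) = g^k
    return (c1 * pow(g_k, -1, P)) % P

def rekey(sk_from, sk_to):
    """Re-encryption key b/a mod Q. Computed directly here for brevity; a real
    deployment derives it without handing either secret to the proxy."""
    return (sk_to * pow(sk_from, -1, Q)) % Q

def reencrypt(rk, ct):
    """Proxy step: g^(a*k) becomes g^(b*k). The plaintext is never exposed."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)

def distribute(ct, rekeys):
    """List server: one ciphertext in, one transformed ciphertext per subscriber."""
    return {name: reencrypt(rk, ct) for name, rk in rekeys.items()}

# Caveat of this particular scheme: it is bidirectional, and a proxy colluding
# with a subscriber can recover the list secret (a = b / rk mod Q).

if __name__ == "__main__":
    sk_list, pk_list = keygen()
    subs = {name: keygen() for name in ("alice", "bob")}
    rekeys = {n: rekey(sk_list, sk) for n, (sk, _) in subs.items()}  # all the server holds
    content_key = pow(G, secrets.randbelow(Q - 1) + 1, P)
    out = distribute(encrypt(pk_list, content_key), rekeys)
    for n, (sk, _) in subs.items():
        print(n, decrypt(sk, out[n]) == content_key)
```
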