PGP and GPG and bcc

[Nicolai Josuttis]

Thanks a lot for all answers regarding my question regarding GPG and bcc.
Allow me to summarize what I learned for both:
- double checking that I understood everything correctly
- documenting this for others
  (I found no place where it is explained;
   therefore also the change in the subject)

In general,
if sending emails encrypted (or in general sending cipher-text)
then the usual approach is that this text contains the identity
of those who should receive the message.
This is to help to find the place where the key for that identity is
stored (note that there might be multiple receivers).

That means:
- In general, adding the "usual key" for a bcc receiver
  would reveal the identity of this receiver.
  Thus, a bcc receiver becomes more or less a cc receiver.
  Or:
  ===
   In general, the concept of BCC is BROKEN
   when sending encrypted emails
   with keys for the bcc recipients.

To deal with that, mailers have multiple options
when users try to send encrypted emails to bcc recipients:

- Don't allow that (or only with strong request for confirmation).

- Don't add keys for bcc recipients at all.
  This probably only makes sense if bcc recipients can use
  one of the other of the keys in the message.

- Don't add the identities for the keys of bcc recipients
  - with GPG you can e.g. use --hidden-recipient instead of --recipient
    (see also --throw-keyids)
  Then, however, recipients might have to try to use their key
  against any of the passed key without identity
  (slows down decryption with multiple bcc recipients).

- Split the email, sending it to each bcc recipient separately.

Note that mailers should take into account not only for
sending bcc to others but also for the common case
where senders (always) bcc to themselves
(using a different but may be secret email address).

-- 
Nico