User experience of --hidden-recipient encryption

[Bjarni Runar Einarsson]

Hello GnuPG-users!

I am (still) working on Mailpile, and it was brought to my
attention that if I send encrypted mail with folks in the BCC
line, the fact that they got a copy is leaked unless:

a) I use --hidden-recipient  
b) I send them their own separate copy of the mail, encrypted only to them  

I am trying to chose between these options (see issue
https://github.com/mailpile/Mailpile/issues/1561 ).

Using --hidden-recipient is more efficient and easier to
implement, but I wonder how this is handled on the receiving end?
If the user only has one public/private key pair, I assume the
experience isn't too bad, GnuPG will just make a guess. But if
the user has multiple keys, do they have to enter the passphrase
for each in succession, as gpg tries to guess how to decrypt?

How does this work in practice? Is --hidden-recipient a decent
user experience for the recipient?

Also, if I go with a), does that leak the fact that there were
hidden recipients? Does it leak how many?

Thanks,
 - Bjarni
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Encryption key for Bjarni Runar Einarsson.asc
Type: application/pgp-keys
Size: 24204 bytes
Desc: not available
URL: </pipermail/attachments/20160129/f56a967f/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP Digital Signature
URL: </pipermail/attachments/20160129/f56a967f/attachment-0001.sig>