On Sat, Jan 2, 2016 at 10:38 AM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:
To send to a mailing list, the sender must either have a copy of the list or
the system managing the list must decrypt and re-encrypt the
message. Neither of these is a good fit with the current email architecture.
The former is secure but unwieldy; the latter is reasonably
efficient but breaks the desired end-to-end security.
FYI, the Sympa list manager which is widely used in Europe does the
latter, S/MIME key for the list, and the list software re-encrypts the
messages to the recipients' keys.
Given a choice between trusting the list software and trusting all of
the subscribers, that seems a reasonable way to do it.
Using recryption means that you can meet both properties at once.
It is a very powerful tool and I remember Matt Blaze coming to tell us
about it. We have ignored it for 20 years.