
mail client implementations problem? bcc and encrypting to multiple recipients



through some testing of existing mail clients, Terje Elde
<terje@xxxxxxxx>, other members of the pgp-users@xxxxxxxxxxxxxxxx
mailing list, and i have noticed that bcc-ed recipient key id
information can be leaked to non-bcc-ed recipients.

it's probably obvious what the problem is, but for the sake of clarity:

  for the purposes of sending a message to a group of recipients, some 
  mail clients create a single encrypted message body which is sent
  out to all recipients, including bcc-ed recipients.

  since this means that each recipient receives a message containing a 
  public key encrypted session key packet for each recipient, each recipient
  is able to tell who all of the recipients were (assuming no use of
  speculative key ids) -- or at least all key ids.

  even if speculative key ids were to be used, a recipient would likely
  be able to tell that there were other recipients than those implied
  in the headers of a message.  also, afaik, nai pgp doesn't support
  speculative key ids, so in terms of interoperability it's not a great
  option at this point.

we've found 5 mail clients that suffer this problem so far, so it
seems like it may be a common implementation "choice".

[ we have also received reports that at least a couple of mail clients
actually encrypt to each recipient separately and thus do not suffer
this problem. ]
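
An added example, not part of the original post: a check a mail-client implementer could run on an outgoing message to see whether it carries the leak described above. It lists the key IDs in the public-key encrypted session key packets and compares them with the keys of the visible (To/Cc) recipients. The function names and sample key IDs are constructed for illustration; the packet layout follows RFC 4880, and the input is assumed to be binary (de-armored) data.

```python
def packets(data):
    """Yield (tag, body) for each packet in a binary (de-armored) OpenPGP message."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header (RFC 4880, section 4.2.2)
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header (section 4.2.1)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:  # indeterminate length: body runs to end of data
                length = len(data) - i
            else:
                n = 1 << ltype
                length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def audit_recipients(message, visible_key_ids):
    """Return (unlisted key IDs, count of speculative all-zero key IDs)."""
    unlisted, anonymous = [], 0
    for tag, body in packets(message):
        if tag != 1 or len(body) < 10 or body[0] != 3:  # only v3 PKESK packets
            continue
        key_id = body[1:9].hex().upper()
        if key_id == "0" * 16:
            anonymous += 1
        elif key_id not in visible_key_ids:
            unlisted.append(key_id)
    return unlisted, anonymous

def pkesk(key_id_hex, new_format=False):
    """Build a constructed v3 PKESK packet (algorithm 1, filler bytes, no real ciphertext)."""
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([1]) + bytes(4)
    return bytes([0xC1 if new_format else 0x84, len(body)]) + body

# Constructed message: a To: key, a bcc key, one speculative key ID, a stub data packet.
SAMPLE = (pkesk("1111111111111111") + pkesk("2222222222222222", True)
          + pkesk("0000000000000000") + bytes([0xD2, 5, 1, 0, 0, 0, 0]))

if __name__ == "__main__":
    print(audit_recipients(SAMPLE, {"1111111111111111"}))
```

A non-empty first element means a copy sent to the visible recipients names a key they were not told about; a non-zero second element means the packet count alone still shows there were additional recipients.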