keybase / saltpack

a modern crypto messaging format
https://saltpack.org/
BSD 3-Clause "New" or "Revised" License

Spec is unclear what to do when recipients are anonymous #71

Closed jacklund closed 5 years ago

jacklund commented 5 years ago

At one point, the spec for encryption states:

The recipient public key is the recipient's long-term NaCl public encryption key. This field may be null, when the recipients are anonymous.

However, later on it says,

For each recipient, encrypt the payload key using crypto_box with the recipient's public key, the ephemeral private key, and the nonce saltpack_recipsbXXXXXXXX. XXXXXXXX is 8-byte big-endian unsigned recipient index, where the first recipient is index zero. Pair these with the recipients' public keys, or null for anonymous recipients, and collect the pairs into the recipients list.

It's unclear how you're supposed to encrypt the payload key with the recipient's public key if the public key field is null, i.e., if the recipient is anonymous.

oconnor663 commented 5 years ago

We might be able to use clearer language here. Here's how I break it down:

For each recipient, encrypt the payload key using crypto_box with the recipient's public key...

That is, for both visible and anonymous recipients, use their real public key to encrypt the payload key. (As you noticed, if we did anything else, they'd never be able to read the message.)

Pair these with the recipients' public keys, or null for anonymous recipients, and collect the pairs into the recipients list.

After doing the encryption above, pair each secretbox with the public key it was encrypted for. Except in this case, for the anonymous recipients, just put a null in the pair instead of their real public key. (If we put their real public key there, they wouldn't be anonymous anymore.)

jacklund commented 5 years ago

Ah, that makes more sense, thanks for the clarification!!
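The recipient-list rule worked out in the thread above (encrypt the payload key to every recipient's real public key under the nonce saltpack_recipsb plus the 8-byte big-endian index, then publish that key for visible recipients and null for anonymous ones, so an anonymous recipient has to trial-decrypt the null entries on receipt), as an added example that is not saltpack's own code. It runs on the Python standard library alone: X25519 is implemented from RFC 7748, but the secretbox half of crypto_box (XSalsa20-Poly1305) is replaced by an HMAC-SHA256 stand-in, so the ciphertexts are not saltpack-compatible; the recipient-list layout and the receiver's search are the point. Key pairs and the payload key are generated inline. Function names (`build_recipients_list`, `recover_payload_key`, `box`, `box_open`) are this example's, not the spec's.

```python
import hashlib
import hmac
import os

# X25519 from RFC 7748 section 5, so the example needs no third-party library.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder; scalar is clamped as RFC 7748 requires."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


# Stand-in for crypto_box's symmetric layer (assumption: HMAC-SHA256 keystream
# and MAC instead of XSalsa20-Poly1305). Same shape: DH shared point + 24-byte nonce.
def _keys(shared: bytes, nonce: bytes):
    k = hmac.new(shared, nonce, hashlib.sha256).digest()
    return (hmac.new(k, b"enc", hashlib.sha256).digest(),
            hmac.new(k, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def box(my_priv: bytes, their_pub: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    enc, mac = _keys(x25519(my_priv, their_pub), nonce)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc, len(plaintext))))
    return hmac.new(mac, nonce + ct, hashlib.sha256).digest() + ct


def box_open(my_priv: bytes, their_pub: bytes, nonce: bytes, boxed: bytes):
    """Returns the plaintext, or None when the tag does not verify (wrong key or nonce)."""
    enc, mac = _keys(x25519(my_priv, their_pub), nonce)
    tag, ct = boxed[:32], boxed[32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc, len(ct))))


# Saltpack recipient-list logic from the spec text quoted in the issue.
RECIP_NONCE_PREFIX = b"saltpack_recipsb"  # 16 bytes + 8-byte index = 24-byte nonce


def recipient_nonce(index: int) -> bytes:
    return RECIP_NONCE_PREFIX + index.to_bytes(8, "big")


def build_recipients_list(payload_key: bytes, eph_priv: bytes, recipients):
    """recipients: list of (public_key, anonymous) pairs.

    Every recipient, anonymous or not, gets the payload key boxed to their
    real public key; only the published half of the pair differs."""
    out = []
    for i, (pub, anonymous) in enumerate(recipients):
        sealed = box(eph_priv, pub, recipient_nonce(i), payload_key)
        out.append([None if anonymous else pub, sealed])
    return out


def recover_payload_key(my_priv: bytes, my_pub: bytes, eph_pub: bytes, recipients_list):
    """Receiver side: visible entries are matched by key; null entries must be tried."""
    for i, (pub, sealed) in enumerate(recipients_list):
        if pub is not None and pub != my_pub:
            continue
        key = box_open(my_priv, eph_pub, recipient_nonce(i), sealed)
        if key is not None:
            return key
    return None
```

The receiver loop is the practical consequence of the null entries: a decryptor cannot tell from the header whether it is an anonymous recipient, so it has to attempt every null slot with the slot's own index-derived nonce, and a non-recipient ends up with nothing. The nonce also binds each box to its position, so shuffling entries in the list breaks decryption.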