Bcc, embedded recipients, and knowledge of other recipient certificates
* To the extent that spare certificates are included in the message, each generated copy of the message should include certificates for the sender and for each named recipient. Certificates for Bcc'ed recipients are not included in any message.
So here is another possible leak. Earlier text said certificates could be omited if one knew for sure the parties already knew each other's certificate. So if the sender and recipient know each other's certificate, but the sender doesn't know if the Bcc:ed recipient knows the (openly) recipients certificate, it must not add the certificate or else the Bcc: to "someone" becomes exposed to the recipient. I think the bullet point is better reframed as "Any Bcc:ed recipient MUST NOT be taken into consideration when determining which certificates to include along the message.".
Another approach to avoid this leak would be to revert 0c4a6240 and simply provide a uniform rule.