> But I have to consider customer sites patterns with heavy facebook > users seeing tons of fb notifications and see if a simple check can > add to the optimization.
Mike has a point, but I agree that this would be a problem for large ISPs, where adding 10% more overhead for all Facebook messages would be something they'd want to avoid. But... Why is computing the hash a problem? Surely, you'd only compute the hash once, regardless of how many signatures (dups or not) the message has. Why ever compute it more than once? And then if the hash doesn't match, you toss the sig without further processing. If the hash does match, then you validate the sig. Then the only optimization that seems to matter is that there's no value in verifying more than one sig for the same i=... so you see that you already have a valid sig for [email protected], and you skip the duplicates that way. Now the only time there's more overhead is if the hash DOES match, but the signature still fails to validate. That ought never to be true for real Facebook mail. (Of course, attackers could put in fake sigs with valid hash values, as a form of DoS. But we've discussed that before.) Shouldn't that work for everything, and be very easy? Barry _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
