Arvel Hathcock wrote:
and the question is left at whether same-body/different-header
messages are actually sent. I am saying that they are.
Right, it's very common isn't it? Doesn't this mailing list do it?
I believe this mailing list sends the same message (including the same
header fields) to everyone, so one signature calculation would suffice
for all. Only the envelope addresses differ per recipient.
The place where body-hash provides a performance advantage applies is
when the same body is sent multiple times but the signed header fields
(most commonly To:) are customized for the recipient. I get some
newsletters like that, too (although not all of them that look the same
actually are the same because embedded links often have per-user
tracking features added). Another approach for that is to not sign the
To: address, but I'm not sure that's a really good idea, since an
attacker could then replay a signed message to me with:
To: "Insert objectionable spam here" <fenton(_at_)cisco(_dot_)com>
The extent to which this optimization actually helps is open for
debate. As Hector points out in a subsequent message, I notice that
there is a trend toward more per-recipient customization of messages, in
order to better personalize them, in addition to the customization of
link addresses I mentioned above.
NOTE WELL: This list operates according to