But I have to consider customer sites patterns with heavy facebook
users seeing tons of fb notifications and see if a simple check can
add to the optimization.
Mike has a point, but I agree that this would be a problem for large
ISPs, where adding 10% more overhead for all Facebook messages would
be something they'd want to avoid. But...
Why is computing the hash a problem? Surely, you'd only compute the
hash once, regardless of how many signatures (dups or not) the message
has. Why ever compute it more than once? And then if the hash
doesn't match, you toss the sig without further processing. If the
hash does match, then you validate the sig.
Then the only optimization that seems to matter is that there's no
value in verifying more than one sig for the same i=... so you see
that you already have a valid sig for i=(_at_)facebookmail(_dot_)com, and you
skip the duplicates that way.
Now the only time there's more overhead is if the hash DOES match, but
the signature still fails to validate. That ought never to be true
for real Facebook mail. (Of course, attackers could put in fake sigs
with valid hash values, as a form of DoS. But we've discussed that
before.)
Shouldn't that work for everything, and be very easy?
Barry
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html