[mpeg-OTspec] MD5 is no more considered secure
Levantovsky, Vladimir
vladimir.levantovsky at monotypeimaging.com
Thu Dec 17 22:09:41 CET 2009
DSIG is an optional table in the OT/OFF font; the primary reason for its inclusion is to provide a certain level of assurance that the font file has not been tampered with. Even though MD5 may no longer be considered secure, I am not sure if the security in its strict sense would be required and/or necessary here. However, any changes to this part may (and probably will) affect many existing implementations.
Regards,
Vlad
> -----Original Message-----
> From: mpeg-OTspec at yahoogroups.com [mailto:mpeg-OTspec at yahoogroups.com]
> On Behalf Of Manlio Perillo
> Sent: Thursday, December 17, 2009 11:47 AM
> To: mpeg-OTspec at yahoogroups.com
> Cc: opentype-migration-list at indx.co.uk
> Subject: [mpeg-OTspec] MD5 is no more considered secure
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi.
>
> In the specification for the DSIG table, page 90 in the Open Font Format
> specification, there is this item:
>
> 2. Hash the full stream of bytes using a secure one-way hash (such as
> MD5) to create the content dig
>
>
> Well, MD5 is *no more* considered secure:
> http://en.wikipedia.org/wiki/MD5
>
>
> Although MD5 is used just as an example, I propose that the text of the
> specification should be changed, and another hash algorithm used.
>
>
> Regards Manlio
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAksqYGcACgkQscQJ24LbaUTOCACcDoKRAOv1jXdUkv6Q9jKDFy+F
> fcoAoJhLY9OhkAXZ0+U5zBtFEHceD5sI
> =bqdx
> -----END PGP SIGNATURE-----