[mpeg-OTspec] Proposed update of the 'head' table flags

Terence Dowling terry at tdowling.com
Thu May 15 00:41:52 CEST 2014

Security nerd here (and CFF co-designer).

It is my strong opinion that DSIG should either be
deprecated or honored. You should choose the outcome
for the standard.

A situation in which DSIG is present but an invalid signature
is to be accepted (for whatever reason) provides only security
theater and helps no-one but the malicious attacker.

Please choose either:

A) DSIG is deprecated and shall not be considered or processed.
B) A font with an invalid DSIG shall be rejected without further processing.

Terry Dowling.
Retired former employee of Adobe and Google (with a significant number
of relevant font rendering related patents).

More information about the mpeg-otspec mailing list