[mpeg-OTspec] Proposed update of the 'head' table flags

David Lemon lemon at adobe.com
Thu May 15 01:20:49 CEST 2014


Terry,
Things are pretty close to (A) at this point. There is no check in any normal workflow that validates DSIGs, and this has led to a proliferation of fonts with bogus DSIG tables. Adobe is doing valid tables and I suspect other major developers are too, but the great majority of smaller shops are not. And nobody wants to be the one to make all those fonts stop working.

The only reason DSIGs persist at all is that some Microsoft products use the tables' presence as a flag to indicate a font is OpenType, turning on support for layout tables. So actually getting rid of the table would require a change in those products. (That does seem like the easier outcome to me. I am disappointed with the non-use of the table, but I think that's a lost battle.)
thanks,
David L

-----Original Message-----
From: mpeg-OTspec at yahoogroups.com [mailto:mpeg-OTspec at yahoogroups.com] 
Sent: Wednesday, May 14, 2014 3:42 PM
To: mpeg-OTspec at yahoogroups.com
Subject: Re: [mpeg-OTspec] Proposed update of the 'head' table flags

Security nerd here (and CFF co-designer).

It is my strong opinion that DSIG should either be deprecated or honored. You should choose the outcome for the standard.

A situation in which DSIG is present but an invalid signature is to be accepted (for whatever reason) provides only security theater and helps no-one but the malicious attacker.

Please choose either:

A) DSIG is deprecated and shall not be considered or processed.
or
B) A font with an invalid DSIG shall be rejected without further processing.

Terry Dowling.
Retired former employee of Adobe and Google (with a significant number of relevant font rendering related patents).
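
The gap the thread describes, between treating a DSIG table's mere presence as a flag and actually examining it, shown as an added example that is not part of the original messages. It parses the sfnt table directory and the DSIG header (version, numSignatures, flags, then 12-byte signature records) and classifies the table by structure only; no signature is cryptographically verified. The function names and status labels are this example's own, and the sample font is constructed.

```python
import struct

def build_sfnt(tables):
    """Build a minimal constructed sfnt from {tag: bytes}; checksums left at 0."""
    out = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    base, body = 12 + 16 * len(tables), b""
    for tag, data in sorted(tables.items()):
        out += struct.pack(">4sIII", tag, 0, base + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)  # tables are 4-byte aligned
    return out + body

def find_table(font, wanted):
    """Return (offset, length) of a table from the sfnt directory, or None."""
    n = struct.unpack_from(">H", font, 4)[0] if len(font) >= 12 else -1
    if n < 0 or len(font) < 12 + 16 * n:
        raise ValueError("truncated sfnt table directory")
    for i in range(n):
        tag, _sum, off, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        if tag == wanted:
            return off, length
    return None

def dsig_status(font):
    """Classify the DSIG table by structure only; no signature is verified."""
    entry = find_table(font, b"DSIG")
    if entry is None:
        return "absent"
    off, length = entry
    dsig = font[off:off + length]
    if len(dsig) != length or length < 8:
        return "malformed"
    version, count, _flags = struct.unpack_from(">IHH", dsig, 0)
    if version != 1 or length < 8 + 12 * count:
        return "malformed"
    if count == 0:
        return "stub"  # table exists but carries no signature at all
    for i in range(count):
        _fmt, sig_len, sig_off = struct.unpack_from(">III", dsig, 8 + 12 * i)
        if sig_off < 8 + 12 * count or sig_off + sig_len > length:
            return "malformed"
    return "signed-unverified"  # the signature block itself is not checked here

def presence_only(font):
    """The presence-as-flag behaviour: any DSIG table at all counts."""
    return find_table(font, b"DSIG") is not None

# Constructed sample: a font whose DSIG holds a header and zero signatures.
STUB = build_sfnt({b"head": b"\0" * 54, b"DSIG": struct.pack(">IHH", 1, 0, 0)})
print(presence_only(STUB), dsig_status(STUB))
```

A presence check returns the same answer for a stub, a malformed table and a table with signature records, which is why only a structural and then cryptographic check can separate them.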


