[mpeg-OTspec] Re: DSIG

Thomas Phinney tphinney at cal.berkeley.edu
Sat May 17 00:28:09 CEST 2014


I am tentatively with Esfahbod here. I am trying to understand what harm
would come from future apps treating all TTFs as "OpenType." It's not like
the presence of a DSIG guaranteed any other functionality whatsoever in a
TTF. Or am I missing something?

You might say, well, it tells people there is a DSIG. But it doesn't even
do that: we know that OT-CFF fonts without DSIGs, and TTFs with dummy DSIGs
got treated the same as TTFs with real DSIGs. So I don't see the value

(As a user, I care about the CFF/TTF distinction sometimes. But not this.)


On Fri, May 16, 2014 at 3:19 PM, Terence Dowling
terry at tdowling.com[mpeg-OTspec]
<mpeg-OTspec at yahoogroups.com> wrote:

> OK, So we must deal with the legacy of "as-built" rather than
> "as-designed".
> Therefore I suggest that wording (wordsmiths welcome) be added to the
> DSIG table documentation:
> ==================
> "DSIG was originally intended to provide some assurance of the
> provenance and integrity of a font object.
> Implementations have so compromised this feature such that
> DSIG no longer offers any protection and its only remaining
> value is that some implementations use the presence of this
> table to differentiate between "legacy TrueType" and "OpenType".
> As a result, no font processor may reject or otherwise devalue a
> font with a DSIG that does not validate properly or promote a
> font with a DSIG that does validate."
> ==================
> Again, prudence suggests (requires?) that we provide clear notice
> that there is no longer any integrity benefit provided by DSIG.
> In an environment of security challenges (including fonts as a threat
> vector), can we do less?
> It seems unfortunate that there has been no clear enumeration of
> products/versions that use a presence test for DSIG that would guide
> font production testing.
> Terence Dowling

On paper books and ebooks: “Paper books are the packaging that books come in
—Cory Doctorow
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.aau.at/pipermail/mpeg-otspec/attachments/20140516/9c18b8df/attachment.html>

More information about the mpeg-otspec mailing list