Re: [mpeg-OTspec] Re: DSIG

Simon Daniels MSFT iloveverdana at hotmail.com
Sat May 17 04:30:31 CEST 2014


Thanks guys, 


Agree the current specification results in confusion to users, but any proposed changes should not add to that confusion. We need to consider the impact to users whose fonts may suddenly change their designation as well as what users can expect an OpenType font to provide moving forward.


Cheers, Si

Sent from Windows Mail

From: mpeg-OTspec at yahoogroups.com
Sent: Friday, May 16, 2014 3:28 PM
To: mpeg-OTspec at yahoogroups.com

Si,

I am tentatively with Esfahbod here. I am trying to understand what harm would come from future apps treating all TTFs as "OpenType." It's not like the presence of a DSIG guaranteed any other functionality whatsoever in a TTF. Or am I missing something?

You might say, well, it tells people there is a DSIG. But it doesn't even do that: we know that OT-CFF fonts without DSIGs and TTFs with dummy DSIGs got treated the same as TTFs with real DSIGs. So I don't see the value there.

(As a user, I care about the CFF/TTF distinction sometimes. But not this.)

T

On Fri, May 16, 2014 at 3:19 PM, Terence Dowling terry at tdowling.com [mpeg-OTspec] <mpeg-OTspec at yahoogroups.com> wrote:

OK, so we must deal with the legacy of "as-built" rather than "as-designed".

Therefore I suggest that wording (wordsmiths welcome) be added to the
DSIG table documentation:

==================

"DSIG was originally intended to provide some assurance of the
provenance and integrity of a font object.

Implementations have so compromised this feature that
DSIG no longer offers any protection and its only remaining
value is that some implementations use the presence of this
table to differentiate between "legacy TrueType" and "OpenType".

As a result, no font processor may reject or otherwise devalue a
font with a DSIG that does not validate properly or promote a
font with a DSIG that does validate."

==================

Again, prudence suggests (requires?) that we provide clear notice
that there is no longer any integrity benefit provided by DSIG.

In an environment of security challenges (including fonts as a threat
vector), can we do less?

It seems unfortunate that there has been no clear enumeration of
products/versions that use a presence test for DSIG that would guide
font production testing.

Terence Dowling

-- 

On paper books and ebooks: “Paper books are the packaging that books come in.”
—Cory Doctorow
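Added illustration, not part of the thread or of any spec text: a small Python checker that reads an sfnt table directory and reports whether a DSIG table is absent, a dummy (a version-1 header with zero signature records) or populated. It performs no signature verification at all, which is the point of Terence's proposed wording: a presence test, which is all many implementations do, says nothing about integrity. The function names and the in-memory sample fonts are constructed for this example.

```python
import struct
def parse_table_directory(data):
    """Return {tag: (offset, length)} from an sfnt table directory."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    num_tables = struct.unpack(">H", data[4:6])[0]
    tables = {}
    for i in range(num_tables):
        rec = data[12 + 16 * i:28 + 16 * i]
        if len(rec) < 16:
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        if offset + length > len(data):
            raise ValueError("table %r points outside the file" % tag)
        tables[tag.decode("latin-1")] = (offset, length)
    return tables

def classify_dsig(data):
    """Return ('absent' | 'dummy' | 'present', numSignatures).
    'dummy' = a DSIG header with no signature records (the thread's "dummy DSIG").
    'present' only means records exist; nothing here verifies a signature."""
    tables = parse_table_directory(data)
    if "DSIG" not in tables:
        return "absent", 0
    offset, length = tables["DSIG"]
    if length < 8:
        return "dummy", 0  # too short to hold even the fixed 8-byte header
    version, num_sigs, _flags = struct.unpack(">IHH", data[offset:offset + 8])
    if version != 1 or num_sigs == 0:
        return "dummy", num_sigs
    return "present", num_sigs

def build_font(tables):
    """Assemble a minimal sfnt container from {tag: bytes} (constructed test
    data: checksums left 0, not a usable font)."""
    tags = sorted(tables)
    header = struct.pack(">IHHHH", 0x00010000, len(tags), 0, 0, 0)
    offset, records, body = 12 + 16 * len(tags), b"", b""
    for tag in tags:
        blob = tables[tag] + b"\0" * (-len(tables[tag]) % 4)  # pad to 4 bytes
        records += struct.pack(">4sIII", tag.encode("ascii"), 0, offset, len(tables[tag]))
        body += blob
        offset += len(blob)
    return header + records + body

# Constructed samples: no DSIG, dummy DSIG (v1, zero signatures), DSIG claiming one record.
PLAIN_TTF = build_font({"head": b"\0" * 54})
DUMMY_TTF = build_font({"head": b"\0" * 54, "DSIG": struct.pack(">IHH", 1, 0, 0)})
SIGNED_TTF = build_font({"head": b"\0" * 54,
                         "DSIG": struct.pack(">IHH", 1, 1, 0) + struct.pack(">III", 1, 0, 20)})
```

Note that even the "present" result is a structural observation only; a font processor that wants integrity must actually verify the signature blocks against a trusted root, which this checker deliberately does not do.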

