FW: [OpenType] RE: [mpeg-OTspec] Re: factual error in the DSIG description in the OT spec.

Levantovsky, Vladimir vladimir.levantovsky at monotype.com
Fri Apr 1 23:04:51 CEST 2016


Forwarding the email from Greg back to the mpeg-OTspec list that was copied on the original discussion thread.

-----Original Message-----
From: listmaster at indx.co.uk [mailto:listmaster at indx.co.uk] On Behalf Of Greg Hitchcock 
Sent: Friday, April 01, 2016 3:57 PM
To: listmaster at indx.co.uk
Subject: RE: [OpenType] RE: [mpeg-OTspec] Re: factual error in the DSIG description in the OT spec.

Message from OpenType list:


Here is a bit of context of what we were thinking at the time we developed the DSIG table. Note that I have not worked on the DSIG table since 1999, so I won't be able to provide current thinking on some of these topics. 

First off, the primary reason for DSIGs was to establish a trust relationship between the owner of the certificate and the blob of data that we call a font. A scenario that we (me?) suggested during the OpenType Jamboree (https://www.microsoft.com/typography/jamboree/slides.htm) was only allowing fonts to be installed/used on a system that come from a trusted vendor. For example, a system could be set up to only install fonts with a valid DSIG and from Adobe; all other fonts would return an error at install time. There are clearly points in time over the past few decades where enterprise companies would have liked this option.

To Eric's comments, the format we used also allowed for the concept of authenticated attributes. Our intention in 1998 was to allow authenticated attributes such as, "this font passed font validation", or a "third-party validated the font data and then co-signed the font with their certificate".

The issue of subsetting was being worked on when I was last involved. It involved having a hierarchical description of "chunks" in the font, where individual "chunks" could be removed, but the signature would remain valid.

I appreciate John Hudson's comments, but it is also using a different lens than we had in 1998. Our plans for how to handle the multiple formats were not how things ended up.
Also, because of the overhead of adding DSIGs, we wanted to encourage their usage by making them required for OpenType. Alas, things change :-) 

GregH

>  From: Ned Holbrook
>  Sent: Wednesday, March 30, 2016 8:42 PM
>  
>  Thank you for the clarification, Eric.
>  
>  > On Mar 30, 2016, at 8:36 PM, Eric Muller <eric.muller at efele.net> wrote:
>  >
>  > Message from OpenType list:
>  >
>  >
>  > On 3/30/2016 11:45 AM, Ned Holbrook wrote:
>  >> You're absolutely right, David: DSIG is indicative of a font’s provenance.
>  >
>  > It's only indicative of the signature provenance, not of the font
>  > provenance. I can take a Monotype font and sign it.
>  >
>  >>  But given that it is an optional table and is unusable in most
>  >>  web font scenarios, it seems to serve very little purpose in
>  >>  today’s world.
>  >
>  > Even before, it served very little purpose. Without some statement
>  > or context, you don't know what a signature means. A signature may
>  > just mean "I saw it" or may mean "I assert it is a well-formed
>  > font" or it may mean "I assert it is not malicious", or Microsoft
>  > may mean "this is the version that shipped as part of this
>  > product", and you can't tell the meaning from the signature alone.
>  > This is not very different from usual pen-and-paper signatures (in
>  > that world, it's typically by context that you understand; and
>  > certainly my signature and the signature of a notary on a document
>  > have different meanings). AFAIK, no font provider has ever made an
>  > explicit statement, and there is no well-established context.
>  >
>  > Eric.
>  >
>  >
>  > subscribe: opentype-subscribe at indx.co.uk
>  > unsubscribe: opentype-unsubscribe at indx.co.uk
>  > messages: opentype-list at indx.co.uk
>  >
>  




List archive: http://www.indx.co.uk/biglistarchive/
List settings: http://www.indx.co.uk/biglistarchive/?mode=usersettings
