[mpeg-OTspec] Re: factual error in the DSIG description in the OT spec.

[Hin-Tak Leung]

Dear Vlad,

For the mid-term future, seeing as DSIG is little used, and not useful for web fonts which are seen as increasingly important, it would be nice to explicitly deprecating DSIG tables (that some vintage of MS Windows' rendering behavior depends on its presence is a bit unfortunate - perhaps a paragraph about 'if the font is for this purpose, ....' in the 'recommended practice' section); or for somewhat longer future, to come up with a new format that's compatible with sub-setting and web font usage. I think acertaining the origin/authorship/copyright status of a font is a good thing, we just need to find a new format which can do that, while surviving sub-setting and web font usage.

For the short-term, the Microsoft folks had been somewhat quiet on this matter... it would be nice to confirm the disagreement between the spec and the most widely-used MS implementation (not the 'only' as Adam Twardoch kindly pointed out), and come to an addendum in the spec - either remove the 4th step in the procedure of 5 in the spec slightly to match it, or add a sentence about the most widely used implementation does not quite do what the spec says.

Regards,
Hin-Tak

--------------------------------------------
On Tue, 29/3/16, Levantovsky, Vladimir 
<Vladimir.Levantovsky at monotype.com> wrote:

 Thank you Hin-Tak for
 reporting the issue and for providing additional details.
 
 
 I think it makes perfect
 sense to revisit the concept of the DSIG in general. We
 might want to consider few options:
 1)
 update the spec to match the behavior of the only existing
 implementation;
 2) review the existing
 algorithm to see if it makes sense to revisit it and define
 another format - I remember seeing reports of multiple
 vulnerabilities;
 3) reconsider the whole
 approach to signing the fonts. 
 
<snipped>