[mpeg-OTspec] Re: factual error in the DSIG description in the OT spec.

[Levantovsky, Vladimir]

Dear Hin-Tak,

Thank you for your contributions and active participation in OFF-related discussions. While I agree with you that DSIG table hasn't seen much use and often comes in the way when webfonts need to be altered (e.g. subsetted for a particular content) - the deprecation of the table shouldn’t be taken lightly and we should definitely consider implications of doing so _if_ there are certain contingencies where various implementations might rely on presence of certain tables to enable advanced layout functionality. 

I consider any changes to DSIG table (either editorial or functional or deprecation) to be a major change that is definitely needed and is likely to be a benefit but I am not sure if we can do so within a scope of the current ballot comments and definitely not until we have heard from MS and other major stakeholders. The change like this might be much more suitable as part of the next major revision of the spec that is expected to be initiated later this year.

I'd like to ask all interested parties to express their views on the DSIG table functionality and share their experiences (either negative or positive) with using it.

Thank you,
Vladimir


-----Original Message-----
From: Hin-Tak Leung [mailto:htl10 at users.sourceforge.net] 
Sent: Thursday, April 14, 2016 6:01 PM
To: mpeg-OTspec at yahoogroups.com; opentype-list at indx.co.uk; mstwsite at microsoft.com; Levantovsky, Vladimir
Subject: RE: [mpeg-OTspec] Re: factual error in the DSIG description in the OT spec.

Dear Vlad,

For the mid-term future, seeing as DSIG is little used, and not useful for web fonts which are seen as increasingly important, it would be nice to explicitly deprecating DSIG tables (that some vintage of MS Windows' rendering behavior depends on its presence is a bit unfortunate - perhaps a paragraph about 'if the font is for this purpose, ....' in the 'recommended practice' section); or for somewhat longer future, to come up with a new format that's compatible with sub-setting and web font usage. I think acertaining the origin/authorship/copyright status of a font is a good thing, we just need to find a new format which can do that, while surviving sub-setting and web font usage.

For the short-term, the Microsoft folks had been somewhat quiet on this matter... it would be nice to confirm the disagreement between the spec and the most widely-used MS implementation (not the 'only' as Adam Twardoch kindly pointed out), and come to an addendum in the spec - either remove the 4th step in the procedure of 5 in the spec slightly to match it, or add a sentence about the most widely used implementation does not quite do what the spec says.

Regards,
Hin-Tak

--------------------------------------------
On Tue, 29/3/16, Levantovsky, Vladimir
<Vladimir.Levantovsky at monotype.com> wrote:

 Thank you Hin-Tak for
 reporting the issue and for providing additional details.
 
 
 I think it makes perfect
 sense to revisit the concept of the DSIG in general. We  might want to consider few options:
 1)
 update the spec to match the behavior of the only existing  implementation;
 2) review the existing
 algorithm to see if it makes sense to revisit it and define  another format - I remember seeing reports of multiple  vulnerabilities;
 3) reconsider the whole
 approach to signing the fonts. 
 
<snipped>