[mpeg-OTspec] proposing DSIG update, again.

Peter Constable petercon at microsoft.com
Fri Jan 13 07:50:43 CET 2017 

Hi, Hin-Tak.

I'm afraid I can't comment yet on timelines. It's not a good situation to have our tool out of conformance with the spec, and so I'd like to see that resolved sooner than later. But I'm still investigating and waiting on info from some people who have been out on vacation.

We'll take the request for a cross-platform tool into consideration, but that would be a much lower priority for us at this time than resolving the non-conformance issue.


Peter

-----Original Message-----
From: Hin-Tak Leung [mailto:htl10 at users.sourceforge.net] 
Sent: Thursday, January 12, 2017 9:21 PM
To: Basit Ali <alib at microsoft.com>; Greg Hitchcock <gregh at microsoft.com>; Typography Site Comments <mstwsite at microsoft.com>; Peter Constable <petercon at microsoft.com>
Cc: VladimirLevantovsky <vladimir.levantovsky at monotype.com>; mpeg-OTspec at yahoogroups.com; OpenType List <opentype-list at indx.co.uk>; Cosimo Lupo <cosimo.lupo at daltonmaag.com>
Subject: RE: [mpeg-OTspec] proposing DSIG update, again.

Hi  Peter,

Apologies for being a pain - may I ask of the schedule/plan and timescale at which fixing mssipotf.dll may happen, or revisiting the idea of changing the spec?

The reason I am asking is that, at some point I'd like to revisit some of the issues with the new re-implementation of the DSIG verification part of FontVal 2.0 :

https://github.com/HinTak/Font-Validator/issues/4
'DSIG remaining issues.'

That being #4 (and therefore one of the earliest still-open issue), will probably be a blocking issue to v2.1, if v2.1 is to happen at all.

Also, since you mentioned fixing mssipotf.dll - which perhaps means that Microsoft will be allocating engineering resource in this area. Since signature verification is closely related to the process of signing, I wonder if your engineer might like to contribute to another devel idea - a cross-platform implementation of the font signing tool:

https://github.com/Microsoft/Font-Validator/issues/44
FontVal -based DSIG signing tool

and/or commission me to work in that direction. We should take this part of discussion off the list if you wish to discuss further.

Hin-Tak

--------------------------------------------
On Mon, 9/1/17, Peter Constable <petercon at microsoft.com> wrote:

 Hin-Tak: 
    
 It is a deadline, but not
 the last deadline for the 4th edition. I would  like to investigate this further before making any spec  changes. It may be an option for us to fix mssipotf.dll,  which might be a better approach than changing
  the spec after over a decade. 
    
    
 Peter 
    
 From:
 mpeg-OTspec at yahoogroups.com
 [mailto:mpeg-OTspec at yahoogroups.com]
 On Behalf Of Hin-Tak Leung
 htl10 at users.sourceforge.net [mpeg-OTspec]
 
 Sent: Monday, January 9, 2017 1:49 PM
 
 Subject: [mpeg-OTspec] proposing DSIG update,  again. 
 
 Hi all,
  
 It is another deadline for RFC for OT spec 4th edition  tomorrow. May I propose once again the following change be
 made:
  
 Referring to:
 
 http://www.microsoft.com/typography/otspec/dsig.htm
 
 - Remove "4. Zero out the file checksum in the head  table." and 
 
 - Renumbering "5. Add the usFlag (reserved, set at 1  for now) to the stream of bytes" to 4.
 
 The reason for change is that, this is how we understand  Microsoft's signing/verification module, the most widely  used implementation, works.
  
 I don't know who at Microsoft is supposed to be in  charge of mssipotf.dll - the font signing/verfication  wintrust module.
 
 Ali seems to have access to the most current binaries, and  Greg seems to be generally involved with font-related matter  at the deep coding level. Could we at least identify  somebody or the team at Microsoft who is "in charge  of" mssipotf.dll (if there is indeed
  such a party) to corroborate the suggestion above?
  
 Hin-Tak

More information about the mpeg-otspec mailing list