[MPEG-OTSPEC] DSIG spec issue

Terence Dowling terry at tdowling.com
Wed Aug 26 02:24:12 CEST 2020


I'm one of the original specifiers of DSIG and I can tell you with certainty that the "as-implemented" code is entirely worthless. Nobody actually thoroughly checks all of the components of a digital signature. Signature authorities are vulnerable to compromise and an actual check is computationally significant. A thorough check requires internet access (revocation lists etc.) and reading the whole font file. Further, I know of no actual commercial implementations that reject fonts because of malformed 'head' table entries. Further, many fonts were built using the Apple sample code which has a number of substantive issues (processor endian specific, integer word size specific, and field overrun when tables are not multiples of 4 bytes in length). At this point DSIG is irrevocably "security theater" and should be removed. An invalid illusion of security is worse than no security.

Terence Dowling
Adobe 1991-2010

On 8/25/2020 15:08, Peter Constable wrote:
>
> There’s an issue that was opened against the DSIG chapter of the OT
> spec regarding the spec for calculating signature hashes.
>
> https://github.com/MicrosoftDocs/typography-issues/issues/455
>
> This is not a new issue, having been raised at least as early as 2016,
> and I’m pretty sure earlier than that. It was raised in this list (its
> earlier version) by Hin-Tak Leung in November 2016.
>
> https://lists.aau.at/pipermail/mpeg-otspec/2016-November/000835.html
>
> I want to let people here know that, in triaging OT spec issues, I’ve
> marked this as P1 as it’s an important issue with implementations
> being blocked. I’ve asked relevant people at Microsoft for
> clarification, and suggested one or other of the courses of action
> that Cosimo Lupo proposed on this list
> (https://lists.aau.at/pipermail/mpeg-otspec/2016-December/000837.html):
> either provide an interoperable spec, or else deprecate DSIG once and
> for all.
>
> Peter
>
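To make the sample-code pitfalls named in the post concrete (native-endian word reads and walking past a table whose length is not a multiple of 4), here is a table-checksum routine written from the verifier's side. It is an added illustration for this archive page, not code from the thread or from any font toolkit; the checksum rule it follows (sum of big-endian uint32 words with the table zero-padded to a 4-byte boundary) is the OpenType one, and the 'head' table's checkSumAdjustment special case is deliberately out of scope.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Sum the table as big-endian uint32 words, treating the bytes that the
 * format would pad with zeros as zeros rather than reading them from
 * memory. Byte-wise reads make the result independent of host endianness
 * and host word size; the loop never touches table[length] or beyond. */
uint32_t ot_table_checksum(const uint8_t *table, size_t length)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < length; i += 4) {
        uint32_t word = 0;
        for (size_t k = 0; k < 4; k++) {
            word <<= 8;
            if (i + k < length)      /* tail bytes past the end count as zero */
                word |= table[i + k];
        }
        sum += word;                 /* uint32_t wraparound is the intended arithmetic */
    }
    return sum;
}

/* Check one table-directory entry against the font bytes.
 * Returns 1 on match, 0 on mismatch, -1 when offset/length point outside the
 * file (tested without integer overflow, so a hostile pair cannot wrap). */
int ot_table_check(const uint8_t *font, size_t font_len,
                   uint32_t offset, uint32_t length, uint32_t expected)
{
    if (offset > font_len || length > font_len - offset)
        return -1;
    return ot_table_checksum(font + offset, length) == expected ? 1 : 0;
}

int main(void)
{
    /* Constructed 6-byte table: word 0x00010002 followed by 0x0003 + zero padding. */
    static const uint8_t tbl[] = {0x00, 0x01, 0x00, 0x02, 0x00, 0x03};
    printf("checksum = 0x%08x\n", (unsigned)ot_table_checksum(tbl, sizeof tbl));
    return 0;
}
```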

