<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">Si,</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">
I am tentatively with Esfahbod here. I am trying to understand what harm would come from future apps treating all TTFs as "OpenType." It's not like the presence of a DSIG guaranteed any other functionality whatsoever in a TTF. Or am I missing something?</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">You might say, well, it tells people there is a DSIG. But it doesn't even do that: we know that OT-CFF fonts without DSIGs, and TTFs with dummy DSIGs got treated the same as TTFs with real DSIGs. So I don't see the value there.</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">(As a user, I care about the CFF/TTF distinction sometimes. But not this.)</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">T</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, May 16, 2014 at 3:19 PM, Terence Dowling <a href="mailto:terry@tdowling.com">terry@tdowling.com</a> [mpeg-OTspec] <span dir="ltr">&lt;<a href="mailto:mpeg-OTspec@yahoogroups.com" target="_blank">mpeg-OTspec@yahoogroups.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="background-color:#fff">
<div>
<div>
<div>
<p>OK, so we must deal with the legacy of "as-built" rather than "as-designed".<br>
<br>
Therefore I suggest that wording (wordsmiths welcome) be added to the<br>
DSIG table documentation:<br>
<br>
==================<br>
<br>
"DSIG was originally intended to provide some assurance of the<br>
provenance and integrity of a font object.<br>
<br>
Implementations have so compromised this feature such that<br>
DSIG no longer offers any protection and its only remaining<br>
value is that some implementations use the presence of this<br>
table to differentiate between "legacy TrueType" and "OpenType".<br>
<br>
As a result, no font processor may reject or otherwise devalue a<br>
font with a DSIG that does not validate properly or promote a<br>
font with a DSIG that does validate."<br>
<br>
==================<br>
<br>
Again, prudence suggests (requires?) that we provide clear notice<br>
that there is no longer any integrity benefit provided by DSIG.<br>
<br>
In an environment of security challenges (including fonts as a threat<br>
vector), can we do less?<br>
<br>
It seems unfortunate that there has been no clear enumeration of<br>
products/versions that use a presence test for DSIG that would guide<br>
font production testing.<br>
<br>
Terence Dowling<br>
</p>
</div>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><font style="background-color:rgb(255,255,255)" face="verdana, sans-serif"><span style="line-height:18px">On paper books and ebooks: “</span><span style="color:rgb(0,0,0);white-space:pre-wrap">Paper books are the packaging that books come in</span><span style="line-height:18px">.”</span><span style="line-height:18px"><br>
</span><span style="border:0px;margin:0px;padding:0px">—Cory Doctorow</span></font></div>
</div>
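<p>The message above distinguishes fonts with no DSIG, with a dummy DSIG and with a real DSIG. The following sketch contrasts a presence-only test with a structural check that tells those cases apart. It is an added example, not code from the original message or from any font processor. The function names are hypothetical, the sample fonts are constructed, and the layout assumed is the OpenType sfnt table directory and DSIG header. No signature is cryptographically validated.</p>

```python
import struct

def build_sfnt(tables):
    """Constructed sample builder: minimal sfnt container, checksums left 0."""
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    offset, records, body = 12 + 16 * len(tables), b"", b""
    for tag, data in sorted(tables.items()):
        records += struct.pack(">4sIII", tag, 0, offset, len(data))
        padded = data + b"\0" * (-len(data) % 4)  # tables are 4-byte aligned
        body += padded
        offset += len(padded)
    return header + records + body

def table_directory(font):
    """Parse the sfnt table directory into {tag: (offset, length)}."""
    if len(font) < 12:
        raise ValueError("truncated sfnt header")
    _version, num_tables = struct.unpack_from(">IH", font, 0)
    if len(font) < 12 + 16 * num_tables:
        raise ValueError("truncated table directory")
    entries = {}
    for i in range(num_tables):
        tag, _sum, off, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        entries[tag] = (off, length)
    return entries

def presence_test(font):
    """Presence-only check: any table tagged DSIG counts, whatever it holds."""
    return b"DSIG" in table_directory(font)

def dsig_status(font):
    """Classify DSIG by structure only; no signature is validated here."""
    entry = table_directory(font).get(b"DSIG")
    if entry is None:
        return "absent"
    off, length = entry
    if length < 8 or off + length > len(font):
        return "malformed"
    _ver, num_sigs, _flags = struct.unpack_from(">IHH", font, off)
    if num_sigs == 0:
        return "dummy"  # header only, zero signature records
    if length < 8 + 12 * num_sigs:
        return "malformed"  # directory of signature records does not fit
    return "has-signatures"

# Constructed sample fonts (not real font files; signature bytes are filler).
NO_DSIG = build_sfnt({b"glyf": b"\0" * 4})
DUMMY = build_sfnt({b"glyf": b"\0" * 4, b"DSIG": struct.pack(">IHH", 1, 0, 0)})
SIGNED = build_sfnt({b"glyf": b"\0" * 4, b"DSIG": struct.pack(">IHHIIIHHI", 1, 1, 0, 1, 12, 20, 0, 0, 4) + b"\xaa" * 4})
```

<p>On these samples the presence test gives the same answer for the dummy table and the signature-bearing one, while the structural check separates them.</p>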