<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>Vladimir,</div>
<div>Your comments about the DSIG table are a solid summary of points that have been raised about this in the past, and I agree they are fairly compelling.</div>
<div><br>
</div>
<div>The primary purpose of the DSIG is to verify when the font is unchanged since being signed. I don’t know whether (potentially maliciously) modified fonts are still a concern, so I’d be curious to see what Microsoft has to say on this point, in light of
the various steps they’ve taken over the years to bolster security around fonts. </div>
<div><br>
</div>
<div>You’ll recall that a secondary purpose of the table has been to indicate to Windows that a font was OpenType and not Type 1. There could certainly be better heuristics for that function, but it’s too late to change old OSes. That said, perhaps they’re
old enough to not be a point of concern today. I’m not sure at what point (if ever) this behavior changed; perhaps someone can enlighten me.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE">
<div>
<div>-- </div>
<div>David Lemon</div>
</div>
<div>Sr Manager, Type Development</div>
<div>Adobe</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>"<a href="mailto:mpeg-OTspec@yahoogroups.com">mpeg-OTspec@yahoogroups.com</a>" &lt;<a href="mailto:mpeg-OTspec@yahoogroups.com">mpeg-OTspec@yahoogroups.com</a>&gt; on behalf of "'Levantovsky, Vladimir'
<a href="mailto:vladimir.levantovsky@monotype.com">vladimir.levantovsky@monotype.com</a> [mpeg-OTspec]" &lt;<a href="mailto:mpeg-OTspec-noreply@yahoogroups.com">mpeg-OTspec-noreply@yahoogroups.com</a>&gt;<br>
<span style="font-weight:bold">Reply-To: </span>Vladimir Levantovsky &lt;<a href="mailto:vladimir.levantovsky@monotype.com">vladimir.levantovsky@monotype.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Tuesday, March 29, 2016 at 7:01 AM<br>
<span style="font-weight:bold">To: </span>Hin-Tak Leung &lt;<a href="mailto:htl10@users.sourceforge.net">htl10@users.sourceforge.net</a>&gt;, "<a href="mailto:mpeg-OTspec@yahoogroups.com">mpeg-OTspec@yahoogroups.com</a>" &lt;<a href="mailto:mpeg-OTspec@yahoogroups.com">mpeg-OTspec@yahoogroups.com</a>&gt;,
"<a href="mailto:opentype-list@indx.co.uk">opentype-list@indx.co.uk</a>" &lt;<a href="mailto:opentype-list@indx.co.uk">opentype-list@indx.co.uk</a>&gt;, "<a href="mailto:mstwsite@microsoft.com">mstwsite@microsoft.com</a>" &lt;<a href="mailto:mstwsite@microsoft.com">mstwsite@microsoft.com</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>RE: [mpeg-OTspec] Re: factual error in the DSIG description in the OT spec.<br>
</div>
<div><br>
</div>
<div>
<div>
<div>Thank you Hin-Tak for reporting the issue and for providing additional details.
</div>
<div><br>
</div>
<div>I think it makes perfect sense to revisit the concept of the DSIG in general. We might want to consider a few options:</div>
<div>1) update the spec to match the behavior of the only existing implementation;</div>
<div>2) review the existing algorithm to see if it makes sense to revisit it and define another format - I remember seeing reports of multiple vulnerabilities;</div>
<div>3) reconsider the whole approach to signing the fonts. </div>
<div><br>
</div>
<div>The vast majority of valid uses where the font data travels either embedded in a document or as a web font resource involves preprocessing steps such as subsetting and compression that invalidate the signature. Compression algorithms such as MicroType
Express used as part of EOT format or the new WOFF2 that in parts is based on MTX and shares the same concepts of content-aware preprocessing and compression produce font files that are a 100% functional match to the original but the output font file is not
a binary match to the input font file (even if only a simple step of font table reordering was applied). As a result, the DSIG would be invalidated in all of those cases (and WOFF2 recommends removing it when a font is compressed). Having a data block that
is declared a secure signature but in fact provides no assurance of security and interferes with valid uses of a font is IMHO counter-productive since it creates a false sense of security and no real protection.
</div>
<div><br>
</div>
<div>I don’t have any grudge against DSIG but in my personal opinion having a tool that serves little purpose isn’t practical - I am willing and ready to be proven wrong and be convinced otherwise.</div>
<div><br>
</div>
<div>Thank you,</div>
<div>Vladimir</div>
<div><br>
</div>
<div><br>
</div>
<div>-----Original Message-----</div>
<div>From: <a href="mailto:mpeg-OTspec@yahoogroups.com">mpeg-OTspec@yahoogroups.com</a> [<a href="mailto:mpeg-OTspec@yahoogroups.com">mailto:mpeg-OTspec@yahoogroups.com</a>] On Behalf Of Hin-Tak Leung
<a href="mailto:htl10@users.sourceforge.net">htl10@users.sourceforge.net</a> [mpeg-OTspec]</div>
<div>Sent: Monday, March 28, 2016 6:59 PM</div>
<div>To: <a href="mailto:mpeg-OTspec@yahoogroups.com">mpeg-OTspec@yahoogroups.com</a>;
<a href="mailto:opentype-list@indx.co.uk">opentype-list@indx.co.uk</a>; <a href="mailto:mstwsite@microsoft.com">
mstwsite@microsoft.com</a></div>
<div>Subject: [mpeg-OTspec] Re: factual error in the DSIG description in the OT spec.</div>
<div><br>
</div>
<div>Just reposting. Maybe I should reword the issue a bit: the problem is that, for nearly 20 years, there is only one implementation of the signing tool, and one implementation of the checking tool, both from Microsoft. And they agree with each other, but
not with the words of the spec. Since too many fonts had already been signed (in a different way from what the words of the OT spec say), it would seem necessary to change the spec to match how the Microsoft tool behaves.</div>
<div><br>
</div>
<div>--------------------------------------------</div>
<div>On Tue, 8/3/16, Hin-Tak Leung &lt;<a href="mailto:htl10@users.sourceforge.net">htl10@users.sourceforge.net</a>&gt; wrote:</div>
<div></div>
<div>Since we are on correcting the spec, here is another issue with the DSIG description in</div>
<div></div>
<div><a href="https://www.microsoft.com/typography/otspec/dsig.htm">https://www.microsoft.com/typography/otspec/dsig.htm</a></div>
<div></div>
<div>as well as the ISO/IEC 14496:22 2015 pdf.</div>
<div></div>
<div>The "4. Zero out the file checksum in the head table." </div>
<div>in the "Format 1: For whole fonts, with either TrueType outlines and/or CFF data:"</div>
<div> should be removed. i.e. it should read:</div>
<div></div>
<div>&lt;quote&gt;</div>
<div>1. If there is an existing DSIG table in the font,</div>
<div></div>
<div> 1. Remove DSIG table from font.</div>
<div> 2. Remove DSIG table entry from sfnt Table Directory.</div>
<div> 3. Adjust table offsets as necessary.</div>
<div> 4. Add the usFlag (reserved, set at 1 for now) to the stream of bytes &lt;/quote&gt;</div>
<div></div>
<div>because there is only one implementation of the signing tool, from Microsoft, for many years, and that's how it behaves, and that's what all the signed fonts in the past 15+ years look like.</div>
<div>The spec needs to be corrected to match how the one and only signing implementation behaves.</div>
<div></div>
<div>The new DSIG check ( <a href="https://github.com/HinTak/Font-Validator/blob/master/DSIGInfo/DSIGInfo.cs">
https://github.com/HinTak/Font-Validator/blob/master/DSIGInfo/DSIGInfo.cs</a></div>
<div>),</div>
<div>which re-implements and replaces the not-opened MS wintrust based mssipotf.dll COM server in Microsoft's Font Validator and the MS signing tool, behaves like the MS signing tool, not the written spec.</div>
<div></div>
<div>I tried implementing it as the spec was written and was stuck not verifying known-well-signed fonts for some time, until Cosimo Lupo of Dalton Maag Ltd tipped me off about that error in the spec. The credit goes to one of his</div>
<div>(unnamed) colleagues in Dalton Maag for discovering this.</div>
<div></div>
<div></div>
<div>Note also in some rare cases, ttc's hashes are mis-calculated by my new implementation:
</div>
<div><a href="https://github.com/HinTak/Font-Validator/issues/4#issuecomment-161325775">https://github.com/HinTak/Font-Validator/issues/4#issuecomment-161325775</a></div>
<div><a href="https://github.com/HinTak/Font-Validator/issues/4#issuecomment-193967387">https://github.com/HinTak/Font-Validator/issues/4#issuecomment-193967387</a></div>
<div></div>
<div></div>
<div></div>
<div><br>
</div>
<div><br>
</div>
<div>------------------------------------</div>
<div>Posted by: Hin-Tak Leung &lt;<a href="mailto:htl10@users.sourceforge.net">htl10@users.sourceforge.net</a>&gt;</div>
<div>------------------------------------</div>
<div>------------------------------------</div>
<div>Posted by: "Levantovsky, Vladimir" &lt;<a href="mailto:Vladimir.Levantovsky@monotype.com">Vladimir.Levantovsky@monotype.com</a>&gt;</div>
<div>------------------------------------</div>
</div>
</div>
</span>
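<div>Added example, not part of the original thread: a sketch of the point made above that reordering font tables leaves every table intact yet changes the file's bytes, so any digest taken over the whole file no longer matches. The table payloads are constructed dummies, and SHA-256 is an assumption standing in for whatever digest a signature would cover; "functional match" is modelled here as every table's bytes being identical.</div>

```python
import hashlib
import struct

# Constructed dummy payloads, not a usable font.
TABLES = {b"cmap": b"constructed cmap bytes",
          b"glyf": b"constructed glyph data!",
          b"head": b"constructed head"}

def pad4(data):
    """sfnt tables are padded to 4-byte boundaries."""
    return data + b"\0" * (-len(data) % 4)

def table_checksum(data):
    """Per-table checksum: sum of big-endian uint32 words, modulo 2**32."""
    padded = pad4(data)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) % 2**32

def build_sfnt(tables, physical_order):
    """Directory sorted by tag; table data laid out in physical_order."""
    n = len(tables)
    entry_selector = n.bit_length() - 1
    search_range = 16 * 2**entry_selector
    header = struct.pack(">IHHHH", 0x00010000, n, search_range,
                         entry_selector, 16 * n - search_range)
    offsets, body = {}, b""
    for tag in physical_order:
        offsets[tag] = 12 + 16 * n + len(body)
        body += pad4(tables[tag])
    directory = b"".join(
        struct.pack(">4sIII", tag, table_checksum(tables[tag]),
                    offsets[tag], len(tables[tag]))
        for tag in sorted(tables))
    return header + directory + body

def parse_sfnt(font):
    """Return {tag: table bytes} by following the table directory."""
    n = struct.unpack_from(">H", font, 4)[0]
    tables = {}
    for i in range(n):
        tag, _, offset, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        tables[tag] = font[offset:offset + length]
    return tables

def compare_after_reorder():
    """(tables identical?, whole-file digest identical?) after reordering."""
    original = build_sfnt(TABLES, [b"cmap", b"glyf", b"head"])
    reordered = build_sfnt(parse_sfnt(original), [b"glyf", b"head", b"cmap"])
    return (parse_sfnt(original) == parse_sfnt(reordered),
            hashlib.sha256(original).digest() == hashlib.sha256(reordered).digest())

if __name__ == "__main__":
    print(compare_after_reorder())
```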
</body>
</html>