Re: Question on DSIG and head flag 11

Ken,

If the transform is indeed loss-less, then the output is bitwise identical to the original and the DSIG will still verify.

On Mon, Jun 29, 2015 at 2:00 PM, Ken Lunde <lunde@adobe.com> wrote:

> Cosimo Lupo,
> Pardon the possible naïve question, but wouldn't any transformation of the font resource, including non-lossy ones, render the digital signature in the 'DSIG' table invalid? I sense a security concern/issue here.
> Regards...
> -- Ken
>> On Jun 29, 2015, at 5:30 AM, Cosimo Lupo <cosimo.lupo@daltonmaag.com> wrote:
>> 
>> Hello,
>> 
>> The issue of the WOFF2 encoder dropping the DSIG table for CFF as well as TTF fonts was discussed again in the fontTools forum:
>> 
>> https://github.com/behdad/fonttools/issues/306#issuecomment-116605139
>> 
>> Chris asked me to re-raise the issue here as well.
>> 
>> You may recall, back in March, I proposed to keep the DSIG table at least for CFF fonts, since these don’t undergo lossy transforms as TTF do.
>> 
>> In his reply, Vladimir was concerned about the possibility that table reordering might occur on either the encoding side (as is still the case with the reference and OTS implementation), or on the decoding side (to comply with the OFF recommendations).
>> 
>> As for the encoder, implementations could be easily modified to allow keeping the original table order. Similarly, on the decoding end, the latest WOFF2 spec uses “must sort” only with reference to the sfnt table directory, not the table data order.
>> 
>> From Adam’s comments in fontTools forum, I gather the reasons for dropping the DSIG in WOFF2 are not simply technical ones.
>> I personally don’t have a strong opinion on the matter, so I’ll leave that to you.
>> 
>> Cheers,
>> 
>> —
>> Cosimo Lupo

Received on Monday, 29 June 2015 13:18:41 UTC
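
The table-reordering concern raised in this thread, as an added example that is not part of the original messages: a minimal sfnt container is rebuilt with the same table contents and the same tag-sorted directory but a different table data order, and the file bytes no longer match. The table contents are constructed placeholders, the helper names are hypothetical, and the SHA-256 over the whole file is a simplified stand-in for the digest a DSIG signature covers, not the actual DSIG procedure.

```python
import hashlib
import struct

# Constructed placeholder table contents, not real font data.
TABLES = {b"CFF ": b"constructed-cff-bytes",
          b"cmap": b"constructed-cmap",
          b"head": b"constructed-head-table"}
ORIGINAL_ORDER = [b"head", b"cmap", b"CFF "]  # assumed on-disk data order

def pad4(data):
    return data + b"\0" * (-len(data) % 4)

def table_checksum(data):
    data = pad4(data)
    return sum(struct.unpack(f">{len(data) // 4}I", data)) & 0xFFFFFFFF

def build_sfnt(tables, data_order):
    """Directory entries sorted by tag; table data laid out in data_order."""
    n = len(tables)
    entry_selector = n.bit_length() - 1
    search_range = 16 << entry_selector
    header = struct.pack(">4sHHHH", b"OTTO", n, search_range,
                         entry_selector, 16 * n - search_range)
    offsets, body = {}, b""
    for tag in data_order:
        offsets[tag] = 12 + 16 * n + len(body)
        body += pad4(tables[tag])
    directory = b"".join(
        struct.pack(">4sIII", tag, table_checksum(tables[tag]),
                    offsets[tag], len(tables[tag]))
        for tag in sorted(tables))
    return header + directory + body

def read_tables(font):
    """Recover {tag: data} through the directory, ignoring physical order."""
    n = struct.unpack(">H", font[4:6])[0]
    out = {}
    for i in range(n):
        tag, _, off, length = struct.unpack(">4sIII", font[12 + 16 * i:28 + 16 * i])
        out[tag] = font[off:off + length]
    return out

def digest(font):
    return hashlib.sha256(font).hexdigest()

original = build_sfnt(TABLES, ORIGINAL_ORDER)
bit_identical = build_sfnt(TABLES, ORIGINAL_ORDER)   # order preserved
reordered = build_sfnt(TABLES, sorted(TABLES))       # data sorted by tag

if __name__ == "__main__":
    print("order kept, digest matches:", digest(bit_identical) == digest(original))
    print("reordered, tables equal:   ", read_tables(reordered) == read_tables(original))
    print("reordered, digest matches: ", digest(reordered) == digest(original))
```
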