- From: Raph Levien <raph@google.com>
- Date: Mon, 29 Jun 2015 08:38:33 -0700
- To: Ken Lunde <lunde@adobe.com>
- Cc: Cosimo Lupo <cosimo.lupo@daltonmaag.com>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>
- Message-ID: <CAFQ67bPchfuc6pDo7_hzh6A+ogPJyMWP1+VTRp4kTdLJhzS37Q@mail.gmail.com>
There are a number of sub-processes other than the glyf transformation that do not guarantee bit-identical lossless compression. Table order was mentioned by the original poster, but there's also padding, and possibly other subtle details. Supporting DSIG on CFF-only fonts would be technically possible but would be a fairly major change to the format, and doesn't really further the use case (web fonts, where signature checking is not deployed). I think the original poster might want find that just using a high quality lossless compression algorithm on the OpenType font meets the requirements. Raph On Mon, Jun 29, 2015 at 7:53 AM, Ken Lunde <lunde@adobe.com> wrote: > Cosimo Lupo. > > I was thinking along the lines of processes (encoding/decoding) that don't > treat the entire font resource as a single entity. I defer to the expertise > of you and others with regard to this particular concern. > > -- Ken > > > On Jun 29, 2015, at 7:18 AM, Cosimo Lupo <cosimo.lupo@daltonmaag.com> > wrote: > > > > Ken, > > If the transform is indeed loss-less, then the output is bitwise > identical to the original and the DSIG will still verify. > > > > > > > > > > On Mon, Jun 29, 2015 at 2:00 PM, Ken Lunde <lunde@adobe.com> wrote: > > > > Cosimo Lupo, > > > > Pardon the possible naïve question, but wouldn't any transformation of > the font resource, including non-lossy ones, render the digital signature > in the 'DSIG' table invalid? I sense a security concern/issue here. > > > > Regards... > > > > -- Ken > > > > > On Jun 29, 2015, at 5:30 AM, Cosimo Lupo <cosimo.lupo@daltonmaag.com> > wrote: > > > > > > Hello, > > > > > > The issue of WOFF2 encoder dropping DSIG table for CFF as well as TTF > fonts the was discussed again in fontTools forum: > > > > > > https://github.com/behdad/fonttools/issues/306#issuecomment-116605139 > > > > > > Chris asked me to re-raise the issue here as well. > > > > > > You may recall, back in March, I proposed to keep the DSIG table at > least for CFF fonts, since these don’t undergo lossy transforms as TTF do. > > > > > > In his reply, Vladimir was concerned about the possibility that table > reordering might occur on either the encoding side (as it’s still the case > with reference and OTS implementation), or on the decoding side (to comply > with the OFF recommendations). > > > > > > As for the encoder, implementations could be easily modified to allow > keeping the original table order. Similarly, on the decoding end, the > latest WOFF2 spec use “must sort” only with reference to the sfnt table > directory, not the table data order. > > > > > > From Adam’s comments in fontTools forum, I gather the reasons for > dropping the DSIG in WOFF2 are not simply technical ones. > > > I personally don’t have a strong opinion on the matter, so I’ll leave > that to you. > > > > > > Cheers, > > > > > > — > > > Cosimo Lupo > > > > > > > >
Received on Monday, 29 June 2015 15:39:06 UTC