Re: The other party in all this

On Sun, Jul 5, 2009 at 6:16 PM, John Daggett<jdaggett@mozilla.com> wrote:
> If user agents implement same-origin restrictions on fonts and support
> some form of compressed data format for TrueType/OpenType fonts, simple
> hot-linking won't work and the fonts won't be usable as normal desktop
> fonts, at least initially.  If font vendors include per-sale information
> identifying the site for which a font is licensed in the font metadata,
> detecting unlicensed usage on other sites should be easy to identify by
> an automated process.  Neither of these is ironclad but should at least
> prevent casual misuse.

Specifically, since all of the proposed formats are still TTF/OTF at
their core (though possibly compressed/wrapped/obfuscated), and
TTF/OTF can be arbitrarily extended with new informative tables
without screwing up older unaware clients, you can put whatever
information you want into a font file.

For example, you could add in the font name, purchaser's name, and a
unique serial number identifying the sale.  To prevent tampering, sign
all of it with your private key.  Anyone can then verify the
information with your public key (which you can even put into the font
metadata next to all the other data), but they can't change it short
of breaking the basis of all modern cryptography (and then you've got
a lot more to worry about than people infringing on your copyright).

It's a *reliable* form of fingerprinting, and I can think of a few
ways to make it even more reliable (add a checksum, signed with your
public key, so that you can verify that the info table hasn't been
lifted from another legally purchased font).  And it doesn't require a
single browser vendor to lift a finger to achieve it.  You'd just need
someone to write a tool that can add this info easily.

~TJ

Received on Monday, 6 July 2009 02:32:12 UTC
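
Added example (not part of the original message or of any vendor's tool): a Python sketch of the private-table idea described above, showing that an extra sfnt table sits beside the existing ones and how a content digest stored in that table ties it to one particular font. The `LICN` tag, the record format and the sample tables are constructed assumptions; the vendor's signature over the table bytes would be made with a standard signature library and is outside this block.

```python
import hashlib, struct

TAG = b"LICN"  # hypothetical private table tag, not a registered OpenType table

def build_sfnt(tables):
    """Serialize {tag: data} into an sfnt container (header, directory, padded tables)."""
    n = len(tables)
    es = n.bit_length() - 1                      # entrySelector = floor(log2(n))
    sr = 16 << es                                # searchRange
    out = struct.pack(">IHHHH", 0x00010000, n, sr, es, n * 16 - sr)
    offset, body = 12 + 16 * n, b""
    for tag, data in sorted(tables.items()):
        padded = data + b"\0" * (-len(data) % 4)  # tables are 4-byte aligned
        csum = sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF
        out += struct.pack(">4sIII", tag, csum, offset + len(body), len(data))
        body += padded
    return out + body

def parse_sfnt(font):
    n = struct.unpack_from(">H", font, 4)[0]     # numTables
    tables = {}
    for i in range(n):
        tag, _, off, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        if off + length > len(font):
            raise ValueError("table %r runs past end of file" % tag)
        tables[tag] = font[off:off + length]
    return tables

def content_digest(tables):
    """SHA-256 over every table except the license table itself."""
    h = hashlib.sha256()
    for tag in sorted(t for t in tables if t != TAG):
        h.update(tag + struct.pack(">I", len(tables[tag])) + tables[tag])
    return h.digest()

def add_license(font, record):
    tables = parse_sfnt(font)
    # Table body = digest of the other tables + sale record; these bytes get signed.
    tables[TAG] = content_digest(tables) + record
    return build_sfnt(tables)

def read_license(font):
    """Return the sale record, or None if absent or bound to different font data."""
    tables = parse_sfnt(font)
    blob = tables.get(TAG)
    if blob is None or len(blob) < 32 or blob[:32] != content_digest(tables):
        return None
    return blob[32:]

if __name__ == "__main__":  # constructed placeholder tables, not a usable font
    font = build_sfnt({b"cmap": b"constructed", b"glyf": b"constructed outlines"})
    print(read_license(add_license(font, b"site=example.com;serial=0001")))
```

On a real font, a tool that rewrites the file also has to recompute `checkSumAdjustment` in the `head` table, so that field should be zeroed before hashing or the digest will not match after the rewrite.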