- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Sun, 5 Jul 2009 21:31:08 -0500
- To: John Daggett <jdaggett@mozilla.com>
- Cc: John Hudson <tiro@tiro.com>, www-font@w3.org
On Sun, Jul 5, 2009 at 6:16 PM, John Daggett<jdaggett@mozilla.com> wrote: > If user agents implement same-origin restrictions on fonts and support > some form of compressed data format for TrueType/OpenType fonts, simple > hot-linking won't work and the fonts won't be usable as normal desktop > fonts, at least initially. If font vendors include per-sale information > identifying the site for which a font is licensed in the font metadata, > detecting unlicensed usage on other sites should be easy to identify by > an automated process. Neither of these are ironclad but should at least > prevent casual misuse. Specifically, since all of the proposed formats are still TTF/OTF at their core (though possible compressed/wrapped/obfuscated), and TTF/OTF can be arbitrarily extended with new informative tables without screwing up older unaware clients, you can put whatever information you want into a font file. For example, you could add in the font name, purchaser's name, and a unique serial number identifying the sale. To prevent tampering, sign all of it with your private key. Anyone can then verify the information with your public key (which you can even put into the font metadata next to all the other data), but they can't change it short of breaking the basis of all modern cryptography (and then you've got a lot more to worry about than people infringing on your copyright). It's a *reliable* form of fingerprinting, and I can think of a few ways to make it even more reliable (add a checksum, signed with your public key, so that you can verify that the info table hasn't been lifted from another legally purchased font). And it doesn't require a single browser vendor to lift a finger to achieve it. You'd just need someone to write a tool that can add this info easily. ~TJ
Received on Monday, 6 July 2009 02:32:12 UTC