- From: Thomas Phinney <tphinney@cal.berkeley.edu>
- Date: Fri, 7 May 2010 11:09:06 -0700
- To: Matt Colyer <matt@typekit.com>
- Cc: Jonathan Kew <jonathan@jfkew.plus.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, "Levantovsky, Vladimir" <Vladimir.Levantovsky@monotypeimaging.com>, Erik van Blokland <erik@letterror.com>, "www-font@w3.org" <www-font@w3.org>
On Fri, May 7, 2010 at 10:08 AM, Matt Colyer <matt@typekit.com> wrote: > Ahh, now I understand what you want to do. What I think you want is > cyptographic file signing (like the DSIG table, which didn't ever really > take off). http://www.microsoft.com/typography/otspec/dsig.htm > That way a WOFF file could be guaranteed to be unmodified by the original > author and no one (unless they got your private key) could properly resign > the file (but a checksum as previously pointed out could be easily > recalculated). > However this would require alot of effort to create a web of trust for > foundry certificates. Assuming all of this did work, what should happen if a > file wasn't properly signed? What should happen if it was signed but not by > a trusted entity? > I think the most difficult part of this is creating a user experience that > effectively used the signing information without causing a disruption to the > average web user. The Firefox 3 SSL warning page has had to deal with > similar >issues http://www.pcworld.com/businesscenter/article/150215/debating_the_firefox_ssl_certificate.html > Thoughts? > -Matt One minor issue with DSIGs for desktop fonts, moving to the web, is that the DSIG is an extra ~4K to the file size. If one is concerned about keeping file size down, adding *another* DSIG seems like a bad idea. A tiny checksum is a different matter. Regards, T -- "I've discovered the worst place to wander while arguing on a hands-free headset." — http://xkcd.com/736/
Received on Friday, 7 May 2010 18:09:40 UTC