Re: CSS3 @font-face / EOT Fonts from John Daggett on 2008-11-06 (www-style@w3.org from November 2008)

From: John Daggett <jdaggett@mozilla.com>
Date: Wed, 5 Nov 2008 18:05:49 -0800 (PST)
To: Thomas Phinney <tphinney@adobe.com>
Cc: www-style@w3.org
Message-ID: <9278089.220931225937149513.JavaMail.root@cm-mail01.mozilla.org>

Hi Thomas,

> 2) The folks who make the retail fonts want exactly the two kinds of
> protections in question, which requirements are met by EOT and
> apparently by the compromise proposal as well. The minimum requirement
> seems to be: URL info in the font, plus just enough obfuscation that the
> font can't work in Mac or Windows without pre-processing. 

As several others have pointed out, the root string mechanism is
extremely clumsy.  The only thing it serves to prevent is a user taking
a font from one site and using it on another site.  But a user going
that far could just as easily run a PERL script to unwrap the font data
and use it anyways.

Simply inserting site-specific information into the license name record
of each font sold and including a digital signature is a much more
straight forward solution compared to root strings.  Unlicensed usage
would be simple to document and user agents wouldn't be forced into the
role of license cop.  The license information could be displayed as part
of the page information so web authors would understand how to go about
getting a proper license for a given font they come across on another
site.

> > DRM is evil. Easily-circumvented DRM is pointless and evil.
> 
> I believe this isn't DRM, but DRE (and even more so in the new
> "compromise proposal"). But of course calling it DRM makes it easier for
> W3C folks to have a knee-jerk reaction against it.

Whether you call it DRM or DRE I think there are some very real concerns
that the use of root strings would be enough to make this an access
control mechanism covered by DMCA, in which case implementators would be
exposed to potential lawsuits.  Not such a big deal for closed source
vendors doing the right thing but this is a much bigger concern for open
source projects. Nothing would prevent someone from posting a patch that
circumvents the root string restrictions.  Does that make the
organization sponsoring the project liable?  Reasonable folks would of
course say no but lawsuits have been initiated in far more unreasonable
situations.  No one wants to get arrested and thrown in jail while
attending a conference in the States.

Regards,

John Daggett
Mozilla Japan

Received on Thursday, 6 November 2008 02:07:04 UTC