W3C home > Mailing lists > Public > www-style@w3.org > November 2008

Re: CSS3 @font-face / EOT Fonts

From: Aryeh Gregor <Simetrical@gmail.com>
Date: Fri, 7 Nov 2008 13:00:47 -0500
Message-ID: <7c2a12e20811071000l130b617ds33d2ea44f20f4867@mail.gmail.com>
To: "Tab Atkins Jr." <jackalmage@gmail.com>
Cc: "Lachlan Hunt" <lachlan.hunt@lachy.id.au>, "Thomas Phinney" <tphinney@adobe.com>, "www-style@w3.org" <www-style@w3.org>

On Fri, Nov 7, 2008 at 12:23 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> This does nothing more than give us honest developers busy work while making
> the font foundries have warm fuzzy feelings knowing their fonts are 'safe',
> when they are anything but no matter *what* we do (short of
> cryptographically signing the fonts...).

Cryptographically signing the fonts wouldn't do anything except
reliably indicate that you claim they belong to you (or otherwise
endorse their contents somehow, depending on the semantics of the
signature).  Anyone could still remove the signature at any time, or
replace it with their own, so it provides no safety.  Nothing will as
long as users have full control over their machines: you need working,
effective chains of trust from the hardware level up to have any kind
of security that a hacker can't break with a little effort.
Thankfully, we don't seem likely to get that anytime soon.
Received on Friday, 7 November 2008 18:01:26 UTC

This archive was generated by hypermail 2.3.1 : Monday, 2 May 2016 14:27:41 UTC