W3C home > Mailing lists > Public > www-style@w3.org > November 2008

RE: CSS3 @font-face / EOT Fonts - new compromise proposal

From: Levantovsky, Vladimir <Vladimir.Levantovsky@MonotypeImaging.com>
Date: Mon, 10 Nov 2008 17:34:17 -0500
Message-ID: <E955AA200CF46842B46F49B0BBB83FF2767B32@wil-email-01.agfamonotype.org>
To: "Tab Atkins Jr." <jackalmage@gmail.com>
Cc: <www-style@w3.org>
Hello Tab,


	From: Tab Atkins Jr. [mailto:jackalmage@gmail.com] 
	Sent: Monday, November 10, 2008 12:49 PM
	To: Levantovsky, Vladimir
	Cc: Philip TAYLOR; Mikko Rantalainen; www-style@w3.org
	Subject: Re: CSS3 @font-face / EOT Fonts - new compromise
	I attempted to separate that part from the rest of my response
specifically because it isn't a "factual and to the point" objection.
It's a philosophical/political objection, as I said.  On a political
level, though, many are unwilling to trust content producers to not
restrict our rights.  That is, after all, precisely what DRM does in
other mediums, and the various copyright lobbies in America often make
statements to the effect that Fair Use isn't valid.
	I'm not trying to insult you or the font vendors specifically.
It's just that history shows that when DRM comes into play, some will
abuse it to remove legally-allowed rights. 
	 Okay, I think we had enough of political discussions, let's try
to focus on real issues (whether technical or not).

			On a technical level, we've been over the topic
before that no form of DRM will ever stop piracy.  Pirates will rip any
content out of its DRM shell, but they weren't going to pay for it
anyway.  Regular users, who *would* pay for it (if offered at a
reasonable price, of course) are the ones who suffer from the
transactional cost of dealing with DRM at regular intervals, and from
the loss of legally-granted rights (such as the right to make backup
copies of your DVDs, in that medium and in the US (I'm not sure what
copyright law says in other countries)).
			Agree. But let's be honest - what I am proposing
is not DRM. Same origin restriction makes perfect sense if you want to
protect the resources you use for your website, and if, for whatever
reason, you do want to allow these resources to be linked elsewhere -
all you need to do is to negotiate a proper license for it.

	Well, there's two things here.  The first is the simple question
of why fonts *require* Access Control, when every other resource on the
web gets along fine without it.   
	Typical font licenses allow you to use a font for any and all
intended purposes. It may allow font embedding but would have a clause
that prohibits production of derivative works and/or unauthorized
distribution. When it comes to using fonts on the web, font vendors are
concerned (based on prior history of wide-spread font piracy) that
allowing making fonts available on the web without any technical means
to restrict their scope of use would ultimately create a situation when
a legitimate licensee would violate the license without even knowing it
(if you have no way to control who gets the font and how they are going
to use it).
	For the sake of example only, EOT solves this problem by
introducing root strings where you may list all sites that belong to
you. The intent is to give you - the web author - technical means to
fulfill the conditions of your font license. And, if your license
allowed unlimited distribution (let's say you bought the font outright
and you are now the sole owner of it), you wouldn't need any
restrictions, unless you decide that you are not going to share this
font with anyone else.
	I'd attempt to summarize this as follows: font vendors would
like to see a font embedding/linking mechanism that provides technical
means (such as domain binding or same-origin restrictions or similar) to
apply restrictions of the scope of use for a font resource, according to
a particular license for that font. It makes them very uncomfortable to
allow font linking or embedding on the web, if they know that such
mechanism is not in place.
	 Don't get me wrong - I love the idea of Access Controls solely
to replace the myriad half-baked measures to prevent hotlinking and
bandwidth leaching.  However, that's an optional measure taken by people
who expressly wish it.  Making browsers refuse to recognize linked fonts
*unless* they are same-origin restricted is forcing *all* of us to jump
through hoops for the benefit of the *some* that wish it.  Font
foundries can require in their license terms that users of their fonts
implement Access Controls without browsers requiring *everyone* to do
	 Access Control was proposed as an alternative to root strings
in EOT. I believe font vendors would be okay with it if they are
convinced it will work.


			For widespread piracy of a font to even be
*possible*, it requires the font to be located and downloaded first by
someone knowledgeable in such matters.  At that point obfuscation isn't
an issue - the person who located and downloaded the file can strip it
off and distribute the font in a vanilla manner.  It has been explicitly
stated by you that decompressors will be available standalone.
			In other words, obfuscation has *no* effect on
the vast majority of web users, and *no* effect on the majority of the
toolchain.  The only people it affects are web authors, and the only
place where it shows up is when we authors have to do some special thing
to get the font to work when we link it (run it through a compressor,
set up our server to spit out appropriate headers, etc.).  (Of course,
it also affects browser makers, who have to implement the
decompression.)  The pirate being chased by these proposals is a
boogeyman; you'd have to employ *real* DRM to get anywhere near the
appropriate target, and then you run into the same problems that every
other medium that utilizes DRM has - namely, that DRM doesn't prevent

	 In this particular case, the proposed *obfuscation* mechanism
is simply a specialized and efficient compression technique that can be
easily implemented (you have the spec and source code examples) and has
its own value for many actors on the web. In an attempt to estimate what
the *value* might be I came up with the following numbers:
	As of October 2008, the number of websites in the world was
~182.2 mil. (http://news.netcraft.com/archives/web_server_survey.html) I
also assumed that:
	- this number won't grow (duh :)
	- only 50% of websites will ever use font embedding;
	- that each website will only use a single embedded font, and
	- the average size and compression ratios for embedded font
would be similar to Verdana (font sizes: .ttf = 137KB, .zip = 81KB, .eot
= 58KB);
	- the average number of hits per website will be 1000 per day,
	- the content of each website will be duplicated at least three
times (development, production, Google cache).
	Here are the gain results comparing only two options -
zip-compressed fonts vs. MTX-compressed fonts:
	server storage size savings ~ 6 terabytes
	annual bandwidth usage savings ~ 730 petabytes of traffic.
	All these gains for a one-time expense of implementing
compression/decompression - pretty good ROI if you asked me. And it will
make font vendors happy as well - everybody wins big time!
Received on Monday, 10 November 2008 22:34:33 UTC

This archive was generated by hypermail 2.3.1 : Monday, 2 May 2016 14:27:41 UTC