Re: What constitutes protection [was: About using CORS] from John Hudson on 2010-05-04 (public-webfonts-wg@w3.org from May 2010)

From: John Hudson <tiro@tiro.com>
Date: Mon, 03 May 2010 21:22:00 -0700
To: Anne van Kesteren <annevk@opera.com>
CC: public-webfonts-wg@w3.org
Message-ID: <4BDFA0E8.9030307@tiro.com>

Anne van Kesteren wrote:

> I understand where you are coming from, but I don't believe that 
> policing the Web will work. Even with a new format. It also seems 
> counter and lacks in understanding as to how the Web operates. I cannot 
> help but think of the media conglomerates trying to persuade our 
> government to be allowed to see if the packets users are transferring 
> contain copyrighted material.

Please try harder not to think of such things, because like most other 
attempts at parallels or analogies it creates a false impression of what 
fonts are (tools, not media), the people who make fonts (mostly small 
design studios or individual type designers), and how fonts are used on 
the web (web hosted typesetting applets, not media files). May I 
recommend that we think about fonts, not about things we think might be 
analogous? In my experience, there's nothing quite like fonts.

With regard to 'policing the Web', I did not use that phrase. What I 
referred to was policing our licenses, and in order to do that in the 
new environment of web served fonts it helps immensely if we and our 
customers are able easily to distinguish web-licensed fonts from 
existing non-web-licensed fonts.

Now, perhaps we can move forward. I'm interested to know your thoughts, 
Anne, in light of Håkon's recent comment:

 It's still open whether the specification
 should say anything about SOR, and -- if so --
 what technologies to use. CORS is one option...

Let's assume, for the sake of discussion, that the WOFF spec is going to 
say something about SOR. What are the options, and what are their pros 
and cons from various perspectives. At the moment I am agnostic on the 
subject of SOR in WOFF because it isn't something I understand beyond 
the basic security principle, and would like to get a better grasp of 
this topic.

I understand the business argument in terms of providing some method 
that makes it easy for font users to comply with licenses that require 
them to take reasonable steps to limit use of a web served to sites 
owned by that user. That seems to me worthwhile, but I'd like to know 
what you think the options are.

JH

Received on Tuesday, 4 May 2010 04:22:39 UTC