W3C home > Mailing lists > Public > www-font@w3.org > July to September 1996

Re: Protecting WebFonts

From: <lee@sq.com>
Date: Thu, 22 Aug 96 15:37:51 EDT
Message-Id: <9608221937.AA05345@sqrex.sq.com>
To: gdr@cataneo.bitstream.com, www-font@w3.org, michael@cascadilla.com
> >2. Having a full URL for the font might tempt some less than upright net
> >denizens to try to get the font directly from its Web server. To prevent
> >the outright advertisement of the location of a font, the font URL
> >reference should be restricted to *only* relative URLs, not fully
> >qualified URLs.

The browser will resolve these automatically -- that's no help from the
security point of view.  However, I do suggest that in *addition* to
other form of encryption, the server name used to fetch the font be used as
part of the encryption key.  In that way, if someone copies a font, they
won't be able to use it.  If the URL was forced to be relative, or (better)
in the same 2nd level domain as the referring document (the same algorithm
that Netscape uses for cookies woul dbe appropriate), you would not be able
to point your style sheet at a font that someone else had paid for.

> >3. The browser itself must enforce a policy that prevents *any* font
> >from being downloaded from a Web server different than the one
> >originating the Web page the font request is in.

I agree with this.  By itself, it is easily circumvented, but in conjunction
with the simple additional encryption I suggested, this would prevent
`casual piracy'.

> >5. If a browser downloads a font and keeps it in its cache, the font
> >*must* be encrypted (with strong encryption, like RSA or PGP).
Again, if the font is encrypted in a way that involves its URL, as well
as the OpenType wrapper's encryption, the browser can simply store the
(insecure) byte stream it fetched over the network.

>>  When the browser retrieves a
> >SECURE font, it should use the SSL security mechanisms
Well, then people in a corporate environment using a firewall probably can't
see the font at all.  Worse, SSL isn't in all browsers, and there are
problems with exporting SSL-aware code from the USA.  However, you could
simply use an SSL URL to do this; no attribute is needed.

> Here's a variant, which addresses the actual rights of the font's copyright
> holder.  The only acceptable font references in a web page should be refs
> to the font distributor's server (or whoever holds the copyright to that
> font).  That server can then send out copies if the copyright holder wants
> to.  Adobe and Bitstream can give away their fonts, and I can choose not
> to give away mine.  And you don't give end-users the false impression that
> somehow they have the right to distribute copies themselves.

So all of Adobe's fonts are accessible for free over the web, for screen
and print use???  No, that won't work.
Also, like server-side rendering, this has a severe performance penalty --
even at only a couple of million hits a day, Adobe's twenty new high-end
SPARCserver systems (that they don't have right now) would be on their knees,
as would the Californian internet backbone.  And every web access in Europe
or Down Under would fetch 20K or 100K from California... which would be a
bandwidth disaster.  Of course, if the fonts were available from the vendor's
sites for free, as your suggestion implies (or with a registration number
that I can copy), people could make ftp mirrors all round the world, and
font picracy would cease to be an issue :-)

>  And all of Bitstream's
> protesting that they want to give away their fonts
I haven't heard them make any such statement.  In order to use their
TrueDoc system, you have to have a copy of the font in the first place;
whether the resulting TruDoc font is of high enough quality, and whether it
can be extracted from the transmitted document, those are different questions.
As far as I can tell, TrueDoc does not encourage giving fonts away any
more than Acrobat :-) -- if anything, considerably less.

> I'm very concerned about the erosion of perceived value in fonts.  That
> destroys the market for future fonts.
This (I think) is a common error.  If the price becomes 1/10th of today's
prices, but you sell 1,000 times more, you will be very happy.


Liam Quin, SoftQuad Inc    | lq-text freely available Unix text retrieval
lee@sq.com +1 416 239 4801 | FAQs: Metafont fonts, OPEN LOOK UI, OpenWindows
SGML: http://www.sq.com/   |`Consider yourself... one of the family...
The barefoot programmer    | consider yourself... At Home!' [the Artful Dodger]
Received on Thursday, 22 August 1996 15:43:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:37:29 UTC