- From: Mikko Rantalainen <mikko.rantalainen@peda.net>
- Date: Tue, 07 Jul 2009 13:32:05 +0300
- To: www-font <www-font@w3.org>
- Message-ID: <4A532425.4010601@peda.net>

Thomas Phinney wrote:
> On Sun, Jul 5, 2009 at 9:25 PM, John Hudson<tiro@tiro.com> wrote:
>> Tab Atkins Jr. wrote:
>>
>>> For example, you could add in the font name, purchaser's name, and a
>>> unique serial number identifying the sale. To prevent tampering, sign
>>> all of it with your private key. Anyone can then verify the
>>> information with your public key [...]
>
> Although this is fine as far as it goes, it does NOT "prevent
> tampering." Remember, the font is not encrypted, just signed. Somebody
> deletes the signature and the custom data, and it's untraceable which
> customer the font came from.

Encryption is used to make something secret from some other party. A web font is designed to be available to anybody accessing a web page that uses the font. As a result, if encryption is used, anybody must be able to decrypt the font. Why use encryption at all if anybody must be able to decrypt it (that is, the decryption key must be public)?

You bring up the problem that somebody could extract the actual font data (shapes, kerning, other stuff) and save that data as another font file sans the original licensing information. I hope that you understand that there's no way that it can be prevented as long as all that data must be made available to anybody. Either you make that data available to anybody (and it can be copied) or you don't distribute that data as a web font. The actual encoding (the "font format") does not change this fact.

The best you can do is to attach a digitally signed license to a font and declare that (1) a font without such license is not legally licensed. However, the declaration (1) cannot effectively be part of the font file because the file can be changed and any declaration can be changed or removed.

Copying of data cannot be prevented if anybody is able to access the data. Sure, it has been tried. See DRM systems for an example. Perpetual moving machines have been also tried. Both are equally valid targets.

-- 
Mikko

Received on Tuesday, 7 July 2009 10:32:50 UTC
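
An added example, not part of the original message or of any font format: a license checker for the signed-license scheme discussed in the thread, showing what a signature can and cannot tell a verifier. The container layout, field names, sample values and the choice of Ed25519 are assumptions made for illustration.

```javascript
// Added example: constructed data, hypothetical names throughout.
const nodeCrypto = require("node:crypto");

// Foundry key pair (Ed25519). The public key is published; the private key never ships.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");

// The signed message binds the license fields to a hash of the font data.
function signedBytes(fontData, license) {
  const digest = nodeCrypto.createHash("sha256").update(fontData).digest("hex");
  return Buffer.from(JSON.stringify([digest, license.font, license.purchaser, license.serial]));
}

// Foundry side: attach a license record and its signature to the font data.
function issue(fontData, license) {
  const sig = nodeCrypto.sign(null, signedBytes(fontData, license), privateKey);
  return { fontData, license, signature: sig.toString("base64") };
}

// Verifier side. Three outcomes:
//   "licensed"   - record present and signature valid for this font data
//   "invalid"    - record present but altered, or attached to other data
//   "unlicensed" - no record at all; nothing to verify and no customer to name
function checkLicense(file) {
  if (!file.license || !file.signature) return "unlicensed";
  const ok = nodeCrypto.verify(null, signedBytes(file.fontData, file.license),
                               publicKey, Buffer.from(file.signature, "base64"));
  return ok ? "licensed" : "invalid";
}

// Constructed sample inputs.
const fontData = Buffer.from("constructed stand-in for glyph and kerning tables");
const sold = issue(fontData, { font: "Example Sans", purchaser: "Customer A", serial: "0001" });

// Any change to a signed field is detected.
const edited = { ...sold, license: { ...sold.license, purchaser: "Customer B" } };

// The same font data with no record: the signature offers no evidence either way.
const bare = { fontData: sold.fontData };

// A valid record attached to different font data fails too.
const moved = { ...sold, fontData: Buffer.from("constructed other font data") };

console.log(checkLicense(sold), checkLicense(edited), checkLicense(bare), checkLicense(moved));
```

The "unlicensed" outcome is where declaration (1) from the message applies: the checker can only report that no valid license is attached, and that rule has to live outside the file.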