Bill seems to be saying that they do, in fact, require *some* kind of access control:
http://lists.w3.org/Archives/Public/www-font/2009JulSep/0771.html
Although even his clarification isn't as clear as I would like.
Bill, can you answer this question: if I put a null-rootstring Ascender EOT font on my public server, does Ascender consider me to be compliant with the font license, or not?
Rob
--
Yes, it may pay to get this clear. However, this is a bit of a contradiction with one of the main arguments against rootstrings: their practical usability. If they’re so hard and/or expensive to manage in practice, then they’re not an attractive way for users to comply with such a bit of license. We can’t say EOT’s rootstrings are practically undeployable then turn around and say that well, EOTL will just use rootstrings for all that massive installed base that checks them.
So whether this can work may come down to the license language. If it requires same-origin check then the installed base benefit is hugely offset.