
RE: WebFonts WG discussions

From: Levantovsky, Vladimir <Vladimir.Levantovsky@MonotypeImaging.com>
Date: Fri, 7 May 2010 09:59:15 -0400
To: Matt Colyer <matt@typekit.com>
CC: Erik van Blokland <erik@letterror.com>, "www-font@w3.org" <www-font@w3.org>
Message-ID: <7534F85A589E654EB1E44E5CFDC19E3D020819F79C@wob-email-01.agfamonotype.org>

Sorry for a delayed response. The reason I proposed to consider adding a checksum is because the WOFF file contains extended and private metadata fields that currently can be easily discarded - one can simply cut them, zero-out related offset/length values in the WOFF header and modify the WOFF length. I realize that adding a checksum isn't going to be a strong protection against willful modifications, the same could be done with the checksum present, but it would require a bit of an effort (to write the code to recalculate the checksum).

I wouldn't say that the checksum is absolutely necessary but it seems to make sense to have it.


From: matt@smallbatchinc.com [mailto:matt@smallbatchinc.com] On Behalf Of Matt Colyer
Sent: Tuesday, May 04, 2010 12:35 PM
To: Levantovsky, Vladimir
Cc: Erik van Blokland; www-font@w3.org
Subject: Re: WebFonts WG discussions

On Tue, May 4, 2010 at 7:17 AM, Levantovsky, Vladimir <Vladimir.Levantovsky@monotypeimaging.com> wrote:
Hi Erik,

A short answer is - it would not affect this ability at all.
The long answer: the proposed checksum will be calculated based on the WOFF data including Header, Table Directory and extended and private metadata fields, and will be set to equal the difference between the calculated value and the checkSumAdjustment of the original font encapsulated in the WOFF as a payload. In order for UA to verify the integrity of WOFF data it will need to calculate the checksum for WOFF data and match its value against the 'checkSumAdjustment' field of downloaded 'head' table (this is the only table UA would have to download, but it would have to do it anyway, and the table size is small). Once UA downloaded the 'head' table and verified the integrity of WOFF data, the UA can proceed and download any desired selection of specific tables, the same way that you could do it now.

I am interested to hear why a checksum is considered necessary/beneficial in WOFF. Since fonts will be served over HTTP which itself is served over TCP, the data is guaranteed not to be corrupted through transmission.


From: Erik van Blokland [mailto:letterror@gmail.com] On Behalf Of Erik van Blokland
Sent: Tuesday, May 04, 2010 4:01 AM
To: Levantovsky, Vladimir
Cc: www-font@w3.org
Subject: Re: WebFonts WG discussions


On 3 mei 2010, at 17:40, Levantovsky, Vladimir wrote:

This approach would allow user agents to verify the integrity of WOFF data fields and match it against the font 'checkSumAdjustment' encoded as part of the font 'head' table [3]. The suggested approach would *not* require decompressing the whole font to calculate checksum, and would preserve the ability of UA to selectively decompress font tables to only retrieve portions of font data as needed.

How would this checksum affect the ability of the UA to download only specific tables?

Received on Friday, 7 May 2010 14:00:53 UTC
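
The check discussed in this thread, as an added example that is not part of the original messages or of the WOFF specification: a sum over the WOFF header, table directory and metadata/private blocks is tied to the font's 'checkSumAdjustment', so a file whose metadata has been cut no longer verifies. Assumptions: the sum is the OpenType-style uint32 sum, the adjusting value is carried as a separate number because the thread does not say where it would be stored, and all function names and sample bytes are constructed for illustration.

```python
import struct

HDR = struct.Struct(">4sIIHHIHHIIIII")   # 44-byte WOFF 1.0 header
DIR_ENTRY = struct.Struct(">4sIIII")     # tag, offset, compLength, origLength, origChecksum
M32 = 0xFFFFFFFF

def uint32_sum(data):
    """Sum of big-endian uint32 words, zero-padded (assumed algorithm)."""
    data += b"\0" * (-len(data) % 4)
    return sum(struct.unpack(">%dI" % (len(data) // 4), data)) & M32

def covered_sum(woff):
    """Checksum over header, table directory, metadata and private blocks."""
    f = HDR.unpack_from(woff)
    if f[0] != b"wOFF" or f[2] != len(woff):
        raise ValueError("bad signature or length field")
    total = uint32_sum(woff[:HDR.size + f[3] * DIR_ENTRY.size])
    for off, ln in ((f[8], f[9]), (f[11], f[12])):   # meta, then private
        if off + ln > len(woff):
            raise ValueError("block lies outside the file")
        total = (total + uint32_sum(woff[off:off + ln])) & M32
    return total

def build(table, meta=b"", priv=b""):
    """Constructed single-table WOFF-like container (table data is opaque)."""
    t_off = HDR.size + DIR_ENTRY.size
    m_off = t_off + len(table) if meta else 0
    p_off = t_off + len(table) + len(meta) if priv else 0
    length = t_off + len(table) + len(meta) + len(priv)
    hdr = HDR.pack(b"wOFF", 0x00010000, length, 1, 0, 0, 1, 0,
                   m_off, len(meta), len(meta), p_off, len(priv))
    entry = DIR_ENTRY.pack(b"head", t_off, len(table), len(table), 0)
    return hdr + entry + table + meta + priv

def verify(woff, woff_checksum, head_adjustment):
    """True if the covered data still matches the value fixed at packaging."""
    return (covered_sum(woff) + woff_checksum) & M32 == head_adjustment

ADJ = 0xB1B0AFBA                         # constructed checkSumAdjustment
TABLE = bytes(range(16))                 # constructed, 4-byte aligned
original = build(TABLE, meta=b"<metadata/>\0", priv=b"LICENSE1")
stored = (ADJ - covered_sum(original)) & M32     # set when the WOFF is made
stripped = build(TABLE)                  # blocks cut, offsets/lengths zeroed
```

Only the header, directory and metadata/private bytes are read, so the table data never has to be decompressed. As the first message says, the value can simply be recalculated after a change, so the check catches careless stripping rather than willful modification.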
