W3C home > Mailing lists > Public > www-font@w3.org > April to June 2010

Re: WebFonts WG discussions

From: Thomas Phinney <tphinney@cal.berkeley.edu>
Date: Fri, 7 May 2010 11:09:06 -0700
Message-ID: <y2sf49ae6ac1005071109j3e371bc6r3608153b9cda0a90@mail.gmail.com>
To: Matt Colyer <matt@typekit.com>
Cc: Jonathan Kew <jonathan@jfkew.plus.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, "Levantovsky, Vladimir" <Vladimir.Levantovsky@monotypeimaging.com>, Erik van Blokland <erik@letterror.com>, "www-font@w3.org" <www-font@w3.org>
On Fri, May 7, 2010 at 10:08 AM, Matt Colyer <matt@typekit.com> wrote:
> Ahh, now I understand what you want to do.What I think you want is
> cyptographic file signing (like the DSIG table, which didn't ever really
> take off).http://www.microsoft.com/typography/otspec/dsig.htm
> That way a WOFF file could be guaranteed to be unmodified by the original
> author and no one (unless they got your private key) could properly resign
> the file (but a checksum as previously pointed out could be easily
> recalculated).
> However this would require alot of effort to create a web of trust for
> foundry certificates.Assuming all of this did work, what should happen if a
> file wasn't properly signed? What should happen if it was signed but not by
> a trusted entity?
> I think the most difficult part of this is creating a user experience that
> effectively used the signing information without causing a disruption to the
> average web user. The Firefox 3 SSL warning page has had to deal with
> similar
> Thoughts?
> -Matt

One minor issue with DSIGs for desktop fonts, moving to the web, is
that the DSIG is an extra ~4K to the file size.

If one is concerned about keeping file size down, adding *another*
DSIG seems like a bad idea. A tiny checksum is a different matter.



"I've discovered the worst place to wander while arguing on a
hands-free headset."  http://xkcd.com/736/
Received on Friday, 7 May 2010 18:09:40 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:37:34 UTC