Re: WebFonts WG discussions

Tab Atkins Jr. wrote:
> On Fri, May 7, 2010 at 11:35 AM, Levantovsky, Vladimir 
> <Vladimir.Levantovsky@monotypeimaging.com> wrote:
>> On Friday, May 07, 2010 12:08 PM Tab Atkins Jr. wrote:
>>> On Fri, May 7, 2010 at 6:59 AM, Levantovsky, Vladimir wrote:
>>>> I realize that adding a checksum isn’t going to be a strong
>>>> protection against willful modifications, the same could be
>>>> done with the checksum present, but it would require a bit of
>>>> an effort (to write the code to recalculate the checksum).
>>> I believe that, by the time people are reaching into the file to
>>> cut out tables and modify several values, recalculating a 
>>> checksum is trivial.  The operations and abilities required to do
>>> so are basically the same.
>>> 
>> Well, the key difference here is that I can discard metadata fields
>> and zero-out their respective offset/length values using any HEX
>> editor with no effort. Recalculating a checksum does require
>> writing a piece of code.
> 
> Anyone who knows enough to use a hex editor like that, though, can 
> certainly write the code.  The extra knowledge/effort that is 
> required to handle the checksum is so trivial as to be nonexistent.

I agree. A publicly available method for computing a checksum cannot be
used as a prevention method for any forgery. Either you must keep the
checksum algorithm secret (and the checksum cannot be verified by
anybody but you) or you use some real secure algorithm suitable for
digital signatures.

With a digital signature, you can provide a proof that the font has been
modified. Add a clause to your licensing that only a digitally signed
font can be used for web. Then anybody who wants to legally use your
font on the web must acquire a digitally signed copy from you. That
digitally signed copy should include the name of the licensee.

Notice that I'm against UAs enforcing the licensing and/or declining to
load a font with an invalid signature. I'm just suggesting that with
digital signatures and proper licensing terms, you can be 100% sure that
any copy of your font without a proper signature is always an illegal
copy of your font.

As I've said so many times before, you cannot prevent copying with
technical measures (as that would require a working DRM system which
cannot exist by definition). You can, however, provide a solid proof for
the judge if needed. However, notice that because contract law is
different in different countries, you should not expect to get the same
level of protection through EULA licensing terms. In some countries, the
EULA does not mean anything unless it has been signed _on paper_ and the
contract agreement ("EULA") has been agreed on _beforehand_ (as opposed
to the usual method of getting the font/software first, and then
"agreeing" to the EULA later by clicking a button).

-- 
Mikko

Received on Monday, 10 May 2010 07:52:16 UTC
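
The checksum-versus-signature point made in this message, as an added example that is not part of the original thread: a public word-sum checksum can be refreshed by whoever edits the file, while a keyed tag over the licensee name and font bytes cannot. HMAC-SHA256 stands in for a real digital signature (Python's standard library has none), so here only the key holder can verify; the checksum routine, key, font bytes and names are constructed assumptions.

```python
import hashlib
import hmac
import struct

def public_checksum(data: bytes) -> int:
    """Unkeyed 32-bit big-endian word sum; anyone holding the file can compute it."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF

def issue_tag(key: bytes, font: bytes, licensee: str) -> bytes:
    """Keyed tag binding the licensee name to the font bytes."""
    name = licensee.encode("utf-8")
    # Length-prefix the name so the name/font boundary cannot be shifted.
    msg = struct.pack(">I", len(name)) + name + font
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_tag(key: bytes, font: bytes, licensee: str, tag: bytes) -> bool:
    """Recompute the tag with the key and compare in constant time."""
    return hmac.compare_digest(issue_tag(key, font, licensee), tag)

# Constructed sample values: not a real font, key or licensee.
FOUNDRY_KEY = b"constructed-demo-key"
NOTICE = b"Licensed to Example Co"
FONT = b"FONTDATA<metadata>" + NOTICE + b"</metadata>GLYPHS.."
LICENSEE = "Example Co"

def demo() -> dict:
    stored_sum = public_checksum(FONT)
    tag = issue_tag(FOUNDRY_KEY, FONT, LICENSEE)
    # Same-length copy with the notice bytes blanked out.
    modified = FONT.replace(NOTICE, b" " * len(NOTICE))
    # Whoever edits the file can also store a fresh checksum next to it,
    # so a matching unkeyed checksum says nothing about who produced the file.
    refreshed_sum = public_checksum(modified)
    return {
        "original_verifies": verify_tag(FOUNDRY_KEY, FONT, LICENSEE, tag),
        "stale_checksum_flags_edit": public_checksum(modified) != stored_sum,
        "refreshed_checksum_accepted": public_checksum(modified) == refreshed_sum,
        "edited_copy_verifies": verify_tag(FOUNDRY_KEY, modified, LICENSEE, tag),
        "other_licensee_verifies": verify_tag(FOUNDRY_KEY, FONT, "Other Ltd", tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With an asymmetric signature in place of the HMAC, the verify step would use the issuer's public key, so a third party could check a copy without being able to issue one.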