- From: Glenn Adams <glenn@skynav.com>
- Date: Thu, 30 Jun 2011 15:23:59 -0600
- To: "Levantovsky, Vladimir" <Vladimir.Levantovsky@monotypeimaging.com>
- Cc: John Daggett <jdaggett@mozilla.com>, John Hudson <tiro@tiro.com>, "liam@w3.org" <liam@w3.org>, StyleBeyondthePunchedCard <www-style@w3.org>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>, "Martin J." <duerst@it.aoyama.ac.jp>, Sylvain Galineau <sylvaing@microsoft.com>
- Message-ID: <BANLkTi=DTJzM-NhHhARq5C5BRw4+ssMjCQ@mail.gmail.com>
What are those EULA clauses about if not content protection? To quote Wikipedia: "techniques used for preventing the reproduction of software, films, music, and other media, usually for copyright <http://en.wikipedia.org/wiki/Copyright> reasons."

I am using CP in a general sense to include access (e.g., rendering, display) control, and not merely copy control. If you don't like my use, then I can use the somewhat more general term DRM.

The two cited EULAs state:

> which reasonably restricts access to Web Font Software from use in any way by web pages or any document not originating from your Web Site

and

> reasonable state-of-the-art measures, that other websites cannot access the Font Software for display

Control of access is merely a specific type of content protection or DRM.

Regarding the last, please show me an attack based on font access that SOR prevents.

On Thu, Jun 30, 2011 at 3:13 PM, Levantovsky, Vladimir <Vladimir.Levantovsky@monotypeimaging.com> wrote:

> Glenn,
>
> Have you had any chance to do what you were planning to do last week? (http://lists.w3.org/Archives/Public/www-font/2011AprJun/0123.html)
>
> If you had, you should have realized that same origin restriction has *nothing* to do with content protection. You can always type a URL of any font resource in your browser and download the file, no questions asked and no strings attached. Rip a font, use it on your computer, serve it from your own server – there are no technical measures that would prevent any of this – how can this possibly be even considered a content protection?
>
> The only thing that SOR doesn’t let you do is to hot-link to a resource that is hosted on someone else’s website – with same origin restriction in place you would need to have the author of that website to allow you to link their resources. As of right now (with no SOR in place) – you can do it easily, leeching the bandwidth someone else is paying for, and opening up all sorts of holes for an attack (which is what John Daggett and ROC pointed out on many occasions).
>
> Regards,
> Vlad
>
> *From:* Glenn Adams [mailto:glenn@skynav.com]
> *Sent:* Thursday, June 30, 2011 4:42 PM
> *To:* John Daggett
> *Cc:* John Hudson; Levantovsky, Vladimir; liam@w3.org; StyleBeyondthePunchedCard; public-webfonts-wg@w3.org; www-font@w3.org; Martin J.; Sylvain Galineau
> *Subject:* Re: css3-fonts: should not dictate usage policy with respect to origin
>
> So, as I've previously said, this is only about content protection mechanisms and their enforcement. There is no security risk on the part of the end user (viewer of content rendered with web fonts) that is at stake here.
>
> On Thu, Jun 30, 2011 at 2:09 PM, John Daggett <jdaggett@mozilla.com> wrote:
>
> Glenn Adams wrote:
>
> > So, there is no end-user risk that is being addressed here other than the hypothetical case of violating an EULA? Is that really what all this noise is about?
>
> No Glenn, this is an information leakage issue, it allows for the contents of a font, the glyph data, to be transmitted beyond the boundaries specified by an *author* (for example, on an access-limited site), not just beyond what is allowed by some form of licensing.
>
> > Could you send me or point me at a EULA for which SOR on fonts is relevant?
>
> Ascender (Microsoft distributes their fonts via Ascender)
>
> From their Web Fonts EULA:
> http://www.fontslive.com/info/web-fonts-eula.aspx
>
> > 11. “Web Site” as used herein shall be the web site identified by you in your account at ascenderfonts.com; (i) which utilizes the Ascender hosted Web Font Software in its web pages through the use of the Services, (ii) which does not in any way enable the permanent installation of the Web Font Software by End-Users on any workstation, computer and other electronic device, and (iii) which reasonably restricts access to Web Font Software from use in any way by web pages or any document not originating from your Web Site (For example; by using referrer checking to prevent hotlinking or deeplinking).
>
> FontFont
>
> From their Web Fonts EULA:
> http://www.fontshop.com/licenses/fontfont/
>
> > 2.3. Font Software File Protection. You must ensure, by applying reasonable state-of-the-art measures, that other websites cannot access the Font Software for display (e. g. by preventing hotlinking and blocking direct access to the Font Software via .htaccess or other web server configurations).

Received on Thursday, 30 June 2011 21:24:48 UTC
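
As an added illustration (not part of the original message, and not any browser's or server's actual code), the sketch below models the two controls this thread discusses: the Referer check the quoted EULAs mention and the same-origin restriction on font loads. The hosts, the `allowedOrigins` policy and the use of the CORS `Access-Control-Allow-Origin` header as the font host's opt-in are assumptions made for the example.

```javascript
// Added example: simplified model of the two controls discussed in this thread.
// All hosts, URLs and header values below are constructed placeholders.
const originOf = (url) => new URL(url).origin;

// Server side: Referer check of the kind the quoted EULAs mention.
// Assumed policy: serve when Referer is absent or names an allowed origin.
function servedByRefererCheck(allowedOrigins, referer) {
  return !referer || allowedOrigins.includes(originOf(referer));
}

// Browser side: same-origin restriction on an @font-face load, with the
// font host's opt-in modelled as the CORS Access-Control-Allow-Origin header.
function usableByPage(pageUrl, fontUrl, allowOriginHeader) {
  const page = originOf(pageUrl);
  return page === originOf(fontUrl) ||
    allowOriginHeader === '*' || allowOriginHeader === page;
}

// Evaluate one request. pageUrl === null means the URL was fetched directly
// (typed into the address bar), which is not an @font-face load at all.
function evaluate({ pageUrl, fontUrl, referer, allowedOrigins, allowOriginHeader }) {
  const served = servedByRefererCheck(allowedOrigins, referer);
  if (pageUrl === null) return { served, rendered: null };
  return { served, rendered: served && usableByPage(pageUrl, fontUrl, allowOriginHeader) };
}

const FONT = 'https://site.example/fonts/body.woff';
const base = { fontUrl: FONT, allowedOrigins: ['https://site.example'] };
const scenarios = {
  ownPage: { ...base, pageUrl: 'https://site.example/', referer: 'https://site.example/' },
  hotlink: { ...base, pageUrl: 'https://other.example/', referer: 'https://other.example/' },
  // Page whose requests carry no Referer (e.g. Referrer-Policy: no-referrer).
  hotlinkNoReferer: { ...base, pageUrl: 'https://other.example/', referer: undefined },
  partnerOptIn: { ...base, pageUrl: 'https://partner.example/', referer: 'https://partner.example/',
    allowedOrigins: ['https://site.example', 'https://partner.example'],
    allowOriginHeader: 'https://partner.example' },
  directDownload: { ...base, pageUrl: null, referer: undefined },
};

function runAll() {
  return Object.fromEntries(Object.entries(scenarios).map(([k, s]) => [k, evaluate(s)]));
}
console.log(runAll());
```

In this model the direct download is served in every case, while the cross-site page renders the font only when the font host opts in, whether or not a Referer header was sent.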