Re: [ft-devel] Digital signatures
From: David Somers
Subject: Re: [ft-devel] Digital signatures
Date: Thu, 25 Aug 2005 18:48:13 +0200
User-agent: KMail/1.8.1
On Thursday 25 August 2005 16:17, George Williams wrote:
> There has been an argument running on the OpenType list about Digital
> signatures.
It's more of a deep discussion than an argument :-)
> I must confess I fail to understand the need for them on a linux/unix
> platform. Perhaps someone can illuminate me, or perhaps linux/unix is
> different enough from Windows/Mac that font validation isn't as
> important.
>
> As I understand it, the Digital signature says that someone (who has at
> one time been in some sense verified to exist) says the font is ok. But
> it does not say the font has been validated or anything useful, just
> that someone thought it was ok. (It doesn't even say that the someone
> wasn't a virus-writer ten years ago when the certificate was obtained
> who has since moved on from the original location)
All it says is that this font was signed by X, and since then it hasn't been
tampered with.
> First of all that seems a very weak form of protection.
True. It's more about integrity than security.
> Am I missing something?
No... it just means that the font developer spent money and went through a lot
of hassle to get a code signing certificate. It does NOT mean anything else
at all. It's NOT mandatory to sign fonts.
Greetings from Luxembourg,
--
David Somers
VoIP: FWD 622885
PGP Key = 7E613D4E
Fingerprint = 53A0 D84B 7F90 F227 2EAB 4FD7 6278 E2A8 7E61 3D4E
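
An added example, not part of the original message or of FreeType code, illustrating the point made in this thread: a signature check answers "unchanged since signing?", while a structural check answers "is the font well formed?". HMAC-SHA256 with a constructed key stands in for the certificate-based signature, and all names and the sample font bytes are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key. HMAC-SHA256 stands in for the publisher's
# certificate-based signature so the example runs with the standard library.
SIGNER_KEY = b"constructed-demo-key"

def sign(font: bytes) -> bytes:
    """Return the stand-in 'signature' over the exact font bytes."""
    return hmac.new(SIGNER_KEY, font, hashlib.sha256).digest()

def signature_ok(font: bytes, tag: bytes) -> bool:
    """True if the bytes are unchanged since signing. Says nothing else."""
    return hmac.compare_digest(sign(font), tag)

def structure_problems(font: bytes) -> list:
    """Minimal sfnt table-directory check: every table must lie inside the file."""
    if len(font) < 12:
        return ["file shorter than the 12-byte sfnt header"]
    num_tables = struct.unpack(">H", font[4:6])[0]
    if 12 + 16 * num_tables > len(font):
        return ["table directory runs past end of file"]
    problems = []
    for i in range(num_tables):
        # Table record: tag, checksum, offset, length (big-endian, 16 bytes).
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        if offset + length > len(font):
            problems.append(f"table {tag.decode('latin-1')!r} extends past end of file")
    return problems

def build_font(claimed_length: int) -> bytes:
    """Constructed one-table sfnt whose 'name' record claims `claimed_length` bytes."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    body = b"demo"
    record = struct.pack(">4sIII", b"name", 0, 28, claimed_length)
    return header + record + body

GOOD = build_font(4)
BAD = build_font(4096)          # malformed before it was ever signed
BAD_TAG = sign(BAD)
TAMPERED = BAD[:-1] + b"X"      # one byte changed after signing

if __name__ == "__main__":
    print("signed malformed font verifies:", signature_ok(BAD, BAD_TAG))
    print("tampered copy verifies:", signature_ok(TAMPERED, BAD_TAG))
    print("structure problems:", structure_problems(BAD))
```
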